Cannot use sudolikeaboss with 1Password 6.8.1

gregmtl
gregmtl
Community Member
edited August 2017 in Mac

I use sudolikeaboss to quickly login to my servers in iTerm2 via 1Password. But this functionality broke with 1Password 6.8.1 and the explanation here seems to be that communication with 1Password can no longer be through WebSockets, but must be through Native Messaging. Hence the disappearance of the "Verify browser code signature" checkbox in the advanced settings screen of 1Password version 6.8.1.

I am not sure a fix is forthcoming and this is a tool I use daily to manage multiple servers. Is there any recommendations that the team at 1Password can make for people like me who need this integration with sudolikeaboss and have already been updated 1Password version 6.8.1?

Thanks very much in advance.


1Password Version: 6.8.1
Extension Version: 4.6.10.90
OS Version: OS X 10.12.6
Sync Type: Dropbox

«1

Comments

  • beyer
    beyer
    1Password Alumni

    Hey @gregmtl,

    The post you've linked to was written by @rudy, one of our developers, so his summation is accurate. I see he asked if anyone was interested in working on the changes necessary to keep sudolikeaboss working, but no one has stepped up.

    It looks like you've already downgraded which will help you out temporarily, but I do not see a long term solution without sudolikeaboss being a code signed binary (and us allowing that code signature in 1Password).

    We are working on a project internally for our 1Password.com members that should open the door for various 3rd party tools, but unfortunately, I can't quite yet discuss that publically.

    I'm sorry I don't have better news yet, but I'll ping @rudy and see if he has any further advice.

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • 2bithacker
    2bithacker
    Community Member

    Personally, I'd love to see 1Password add a command line tool as on official feature. Run the program, it pops up the box, spit the selected password out on STDOUT. Having sudolikeaboss break every other release really messes with my daily routine.

  • Thanks for the feedback, @2bithacker. We would like to be able to offer a 1st party solution in the future.

    Ben

  • brycekahle
    brycekahle
    Community Member

    @beyer @rudy @ben I'm very interested in adding Native Messaging support to sudolikeaboss. Please contact me so we can discuss details.

  • Hi @brycekahle,

    Thanks for your interested in continuing compatibility. I've spoken to Rudy about this. He mentioned he also saw some similar comments on your GitHub and that as soon as we have more information that we can share one of our developers will be in touch.

    Ben

  • brycekahle
    brycekahle
    Community Member

    @ben Great. Thanks for the update.

  • Lars
    Lars
    1Password Alumni

    You're quite welcome, @brycekahle! :)

  • EuroTrash
    EuroTrash
    Community Member

    I agree with @2bithacker that a 1st party solution is needed. I skipped 6.8.0 and waited for 6.8.1 thinking I would avoid major upgrade issues and surprise it was 6.8.1 that broke sudolikeaboss... dammit!

  • beyer
    beyer
    1Password Alumni

    Thanks for taking the time to let us know @EuroTrash! We are investigating this possibility, and we will let you all know.

    Have a great rest of your week!

    --
    Andrew Beyer (Ann Arbor, MI)
    Lifeline @ AgileBits

  • brycekahle
    brycekahle
    Community Member

    @ben Any update? To be clear, I'm not asking AgileBits to do any of the work. I just need information/specs/requirements on the Native Messaging protocol and any additional requirements such as code signing. If you cannot provide me with protocol specs, please let me know so I can explore other avenues.

  • @brycekahle

    Unfortunately I don't have any update to share right now. Currently 1Password is hard coded to only accept code signatures from the major web browsers. We don't yet have a mechanism for accepting other signatures. That is something we're considering, but no final decision on what direction to take has been made.

    Ben

  • EuroTrash
    EuroTrash
    Community Member
    edited September 2017

    @ben Sounds like an argument for a first party replacement for sudolikeaboss.

    How can I roll back to the appstore version of 6.8.0 if I never installed it?

  • Lars
    Lars
    1Password Alumni

    @EuroTrash -- when you say "appstore," do you mean the Mac App Store? If so, you can't download versions released earlier than the date of your purchase. If you meant our own AgileBits store, you can get any version from our version history server.

    If you have a paid copy of the Mac App Store version of 1Password, or a 1password.com subscription, you can switch to our version and that should get you where you want to be. Let us know if you have any problems!

  • brycekahle
    brycekahle
    Community Member
    edited September 2017

    @Ben After disassembling the Native Message host and 1Password helper apps, I see the list of hard coded code signatures. If would be happy to obtain a code signing identity from Apple and sign the sudolikeaboss binary. Would you then be able to add that signature in an update of 1Password? Is there some other trust issue? sudolikeaboss requires a user to select a login/password, so it isn't like a malicious program could use it to obtain passwords without the user knowing.

    I'm also happy to take this conversation offline. My email is [removed].

  • @brycekahle,

    I'll have one of our developers get in touch with you directly. Thanks! :)

    Ben

  • EuroTrash
    EuroTrash
    Community Member

    @Lars When I say appstore I mean Mac App Store.... (of course!) I use iCloud for syncing. Again I skipped/ 6.8.0 because I didn't want sudolikeaboss to break on a major upgrade.... but low and behold you all fooled me and broke it on the 6.8.1 (a minor version release) . I doubt there is a way to roll back to 6.8.0 from 6.8.1 (Mac appstore) This problem could have been totally prevented by noting that 3rd party browser compatibility could be broken by this update. NOT noting this major change, in a minor release, does a major disservice to your loyal customers. (me!)

    Does 6.8.2 address any of this? Have any decision been made re: 1P support for the terminal?

  • Lars
    Lars
    1Password Alumni

    Hi @EuroTrash -- I agree that rolling back to a previous version of a Mac App Store app is difficult if not impossible. However, if you've paid for 1Password via the Mac App Store, you can certainly download and install the version of 1Password 6 for Mac from our website. It will pick up the fact that you've licensed 1Password via the Mac App Store. You'd need to migrate your data from the Mac App Store version to our version of 1Password for Mac, but that's not overly difficult and can be accomplished a number of ways.

    We don't have anything to share regarding compatibility of 1Password with unsigned applications, but if you'd like to try installing an older version of 1Password for Mac and you'd like help with migrating data from the Mac App Store version to our version, just let us know.

  • bragi0
    bragi0
    Community Member

    I'll just throw my hat in the ring as one of the sufferers here, sudolikeaboss is critical for me in our environment as we're currently unable to roll out ssh keys or ssh certs on a few hundred of our hosts. It doesn't sound hard to copy-n-paste out of 1password mini until you have to do it a hundred times a day. cmd-\ for the win there!.

    The new CLI app doesn't solve for my particular use case.

  • Lars
    Lars
    1Password Alumni

    @bragi0 - thanks for adding your voice!

  • georgieff
    georgieff
    Community Member

    Same here. I can't even downgrade the version since I upgraded to High Sierra.

  • I'm sorry to hear that, georgieff.

    Rick

  • EuroTrash
    EuroTrash
    Community Member

    @bragi0 what is "The new CLI app" that you refer to? Is there a 1P CLI solution that I'm unaware of? I've seen nothing in the Release Notes

  • EuroTrash
    EuroTrash
    Community Member
    edited October 2017

    OK I found the CLI tool. Interesting tool, but sadly, doesn't seem to help me with sudolikeaboss functionality. I maintain dozens of client servers and I've been using 1P to store server and application keys and passwords. sudolikeaboss + iTerm2 worked perfectly. I'd happily pay for a 1st party sudolikeaboss solution.

  • Lars
    Lars
    1Password Alumni

    @EuroTrash -- it's an interesting idea, but one I doubt we'll wind up doing any time soon, given the scope of work we've already got on our plates. We've been trying to tighten the security of 1Password overall, and recognizing only signed code is a big part of that. Depending on how acute your need for such a thing is, you might be better served by working on the sudolikeaboss team to sign their entire code bundle.

  • cttwapps
    cttwapps
    Community Member

    I too used to use sudolikeaboss and the 6.8.1 update impacted my workflow; however, given that I always have several terminals open using op presented a workaround.

    I finally got some time to play with op after the initial launch announcement (beyond the 5-10min I played with it then) and I worked up the following small shell script: https://gist.github.com/cttwapps/f2c24a496aabe650875580a6cf16ba15.js

    It's just a simple, single purpose, wrapper around op that tries to be relatively reasonable about session management. Note: I bounce from meeting-room to meeting-room some days and connectivity is not the best so I try to make the most of the 30min lifespan span of the token; not to mention it's just polite to 1password.com)

    I'm of the school of "release early and often" so the linked gist may have quiet a few changes on the days I get to focus my attention on folding op into my workflow.

    Lastly, "necessity is the mother of invention", I wrote this small script in a few minutes to address my needs and workflow; you may not find this useful or it's use may be limited by your workflow. I will gladly help out where I can to make it most useful for the most people but that will be in bursts so please be respectful of my time. Thanks muchly and I hope this helps someone.

  • cohix
    cohix
    1Password Alumni

    @cttwapps Thanks for sharing that! I took a look and if you don't mind I have a few suggestions (I'm one of the CLI developers).

    Firstly, you don't need to use the full signin command every time. I would keep the if statement at line 2 the same, but the else statement at line 14 can be changed to use the shorthand: op signin [account-name]. In your example, it would be op signin acme. Your account details are saved into the CLI's config file so you don't need to provide that information every time you create a new session, only on the first signin :)

    Secondly, I'm pretty sure lines 16+17 are unneeded. The eval of the signin command saves the session token into your environment for you, I don't think you need to do it again, though correct me if I'm wrong there (things can be odd when scripting).

    An alternative is to do this: S=$(op signin acme --output=raw) (this gives you just the session token, not an eval statement).
    Then: op get item [options] --session=$S. Every command supports the --session flag so you can pass in a session token rather than rely on the environment variable if you so choose. You can see the documentation for more information!

    Let me know what you think. Also, feel free to join the CLI section of the forums to share more scripts and tools you may come up with! We love seeing stuff like this.

  • cttwapps
    cttwapps
    Community Member
    edited October 2017

    @cohix

    This is part of the my use case and workflow I was mentioning; my environment doesn't always guarantee that .op/config will exist everywhere I may need data from 1password so the full signin command is used. I could test for it the same way I do in line 2 and make the signin string conditional.

    As for lines 16+17 this provides a means of getting at the op session token across multiple logins within a 30min period. In my testing op did not persist the session token in a meaningful way so if I logged out I would have to get a new token when needed. This is mainly to be "polite" to the API that op uses.

  • cohix
    cohix
    1Password Alumni

    @cttwapps Oh well in that case, as you were :) That seems reasonable enough!

  • cttwapps
    cttwapps
    Community Member

    @cohix I will write in the testing for ~/.op/config for sure, that's a reasonable test despite environmental shenanigans. I'd like to eventually turn this into something that can be used as a co-process for iTerm. :)

This discussion has been closed.