CLI sign-in fails on Termux (Android), localhost DNS request issue?

scy
scy
Community Member

I'm trying to run the 1Password CLI in a somewhat unusual environment: On an Android device, using Termux. This is mainly because my device is running pretty much Google-free, using LineageOS 15.1. I don't have access to the Play Store and thus can't install the normal Android app. (An official, trustworthy APK download from your website would be so awesome, could you maybe ping your Android team?)

I've downloaded the 1Password CLI for Linux/ARM, and it's basically running. However, it seems to have problems looking up DNS names. This is the error I'm getting while signing in:

$ op signin xxxxxxxx.1password.eu xxxxxxxx@xxxxxxxx.xxx A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX
Enter the password for xxxxxxxx@xxxxxxxx.xxx at xxxxxxxx.1password.eu:
[LOG] 2019/05/19 13:44:44 (ERROR) Get https://xxxxxxxx.1password.eu/api/v2/auth/xxxxxxxx@xxxxxxxx.xxx/A3/XXXXXX/xxxxxxxxxxxxxxx: dial tcp: lookup xxxxxxxx.1password.eu on [::1]:53: read udp [::1]:46090->[::1]:53: read: connection refused

To me, it looks like the tool is trying to look up the sign-in host name by querying a DNS server on localhost. And while I do run a unusual setup, running a local DNS server is not part of it. ;)

I don't know why it's doing that, running curl xxxxxxxx.1password.eu works fine, it's just op that's misbehaving.

As far as I can tell from the log message, op is implemented in Go, so I'll have a look at where it's getting its list of DNS servers from, but in the mean time, maybe you know something about it.


1Password Version: 0.5.6
Extension Version: Not Provided
OS Version: LineageOS 15.1, Termux 0.69
Sync Type: Not Provided

Comments

  • scy
    scy
    Community Member

    Okay, so the problem seems to definitely be related to DNS lookups. Android doesn't have /etc/resolv.conf, and Go defaults to localhost if it's missing. This can apparently be solved by compiling for GOOS=android. Would you be willing to provide that?

    Creating /etc/resolv.conf on a non-rooted Android is impossible, and even with a rooted one I wasn't successful.

    Alternatively, I could try building it on my own, but I guess op isn't open source?

  • Hi @scy!

    What an exciting setup! As a fellow linux user, its awesome to see you using our software like this.

    I'll check with the rest of the team regarding created a version targeted at the android os, and the android team regarding releasing a signed apk. However those could take a bit of time if we are willing to provide them.

    Due to a couple considerations, op is not open source at this time. However your instincts are correct; the tool is written in Go.

    Your knowledge here may be better than mine: Without the /etc/resolv.conf file present, any dns lookup call will fail to localhost, as the first step of the DNS lookup tree is not present. Furthermore, short of directly dialling an ip, there isn't a code-based solution available to us. Is this correct?

  • scy
    scy
    Community Member

    Hi @graham_1P and thanks for getting back to me!

    I don't think that my Go knowledge is better than yours, it's rather limited. ;) However, I looked into alternatives as you suggested.

    Since Go 1.9, there's Resolver.Dial, allowing you to specify a custom resolver. I haven't found any examples on how to use it though. The basic idea could be something like

    1. check (somehow) if you're on Android, or alternatively if you're on GOOS=linux and /etc/resolv.conf is missing
    2. if so, set up a custom dialer to fall back to, I don't know, 8.8.8.8 or 9.9.9.9?

    But what about if the system is indeed running a resolver on localhost? Using a custom DNS server instead of relying on Go's fallback would probably not break their setup, but nevertheless changes behavior in a way. It seems like a ugly hack to me, and the real solution would be to build for GOOS=android.

    For completeness, I've also looked into some of the things mentioned in Name Resolution. For example, even though apparently HOSTALIASES doesn't do anything on most Linux tools nowadays, I've tried setting it, but it didn't change op's behavior.

    Setting GODEBUG=netdns=1 had an effect though: It tells me

    go package net: built with netgo build tag; using Go's DNS resolver
    

    Trying to force it to use cgo was unsuccessful though; GODEBUG=netdns=gco+1 still results in the same debug message, so apparently either the netgo build tag overrides requesting cgo at runtime, or you've disabled cgo altogether when building. Again, a binary for GOOS=android would probably simply do the right thing on Android.

    Since I've rooted this phone, I had one last option to try: Indeed running a local DNS resolver. So I've installed dnsmasq, started it with dnsmasq -dqR -S 9.9.9.9 and tried op update — and it worked :) Now of course, that's a hack nevertheless, but at least I can work with that until there's a 1Password APK available for download or you can provide a version of op built for Android. By the way, feel free to contact me if you need someone to try out an experimental build before releasing it to the world.

    Hope that helps, please get in touch if you need anything else.

  • Hey @scy !

    Thanks for all your investigation. I'm glad to hear running a local DNS resolver works. I was playing a bit with termux last night and its a neat app. Helped me solve another customer's issue actually.

    After chatting with my coworkers, considering this is a fairly rare request, I doubt we are going to produce a signed APK or a custom arch build. That may change if there are more customers requesting these builds, but currently neither are in our roadmap. Opensourcing OP would be awesome, and something we are actively looking towards, but the time horizon for that is far in the future.

  • scy
    scy
    Community Member

    Hi @graham_1P, sorry for not getting back to you earlier.

    I'm happy to hear that you like Termux. It's an awesome app.

    Of course I can fully understand that your priorities might be on other things. Since I really don't want to run a local DNS resolver as root on my device permanently, but I do need a password manager on the go, I had to cancel my family subscription and migrate to a (fully open source) competitor. No hard feelings, and thank you for your service.

  • AGAlumB
    AGAlumB
    1Password Alumni

    No worries. Thanks for the update. :) We do have a great native Android app, but indeed that could be problematic for you if you're determined to use Google's OS without any Google services, since 1Password uses their store so that users benefit from the ecosystem of signed, verified apps and update mechanisms (for the OS too). But even if you're not going to use 1Password, we'd rather you use something else than nothing at all. Cheers!

This discussion has been closed.