CLI Authentication without intervention

Toebee (Community Member)

We have a completely automated script for service accounts when requested by a user. The only thing that is missing is being able to allow the script to log in, then post the new login, and log out. I'd make a new user for the Vault that has Write access only. This way the service account would be able to create the accounts but not be able to pull or modify existing information, making the process more secure.
Is it possible to have an unattended script log in and post the new account information? If so, please share this information, as I have been racking my brain trying to get this piece working. It is the only step left to have a completely hands-off process for creating service accounts.
No matter what I do, I can't seem to pass the password to the op command to log in without intervention.
Thanks in advance


1Password Version: 0.4.1
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • Hi @Toebee,

    Currently it's possible, as you can pipe the Master Password to the op signin command. The tricky part is how to protect the Master Password. You have a few options there, like gpg, HashiCorp's Vault, etc., but there's currently nothing in the CLI tool itself to make that part easier. It's something we'd like to achieve, but we aren't there yet.

    I hope this helps.

    Rick

  • Toebee (Community Member)

    We use this in Jenkins, so they are masked by the application, with limited access to those settings. That makes it much easier for situations like this. I'm having trouble with which way the pipe should be. Do you happen to have an example of the password being piped in? Thanks for your help.

  • @Toebee

    eval $(echo "my master password" | op signin agilebits) works here. I definitely wouldn't recommend using echo for it, but that's the simplest way to show an example.

    Hope that helps.

    Rick

  • Toebee (Community Member)

    Sorry to keep bothering you about this, but I'm using PowerShell and I just can't seem to pass the password through. I use Invoke-Expression $(op signin company), which prompts for the password and works great, but if I try to do an Invoke-Expression $($pass | op signin company), and many variations of this, I just get "authentication required", which tells me it isn't properly passing the information. I've even replaced $pass with Write-Out "MyPassword" and it still gives me grief. Thanks for all your help with this; even though this is giving me grief, it's been a great puzzle to figure out.

  • HippoMan (Community Member), edited May 2018

    I have had similar issues in certain cases under linux.
    Here's what I did to fix the problem in that environment.
    Perhaps something similar could be done under PowerShell ...

    I created the following shell script and made it executable (let's call it oplogin) ...

    #!/bin/sh
    # Read the password from whatever stdin is (a pipe, the terminal, or a redirected file)
    # and hand it to op signin unchanged, passing any arguments straight through.
    /bin/cat - | op signin "${@}"
    # Propagate op's exit status so a failed signin is visible to the caller.
    exit $?
    

    Then, I can do all of the following, and it works fine:
    1. echo foo | oplogin [arguments]
    2. oplogin [arguments] and then entering the password manually at the terminal followed by EOF
    3. oplogin [arguments] <file where "file" contains the password

    The use of /bin/cat - makes sure that the password always gets piped into op signin in a consistent manner, no matter how stdin is piped or redirected into the enclosing script.

    I'm not very familiar with PowerShell, but if you could do the moral equivalent of this /bin/cat - methodology under that environment, this might solve your problem.

  • I would not recommend putting your password in clear text into a file on disk.

    @Toebee : we'll try to figure out the Powershell equivalent of the command I used above.

    Rick

  • HippoMan (Community Member)

    Agreed about a cleartext password not being stored on disk. I just gave that as an example of how the /bin/cat - can work well to get around the op signin stdin issues. Writing a script which does /bin/cat - | op signin ...etc... will allow the data to be piped or redirected into op signin in any way that is possible.

  • Toebee (Community Member), edited May 2018

    @HippoMan I've tried all the equivalent variations in PS to no avail. The equivalent is pretty much the following:
    Invoke-Expression $(write-output '$pass'|op signin company)
    That will output the password and pipe it to the op command, but that just gives me the error:
    Invoke-Expression : Cannot bind argument to parameter 'Command' because it is null.
    I've tried many variations of that as well, including having the password right there in clear text (of course that is ONLY for testing).
    I figure once I understand how it is getting passed through (if it is getting passed through), then I can make the necessary adjustments. Finding the solution to this will be a great step forward for the many PS users out there. :)

  • HippoMan (Community Member), edited May 2018

    I'm not sure if this will help you, but I noticed that op signin seems to fail if the $HOME environment variable is not set. Try setting HOME to a valid login directory, and export HOME before invoking op signin. That might help.

  • I don't think it's actually getting to the point of executing op there, so I doubt the $HOME issue is at play here (also I thought we fixed that?).

    @cohix has a VM running Windows, so he should be able to figure out what's going on.

    Rick

  • Toebee (Community Member)

    Thanks guys! I really appreciate all the help. @HippoMan The $HOME setting doesn't help. I would imagine that if that had an effect then I wouldn't even be able to use op signin the regular way, and not just inside of a script.

  • HippoMan (Community Member)

    Yes, I now realize that the $HOME issue no longer exists in version 0.4.1, anyway. I saw it in the past, and that's why I suggested it as a possibility here, not knowing that it has now been fixed.

  • cohix (1Password Alumni)

    @Toebee First of all, thanks for pushing us to make sure all of the PS use-cases are rock solid, we never want to leave anyone out in the cold.

    I am not a Windows user, but I threw together this PS script:

    # Test password in a plain variable, for demonstration only (never put a real one in a script).
    # Note that $PWD is also PowerShell's automatic current-directory variable, so a dedicated
    # name is safer than shadowing it.
    $PWD = "testaccountpass"

    # Pipe the password to op.exe on stdin and evaluate the session-variable assignment it prints.
    Invoke-Expression $($PWD | ./op.exe signin {accountname})

    # Subsequent op commands pick the session up from that environment variable.
    ./op.exe get account
    

    Which, when run in Powershell worked for me. If I am misunderstanding the issue, please let me know, and if you have a specific script that isn't working for you, could you please post it here?

    Is it possible that since I'm running the exe from the same directory, that I'm getting a different result?

    Also, as an aside, could you check to make sure you're running version 0.4.1? If you run op.exe --version, it'll let you know.

    Cheers,
    Connor

  • Toebee (Community Member)

    OMG!!!! I am now going to have to admit to my 'failure'. In every iteration I've done, I've typed the wrong password. Every variable I created, every encrypted variable and even every clear-text attempt, I've entered 1 character wrong every time for hours of testing. Talk about a rookie move. How much time I could've saved for all of us, for the simplest mistake. Thank you all for the time you put into this, and I apologize for my 'typing error' :'(

    Now to lift my head back up and finish my automation. Thanks again!

  • HippoMan (Community Member)

    You have just now provided a valuable service: you helped to verify and validate the security of the 1Password CLI module under a large variety of input scenarios. :)

  • Toebee (Community Member)

    True. Something to check out is authenticating within PowerShell ISE. What I have noticed in that is if you use a bad password, the entire command just hangs indefinitely. You have to kill the command. Maybe some kind of error code/stop would be helpful here.

  • HippoMan (Community Member), edited May 2018

    Hmm ... is PowerShell waiting for output from stdout, perhaps?
    If so, is there a way to get PowerShell to combine stderr into stdout when running op signin ...?

    In linux shells, it would look like this: op signin ... 2>&1

    This is just a wild guess, by the way.

  • That's a solid theory, HippoMan.

    Rick
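Putting Connor's working snippet and HippoMan's hang theory together, here is an added example, written for this edit and not code from 1Password or from anyone in the thread, of how I would run op signin unattended from a PowerShell job such as the Jenkins one Toebee describes. It assumes: the Master Password arrives in an environment variable named OP_MASTER_PASSWORD (a Jenkins credentials binding, for instance) rather than on the command line or in a file on disk; op.exe signin <shorthand> prints a single $env:OP_SESSION_<shorthand> = "<token>" assignment on success and exits non-zero with the reason on stderr on failure; op signout is available in the installed version; and the account has already been added once interactively on that machine. Instead of Invoke-Expression on whatever op printed, it accepts only the expected assignment and sets the variable itself, and it bounds the wait so a wrong password fails the job instead of hanging it.

```powershell
# Added example: unattended `op signin` from PowerShell (not code from the thread or from 1Password).
# Assumptions:
#   - OP_MASTER_PASSWORD is set in the environment by the CI system (e.g. a Jenkins
#     credentials binding); it is never passed on the command line or written to disk.
#   - `op.exe signin <shorthand>` prints a line of the form
#       $env:OP_SESSION_<shorthand> = "<token>"
#     on success, and exits non-zero with the reason on stderr on failure.
#   - The account was added once interactively on this machine (Secret Key, and 2FA if
#     enabled), so only the Master Password is needed here.

function Invoke-OpSignin {
    [CmdletBinding()]
    param(
        # Account shorthand as used with `op signin`; restricted so a user-supplied
        # value cannot smuggle extra arguments onto the command line.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9_.-]+$')] [string] $Account,
        [string] $OpPath = 'op.exe',
        [int] $TimeoutSeconds = 30
    )

    $masterPassword = $env:OP_MASTER_PASSWORD
    if ([string]::IsNullOrEmpty($masterPassword)) {
        throw 'OP_MASTER_PASSWORD is not set; refusing to fall back to an interactive prompt.'
    }

    # Redirect all three standard streams: the password goes in through stdin, and we
    # keep stdout/stderr ourselves instead of evaluating them.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = $OpPath
    $psi.Arguments              = "signin $Account"
    $psi.UseShellExecute        = $false
    $psi.CreateNoWindow         = $true
    $psi.RedirectStandardInput  = $true
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true

    $proc = [System.Diagnostics.Process]::Start($psi)
    try {
        # Start draining both output streams before writing, so a full pipe buffer can
        # never deadlock the child; then send the password and close stdin (op reads to EOF).
        $stdoutTask = $proc.StandardOutput.ReadToEndAsync()
        $stderrTask = $proc.StandardError.ReadToEndAsync()
        $proc.StandardInput.WriteLine($masterPassword)
        $proc.StandardInput.Close()

        # Bound the wait: a rejected password or an unexpected prompt must fail the job,
        # not leave it hanging until someone kills it by hand.
        if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
            try { $proc.Kill() } catch { }
            throw "op signin $Account did not finish within $TimeoutSeconds s (wrong password or unexpected prompt?)"
        }
        $exitCode = $proc.ExitCode
        $stdout   = $stdoutTask.Result
        $stderr   = $stderrTask.Result
    }
    finally {
        $proc.Dispose()
    }

    if ($exitCode -ne 0) {
        # stderr is where op reports why it refused the signin; surface it in the failure.
        throw "op signin $Account failed (exit $exitCode): $($stderr.Trim())"
    }

    # Do not Invoke-Expression whatever op printed. Accept exactly the expected
    # assignment to an OP_SESSION_* variable with a token of safe characters, and
    # set that variable ourselves; anything else is treated as an error.
    $pattern = '^\s*\$env:(OP_SESSION_[A-Za-z0-9_]+)\s*=\s*"([A-Za-z0-9_\-=]+)"\s*$'
    foreach ($line in ($stdout -split "`r?`n")) {
        if ($line -match $pattern) {
            Set-Item -Path "env:$($Matches[1])" -Value $Matches[2]
            return $Matches[1]          # name of the session variable that was set
        }
    }
    throw "op signin $Account printed no recognisable session line; refusing to evaluate its output."
}

# Job body: sign in, do the work, then drop the session whatever happens.
$sessionVar = Invoke-OpSignin -Account 'company'
try {
    & op.exe get account | Out-Null     # every op command now reads $env:OP_SESSION_company
    # ... create the requested service account here ...
}
finally {
    & op.exe signout                    # invalidate the session server-side
    Remove-Item -Path "env:$sessionVar" -ErrorAction SilentlyContinue
}
```

The environment variable is still readable by any other process running as the same user on the agent, which is why the job user should be dedicated to this task and why the session is signed out and the variable removed as soon as the work is done.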

  • Barriebethal (Community Member)

    The following code works well, but how can you achieve the same but now with a one-time password?

    $PWD = "testaccountpass"

    Invoke-Expression $($PWD | ./op.exe signin {accountname})

    ./op.exe get account

  • felix_1p (1Password Alumni)

    @Barriebethal You mean in the case the account uses 2FA? It would be similar to how you deal with the Secret Key: You would have to log into the account "manually" at least one time, at which point you provide the Secret Key, Master Password and 2FA code. After the first successful signin only the Master Password is required for subsequent authorization.

  • Barriebethal (Community Member)

    @felix_1p I have logged on via the app and website. But when I use the command line tool it still requires the OTP.

  • felix_1p (1Password Alumni)

    @Barriebethal The command line tool is a separate client. The first time you log into an account after enabling 2FA you will be asked for that token. After that you shouldn't be asked again. However there is a small bug that if you provide URL, email and Secret Key to signin, i.e.

    op signin <url> <email> <secret key>
    

    then you will be asked again. If you login just providing the account name or URL, i.e.

    op signin <url>
    

    you should not be asked again.

This discussion has been closed.