Yubikey and session sharing across terminals
Hi,
I have activated 2FA on my 1Password account. Each time I have to log in in a terminal, I have to enter the 2FA auth code. As I am a bit lazy (or too occupied to lose some time with this ;) ), I was wondering if the CLI supports the Yubikey?
Another question is related to session management: I use terminals heavily. In each terminal I launch I need to re-authenticate. Do you have some good practices to share to improve the auth user experience without sacrificing security too much?
I was thinking about storing the session key in a tmp file created with mktemp, or a file in a RAM disk, and adding a source command in my .zshrc if the file exists.
Thanks,
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
@mickael an upcoming version will support what we call the dsecret, meaning that after you authenticate once with a particular account, you will not need to 2FA again using the CLI.
You cannot reuse a session file: once the session dies on the server, you cannot use that session file to create a new one, as it does not have all of the cryptographic parts that it needs to negotiate a new session.
Once again, in a future update (probably not the next one, but maybe the one after), we will have a mechanism by which the CLI will be able to authenticate itself without the need to re-enter the master password each time, but that will be opt-in and not the default.
0 -
I ended up with the following "solution":
In my .zshrc:

```bash
#!/usr/bin/env bash
# Pick the newest opsessions.* file in $TMPDIR and source it so this shell
# inherits the OP_SESSION_* exports written by opsign.sh.
# xargs -r: do not run ls when no session file exists (GNU; a no-op on macOS),
# otherwise ls would list the current directory and a random file could be sourced.
OP_SESSIONSHARING_FILE=$(find "${TMPDIR:-/tmp}" -maxdepth 1 -name "opsessions.*" -print0 \
  | xargs -0 -r ls -1 -t | head -1)
if [[ -n "$OP_SESSIONSHARING_FILE" ]] && [[ -f "$OP_SESSIONSHARING_FILE" ]]; then
  . "$OP_SESSIONSHARING_FILE"
else
  # No session file yet: create an empty one (mktemp gives it mode 0600).
  mktemp -t opsessions > /dev/null
fi
# The script prints "export ..." lines, which the aliases eval in this shell.
alias oplogin='eval $(opsign.sh in)'
alias oplogout='eval $(opsign.sh out)'
```
And my opsign.sh script:

```bash
#!/usr/bin/env bash
set -e
TEAM_SESSION_KEY=
MY_SESSION_KEY=
ACTION=${1:-in}

# The script's stdout is eval'd by the oplogin/oplogout aliases, so error
# messages must go to stderr or they would be evaluated as shell commands.
function checks() {
  if ! command -v op > /dev/null; then
    echo "1Password CLI (op) is not installed." >&2
    exit 1
  fi
  if [[ -z "$OP_TEAM_SHORTHAND" ]]; then
    echo "OP_TEAM_SHORTHAND environment variable missing" >&2
    exit 1
  fi
  if [[ -z "$OP_SESSIONSHARING_FILE" ]]; then
    mktemp -t opsessions > /dev/null
  fi
}

# Remove every session file except the newest one.
# xargs -r: do not run the command on empty input (GNU; a no-op on macOS),
# otherwise ls would list the current directory and rm would fail under set -e.
cleanup() {
  find "${TMPDIR:-/tmp}" -maxdepth 1 -name "opsessions.*" -print0 \
    | xargs -0 -r ls -1 -t | tail -n +2 | xargs -r /bin/rm
}

function initSessionSharingTempFile() {
  echo "#!/usr/bin/env bash" > "$OP_SESSIONSHARING_FILE"
}

# Sign in to both accounts and keep the raw session tokens in memory.
function op_signin() {
  TEAM_SESSION_KEY=$(op signin "$OP_TEAM_SHORTHAND" --output=raw)
  MY_SESSION_KEY=$(op signin my --output=raw)
}

# Delete the shared file, end the server session and clear the variables
# in the calling shell (the echoed exports are eval'd by the alias).
function op_signout() {
  if [[ -f "$OP_SESSIONSHARING_FILE" ]]; then
    /bin/rm "$OP_SESSIONSHARING_FILE"
  fi
  op signout
  echo "export OP_SESSION_${OP_TEAM_SHORTHAND}="
  echo "export OP_SESSION_my="
}

function persistSessionKeys() {
  echo "export OP_SESSION_${OP_TEAM_SHORTHAND}=${TEAM_SESSION_KEY}"
  echo "export OP_SESSION_my=${MY_SESSION_KEY}"
}

# Newest opsessions.* file in $TMPDIR (mktemp created it with mode 0600).
function getSessionSharingFile() {
  find "${TMPDIR:-/tmp}" -maxdepth 1 -name "opsessions.*" -print0 \
    | xargs -0 -r ls -1 -t | head -1
}

checks
cleanup
if [[ "$ACTION" == "in" ]]; then
  op_signin
  OP_SESSIONSHARING_FILE=$(getSessionSharingFile)
  initSessionSharingTempFile
  persistSessionKeys >> "$OP_SESSIONSHARING_FILE"   # for other terminals
  persistSessionKeys                                 # for this terminal (eval'd)
else
  OP_SESSIONSHARING_FILE=$(getSessionSharingFile)
  op_signout
fi
```
To log in I run oplogin and to log out oplogout.
Published here also: https://gist.github.com/mickaelperrin/2e155fc054f80fe948441962c367ae75
0 -
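The scripts above trust whatever opsessions.* file is newest in $TMPDIR and source it as shell code. As an added example (not the poster's gist and not part of the original thread), this is a hardened variant of the same pattern: the file is created under a per-user directory with umask 077, the token is validated before it is written into a file that will later be sourced, and the loader refuses files that are symlinks, not owned by the current user, not mode 0600, or older than a configurable age. OP_SESSION_DIR, OP_SESSION_MAX_MIN and the function names are assumptions; the token itself still comes from op signin.

```shell
#!/usr/bin/env bash
# Added example, not the poster's gist: a hardened version of the
# "source the newest opsessions.* file from $TMPDIR" pattern in this thread.
# Assumptions: the file holds only "export OP_SESSION_<name>=<token>" lines,
# and the caller obtains the token itself (e.g. from "op signin --output=raw").

# Store one session export in a private, freshly created file; print its path.
# $1 = account shorthand, $2 = session token. Tokens containing anything but
# the characters below are refused, since the file is later sourced as code.
op_session_store() {
  case "$2" in ''|*[!A-Za-z0-9_=/+-]*) echo "refusing suspicious token" >&2; return 1;; esac
  local dir file
  dir="${OP_SESSION_DIR:-${TMPDIR:-/tmp}/opsession-$(id -u)}"
  (umask 077 && mkdir -p "$dir") || return 1
  file=$(umask 077 && mktemp "$dir/opsessions.XXXXXX") || return 1
  printf 'export OP_SESSION_%s=%s\n' "$1" "$2" > "$file"
  printf '%s\n' "$file"
}

# Accept only a regular (non-symlink) file owned by us with mode 0600 that is
# younger than $OP_SESSION_MAX_MIN minutes (default 30, the server idle limit
# this thread works around). Returns 0 when it is safe to source.
op_session_check() {
  local file="$1" max="${OP_SESSION_MAX_MIN:-30}" mode owner
  [ -f "$file" ] && [ ! -L "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
  if mode=$(stat -c '%a' "$file" 2>/dev/null); then
    owner=$(stat -c '%u' "$file")                                  # GNU stat
  else
    mode=$(stat -f '%Lp' "$file"); owner=$(stat -f '%u' "$file")   # BSD/macOS stat
  fi
  [ "$owner" = "$(id -u)" ] || { echo "not owned by you: $file" >&2; return 1; }
  [ "$mode" = "600" ] || { echo "mode $mode is not 0600: $file" >&2; return 1; }
  [ -z "$(find "$file" -mmin +"$max")" ] || { echo "older than ${max} min: $file" >&2; return 1; }
}

# Source the newest session file, but only after it passes op_session_check.
op_session_load() {
  local dir file
  dir="${OP_SESSION_DIR:-${TMPDIR:-/tmp}/opsession-$(id -u)}"
  file=$(find "$dir" -maxdepth 1 -type f -name 'opsessions.*' -print0 2>/dev/null \
         | xargs -0 -r ls -1t 2>/dev/null | head -n 1)
  [ -n "$file" ] && op_session_check "$file" && . "$file"
}
```

Source this file from .zshrc and call op_session_load instead of sourcing the newest file directly; a rejected file is reported on stderr and never evaluated.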
Strange, I created a long post with the details but it disappears after editing it...
So, to be concise, I implemented the following solution to share my sessions across terminals:
https://gist.github.com/mickaelperrin/2e155fc054f80fe948441962c367ae75
Then I use oplogin and oplogout to sign in / sign out.
0 -
For those who are not confident in storing the env var in a plain text file, I have updated my gist to store it encrypted with gpg.
0 -
Very nice! I like that solution quite a bit. I like that you made it resilient to all sorts of edge cases, too :)
0 -
I updated my gist to easily handle the update of OP_ env variables in existing terminals. Just run opup. The gist also indicates how to grab OP_ env variables in custom shell scripts.
https://gist.github.com/mickaelperrin/2e155fc054f80fe948441962c367ae75
0 -
Awesome. Thanks for creating that.
Rick
0 -
To come back to my first question, and as I plan more and more to move my main GPG keys to a Yubikey, could you explain what the impact of registering a Yubikey in 1Password is?
The documentation explains:
Your 1Password account is now protected by two-factor authentication. To continue using your account on other devices or to sign in to it on a new device, you’ll need to enter a six-digit authentication code from Yubico Authenticator.
Does it change how the CLI or iPhone or whatever application works? Do I need to generate the Yubikey 2FA code to unlock on any device, especially in the iPhone app?
0 -
@mickael: Nope! Yubikey, like any other two-factor authentication, is a second factor of authentication, so it's only used when authenticating, i.e. when you sign into the account, not when you unlock 1Password (with only your Master Password). So the difference would be when signing in initially in the app/browser, not when using it normally after that. :)
0