CLI Authentication without intervention
We have a completely automated script for service accounts when requested by a user. The only thing that is missing is being able to allow the script to log in, then post the new login and log out. I'd make a new user for the Vault that has Write access only. This way the service account would be able to create the accounts but not be able to pull or modify existing information, making the process more secure.
Is it possible to have an unattended script log in and post the new account information? If so, please share this information, as I have been racking my head trying to get this piece working. It is the only step left to have a completely hands-off process for creating service accounts.
No matter what I do, I can't seem to pass the password to the op command to log in without intervention.
Thanks in advance
1Password Version: 0.4.1
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
-
Hi @Toebee,
Currently it's possible, as you can pipe the Master Password to the op signin command. The tricky part is how to protect the Master Password. You have a few options there like gpg, HashiCorp's Vault, etc., but there's currently nothing in the CLI tool itself to make that part easier. It's something we'd like to achieve but we aren't there yet. I hope this helps.
Rick
0 -
We use this in Jenkins so they are masked by the application with limited access to those settings. Makes it much easier for situations like this. I'm having trouble with which way the pipe should be. Do you happen to have an example of the password being piped in? Thanks for your help.
0 -
eval $(echo "my master password" | op signin agilebits)
works here. I definitely wouldn't recommend using echo for it, but that's the simplest way to show an example. Hope that helps.
Rick
0 -
Sorry to keep bothering you about this, but I'm using PowerShell and I just can't seem to pass the password through. I use Invoke-Expression $(op signin company), which prompts for the password and works great, but if I try to do an Invoke-Expression $($pass | op signin company) and many variations of this I just get "authentication required", which tells me it isn't properly passing the information. I've even replaced $pass with Write-Output "MyPassword" and it still gives me grief. Thanks for all your help with this; even though this is giving me grief, it's been a great puzzle to figure out.
0 -
I have had similar issues in certain cases under Linux.
Here's what I did to fix the problem in that environment. Perhaps something similar could be done under PowerShell ...
I created the following shell script and made it executable (let's call it oplogin):
#!/bin/sh
/bin/cat - | op signin "${@}"
exit $?
Then, I can do all of the following, and it works fine:
1. echo foo | oplogin [arguments]
2. oplogin [arguments]
and then entering the password manually at the terminal followed by EOF
3. oplogin [arguments] <file
where "file" contains the password
The use of /bin/cat - makes sure that the password always gets piped into op signin in a consistent manner, no matter how stdin is piped or redirected into the enclosing script. I'm not very familiar with PowerShell, but if you could do the moral equivalent of this /bin/cat - methodology under that environment, this might solve your problem.
0 -
I would not recommend putting your password in clear text into a file on disk.
@Toebee: we'll try to figure out the PowerShell equivalent of the command I used above.
Rick
0 -
Agreed about a cleartext password not being stored on disk. I just gave that as an example of how the /bin/cat - can work well to get around the op signin stdin issues. Writing a script which does
/bin/cat - | op signin ...etc...
will allow the data to be piped or redirected into op signin in any way that is possible.
0 -
@HippoMan I've tried all the equivalent variations in PS to no avail. The equivalent is pretty much the following:
Invoke-Expression $(write-output '$pass'|op signin company)
That will output the password and pipe it to the op command, but that just gives me the error:
Invoke-Expression : Cannot bind argument to parameter 'Command' because it is null.
I've tried many variations of that as well, including having the password right there in clear text (of course that is ONLY for testing).
I figure once I understand how it is getting passed through (if it is getting passed through) then I can make the necessary adjustments. Finding the solution to this will be a great step forward for the many PS users out there. :)
0 -
I'm not sure if this will help you, but I noticed that op signin seems to fail if the $HOME environment variable is not set. Try setting HOME to a valid login directory, and export HOME before invoking op signin. That might help.
0 -
I don't think it's actually getting to the point of executing op there, so I doubt the $HOME issue is at play here (also I thought we fixed that?).
@cohix has a VM running Windows, so he should be able to figure out what's going on.
Rick
0 -
Yes, I now realize that the $HOME issue no longer exists in version 0.4.1, anyway. I saw it in the past, and that's why I suggested it as a possibility here, not knowing that it has now been fixed.
0 -
@Toebee First of all, thanks for pushing us to make sure all of the PS use cases are rock solid; we never want to leave anyone out in the cold.
I am not a Windows user, but I threw together this PS script:
$PWD = "testaccountpass"
Invoke-Expression $($PWD | ./op.exe signin {accountname})
./op.exe get account
Which, when run in PowerShell, worked for me. If I am misunderstanding the issue, please let me know, and if you have a specific script that isn't working for you, could you please post it here?
Is it possible that since I'm running the exe from the same directory, I'm getting a different result?
Also, as an aside, could you check to make sure you're running version 0.4.1? If you run op.exe --version, it'll let you know.
Cheers,
Connor
0 -
OMG!!!! I am now going to have to admit to my 'failure'. In every iteration I've done, I've typed the wrong password. Every variable I created, every encrypted variable and even every clear text attempt, I've entered 1 character wrong every time for hours of testing. Talk about a rookie move. How much time I could've saved for all of us for the simplest mistake. Thank you all for the time you put into this and I apologize for my 'typing error' :'(
Now to lift my head back up and finish my automation. Thanks again!
0 -
You have just now provided a valuable service: you helped to verify and validate the security of the 1Password CLI module under a large variety of input scenarios. :)
0 -
True. Something to check out is authenticating within PowerShell ISE. What I have noticed in that is if you use a bad password, the entire command just hangs indefinitely. You have to kill the command. Maybe some kind of error code/stop would be helpful here.
0 -
Hmm ... is PowerShell waiting for output from stdout, perhaps?
If so, is there a way to get PowerShell to combine stderr into stdout when running op signin ...?
In Linux shells, it would look like this:
op signin ... 2>&1
This is just a wild guess, by the way.
0 -
That's a solid theory, HippoMan.
Rick
0 -
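Putting the pieces of the thread together (piping the Master Password on stdin, merging stderr so a bad password surfaces as an error instead of a hang, and checking the exit code before evaluating the session export), here is an added PowerShell example. It is not from the thread, from AgileBits or from Toebee's script; it assumes the Master Password is supplied by the CI system (for example a masked Jenkins credential) in an environment variable named OP_MASTER_PASSWORD, that op.exe 0.4.x is on PATH, and that the account shorthand "company" is a placeholder for your own.

```powershell
# Added example, not the thread's own code. Assumes OP_MASTER_PASSWORD is
# injected by the CI job (constructed name), op.exe is on PATH, and
# 'company' is a placeholder account shorthand.
$account = 'company'
$masterPassword = $env:OP_MASTER_PASSWORD
if ([string]::IsNullOrEmpty($masterPassword)) {
    throw 'OP_MASTER_PASSWORD is not set; refusing to run without a credential source.'
}

# Pipe the password on stdin, exactly as the thread does. 2>&1 folds op's
# stderr into the pipeline so an "authentication required" message is
# captured rather than leaving the console waiting, and $LASTEXITCODE tells
# us whether signin actually succeeded before we evaluate anything.
$signinOutput = $masterPassword | op.exe signin $account 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "op signin failed (exit $LASTEXITCODE): $($signinOutput | Out-String)"
}

# On success op prints the statement that sets the OP_SESSION_<account>
# variable; evaluating that statement makes the session token available to
# later op calls in this process only.
Invoke-Expression ($signinOutput | Out-String)

# Drop our copy of the password as soon as it is no longer needed.
$masterPassword = $null

# Same sanity check the thread uses: this only works with a valid session.
op.exe get account
```

Note that the example deliberately avoids the name $PWD, which PowerShell reserves for the current-directory automatic variable, and never writes the password to disk: the only place it exists is the CI secret store and, briefly, this process's memory.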
The following code works well, but how can you achieve the same but now with a one-time password?
$PWD = "testaccountpass"
Invoke-Expression $($PWD | ./op.exe signin {accountname})
./op.exe get account
0 -
@Barriebethal You mean in the case the account uses 2FA? It would be similar to how you deal with the Secret Key: You would have to log into the account "manually" at least one time, at which point you provide the Secret Key, Master Password and 2FA code. After the first successful signin only the Master Password is required for subsequent authorization.
0 -
@felix_1p I have logged on via the app and website. But when I use the command line tool it still requires the OTP.
0 -
@Barriebethal The command line tool is a separate client. The first time you log into an account after enabling 2FA you will be asked for that token. After that you shouldn't be asked again. However, there is a small bug: if you provide URL, email and Secret Key to signin, i.e.
op signin <url> <email> <secret key>
then you will be asked again. If you login just providing the account name or URL, i.e.
op signin <url>
you should not be asked again.
0