If you want to use Bitwarden CLI for ssh
have a look at: How to use use Bitwarden CLI for SSH-Keys in macOS
Wirtten and tested on macOS Ventura
To allow Touch ID on your Mac to authenticate you for sudo access instead of a password you need to do the following.
- Open Terminal
- Switch to the root user with:
sudo -i
- Edit
/etc/pam.d/sudo
:
nano /etc/pam.d/sudo
The contents of this file should look like this:
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
- You need to add an additional auth line to the top:
auth sufficient pam_tid.so
- So it now looks like this:
# sudo: auth account password session
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
-
Save the file with
ctrl o
and exit withcrtl x
-
Try to use sudo, and you should be prompted to authenticate with Touch ID.
Source: https://apple.stackexchange.com/a/306324/409134
- Add the following line to your
.zshrc
with:nano ~/.zshrc
export BW_USER='<YOUR-USER>'
bw() {
bw_exec=$(sh -c "which bw")
local -r bw_session_file='/var/root/.bitwarden.session' # Only accessible as root
_read_token_from_file() {
local -r err_token_not_found="Token not found, please run bw --regenerate-session-key"
case $1 in
'--force')
unset bw_session
;;
esac
if [ "$bw_session" = "$err_token_not_found" ]; then
unset bw_session
fi
# If the session key env variable is not set, read it from the file
# if file it not there, ask user to regenerate it
if [ -z "$bw_session" ]; then
bw_session="$(
sh -c "sudo cat $bw_session_file 2> /dev/null"
# shellcheck disable=SC2181
if [ "$?" -ne "0" ]; then
echo "$err_token_not_found"
sudo -k # De-elevate privileges
exit 1
fi
sudo -k # De-elevate privileges
)"
# shellcheck disable=SC2181
if [ "$bw_session" = "$err_token_not_found" ]; then
echo "$err_token_not_found"
return 1
fi
fi
}
case $1 in
'--regenerate-session-key')
echo "Regenerating session key, this has invalidated all existing sessions..."
sudo rm -f /var/root/.bitwarden.session && ${bw_exec} logout 2>/dev/null # Invalidate all existing sessions
${bw_exec} login "${BW_USER}" --raw | sudo tee /var/root/.bitwarden.session &>/dev/null # Generate new session key
_read_token_from_file --force # Read the new session key for immediate use
sudo -k # De-elevate privileges, only doing this now so _read_token_from_file can resuse the same sudo session
;;
'login' | 'logout' | 'config')
${bw_exec} "$@"
;;
'--help' | '-h' | '')
${bw_exec} "$@"
echo "To regenerate your session key type:"
echo " bw --regenerate-session-key"
;;
*)
_read_token_from_file
${bw_exec} "$@" --session "$bw_session"
;;
esac
}
- Then run:
exec zsh
andbw --regenerate-session-key
If you logout of bitwarden cli again you have to generate a new sessionkey! This might be usefull when traveling internationally.
Now you're good to go! Use with e.g.:
bw get item 99ee88d2-6046-4ea7-92c2-acac464b1412
The default sudo
timout will be applied (Change sudo
timeout)
27.08.2023: Updated the help menu, credits to Moulick
10.09.2023: Don't keep elevated rights in Terminal, credits to Moulick
This now caches the token into an env var rather than reading from the file. Which means we only need to read the file once per session. After read/writing to the file,
sudo
is revoked withsudo -k
. Then I added some error handling for different situations. Now this works in all cases, file missing, env var missing etc.