If you want to use Bitwarden CLI for ssh have a look at: How to use use Bitwarden CLI for SSH-Keys in macOS
Wirtten and tested on macOS Ventura
To allow Touch ID on your Mac to authenticate you for sudo access instead of a password you need to do the following.
- Open Terminal
- Switch to the root user with:
sudo -i - Edit
/etc/pam.d/sudo:
nano /etc/pam.d/sudoThe contents of this file should look like this:
# sudo: auth account password session
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so- You need to add an additional auth line to the top:
auth sufficient pam_tid.so
- So it now looks like this:
# sudo: auth account password session
auth sufficient pam_tid.so
auth sufficient pam_smartcard.so
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so-
Save the file with
ctrl oand exit withcrtl x -
Try to use sudo, and you should be prompted to authenticate with Touch ID.
Source: https://apple.stackexchange.com/a/306324/409134
- Add the following line to your
.zshrcwith:nano ~/.zshrc
export BW_USER='<YOUR-USER>'
bw() {
bw_exec=$(sh -c "which bw")
local -r bw_session_file='/var/root/.bitwarden.session' # Only accessible as root
_read_token_from_file() {
local -r err_token_not_found="Token not found, please run bw --regenerate-session-key"
case $1 in
'--force')
unset bw_session
;;
esac
if [ "$bw_session" = "$err_token_not_found" ]; then
unset bw_session
fi
# If the session key env variable is not set, read it from the file
# if file it not there, ask user to regenerate it
if [ -z "$bw_session" ]; then
bw_session="$(
sh -c "sudo cat $bw_session_file 2> /dev/null"
# shellcheck disable=SC2181
if [ "$?" -ne "0" ]; then
echo "$err_token_not_found"
sudo -k # De-elevate privileges
exit 1
fi
sudo -k # De-elevate privileges
)"
# shellcheck disable=SC2181
if [ "$bw_session" = "$err_token_not_found" ]; then
echo "$err_token_not_found"
return 1
fi
fi
}
case $1 in
'--regenerate-session-key')
echo "Regenerating session key, this has invalidated all existing sessions..."
sudo rm -f /var/root/.bitwarden.session && ${bw_exec} logout 2>/dev/null # Invalidate all existing sessions
${bw_exec} login "${BW_USER}" --raw | sudo tee /var/root/.bitwarden.session &>/dev/null # Generate new session key
_read_token_from_file --force # Read the new session key for immediate use
sudo -k # De-elevate privileges, only doing this now so _read_token_from_file can resuse the same sudo session
;;
'login' | 'logout' | 'config')
${bw_exec} "$@"
;;
'--help' | '-h' | '')
${bw_exec} "$@"
echo "To regenerate your session key type:"
echo " bw --regenerate-session-key"
;;
*)
_read_token_from_file
${bw_exec} "$@" --session "$bw_session"
;;
esac
}- Then run:
exec zshandbw --regenerate-session-key
If you logout of bitwarden cli again you have to generate a new sessionkey! This might be usefull when traveling internationally.
Now you're good to go! Use with e.g.:
bw get item 99ee88d2-6046-4ea7-92c2-acac464b1412
The default sudo timout will be applied (Change sudo timeout)
27.08.2023: Updated the help menu, credits to Moulick
10.09.2023: Don't keep elevated rights in Terminal, credits to Moulick
Though I get prompted for touch ID, I still get asked for my master password and 2FA 😢 Is there a way to not have to input master password/2fa everytime?