How to use Bitwarden CLI with macOS Touch ID

If you want to use Bitwarden CLI for ssh have a look at: How to use use Bitwarden CLI for SSH-Keys in macOS

Wirtten and tested on macOS Ventura

Configure Touch ID for the sudo command

To allow Touch ID on your Mac to authenticate you for sudo access instead of a password you need to do the following.

• Open Terminal
• Switch to the root user with: sudo -i
• Edit /etc/pam.d/sudo:

nano /etc/pam.d/sudo

The contents of this file should look like this:

# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

• You need to add an additional auth line to the top:

auth sufficient pam_tid.so

• So it now looks like this:

# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

• Save the file with ctrl o and exit with crtl x

• Try to use sudo, and you should be prompted to authenticate with Touch ID.

Source: https://apple.stackexchange.com/a/306324/409134

Get bw to use Touch ID (via sudo)

• Add the following line to your .zshrc with: nano ~/.zshrc

export BW_USER='<YOUR-USER>'

bw() {
  bw_exec=$(sh -c "which bw")
  local -r bw_session_file='/var/root/.bitwarden.session' # Only accessible as root

  _read_token_from_file() {

    local -r err_token_not_found="Token not found, please run bw --regenerate-session-key"
    case $1 in
    '--force')
      unset bw_session
      ;;
    esac

    if [ "$bw_session" = "$err_token_not_found" ]; then
      unset bw_session
    fi

    # If the session key env variable is not set, read it from the file
    # if file it not there, ask user to regenerate it

    if [ -z "$bw_session" ]; then
      bw_session="$(
        sh -c "sudo cat $bw_session_file 2> /dev/null"
        # shellcheck disable=SC2181
        if [ "$?" -ne "0" ]; then
          echo "$err_token_not_found"
          sudo -k # De-elevate privileges
          exit 1
        fi
        sudo -k # De-elevate privileges
      )"

      # shellcheck disable=SC2181
      if [ "$bw_session" = "$err_token_not_found" ]; then
        echo "$err_token_not_found"
        return 1
      fi
    fi
  }

  case $1 in
  '--regenerate-session-key')
    echo "Regenerating session key, this has invalidated all existing sessions..."
    sudo rm -f /var/root/.bitwarden.session && ${bw_exec} logout 2>/dev/null # Invalidate all existing sessions

    ${bw_exec} login "${BW_USER}" --raw | sudo tee /var/root/.bitwarden.session &>/dev/null # Generate new session key

    _read_token_from_file --force # Read the new session key for immediate use
    sudo -k                       # De-elevate privileges, only doing this now so _read_token_from_file can resuse the same sudo session
    ;;

  'login' | 'logout' | 'config')
    ${bw_exec} "$@"
    ;;


  '--help' | '-h' | '')
    ${bw_exec} "$@"
    echo "To regenerate your session key type:"
    echo "  bw --regenerate-session-key"
    ;;

  *)
    _read_token_from_file

    ${bw_exec} "$@" --session "$bw_session"
    ;;
  esac
}

• Then run: exec zsh and bw --regenerate-session-key

If you logout of bitwarden cli again you have to generate a new sessionkey! This might be usefull when traveling internationally.

Now you're good to go! Use with e.g.:

bw get item 99ee88d2-6046-4ea7-92c2-acac464b1412

The default sudo timout will be applied (Change sudo timeout)

Edits:

27.08.2023: Updated the help menu, credits to Moulick

10.09.2023: Don't keep elevated rights in Terminal, credits to Moulick