Maciej Gol committed
# op-askpass

Load password-protected ssh keys to your agent without prompts using 1Password.

Currently tested on Ubuntu only.

## Getting started

```bash
$ pip install op-askpass
# This installs 1Password cli locally.
$ op-askpass setup-op-client my.1password.com my_username@gmail.com
$ op-askpass add-key ~/.ssh/id_rsa "my 1Password item name"
# This fetches the password from 1Password and calls ssh-add.
$ op-askpass login my
```

If your operating system (like Ubuntu 18) automatically adds ssh keys but does not
unlock them, use `op-askpass login --no-skip-existing`.

If your system does not have the `gpg` binary to verify the signature of the `op` client,
use `op-askpass setup-op-client --no-verify`.

## Details

`op-askpass` stores a small configuration file and the 1Password CLI, called `op`,
in your `$HOME/.op-askpass` directory.

The configuration file contains a mapping from ssh key fingerprint to key path
and 1Password item name. The key path is needed for loading the key when
calling `op-askpass login`. The item name is used to look up the password, which
is supplied in place of the prompt.

Underneath, `op-askpass` uses the `SSH_ASKPASS` command to override the prompt and
instead provide the password from 1Password. The only prompt is shown during
`op-askpass login` to retrieve a 30-minute session key.
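
The `SSH_ASKPASS` mechanism described above, sketched as an added example (this is not `op-askpass`'s own code). The prompt wording matched by `PROMPT_RE`, the sample config and the `fetch_secret` callable are assumptions made for illustration; the helper answers only first-try passphrase prompts for registered keys and fails closed on everything else.

```python
import os
import re
import sys

# Constructed sample of the mapping described above; every value is made up.
SAMPLE_CONFIG = {
    "SHA256:constructed-fingerprint": {
        "key_path": "/home/alice/.ssh/id_rsa",
        "item_name": "my 1Password item name",
    },
}

# Assumed wording of ssh-add's first passphrase prompt. The retry prompt is
# deliberately not matched: a retry means the stored secret was wrong.
PROMPT_RE = re.compile(
    r"^Enter passphrase for (?P<path>.+?)(?: \(will confirm each use\))?: ?$")


def _norm(path):
    return os.path.realpath(os.path.expanduser(path))


def item_for_prompt(prompt, config):
    """Return the item name for the key named in the prompt, else None."""
    match = PROMPT_RE.match(prompt)
    if match is None:
        return None  # not a first-try passphrase prompt: do not answer
    wanted = _norm(match.group("path"))
    for entry in config.values():
        if _norm(entry["key_path"]) == wanted:
            return entry["item_name"]
    return None  # key was never registered: do not answer


def askpass_env(helper_path, base_env):
    """Copy of base_env that makes ssh-add run helper_path instead of prompting."""
    env = dict(base_env, SSH_ASKPASS=helper_path, SSH_ASKPASS_REQUIRE="force")
    env.setdefault("DISPLAY", ":0")  # OpenSSH before 8.4 needs DISPLAY set
    return env


def askpass_main(argv, config, fetch_secret):
    """Helper entry point: prompt arrives as argv[1], answer goes to stdout."""
    item = item_for_prompt(argv[1] if len(argv) > 1 else "", config)
    if item is None:
        return 1  # fail closed: non-zero exit and nothing on stdout
    sys.stdout.write(fetch_secret(item) + "\n")
    return 0
```

Pass `askpass_env(helper_path, os.environ)` as `env=` to `subprocess.run(["ssh-add", key_path], stdin=subprocess.DEVNULL)` so that the helper is the only source of the passphrase.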

You can list the keys added to `op-askpass` with the `list-keys` command, and delete the ones
you no longer need with `op-askpass delete-key <path_to_key>`.


### 1Password integration

For regular, non-company users the 1Password domain is `my.1password.com`. For
company users it is usually `company.1password.com`.

Currently, only `password` 1Password items are supported.