Secure passwords in scripts

We have all – I hope – started using a password manager for the gazillion passwords we all have for miscellaneous websites and systems we access. My preference is 1Password and that is what I will show in this blog.

When using it with a website it works very nice, you just select the saved login and it fills it in and you get logged in with the super complex password you have for that site.

For logging into a server or sqlcl or som such it is not the same thing. Especially if you want to write a script that combines logging in to several things to automate something. The you have to cut and paste between the password manager and your command line.

I recently had the luxury of daydreaming about the perfect solution aka “The World according to Mathias”. Wouldn’t it be great if the same nice integration the web browser has with 1Passord also worked in my linux command line environment. It sure would!

Thinking some more about it, why on earth doesn’t that exist? I hit Google up on it and sure enough the good people on Agilebits that makes 1Password has had that thought long before I did. They have a complete command line solution for several operating systems that does pretty much anything one could imagine. Getting the password is just one small thing, but that was what I needed so that is the focus of this blog.

Download and unzip. Now you have “op” which is that program you will be using for all things 1Password on the command line.

You first need to sign in and authenticate with your secret key. You do this by specifying the url you log in at as well as your account-name (email address).

op signin

Enter your secret key and then your password. You are now signed in and remain signed in for 30 minutes, same way as the web or desktop application works. You could have given the above a shorthand name, but for me “my” works as the first part of the given url is used unless you specify something.

You can be signed in to multiple accounts at the same time and then use –account to specify the one you want to use. The defaults to use the one you signed into most recently.

From now on you will sign in using:

eval $(op signin)

If you have set up multiple accounts you specify that after “signin”. In the example used here your could specify “my”. It will now ask you for only your password. The eval part causes environment variables to be setup for your logged in accounts.

Now that you are logged in you can use it to get the password to log in to some service. Let’s begin with just getting the password.

op get item --fields password MyVerySecretPassword

We only want the password with that command. The entry in 1Password is called MyVerySecretPassword in this example. From it we get the password on standard out. As this is something I may do very often, I’d create an alias for “op get item –fields password” and name it getpw. Then I can get a password for an entry in 1Pasword with “getpw <name of the entry in 1Password”.

To use in a script or command and not end up with cut and paste is easy enough. Let’s say that we have a user usr1 with a very secret passord and we log into a database “mypdb” with sqlcl using “sqlcl usr1/********************@mypdb”. To get the password from 1Password we’d do something like this:

sqlcl usr1/$(getpw MyVerySecretPassword)@mypdb

That ends up with the command I wanted to execute. No hardcoded password, no file on my computer with it and no password that is too easy to be secure.

Another great part of this is that the same scripts can be used by everyone in a team pulling information from the things the team has saved in 1Password that everyone in the team has access to. So everyone signs into 1Password before they execute and then the same scripts can run without having to prompt everyone for their passwords or enter on the command line and still people not in the team cannot get access to the passwords.

This is of course just as usable on the Oracle cloud (or multi cloud) as it is on-prem or even in your personal local environment.

After having played with this for a little while, this is now a key requirement for any password manager I’d consider complete.


Leave a Comment

Your email address will not be published. Required fields are marked *