Skip to content

Instantly share code, notes, and snippets.

@mietzen

mietzen/macos-bitwarden-cli-with-touch-id.md

Last active March 30, 2025 00:37
Show Gist options
  • Save mietzen/f383d87c0973c1af877b39e09b50021e to your computer and use it in GitHub Desktop.
Save mietzen/f383d87c0973c1af877b39e09b50021e to your computer and use it in GitHub Desktop.
Download ZIP
How to use use Bitwarden CLI with macOS Touch ID
Raw
macos-bitwarden-cli-with-touch-id.md

How to use Bitwarden CLI with macOS Touch ID

If you want to use Bitwarden CLI for ssh have a look at: How to use use Bitwarden CLI for SSH-Keys in macOS

Wirtten and tested on macOS Ventura

Configure Touch ID for the sudo command

To allow Touch ID on your Mac to authenticate you for sudo access instead of a password you need to do the following.

  • Open Terminal
  • Switch to the root user with: sudo -i
  • Edit /etc/pam.d/sudo:
nano /etc/pam.d/sudo

The contents of this file should look like this:

# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
  • You need to add an additional auth line to the top:

auth sufficient pam_tid.so

  • So it now looks like this:
# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

  • Save the file with ctrl o and exit with crtl x

  • Try to use sudo, and you should be prompted to authenticate with Touch ID.

Source: https://apple.stackexchange.com/a/306324/409134

Get bw to use Touch ID (via sudo)

  • Add the following line to your .zshrc with: nano ~/.zshrc
export BW_USER='<YOUR-USER>'

bw() {
  bw_exec=$(sh -c "which bw")
  local -r bw_session_file='/var/root/.bitwarden.session' # Only accessible as root

  _read_token_from_file() {

    local -r err_token_not_found="Token not found, please run bw --regenerate-session-key"
    case $1 in
    '--force')
      unset bw_session
      ;;
    esac

    if [ "$bw_session" = "$err_token_not_found" ]; then
      unset bw_session
    fi

    # If the session key env variable is not set, read it from the file
    # if file it not there, ask user to regenerate it

    if [ -z "$bw_session" ]; then
      bw_session="$(
        sh -c "sudo cat $bw_session_file 2> /dev/null"
        # shellcheck disable=SC2181
        if [ "$?" -ne "0" ]; then
          echo "$err_token_not_found"
          sudo -k # De-elevate privileges
          exit 1
        fi
        sudo -k # De-elevate privileges
      )"

      # shellcheck disable=SC2181
      if [ "$bw_session" = "$err_token_not_found" ]; then
        echo "$err_token_not_found"
        return 1
      fi
    fi
  }

  case $1 in
  '--regenerate-session-key')
    echo "Regenerating session key, this has invalidated all existing sessions..."
    sudo rm -f /var/root/.bitwarden.session && ${bw_exec} logout 2>/dev/null # Invalidate all existing sessions

    ${bw_exec} login "${BW_USER}" --raw | sudo tee /var/root/.bitwarden.session &>/dev/null # Generate new session key

    _read_token_from_file --force # Read the new session key for immediate use
    sudo -k                       # De-elevate privileges, only doing this now so _read_token_from_file can resuse the same sudo session
    ;;

  'login' | 'logout' | 'config')
    ${bw_exec} "$@"
    ;;


  '--help' | '-h' | '')
    ${bw_exec} "$@"
    echo "To regenerate your session key type:"
    echo "  bw --regenerate-session-key"
    ;;

  *)
    _read_token_from_file

    ${bw_exec} "$@" --session "$bw_session"
    ;;
  esac
}
  • Then run: exec zsh and bw --regenerate-session-key

If you logout of bitwarden cli again you have to generate a new sessionkey! This might be usefull when traveling internationally.

Now you're good to go! Use with e.g.:

bw get item 99ee88d2-6046-4ea7-92c2-acac464b1412

image

The default sudo timout will be applied (Change sudo timeout)

Edits:

27.08.2023: Updated the help menu, credits to Moulick

10.09.2023: Don't keep elevated rights in Terminal, credits to Moulick

@zestysoft
Copy link

Just wanted to give a heads up that macos has a new /etc/pam.d/sudo_local file that you should edit instead. The settings will stick across updates.

This is the contents of that file for myself:

auth       optional       /opt/homebrew/lib/pam/pam_reattach.so ignore_ssh
auth       sufficient     pam_tid.so

The reattach is required if you use iterm with tmux. you can use brew install pam-reattach to get the .so file.
Also that path assumes an apple silicon device. I think it differs for intel system.

It's unfortunate bw can't authenticate the way the one password cli does -- just prompt for touch id, no passwords or mfa.

@Opa-
Copy link

Opa- commented Dec 18, 2024

Thanks for this gist, here's a Fish shell variant if anyone's interested https://gist.github.com/Opa-/b828995590ca79e653a01c63bbaca64f

@gh10ltz
Copy link

gh10ltz commented Mar 25, 2025
edited
Loading

Thanks for the starting point. I've made a few changes to this which include:

  • Safer session storage by using the native macOS keychain (in lieu of a root owned plaintext file)
  • Stronger privilege management by prompting for auth/fingerprint on every privileged action
  • Restricted sudo to pam_tid.so only and disabled password fallback in userland
bw() {
  bw_exec=$(sh -c "which bw")
  local bw_session  

  _read_token_from_file() {
    local -r err_token_not_found="Token not found, please run bw --regenerate-session-key"
    case $1 in
    '--force')
      unset bw_session
      ;;
    esac

    if [ "$bw_session" = "$err_token_not_found" ]; then
      unset bw_session
    fi

    if [ -z "$bw_session" ]; then
      bw_session="$(sudo security find-generic-password -a root -s BW_SESSION -w 2>/dev/null)"

      if [ $? -ne 0 ]; then
        echo "$err_token_not_found"
        sudo --reset-timestamp
        return 1
      fi

      sudo --reset-timestamp
    fi
  }

  case $1 in
  '--regenerate-session-key')
    sudo security delete-generic-password -a root -s BW_SESSION 2>/dev/null
    echo "Regenerating session key, this has invalidated all existing sessions..."
    ${bw_exec} logout 2>/dev/null

    new_session=$(${bw_exec} login "${BW_USER}" --raw)
    sudo security add-generic-password -U -a root -s BW_SESSION -w "${new_session}"

    _read_token_from_file --force
    sudo --reset-timestamp
    ;;

  'login' | 'logout' | 'config')
    ${bw_exec} "$@"
    ;;

  '--help' | '-h' | '')
    ${bw_exec} "$@"
    echo "To regenerate your session key type:"
    echo "  bw --regenerate-session-key"
    ;;

  *)
    _read_token_from_file

    ${bw_exec} "$@" --session "$bw_session"
    ;;
  esac
}
sudo() {
  unset -f sudo
  if [[ "$(uname)" == 'Darwin' ]] && ! (grep -q 'pam_tid.so' /etc/pam.d/sudo_local && grep -q 'pam_deny.so' /etc/pam.d/sudo_local); then
    sudo cp /etc/pam.d/sudo_local /etc/pam.d/sudo_local.bak 2>/dev/null
    echo "# sudo_local: local config file which survives system update and is included for sudo" | sudo tee /etc/pam.d/sudo_local > /dev/null
    echo "auth sufficient pam_tid.so" | sudo tee -a /etc/pam.d/sudo_local > /dev/null
    echo "auth requisite pam_deny.so" | sudo tee -a /etc/pam.d/sudo_local > /dev/null
  fi
  sudo "$@"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment