Skip to main content
March 31, 2022
Question

op CLI with biometric unlock using Polkit not working

  • March 31, 2022
  • 13 replies
  • 1330 views

Hi,
I'm using 1Password 8.6.1-1 and CLI 2.0.0-4 from the Arch User Repo. I usually use i3-gnome-flashback, but I see the same problem under GNOME on Wayland, or GNOME Flashback. I appreciate the i3 setup is a bit niche, and am happy to fix that myself if anyone can help me getting it working under a plain old GNOME + Wayland or Xorg session. :)

Here's some info about my installation:

shell
$ pacman -Qi 1password 1password-cli | grep -iE '^(Name|Version)'
Name : 1password
Version : 8.6.1-1
Name : 1password-cli
Version : 2.0.0-4
$ pacman -Ql 1password | grep -i polkit
1password /usr/share/polkit-1/
1password /usr/share/polkit-1/actions/
1password /usr/share/polkit-1/actions/com.1password.1Password.policy
$ op --version
2.0.0
$ 1password --version
8.6.1
$ ls -lL $( which op )
-rwxr-sr-x 1 root onepassword-cli 12664832 Mar 30 16:41 /usr/bin/op
$ ls -lL $( which 1password )
-rwxr-xr-x 1 root root 149375632 Mar 30 16:42 /usr/bin/1password
$ getent group | grep onepassword
onepassword-cli:x:1011:
onepassword:x:1012:
$ ss --listening | grep -i pass | column -t ; ls -la ${XDG_RUNTIME_DIR}/1Password-BrowserSupport.sock
nl UNCONN 0 0 uevent:keepassxc/53952 *
nl UNCONN 0 0 uevent:keepassxc/53952 *
u_str LISTEN 0 50 /tmp/qtsingleapp-Enpass-216b-3ed 25210 * 0
srw------- 1 my_username my_username 0 Mar 31 15:08 /run/user/my_uid/1Password-BrowserSupport.sock

Using the old method of adding an account manually works. Using e.g. eval $( secret-tool lookup provider 1Password profile work | op signin --account work) makes creds in my work vault available to the CLI using op item get etc. I would like to switch to the "biometric" (Polkit) unlock.

The 1Password GUI client setting Unlock using system authentication service works: I haven't ever had a problem with this.

I have read and followed https://developer.1password.com/docs/cli/about-biometric-unlock and https://developer.1password.com/docs/cli/get-started#sign-in. Whether the GUI client is running and unlocked or not, I do not get prompted to choose an account (I only have one). Instead, I get this:

```shell
$ op vault ls
No accounts configured for use with 1Password CLI.

You can either:
- Sign in with biometric unlock; see https://developer.1password.com/docs/cli/get-started/#sign-in for details.
- Add an account manually with op account add; see op account add --help for details.

Do you want to add an account manually now? [Y/n]
```

I saw the issues with the group ID being under 1000, and ensured that was not the case. The Polkit actions template appears to have been rendered correctly: in any case, if I manually install the template, replacing the placeholders with unix-user:my_username, I still see this issue. Other Polkit actions and rules work fine, e.g. GParted prompts me to enter credentials, then runs as expected.

Please let me know if I can provide more information for troubleshooting.


1Password Version: 8.6.1
Extension Version: 2.3.2
OS Version: Arch Linux (rolling)

13 replies

May 3, 2022

Hi Joris,
Thanks for your reply. Please push to get these flags documented, as it would have saved a lot of time for all involved (thanks again @awe!)

No, I didn't participate in any beta.

Re. awe's /home/awe/.1password/agent.sock: is that supposed to be there? It's not on my clients, though the absence doesn't seem to cause problems.

Cheers

May 13, 2022

Glad this has been fixed! Let us know if you encounter any other hurdles or have any other feedback, otherwise :)

awe's /home/awe/.1password/agent.sock: is that supposed to be there? It's not on my clients, though the absence doesn't seem to cause problems.

I am not specifically familiar with this, but I pinged Joris for his input here.

May 16, 2022

Re. awe's /home/awe/.1password/agent.sock: is that supposed to be there? It's not on my clients, though the absence doesn't seem to cause problems.

This is used by the https://developer.1password.com/docs/ssh. It does not have any effect on the CLI.