@jmaroeder
Forked from Opa-/bitwarden.fish
Last active October 3, 2025 16:05
How to use Bitwarden CLI with macOS Touch ID (Fish)

Bitwarden Fish Helper

Installation

1. Configure Touch ID for the sudo command

(instructions from mietzen)

NOTE: you may need to perform these steps every time you upgrade macOS.

To allow Touch ID on your Mac to authenticate you for sudo access instead of a password, do the following.

  • Open Terminal
  • Switch to the root user with: sudo -i
  • Edit /etc/pam.d/sudo:
nano /etc/pam.d/sudo

The contents of this file should look like this:

# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
  • You need to add an additional auth line to the top:

auth sufficient pam_tid.so

  • So it now looks like this:
# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
  • Save the file with Ctrl+O and exit with Ctrl+X

  • Try to use sudo, and you should be prompted to authenticate with Touch ID.

Source: https://apple.stackexchange.com/a/306324/409134
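
Because this edit may have to be redone after a macOS upgrade, it helps to check that the Touch ID rule is still the first auth rule, since PAM evaluates the auth stack in order. The sh function below is an added example, not part of the gist; the name check_tid_first and its exit codes are assumptions, the sample file is constructed from the stock stack shown above, and only the simple "type control module" rule form is handled.

```shell
# Added example, not part of the gist; check_tid_first is a hypothetical name.
# Exit status: 0 = Touch ID rule is the first auth rule and "sufficient"
#              1 = no active pam_tid.so auth rule (missing or commented out)
#              2 = pam_tid.so present, but another auth rule precedes it
#              3 = pam_tid.so is first, but its control flag is not "sufficient"
#              4 = file not readable
check_tid_first() {
    pam_file=${1:-/etc/pam.d/sudo}
    [ -r "$pam_file" ] || return 4
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $1 == "auth" {
            n++                                 # position within the auth stack
            if ($3 ~ /pam_tid\.so$/) { pos = n; ctl = $2; exit }
        }
        END {
            if (!pos)                exit 1
            if (pos > 1)             exit 2
            if (ctl != "sufficient") exit 3
            exit 0
        }
    ' "$pam_file"
}

# Constructed sample: the stock stack shown above, without the Touch ID line.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
EOF
if check_tid_first "$demo"; then
    echo "Touch ID is first in the auth stack"
else
    echo "Touch ID rule not in effect (status $?), re-apply the edit"
fi
rm -f "$demo"
```

Called with no argument, the function checks /etc/pam.d/sudo.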

2. Install bitwarden-cli

$ brew install bitwarden-cli

3. Install Bitwarden Fish Helper function to protect session with sudo

This wrapper function around the bw command stores the session key in a file that requires root access to read.

Copy bitwarden.fish to your Fish config directory (e.g. ~/.config/conf.d) and restart your shell.

4. Log in to Bitwarden

$ bw login

5. Store session key

NOTE: you will need to re-run this command any time you re-log in

$ bw --regenerate-session-key

Usage

# Look up a password
$ bw list items --search <search term> | jq --raw-output '.[0].login.password'
# Look up a username
$ bw list items --search <search term> | jq --raw-output '.[0].login.username'

Credits

# https://gist.github.com/Opa-/b828995590ca79e653a01c63bbaca64f
set -x BW_USER '<YOUR-USER>'

function bw
    # Resolve the real bw binary; `which` is external, so it does not find this function.
    set bw_exec (which bw)
    set -x NODE_OPTIONS --no-deprecation
    set -g bw_session_file '/var/root/.bitwarden.session'
    set -g err_token_not_found "Token not found, please run bw --regenerate-session-key"

    # Load the session key from the root-only file into $bw_session.
    # The value is cached in a global variable; --force discards the cache first.
    function _read_token_from_file
        switch $argv[1]
            case --force
                set -e bw_session
        end
        if test "$bw_session" = "$err_token_not_found"
            set -e bw_session
        end
        if test -z "$bw_session"
            # sudo triggers the Touch ID prompt configured in /etc/pam.d/sudo
            set -g bw_session (sudo cat $bw_session_file 2>/dev/null)
            if test "$status" -ne 0
                echo "$err_token_not_found"
                sudo -k # De-elevate privileges
                return 1
            end
            sudo -k # De-elevate privileges
            if test "$bw_session" = "$err_token_not_found"
                echo "$err_token_not_found"
                return 1
            end
        end
    end

    switch $argv[1]
        case --regenerate-session-key
            echo "Regenerating session key, this has invalidated all existing sessions..."
            sudo rm -f $bw_session_file && $bw_exec logout 2>/dev/null
            # tee copies its input to stdout; discard that copy so the session key
            # is written to the file only and not printed to the terminal.
            $bw_exec login $BW_USER --raw | sudo tee $bw_session_file >/dev/null 2>&1
            _read_token_from_file --force
            sudo -k
        case --version -v completion config generate help login logout sdk-version update
            # Subcommands that do not need an unlocked session
            $bw_exec $argv
        case --help -h ''
            $bw_exec $argv
            echo "To regenerate your session key type:"
            echo " bw --regenerate-session-key"
        case '*'
            # Everything else runs with the stored session key
            _read_token_from_file
            $bw_exec $argv --session $bw_session
    end
end