doy / rbw Goto Github PK

Hello there,

I just configured the client using the configure command.

When attempting to login (prompted for my master password), I receive:

❯ rbw login
rbw login: failed to log in to bitwarden instance: failed to parse JSON: .: missing field `ErrorModel` at line 1 column 126: missing field `ErrorModel` at line 1 column 126

So I had a look around my system for this son file and found it at ~/.config/rbw/config.json

When looking in there, I had found:

{
    "email": "[email protected]",
    "base_url": null,
    "identity_url": null,
    "lock_timeout": 3600
}

From the docs, I can gather that the URLs are ok to be null and will default to the BW servers.

System

RBW Version

❯ rbw --version
rbw 0.3.5

OS

❯ cat /etc/lsb-release
───────┬──────────────────────────────────────────────────────────────────────────────────────────
       │ File: /etc/lsb-release
───────┼──────────────────────────────────────────────────────────────────────────────────────────
   1   │ DISTRIB_ID=Ubuntu
   2   │ DISTRIB_RELEASE=20.04
   3   │ DISTRIB_CODENAME=focal
   4   │ DISTRIB_DESCRIPTION="Ubuntu 20.04 LTS"
───────┴──────────────────────────────────────────────────────────────────────────────────────────

Any suggestions?

Many sites provide TOTP secrets chunked by spaces. One example is Google. When I try to use rbw code on entries in my vault for those sites, I get the following error:

rbw code: totp secret was not valid base32

I believe this could be solved by just stripping all spaces from the TOTP secret strings.

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }', /home/kkga/.cargo/registry/src/github.com-1ecc6299db9ec823/rbw-1.2.0/src/edit.rs:44:10

I've tried setting different values for the EDITOR variable, but it seems to have no effect.

It seems that rbw doesn't include a trailing zero in its code subcommand output.rbw code <name> returns, for example 17368, if the expected code is 017368, and presumably would even return a two digit code if there were four trailing zeros. This is a problem because most applications won't accept an auth code with less than 6 digits, leaving the user to type the trailing zeros manually.

If the XDG_RUNTIME_DIRECTORY environment variable is not set (many non-systemd Linux distributions do not use this), rbw panics:

% RUST_BACKTRACE=1 rbw config set base_url 'redacted'
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', /home/dustin/.cargo/registry/src/github.com-1ecc6299db9ec823/rbw-0.4.0/src/dirs.rs:65:5
stack backtrace:
   0: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt
   1: core::fmt::write
   2: std::io::Write::write_fmt
   3: std::panicking::default_hook::{{closure}}
   4: std::panicking::default_hook
   5: std::panicking::rust_panic_with_hook
   6: rust_begin_unwind
   7: core::panicking::panic_fmt
   8: core::panicking::panic
   9: rbw::dirs::runtime_dir
  10: rbw::dirs::socket_file
  11: rbw::actions::quit
  12: rbw::commands::config_set
  13: rbw::main
  14: std::rt::lang_start::{{closure}}
  15: std::panicking::try::do_call
  16: __rust_maybe_catch_panic
  17: std::rt::lang_start_internal
  18: main
  19: __libc_start_main
  20: _start

I'm not totally sure how rust even compiles/links binaries, but I just noticed that on a fresh install of the *.deb release, I get the following:

rbw: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by rbw)

I'm assuming this means rbw was built against glibc 2.33, and since I only have 2.31, it's failing at runtime?

❯ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.2 LTS
Release:        20.04
Codename:       focal

❯ dpkg -l | grep libc6
ii  libc6:amd64                                2.31-0ubuntu9.2                          amd64        GNU C Library: Shared libraries
ii  libc6:i386                                 2.31-0ubuntu9.2                          i386         GNU C Library: Shared libraries
ii  libc6-dbg:amd64                            2.31-0ubuntu9.2                          amd64        GNU C Library: detached debugging symbols
ii  libc6-dev:amd64                            2.31-0ubuntu9.2                          amd64        GNU C Library: Development Libraries and Header Files

I have some Entries which have Spaces in their name, e.g. "Atlassian (Privat)". When I try to get that Entry by executing rbw get "Atlassian (Privat)", rbw seems to ignore the Quotes and use the String as two arguments (Item Name and Folder) and yields the following result:

rbw get: couldn't find entry for '(Privat)@Atlassian': no entry found

My current workaround for those entries is to use the UUID but at the moment this does not work with the Rofi script I am using for accessing Bitwarden.

I created a script that uses rbw as a git-credential helper.
I thought others may find this useful and suggest adding it to README.md
https://gist.github.com/mikeboiko/58ab730afd65bca0a125bc12b6f4670d

I'd like to request a GTK UI integration with rbw-agent. It seems like a great addition to this tool.

Anyway, would this be a consideration? Seems like you've done a majority of code, so writing a GTK based client that uses the same mechanism you setup for with the agent and all, might be good in.

I'd love to help as well, though I've never written Rust code, or GTK code, so may need some guidance. I tried to write something initially, so I could just raise PR, but I got dizzy trying to understand Rust.

Would you consider adding a command line flag that allows users to select an alternative config.json instead of the default one?

With any rbw command that seems to interact with the backend, I get the above error, for example rbw login:

rbw login: failed to parse message from agent: EOF while parsing a value at line 1 column 0

Is there a way to get more verbose output?
My rbw config show:

{
  "email": "[email protected]",
  "base_url": null,
  "identity_url": null,
  "lock_timeout": 3600
}

I'm running on 0.5.2

Hello,

After configuring my account email:

$ rbw config set email [email protected]

and running:

$ rbw login

I get the below error message:

rbw login: failed to log in to bitwarden instance: unimplemented cipherstring type: 0

This is using Bitwarden official cloud server. Web logon obviously works just fine.

What's odd is that, despite logon failing, I get confirmation emails to the contrary:

Subject: New Device Logged In From [...]

I get exactly the same error on OpenBSD with the official port/package (version 0.5.2) as well as on macOS Catalina (10.15.7) after running cargo install rbw (version 1.0.0).

Hello,

I just noticed that the length of a generated password is not respected and is limited depending on what option has been used, i.e.:

• 94 without any options
• 62 with --no-symbols
• 24 with --nonconfusables
• 10 with --only-numbers

Attached is an output of:

for i in $(jot 100)
do
        echo $i characters
        rbw gen $i | wc -m
        rbw gen $i --no-symbols | wc -m
        rbw gen $i --nonconfusables | wc -m
        rbw gen $i --only-numbers | wc -m
done > rbw-pass

GNU coreutils users will need to replace jot(1) with seq(1). The results are off by one due to newline character being present and counted.

Also, while we're at it, options are doubled on error, i.e.:

$ rbw gen --only-numbers
error: The following required arguments were not provided:
    <len>

USAGE:
    rbw generate <len> <--no-symbols|--only-numbers|--nonconfusables|--diceware|--no-symbols|--only-numbers|--nonconfusables|--diceware>

For more information try --help

On Termux /tmp is not writable - which leads to the following error:

$ rbw login
failed to daemonize: failed to create directory at /tmp/rbw-10147: Read-only file system (os error 30)
rbw login: failed to run rbw-agent: exit code: 1

Instead of assuming that /tmp is accessible it'd make sense to read the value of TMPDIR.

That being said, thanks for creating this!

Adding TOTP support could be nice in two cases:

1. When logging when 2fa is enabled on the account.
2. The ability to generate a TOTP code from a secret in bitwarden. this might be a new command like rbw code <name> [<user>]

I have a rust crate that could be used as a starting point for both — otpcli — but there are many others as well.

Is this as expected?

time rbw get --full "<password name>"  0.26s user 1.84s system 94% cpu 2.224 total

This is on a core i7 2020 Macbook Pro

Either enabling the wiki or adding a contrib/ directory where people could share their rbw integrations would be nice.

As an example, here is a little wrapper script I modified to work with rbw and such.

#!/bin/bash
# Wayland copy bitwarden passwords to paste once
set -eu

rbw unlocked || rbw unlock

set -o pipefail

wl-copy --paste-once "$(rbw-fzf)"

I had trouble login in with my password, I kept getting "Invalid password" from pinentry.

I noticed a GETPIN in pinentry returns %25 for the % character, I believe this may not be taken into account in rbw and that's probably why I couldn't log in. After using a password without the % character, I logged in successfully.

I was having issues accessing my passwords with rbw, I decided to rbw purge and resync, but I'm still having a problem synchronizing the database:

$ rbw sync
rbw sync: failed to sync database from server: failed to parse JSON: Ciphers[16].PasswordHistory[0].Password: invalid type: null, expected a string at line 1 column 40928: invalid type: null, expected a string at line 1 column 40928

Seems like a trivial enough fix, but I have no idea how to dump said JSON to figure out why it's not correctly formed.

Since it seems to be the PasswordHistory that's having issues I tried purging the history and even regenerating new entries but it still fails.

I'm running v1.1.2

As far as I can tell, the only way to change a password for an existing item in the vault is to launch a text editor. It would be useful if there were a way to, e.g. read a new password from standard input.

When I run rbw sync I get the following error:

rbw sync: failed to sync database from server: failed to parse JSON: .: missing field `access_token` at line 1 column 25: missing field `access_token` at line 1 column 25

rbw get: couldn't find entry for 'Google': multiple entries found

I don't mind making the names unique, just asking.

Hello,

After installing the latest version with cargo install rbw on macOS 10.14, I get this:

$ rbw --version
rbw 1.1.0
$ rbw login
rbw-agent: Unable to disable PTRACE_ATTACH on this platform: not implemented. Agent memory may be dumpable by other processes.
rbw login: failed to run rbw-agent: exit code: 1

Looks like a possible fall-out from #42.

When I run get --full I would expect to see everything stored against that item, at the moment several pieces of info are missing:

• TOTP code
• Website URLs
• Custom Fields

My config looks this way

{
"email": "@.com",
"base_url": null,
"identity_url": null,
"lock_timeout": 3600,
"pinentry": "pinentry"
}

When I try login with "rbw login" it returns:
rbw login: failed to log in to bitwarden instance: failed to parse JSON: .: expected value at line 1 column 1: expected value at line 1 column 1

I checked agent out/err files, both are empty.

rbw version is 1.2.0 installed on Ubuntu 20.04 from deb package. I googled a bit about Bitwarden Public API and failed to find any mention about email/password authentication, but rather client_id/key. I wonder if they changed the authentication recently?

Hi,
thanks for this tool. I have two instances of bitwarden (through bitwarden-rs) that I use frequently (personal and work). Is there a way to switch between accounts in rbw? Maybe like running two agents and passing an environment variable or option to rbw to chose the right one?

Hello,

The behaviour of gen, login, and sync seems counter-intuitive
to what's described in the README:

Usage

Commands can generally be used directly, and will handle logging in or
unlocking as necessary. For instance, running rbw ls will unlock the password
database before generating the list of entries (but will not attempt to log in
to the server), rbw sync will log in to the server before downloading the
password database (but will not unlock the database), and rbw generate will
do both.

However, neither gen, login, nor sync prompt for the password -
only ls does:

$ rbw gen 64 # generates 64-character password
[...]
$ rbw login # seemingly, nothing happens - returns to prompt
$ rbw sync # seemingly, nothing happens - returns to prompt
$ rbw ls # as expected, prompts for password and lists all entries
[...]

This is most likely me not fully understanding what happens behind
the scenes but, at least to a layman, this seems counter-intuitive.
According to the descritpion, one would expect both login and
sync to prompt for a password, no? Also, why would gen do both?
Why would it do either? Isn't it supposed to just generate a
password?

Also, ls does display an entry newly added via the web browser
add-on shortly before running the above test so it seems like it
is doing a sync, no?

I'd appreciate if you could explain in a bit more detail what
individual commands actually do behind the scenes :^)

Ta!

If the user does not respond to the PIN entry prompt within the timeout (default 60 seconds), rbw prints the following:

failed to parse pinentry output ("S ERROR gtk2.? 83886142 \nERR 83886142 Timeout <Pinentry>\n\u{0}…

The \u{0} sequence then repeats 4038 more times.

This happens for both pinentry-gtk and pinentry-curses.

Currently, three SUBCOMMANDS have aliases and all the aliases are doubled when help information is printed:

$ rbw -h | grep aliases
generate      Generate a new password [aliases: gen, gen]
list          List all entries in the local Bitwarden database [aliases: ls, ls]
remove        Remove a given entry [aliases: rm, rm]

Also, if there's only one, it should obviously read alias.

Hello!
I'm having trouble logging using private server (bitwarden_rs) and Yubikey. After entering password I'm getting:

$ rbw unlock
rbw unlock: TODO

The same for sync or ls.

Version (AUR rbw-git):

$ rbw --version
rbw 0.4.2

Besides being able to get passwords based on entry name and username, I think that it would be very useful to enable finding passwords based on the URI-fields. This could be used for integration with userscripts in browsers such as qutebrowser.

Possibly this could be implemented with a --uri flag to the get command, or simply by searching by URI in case of no match by name.

I'd like to help add automated build and "deployment" support to rbw if there is interest in getting that contribution.

I'd like to suggest the following process:

1. Project Maintainer @doy would initiate a new release using cargo release
   1.1. this results in a new tagged version being created (1.0, 1.1, 1.2, etc.)
2. Using GitHub actions a build for that tag is run.
   2.1. This creates a GitHub release
   2.2. Then a matrix build is run for every platform that needs to be supported (linux, mac, etc)
3. Each build uploads its artifacts to the GitHub release in 2.1.

I have an example of this in place already for my otpcli tool that we could use as a starting point if that makes sense @doy?

I am using successfully gpg on a server without any X server, so I know that pinentry-tty can work.
However, using rbw 0.3.4, I have the following output:

> rbw sync
rbw sync: failed to read password from pinentry: failed to parse pinentry output ("Log in to vault.example.com\nMaster Password: \u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}\u{0}
[Many more zeroes]

I strace'd the agent, and it seems that pinentry is fed with the correct input. However, I don't know if pinentry-tty can find my current tty from rbw-agent from an ssh session.

Did I missed something?

It's fairly simple to reproduce:

Using the desktop app create a new entry without password.

Sync rbw and attempt to edit the password using rbw edit on the entry.

You can now see that in the desktop app you have an history entry without password:

To make matters worse, rbw now errors out when attempting to access the vault because it can't deal with empty passwords (see #50).

For automation purposes, it would be nice if there were a way to check if the vault needs to be unlocked. Calling rbw unlock unconditionally is an option in some cases, it might not be in others. If the vault is locked, the pinentry dialog will appear, blocking the script from continuing until the user either cancels it or enters the master password.

There is a cross-platform rust crate called keyring that uses the running platforms secure password storage mechanism to store and access passwords. I'd love to add support for this in rbw. We can make it an optional feature, that you can opt in to with rbw config.

I have an initial pass at cutting it in in a branch.

Hi, I've a problem during login.

Version:
rbw --version rbw 0.5.0

Config file:
{ "email":"[email protected]", "base_url":null, "identity_url":null, "lock_timeout":3600 }

Command:
rbw login

Error:
rbw login: failed to log in to bitwarden instance: failed to parse JSON: TwoFactorProviders[0]: invalid type: string "0", expected u32 at line 1 column 93: invalid type: string "0", expected u32 at line 1 column 93

I use Authy as 2FA provider

It would be nice to have a type field in rbw list, which should be one of:

• Password
• Card
• Identity
• Secure note

I prefer using VISUAL='vim --remote-wait-silent', so that editing files with $VISUAL happen in my existing session. However, rbw does not split environment variables to run commands, resulting in:

$ rbw edit DEMO
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: Os { code: 2, kind: NotFound, message: "No such file or directory" }', src/edit.rs:44:10
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

I'm getting the following error when executing rbw unlock:

rbw unlock: failed to unlock database: unimplemented cipherstring type: 6

Looks like maybe it's some functionality that's not yet implemented? I'm willing to help debug if needed but I'm not familiar with rust so I will need some assistance.

e.g.

rbw get entry -c

Copies the password of 'entry' to the clipboard.

Greetings!

My TOTP Secret field contains otpauth://totp/Aarhus%20Universitet%3Aau522953%40uni.au.dk?secret=xxxxxxxxxxxxxxxx&issuer=Microsoft and the bitwarden browser extension can correctly parse this and extract the secret.

It would be nice if rbw could do the same.

As it takes some time to save an entry, it would be nice if rbw edit detected when the contents of the file haven't changed and doesn't need to save.

I would like to use jq to manipulate my vault in the same way I did with the official bw client. So, I would like to see a -j --json option to list and get, to output in the same format bw does.

Hello,

I use EDITOR as well as VISUAL environment variables:

EDITOR=ed
VISUAL=vi

Both have their uses and mean different things. Most command line tools use VISUAL and only fall back to EDITOR if the former is either empty or not set, in the following order: VISUAL -> EDITOR -> vi, i.e.: ${VISUAL:-${EDITOR:-vi}}.

It would be great if a visual editor, i.e vi(1), could be used while editing entries using rbw edit ...
lastpass-cli had the same issue a while back ;^)

It's indirectly related to rbw, but it would be really good to have autocompletion in the most used shells, at least bash and zsh.

If someone is motivated/interested in doing this, please do so.
It really is a must have in my opinion, and I unfortunately don't have (yet) the skills needed to implement this in these respective programs.

On Arch Linux, /usr/bin/pinentry looks like so:

#!/bin/sh

test -e /usr/lib/libgtk-x11-2.0.so.0 && exec /usr/bin/pinentry-gtk-2  "$@"

exec /usr/bin/pinentry-curses "$@"

If this runs on a system with a desktop environment installed, it will always try to run the graphical pinentry program. This will happen even if I'm SSH'd into the system.

GnuPG has a roundabout way of forcing use of the CLI for pinentry, by setting GPG_TTY=$(tty). I'm not sure of exactly how this logic works, but it does seem to work reliably. It would be ideal if rbw had a similar mechanism.

When I use rbw edit to change the password for an item in my vault, all of URLs associated with that item get their match detection setting reset to default.