1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
|
\input texinfo @c -*-texinfo-*-
@setfilename ../../info/auth
@settitle Emacs auth-source Library @value{VERSION}
@set VERSION 0.2
@copying
This file describes the Emacs auth-source library.
Copyright @copyright{} 2008-2011 Free Software Foundation, Inc.
@quotation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with the Front-Cover texts being ``A GNU Manual,''
and with the Back-Cover Texts as in (a) below. A copy of the license
is included in the section entitled ``GNU Free Documentation License''
in the Emacs manual.
(a) The FSF's Back-Cover Text is: ``You have the freedom to copy and
modify this GNU manual. Buying copies from the FSF supports it in
developing GNU and promoting software freedom.''
This document is part of a collection distributed under the GNU Free
Documentation License. If you want to distribute this document
separately from the collection, you can do so by adding a copy of the
license to the document, as described in section 6 of the license.
@end quotation
@end copying
@dircategory Emacs
@direntry
* Auth-source: (auth). The Emacs auth-source library.
@end direntry
@titlepage
@title Emacs auth-source Library
@author by Ted Zlatanov
@page
@vskip 0pt plus 1filll
@insertcopying
@end titlepage
@contents
@ifnottex
@node Top
@top Emacs auth-source
This manual describes the Emacs auth-source library.
It is a way for multiple applications to share a single configuration
(in Emacs and in files) for user convenience.
@insertcopying
@menu
* Overview:: Overview of the auth-source library.
* Help for users::
* Secret Service API::
* Help for developers::
* GnuPG and EasyPG Assistant Configuration::
* Index::
* Function Index::
* Variable Index::
@end menu
@end ifnottex
@node Overview
@chapter Overview
The auth-source library is simply a way for Emacs and Gnus, among
others, to answer the old burning question ``I have a server name and
a port, what are my user name and password?''
The auth-source library actually supports more than just the user name
(known as the login) or the password, but only those two are in use
today in Emacs or Gnus. Similarly, the auth-source library supports
multiple storage formats, currently either the classic ``netrc''
format, examples of which you can see later in this document, or the
Secret Service API.
@node Help for users
@chapter Help for users
``Netrc'' files are a de facto standard. They look like this:
@example
machine @var{mymachine} login @var{myloginname} password @var{mypassword} port @var{myport}
@end example
The machine is the server (either a DNS name or an IP address).
The port is optional. If it's missing, auth-source will assume any
port is OK. Actually the port is a protocol name or a port number so
you can have separate entries for port @var{143} and for protocol
@var{imap} if you fancy that. Anyway, you can just omit the port if
you don't need it.
The login and password are simply your login credentials to the server.
``Netrc'' files are usually called @code{.authinfo} or @code{.netrc};
nowadays @code{.authinfo} seems to be more popular and the auth-source
library encourages this confusion by making it the default, as you'll
see later.
If you have problems with the port, set @code{auth-source-debug} to
@code{t} and see what port the library is checking in the
@code{*Messages*} buffer. Ditto for any other problems, your first
step is always to see what's being checked. The second step, of
course, is to write a blog entry about it and wait for the answer in
the comments.
You can customize the variable @code{auth-sources}. The following may
be needed if you are using an older version of Emacs or if the
auth-source library is not loaded for some other reason.
@lisp
(require 'auth-source) ;; probably not necessary
(customize-variable 'auth-sources) ;; optional, do it once
@end lisp
@defvar auth-sources
The @code{auth-sources} variable tells the auth-source library where
your netrc files or Secret Service API collection items live for a
particular host and protocol. While you can get fancy, the default
and simplest configuration is:
@lisp
;;; old default: required :host and :protocol, not needed anymore
(setq auth-sources '((:source "~/.authinfo.gpg" :host t :protocol t)))
;;; mostly equivalent (see below about fallbacks) but shorter:
(setq auth-sources '((:source "~/.authinfo.gpg")))
@end lisp
This says ``for any host and any protocol, use just that one file.''
Sweet simplicity. In fact, the latter is already the default, so
unless you want to move your netrc file, it will just work if you have
that file. Make sure it exists.
By adding multiple entries to @code{auth-sources} with a particular
host or protocol, you can have specific netrc files for that host or
protocol. Usually this is unnecessary but may make sense if you have
shared netrc files or some other unusual setup (90% of Emacs users
have unusual setups and the remaining 10% are @emph{really} unusual).
Here's an example that uses the Secret Service API for all lookups,
using the default collection:
@lisp
(setq auth-sources '((:source (:secrets default))))
@end lisp
And here's a mixed example, using two sources:
@lisp
(setq auth-sources '((:source (:secrets default) :host "myserver" :user "joe")
(:source "~/.authinfo.gpg")))
@end lisp
The best match is determined by order (starts from the bottom) only
for the first pass, where things are checked exactly. In the example
above, the first pass would find a single match for host
@code{myserver}. The netrc choice would fail because it matches any
host and protocol implicitly (as a @emph{fallback}). A specified
value of @code{:host t} in @code{auth-sources} is considered a match
on the first pass, unlike a missing @code{:host}.
Now if you look for host @code{missing}, it won't match either source
explicitly. The second pass (the @emph{fallback} pass) will look at
all the implicit matches and collect them. They will be scored and
returned sorted by score. The score is based on the number of
explicit parameters that matched. See the @code{auth-pick} function
for details.
@end defvar
If you don't customize @code{auth-sources}, you'll have to live with
the defaults: any host and any port are looked up in the netrc
file @code{~/.authinfo.gpg}, which is a GnuPG encrypted file
(@pxref{GnuPG and EasyPG Assistant Configuration}).
The simplest working netrc line example is one without a port.
@example
machine YOURMACHINE login YOU password YOURPASSWORD
@end example
This will match any authentication port. Simple, right? But what if
there's a SMTP server on port 433 of that machine that needs a
different password from the IMAP server?
@example
machine YOURMACHINE login YOU password SMTPPASSWORD port 433
machine YOURMACHINE login YOU password GENERALPASSWORD
@end example
For url-auth authentication (HTTP/HTTPS), you need to put this in your
netrc file:
@example
machine yourmachine.com:80 port http login testuser password testpass
@end example
This will match any realm and authentication method (basic or digest)
over HTTP. HTTPS is set up similarly. If you want finer controls,
explore the url-auth source code and variables.
For Tramp authentication, use:
@example
machine yourmachine.com port scp login testuser password testpass
@end example
Note that the port denotes the Tramp connection method. When you
don't use a port entry, you match any Tramp method, as explained
earlier. Since Tramp has about 88 connection methods, this may be
necessary if you have an unusual (see earlier comment on those) setup.
@node Secret Service API
@chapter Secret Service API
TODO: how does it work generally, how does secrets.el work, some examples.
@node Help for developers
@chapter Help for developers
The auth-source library only has one function for external use.
@defun auth-source-user-or-password mode host port &optional username
Retrieve appropriate authentication tokens, determined by @var{mode},
for host @var{host} and @var{port}. If @var{username} is provided it
will also be checked. If @code{auth-source-debug} is t, debugging
messages will be printed. Set @code{auth-source-debug} to a function
to use that function for logging. The parameters passed will be the
same that the @code{message} function takes, that is, a string
formatting spec and optional parameters.
If @var{mode} is a list of strings, the function will return a list of
strings or @code{nil} objects (thus you can avoid parsing the netrc
file or checking the Secret Service API more than once). If it's a
string, the function will return a string or a @code{nil} object.
Currently only the modes ``login'' and ``password'' are recognized but
more may be added in the future.
@var{host} is a string containing the host name.
@var{port} contains the protocol name (e.g. ``imap'') or
a port number. It must be a string, corresponding to the port in the
users' netrc files.
@var{username} contains the user name (e.g. ``joe'') as a string.
@example
;; IMAP example
(setq auth (auth-source-user-or-password
'("login" "password")
"anyhostnamehere"
"imap"))
(nth 0 auth) ; the login name
(nth 1 auth) ; the password
@end example
@end defun
@node GnuPG and EasyPG Assistant Configuration
@appendix GnuPG and EasyPG Assistant Configuration
If you don't customize @code{auth-sources}, the auth-source library
reads @code{~/.authinfo.gpg}, which is a GnuPG encrypted file.
In Emacs 23 or later there is an option @code{auto-encryption-mode} to
automatically decrypt @code{*.gpg} files. It is enabled by default.
If you are using earlier versions of Emacs, you will need:
@lisp
(require 'epa-file)
(epa-file-enable)
@end lisp
If you want your GnuPG passwords to be cached, set up @code{gpg-agent}
or EasyPG Assitant
(@pxref{Caching Passphrases, , Caching Passphrases, epa}).
To quick start, here are some questions:
@enumerate
@item
Do you use GnuPG version 2 instead of GnuPG version 1?
@item
Do you use symmetric encryption rather than public key encryption?
@item
Do you want to use gpg-agent?
@end enumerate
Here are configurations depending on your answers:
@multitable {111} {222} {333} {configuration configuration configuration}
@item @b{1} @tab @b{2} @tab @b{3} @tab Configuration
@item Yes @tab Yes @tab Yes @tab Set up gpg-agent.
@item Yes @tab Yes @tab No @tab You can't, without gpg-agent.
@item Yes @tab No @tab Yes @tab Set up gpg-agent.
@item Yes @tab No @tab No @tab You can't, without gpg-agent.
@item No @tab Yes @tab Yes @tab Set up elisp passphrase cache.
@item No @tab Yes @tab No @tab Set up elisp passphrase cache.
@item No @tab No @tab Yes @tab Set up gpg-agent.
@item No @tab No @tab No @tab You can't, without gpg-agent.
@end multitable
To set up gpg-agent, follow the instruction in GnuPG manual
(@pxref{Invoking GPG-AGENT, , Invoking GPG-AGENT, gnupg}).
To set up elisp passphrase cache, set
@code{epa-file-cache-passphrase-for-symmetric-encryption}.
@node Index
@chapter Index
@printindex cp
@node Function Index
@chapter Function Index
@printindex fn
@node Variable Index
@chapter Variable Index
@printindex vr
@bye
@c End:
|