From: Michael Albinus
Newsgroups: gmane.emacs.devel
Subject: Re: tramp-auto-auth.el --- TRAMP automatic authentication library
Date: Thu, 29 Aug 2019 13:04:28 +0200
Message-ID: <87ftlkp70j.fsf@gmx.de>
References: <877e74skek.fsf@oitofelix.com> <87woeyudc0.fsf@gmx.de> <87o9086ea0.fsf@oitofelix.com>
In-Reply-To: <87o9086ea0.fsf@oitofelix.com> (Bruno Félix Rezende Ribeiro's message of "Wed, 28 Aug 2019 20:50:15 -0300")
To: Bruno Félix Rezende Ribeiro
Cc: emacs-devel@gnu.org

Bruno Félix Rezende Ribeiro writes:

> Hello Michael and other GNU Emacs developers,

Hi Bruno,

>> Frankly, I'm not enthusiastic about adding cleartext passwords into
>> Tramp. This has all the security flaws you know, and is good for
>> problems. At least in core Tramp it shouldn't be propagated.
>
> Please, find attached the implementation of tramp-auto-auth.el using
> exclusively the auth-source library.

Thanks for this! It looks better now to my eyes.

> I did as you suggested except that I didn’t add a new keyword nor made
> any change to auth-source.el.
>
> Quoting from the commentary section:
>
> When a TRAMP prompt is encountered, ‘tramp-auto-auth-mode’ queries
> the alist ‘tramp-auto-auth-alist’ for the auth-source spec value
> whose regexp key matches the correspondent TRAMP path. This spec
> is then used to query the auth-source library for a presumably
> phony entry exclusively dedicated to the whole class of TRAMP
> paths matching that regexp.

Thinking about this, I believe we could use such a mechanism at a
broader level. You manage just one Tramp resource (passwords). WIBNI you
could cluster remote hosts also for other resources? For example, in
order to say "users for a given host share the same password if they
access via 'ssh' or 'sftp' or 'scp'". Or if you say "the connection
property [1] \"remote-shell\" of a given list of hosts shall be
\"/bin/bash\"". Or if you say "the connection-local variable [2]
`tramp-remote-path' for a given list of hosts shall contain
\"/appli/pub/bin\"".
[1] (info "(tramp) Predefined connection information")
[2] (info "(tramp) Remote programs")

Then you could declare just clusters. I would start with a cluster name
(a string), and a list of regular expressions which identify the remote
hosts. Using your example, one would declare

(add-to-list 'tramp-clusters '("Funny-Machines" "root@10\\.0\\." "..."))

For every resource, be it a password, a connection property, or a
connection-local variable, Tramp would always check whether there is a
setting of that resource for the host in question, and if not, whether
there is a setting in a cluster the host belongs to.

This broader approach wouldn't be implemented by an own package via
advising Tramp functions, but in Tramp itself. For the beginning, one
could start with managing passwords this way.

> Is this feature in this form suitable for inclusion in the TRAMP
> standard distribution?

Does this proposal make sense to you? Would you like to work on this?

Just some comments on your code

> ;; Copyright (C) 2019 Bruno Félix Rezende Ribeiro

This would be FSF copyrighted, if included in Emacs/Tramp.

> ;; Author: Bruno Félix Rezende Ribeiro
> ;; Maintainer: Bruno Félix Rezende Ribeiro

If there is an author, you don't need a maintainer.

> ;; Package-Version: 20190827.1316
> ;; Package-Requires: (tramp)

These entries are needed only in case it would be an ELPA package.

> ;; After this, just put the respective sacred secret in an
> ;; authentication source supported by auth-source library. For
> ;; instance:
> ;;
> ;; ---- ~/.authinfo.gpg ---------------------------------------------
> ;; machine Funny-Machines login root password "$r00tP#sWD!" port ssh
> ;; ------------------------------------------------------------------

IIRC, neither "login" nor "port" keys are mandatory in auth-source. So
you could live just with "machine" and "password".
> ;; In case you are feeling lazy or the secret is not so secret (nor so
> ;; sacred) -- or for any reason you need to do it all from Lisp --
> ;; it’s enough to:
> ;;
> ;; (auth-source-remember '(:host "Funny-Machines" :user "root" :port "ssh")
> ;;                       '((:secret "$r00tP#sWD!")))

I wouldn't write this into a Tramp doc. Refer to the "auth" Info pages.

> (defcustom tramp-auto-auth-alist

A defcustom should have a :version key. In case it will be added to
Tramp, :version "27.1" (the first Emacs version this user option has
appeared) would be OK.

> :require 'tramp-auto-auth)

Why is this needed?

> ;;;###autoload

Please use ";;;###tramp-autoload". The user option only makes sense
after Tramp has been loaded.

> (advice-add #'tramp-action-password :around

Code which is part of core Emacs shall not advise other functions.
Advising is intended for user-written Lisp.

Please also ensure that you do not exceed the 80 chars/line limit, for
better readability.

Best regards, Michael.
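The host-first, then-cluster password lookup Michael sketches above, written out as an added Emacs Lisp example (not code from this thread, from tramp-auto-auth.el, or from Tramp itself). `tramp-clusters` is the variable proposed in the mail; the function names, the sample regexps and the use of `auth-source-search` with only `machine`/`password` entries are my assumptions.

```elisp
;; Added example, not code from the thread or from Tramp.  It shows the
;; "host setting first, cluster setting as fallback" rule using only the
;; public auth-source API.  `tramp-clusters' is the alist proposed in the
;; mail; the function names below are hypothetical.

(require 'cl-lib)
(require 'auth-source)

(defvar tramp-clusters
  '(("Funny-Machines" "\\`root@10\\.0\\." "\\`root@10\\.1\\."))
  "Proposed cluster alist of the form (NAME REGEXP...).
USER@HOST belongs to cluster NAME when any REGEXP matches it.
The entries here are constructed sample values.")

(defun tramp-cluster--names-for (user host)
  "Return the names of all clusters in `tramp-clusters' matching USER@HOST."
  (let ((key (concat user "@" host)))
    (cl-loop for (name . regexps) in tramp-clusters
             when (cl-some (lambda (re) (string-match-p re key)) regexps)
             collect name)))

(defun tramp-cluster--secret-for (spec)
  "Return the secret of the first auth-source entry matching SPEC, or nil.
SPEC is a plist such as (:host \"Funny-Machines\").  auth-source may hand
the secret back as a closure, so call it when it is a function."
  (let* ((entry (car (apply #'auth-source-search :max 1 spec)))
         (secret (plist-get entry :secret)))
    (if (functionp secret) (funcall secret) secret)))

(defun tramp-cluster-lookup-secret (user host)
  "Look up a password for USER@HOST: the host itself first, then its clusters.
Return the secret string or nil.  Since only \"machine\" and \"password\"
are mandatory in ~/.authinfo.gpg, cluster entries are queried by :host
alone, so a line like \"machine Funny-Machines password ...\" suffices."
  (or (tramp-cluster--secret-for (list :host host :user user))
      (cl-some (lambda (name) (tramp-cluster--secret-for (list :host name)))
               (tramp-cluster--names-for user host))))

;; Usage (needs a matching entry in one of your auth-sources):
;; (tramp-cluster-lookup-secret "root" "10.0.0.7")
```

With the sample alist, "root@10.0.0.7" resolves to the "Funny-Machines" cluster only after a per-host entry for 10.0.0.7 has been tried, which is the precedence the mail asks Tramp to apply to every resource, not just passwords.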