From: akater
Newsgroups: gmane.emacs.devel
Subject: Reconsider password-cache policy
Date: Mon, 26 Jul 2021 12:52:44 +0000
Message-ID: <87h7ghz17n.fsf@gmail.com>
To: emacs-devel@gnu.org

Consider the following snippet from =tramp.el=:

#+begin_example elisp
;; Try the password cache.
(progn
  (setq auth-passwd (password-read pw-prompt key)
        tramp-password-save-function
        (lambda () (password-cache-add key auth-passwd)))
  auth-passwd)
#+end_example

I think that if the intent of the progn form is to “try the password cache” then such trial should fail whenever password caching is turned off, i.e. when the ~password-cache~ variable is set to nil.

This suggestion will likely be questioned but in any case, there seems to be no way at all to prevent TRAMP from caching passwords. Cf. ~auth-source-do-cache~ variable; there does not seem to be any equivalent in TRAMP. So there should be a ~tramp-do-password-cache~ variable at least.

However, I have no doubts that if ~password-cache~ is set to nil then ~password-data~ must be kept empty. Authors of third party libraries should not attempt to use password cache when ~password-cache~ is nil. Thus, ~password-cache-add~ should always check the value of ~password-cache~ before doing anything and if yes, it should emit a warning that there was an attempt to add a password to cache but ~password-cache~ is nil.

So, at the very least in ~tramp-read-passwd~ there should be

#+begin_example elisp
;; Try the password cache.
(when tramp-do-password-cache
  (setq auth-passwd (password-read pw-prompt key)
        tramp-password-save-function
        (lambda () (password-cache-add key auth-passwd)))
  auth-passwd)
#+end_example

with a newly defined ~tramp-do-password-cache~ variable.

But I certainly suggest to go further, explicitly warn third party library authors against using password cache when ~password-cache~ is nil, and alter (at least) the definitions of

- ~tramp-read-passwd~:
#+begin_example elisp
;; Try the password cache.
(when password-cache
  (setq auth-passwd (password-read pw-prompt key)
        tramp-password-save-function
        (lambda () (password-cache-add key auth-passwd)))
  auth-passwd)
#+end_example

- ~password-cache-add~:
#+begin_example elisp
(defun password-cache-add (key password)
  "Add password to cache.
The password is removed by a timer after `password-cache-expiry' seconds."
  (if (not password-cache)
      (warn (format "There was an attempt to add a password to cache while `%s' is nil"
                    'password-cache))
    (when (and password-cache-expiry
               (eq (gethash key password-data 'password-cache-no-data)
                   'password-cache-no-data))
      (run-at-time password-cache-expiry nil
                   #'password-cache-remove
                   key))
    (puthash key password password-data))
  nil)
#+end_example

- ~auth-source-search~:
#+begin_example elisp
(when password-cache
  (auth-source-remember spec found))
#+end_example

and alias ~auth-source-do-cache~ variable to ~password-cache~, marking it as obsolete.

There is no point in allowing one library to use the cache but disallowing another to do it. It does not help with security as any Elisp code can access that data anyway, any time, while added complexity is always bad for security. In contrast, there certainly must be a clear way to turn caching off once and for all. Given the current policy, it cannot possibly exist. Multiplying ~..-do-cache~ variables across elisp libraries will not do users any good.

I also think that password caching should be turned off by default.
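The gate the message proposes for ~password-cache-add~ can be approximated from a user's init file with advice. The block below is an added example, not code from the original message or from Emacs. It assumes ~password-data~ is a hash table, as in the snippets above, and every =my/= name is hypothetical.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: not from the original message and not part of Emacs.
;; All `my/' names are hypothetical.
(require 'password-cache)
(require 'auth-source)

(defun my/password-cache-add-guard (&rest _args)
  "Let `password-cache-add' run only while `password-cache' is non-nil.
Installed as :before-while advice, so a nil return skips the original
function and nothing is stored in `password-data'."
  (or password-cache
      (progn
        (lwarn 'password-cache :warning
               "Attempt to add a password to cache while `password-cache' is nil")
        nil)))

(defun my/disable-password-caching ()
  "Turn caching off for every caller of `password-cache-add' and flush it."
  (interactive)
  (setq password-cache nil
        auth-source-do-cache nil)
  (advice-add 'password-cache-add :before-while #'my/password-cache-add-guard)
  (auth-source-forget-all-cached)   ; drop auth-source's cached entries
  (password-reset))                 ; clear whatever is left in `password-data'

(defun my/password-cache-guard-works-p ()
  "Return non-nil if a `password-cache-add' call stores nothing.
Uses a constructed key and secret; the secret is a fresh string so that
cleaning it up does not modify a literal."
  (let ((key "my/constructed-test-key")
        (secret (copy-sequence "constructed-secret")))
    (password-cache-add key secret)
    (prog1 (eq (gethash key password-data 'absent) 'absent)
      ;; If the guard is missing, remove the test entry again.
      (password-cache-remove key))))
```

Code that writes to ~password-data~ directly with ~puthash~ bypasses the advice, so ~my/password-cache-guard-works-p~ only covers callers that go through ~password-cache-add~.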