can emacs use the mac os x keychain?

can emacs use the mac os x keychain?

[vm user]

hi all, several emacs packages such as tramp and VM ask for
passwords.  does anyone know how to make emacs get the password from
the mac os x keychain instead of having to type it every time?
thanks...

Re: can emacs use the mac os x keychain?

[Barry Margolin]

In article 
<370a1897-25aa-418f-9631-1570dfa99de3@z7g2000yqb.googlegroups.com>,
 vm user <emacs_user@hotmail.com> wrote:

> hi all, several emacs packages such as tramp and VM ask for
> passwords.  does anyone know how to make emacs get the password from
> the mac os x keychain instead of having to type it every time?
> thanks...

If you're using tramp's ssh method, you can install SSHKeychain.

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Wed, 21 Apr 2010 00:02:17 -0400 Barry Margolin <barmar@alum.mit.edu> wrote: 

BM> In article 
BM> <370a1897-25aa-418f-9631-1570dfa99de3@z7g2000yqb.googlegroups.com>,
BM>  vm user <emacs_user@hotmail.com> wrote:

>> hi all, several emacs packages such as tramp and VM ask for
>> passwords.  does anyone know how to make emacs get the password from
>> the mac os x keychain instead of having to type it every time?
>> thanks...

BM> If you're using tramp's ssh method, you can install SSHKeychain.

Can this be called by other code?  I could add support in
auth-source.el to look in the OS X keychain.

Ted

Re: can emacs use the mac os x keychain?

[Barry Margolin]

In article <87633kaess.fsf@lifelogs.com>,
 Ted Zlatanov <tzz@lifelogs.com> wrote:

> On Wed, 21 Apr 2010 00:02:17 -0400 Barry Margolin <barmar@alum.mit.edu> 
> wrote: 
> 
> BM> In article 
> BM> <370a1897-25aa-418f-9631-1570dfa99de3@z7g2000yqb.googlegroups.com>,
> BM>  vm user <emacs_user@hotmail.com> wrote:
> 
> >> hi all, several emacs packages such as tramp and VM ask for
> >> passwords.  does anyone know how to make emacs get the password from
> >> the mac os x keychain instead of having to type it every time?
> >> thanks...
> 
> BM> If you're using tramp's ssh method, you can install SSHKeychain.
> 
> Can this be called by other code?  I could add support in
> auth-source.el to look in the OS X keychain.

SSHKeychain operates an ssh-agent, so it's only useful for applications 
that use SSH keys.

Here's the docuemntation of Apple's Keychain API:

http://developer.apple.com/mac/library/documentation/Security/Reference/k
eychainservices/Reference/reference.html

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: can emacs use the mac os x keychain?

[vm user]

On Apr 21, 1:36 pm, Ted Zlatanov <t...@lifelogs.com> wrote:
> On Wed, 21 Apr 2010 00:02:17 -0400 Barry Margolin <bar...@alum.mit.edu> wrote:
>
> BM> In article
> BM> <370a1897-25aa-418f-9631-1570dfa99...@z7g2000yqb.googlegroups.com>,
> BM>  vm user <emacs_u...@hotmail.com> wrote:
>
> >> hi all, several emacs packages such as tramp and VM ask for
> >> passwords.  does anyone know how to make emacs get the password from
> >> the mac os x keychain instead of having to type it every time?
> >> thanks...
>
> BM> If you're using tramp's ssh method, you can install SSHKeychain.
>
> Can this be called by other code?  I could add support in
> auth-source.el to look in the OS X keychain.
>
> Ted

does this mean that the keychain would be available to all emacs
application using passwords?  e.g. vm, tramp, epg...  that would
certainly be fantastic...

Re: can emacs use the mac os x keychain?

[vm user]

On Jul 1, 12:20 pm, Ted Zlatanov <t...@lifelogs.com> wrote:
> (sorry for the long delay)
>
> On Thu, 22 Apr 2010 19:18:15 -0700 (PDT) vm user <emacs_u...@hotmail.com> wrote:
>
> vu> does this mean that the keychain would be available to all emacs
> vu> application using passwords?  e.g. vm, tramp, epg...  that would
> vu> certainly be fantastic...
>
> Sure.  We (Michael Albinus, really) just added support for the Secrets
> API, which is for Linux only, and auth-source is set up to handle
> multiple source types already.
>
> On Wed, 21 Apr 2010 20:58:26 -0400 Barry Margolin <bar...@alum.mit.edu> wrote:
>
> BM> Here's the docuemntation of Apple's Keychain API:
>
> BM>http://developer.apple.com/mac/library/documentation/Security/Referen...
>
> Unless there's a helper program or support inside Emacs (the latter is
> unlikely IMO) it's not possible to query this API from within Emacs.
>
> Ted

I am quite an ignorant in these things, but does the following help?
http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code

Re: can emacs use the mac os x keychain?

[Uday S Reddy]

vm user wrote:

> 
> does this mean that the keychain would be available to all emacs
> application using passwords?  e.g. vm, tramp, epg...  that would
> certainly be fantastic...

I have just added auth-source retrieval of passwords to VM.  It is on the 
trunk, revision 891.  So, whatever sources are supported by auth-source will be 
available in VM.

It seems quite painless to use EasyPG-encrypted storage (.authinfo.gpg file). 
Please give it a try.

Cheers,
Uday

Re: can emacs use the mac os x keychain?

[Uday S Reddy]

Ted Zlatanov wrote:

> BM> Here's the docuemntation of Apple's Keychain API:
> 
> BM> http://developer.apple.com/mac/library/documentation/Security/Reference/keychainservices/Reference/reference.html
> 
> Unless there's a helper program or support inside Emacs (the latter is
> unlikely IMO) it's not possible to query this API from within Emacs.

Ted, does this mean that your earlier post is retracted?  I am not sure what 
else it means to add Apple keychain support to auth-source.

Another question that I always wondered about.  Does auth-source allow for 
multiple logins on the same server/protocol combination?

Cheers,
Uday

Re: can emacs use the mac os x keychain?

[vm user]

On Jul 25, 4:04 pm, Uday S Reddy <uDOTsDOTre...@cs.bham.ac.uk> wrote:
> vm user wrote:
>
> > does this mean that the keychain would be available to all emacs
> > application using passwords?  e.g. vm, tramp, epg...  that would
> > certainly be fantastic...
>
> I have just added auth-source retrieval of passwords to VM.  It is on the
> trunk, revision 891.  So, whatever sources are supported by auth-source will be
> available in VM.

nice

> It seems quite painless to use EasyPG-encrypted storage (.authinfo.gpg file).
> Please give it a try.

certainly an improvement!  would still be good to have the keychain
support, as this would mean that a password needs to be typed only
upon login...

> Cheers,
> Uday

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Sat, 24 Jul 2010 20:36:18 -0700 (PDT) vm user <emacs_user@hotmail.com> wrote: 

vu> On Jul 1, 12:20 pm, Ted Zlatanov <t...@lifelogs.com> wrote:

>> Unless there's a helper program or support inside Emacs (the latter is
>> unlikely IMO) it's not possible to query this API from within Emacs.

vu> I am quite an ignorant in these things, but does the following help?
vu> http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code

That seems useful.  I think auth-source needs a general protocol to talk
to helper applications when Emacs itself doesn't support it.  This can
be tricky because of the security implications of passing passwords.
EPG does it well but I don't know the specifics.  So there's really
three parts:

1) define a helper protocol to pass auth request parameters in the
environment somehow

2) read the password back securely

3) write an implementation that works with the Mac OS X keychain

Contributions welcome on all 3 items.  I don't know if I'll have time
soon to work on this, but feedback would certainly help.

On Sun, 25 Jul 2010 21:09:30 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> Another question that I always wondered about.  Does auth-source allow
USR> for multiple logins on the same server/protocol combination?

Not currently.  The first one found is picked IIRC.  I think it would
make the UI significantly more complex to allow multiples and perhaps
confuse users.  The advanced users that need that can typically use
aliases for the server name.  Do you see a need for it?

Ted

Re: can emacs use the mac os x keychain?

[Uday S Reddy]

Ted Zlatanov wrote:

> USR> Another question that I always wondered about.  Does auth-source allow
> USR> for multiple logins on the same server/protocol combination?
> 
> Not currently.  The first one found is picked IIRC.  I think it would
> make the UI significantly more complex to allow multiples and perhaps
> confuse users.  The advanced users that need that can typically use
> aliases for the server name.  Do you see a need for it?

Yes, I think it is needed.  Some people maintain multiple email accounts on 
ISP's like gmail, hotmail etc.  In organizations, it is common for people to 
have a personal email account and, separately, one or more role-based or team 
email accounts (techsupport, sales, admissions, ...).  I know that many novice 
users might find it hard to deal with it.  But, gmail and hotmail are educating 
them fast.  So, yes, restricting to single email accounts per server would be a 
serious limitation.

I am not sure what you mean by UI getting complex.  The only user interaction 
seems to be to ask for a passphrase.  (There is a problem at the moment because 
it doesn't say passphrase for which auth-source.  So, if somebody happens to 
use multiple auth-sources with different passphrases, they would be in trouble!)

If you instead mean the API getting complex, one could call 
auth-source-user-or-password with '("login" "password") as the MODE and get 
back a list of results.  A simple `assoc' would give the desired password.

Cheers,
Uday

auth-source multiple accounts (was: can emacs use the mac os x keychain?)

[Ted Zlatanov]

On Mon, 26 Jul 2010 15:47:30 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> Ted Zlatanov wrote:
USR> Another question that I always wondered about.  Does auth-source allow
USR> for multiple logins on the same server/protocol combination?
>> 
>> Not currently.  The first one found is picked IIRC.  I think it would
>> make the UI significantly more complex to allow multiples and perhaps
>> confuse users.  The advanced users that need that can typically use
>> aliases for the server name.  Do you see a need for it?

USR> Yes, I think it is needed.
...
USR> I am not sure what you mean by UI getting complex.  The only user
USR> interaction seems to be to ask for a passphrase.  (There is a problem
USR> at the moment because it doesn't say passphrase for which auth-source.
USR> So, if somebody happens to use multiple auth-sources with different
USR> passphrases, they would be in trouble!)

The passphrase query is actually from EPG/EPA I think (you're referring
to the decoding of the .gpg file, right?) so it's outside of
auth-source.  The other source type is the Secrets API which requests
the passphrase externally as well.  auth-source currently does not
interact with the user.

Maybe it's better to use auth-source-pick parameters, something like
(account "my-account-1") coupled with "account my-account-1" in the
netrc file.  In Gnus we can do it since each server entry has its own
name which can be separate from the actual server address.  Will that
work in VM, giving a logical name to each account?  See auth-source-pick
and auth-source-user-or-password for the details; the query data format
is pretty simple thanks to Michael Albinus' help recently.

Ted

Re: auth-source multiple accounts

[Uday S Reddy]

Ted Zlatanov wrote:

> Maybe it's better to use auth-source-pick parameters, something like
> (account "my-account-1") coupled with "account my-account-1" in the
> netrc file.  In Gnus we can do it since each server entry has its own
> name which can be separate from the actual server address.  Will that
> work in VM, giving a logical name to each account?  See auth-source-pick
> and auth-source-user-or-password for the details; the query data format
> is pretty simple thanks to Michael Albinus' help recently.

I don't follow everything you say.

We do have logical account names in VM.  Are you saying that we could use them 
in the netrc file as the "machine", instead of the actual host name?  We could. 
  But I suppose the users will wonder why these things are supposed to be 
called "machines".

But I am not sure how auth-source-pick can help with this problem.  It seems 
like a way to pick a source file.

Cheers,
Uday

Re: auth-source multiple accounts

[Ted Zlatanov]

On Mon, 26 Jul 2010 22:21:19 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> We do have logical account names in VM.  Are you saying that we could
USR> use them in the netrc file as the "machine", instead of the actual
USR> host name?  We could. But I suppose the users will wonder why these
USR> things are supposed to be called "machines".

I mean "machine" will still be the server name but VM will also pass an
optional (account "xyz") query parameter to
auth-source-user-or-password, which will find "account xyz" in the netrc
file.

I'll add another optional parameter QUERIES to
auth-source-user-or-password.  It will be an alist.  When a query is not
specified you'd still get the first match (thus it's backwards
compatible).  Does all that sound reasonable?

USR> But I am not sure how auth-source-pick can help with this problem.  It
USR> seems like a way to pick a source file.

Sorry, I made a mistake, just see auth-source-user-or-password.
auth-source-pick deals with auth-source backends, which VM doesn't care
about.

Ted

Re: auth-source multiple accounts

[Uday S Reddy]

Ted Zlatanov wrote:

> I mean "machine" will still be the server name but VM will also pass an
> optional (account "xyz") query parameter to
> auth-source-user-or-password, which will find "account xyz" in the netrc
> file.
> 
> I'll add another optional parameter QUERIES to
> auth-source-user-or-password.  It will be an alist.  When a query is not
> specified you'd still get the first match (thus it's backwards
> compatible).  Does all that sound reasonable?

Adding a QUERIES parameter is good but I would urge you to allow (login "xyz") 
as a possible query.

For looking up email passwords, the "account" attribute seems like an overkill. 
  What would users put as their "account", if not their login id?  Since they 
are already using the "login" parameter to write their login id, it seems like 
unnecessary duplication.

Thanks for all your help!

Cheers,
Uday

Re: auth-source multiple accounts

[Ted Zlatanov]

On Tue, 27 Jul 2010 18:19:13 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> Ted Zlatanov wrote:
>> I mean "machine" will still be the server name but VM will also pass an
>> optional (account "xyz") query parameter to
>> auth-source-user-or-password, which will find "account xyz" in the netrc
>> file.
>> 
>> I'll add another optional parameter QUERIES to
>> auth-source-user-or-password.  It will be an alist.  When a query is not
>> specified you'd still get the first match (thus it's backwards
>> compatible).  Does all that sound reasonable?

USR> Adding a QUERIES parameter is good but I would urge you to allow
USR> (login "xyz") as a possible query.

USR> For looking up email passwords, the "account" attribute seems like an
USR> overkill. What would users put as their "account", if not their login
USR> id?  Since they are already using the "login" parameter to write their
USR> login id, it seems like unnecessary duplication.

I want to make it more generic with QUERIES since not every auth-source
API user will want the login ID to be a query key.  VM and Gnus have
this kind of data hierarchy but url*.el doesn't, for example.  I think
that's a good compromise and doesn't extend the API too much.

From VM you would pass me (k v) as the query, e.g. (login "xyz").  In
the netrc/authinfo file, then, I would match only lines with

.... login xyz ....

in them.  So the query key and value are a contract between the
application and the user.  auth-source is just a conduit.  If VM
standardizes on (login "xyz") then we'll add a VM-specific section to
the auth.texi manual giving an example.  For Gnus we'll probably use
(server "xyz") because the Gnus configuration hierarchy is structured
that way.

Ted

Re: auth-source multiple accounts

[Uday S Reddy]

On 7/27/2010 6:59 PM, Ted Zlatanov wrote:

>
> I want to make it more generic with QUERIES since not every auth-source
> API user will want the login ID to be a query key.  VM and Gnus have
> this kind of data hierarchy but url*.el doesn't, for example.  I think
> that's a good compromise and doesn't extend the API too much.
>
>  From VM you would pass me (k v) as the query, e.g. (login "xyz").  In
> the netrc/authinfo file, then, I would match only lines with
>
> .... login xyz ....
>
> in them.  So the query key and value are a contract between the
> application and the user.  auth-source is just a conduit.  If VM
> standardizes on (login "xyz") then we'll add a VM-specific section to
> the auth.texi manual giving an example.  For Gnus we'll probably use
> (server "xyz") because the Gnus configuration hierarchy is structured
> that way.

Hi Ted, I am entirely in support of the general queries feature. as long it 
includes login-queries.

However, there is another problem.  (Sorry to be bringing up so many problems:-(

I suppose auth-source is part of the Gnus distribution.  Am I right?  So, 
people are going to be using different versions of auth-source, obtained via 
the Gnus distribution, FSF distribution and XEmacs distribution (not to mention 
other independent distros).  It will take years for all of these distributions 
to converge.

So, I won't be able to use the new version of auth-source-user-or-password in 
VM until I can be sure that all our users have retired the old version.  Sounds 
terrible, doesn't it?  When we deal with independent distributions, it appears 
that backward-compatibility is not enough; forward-compatibility is also needed.

One solution is to add a new function instead of adding an optional parameter 
to the existing function.  Then I can test to see if the new function exists 
and use the querying functionality if it does.

Cheers,
Uday

Re: auth-source multiple accounts

[Uday S Reddy]

On 7/28/2010 2:07 PM, Ted Zlatanov wrote:

> auth-source.el (specifically, auth-source-user-or-password) will work
> either way.  The new query parameter is optional so at worst the user
> will get the wrong password.  There will be no error.  So you don't have
> to give up on old versions.  Just warn the user that the account won't
> be part of the lookup.

Yes, but, if I call auth-source-user-or-password with the extra parameter, and 
the user is using an old version of auth-source.el, there will be an error. 
But the version number idea is good.  I can test for it before calling.

Let me know when you have the new version ready so that I can test it along 
with VM.

Cheers,
Uday

Re: auth-source multiple accounts

[Ted Zlatanov]

On Wed, 28 Jul 2010 22:39:11 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> On 7/28/2010 2:07 PM, Ted Zlatanov wrote:
>> auth-source.el (specifically, auth-source-user-or-password) will work
>> either way.  The new query parameter is optional so at worst the user
>> will get the wrong password.  There will be no error.  So you don't have
>> to give up on old versions.  Just warn the user that the account won't
>> be part of the lookup.

USR> Yes, but, if I call auth-source-user-or-password with the extra
USR> parameter, and the user is using an old version of auth-source.el,
USR> there will be an error. But the version number idea is good.  I can
USR> test for it before calling.

USR> Let me know when you have the new version ready so that I can test it
USR> along with VM.

Please see my auth-source API proposal in the Gnus 'ding' mailing list
or in the Tramp mailing list.  I need to know if you find it acceptable
to resolve the multiple account issue.

Thanks
Ted

Re: auth-source multiple accounts

[Ted Zlatanov]

On Wed, 28 Jul 2010 22:39:11 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> On 7/28/2010 2:07 PM, Ted Zlatanov wrote:
>> auth-source.el (specifically, auth-source-user-or-password) will work
>> either way.  The new query parameter is optional so at worst the user
>> will get the wrong password.  There will be no error.  So you don't have
>> to give up on old versions.  Just warn the user that the account won't
>> be part of the lookup.

USR> Yes, but, if I call auth-source-user-or-password with the extra
USR> parameter, and the user is using an old version of auth-source.el,
USR> there will be an error. But the version number idea is good.  I can
USR> test for it before calling.

USR> Let me know when you have the new version ready so that I can test it
USR> along with VM.

There's a much improved `auth-source-search' function in Emacs now.  I
think it will do what you need, and you can simply check if it exists
and fall back on `auth-source-user-or-password' otherwise.  The
docstring is as complete as I could make it and I hope it answers any
questions.

Thanks
Ted

Re: auth-source multiple accounts

[Ted Zlatanov]

Uday, I tried posting and e-mailing this to you several times now.  I
hope you see it if I cross-post to the vminfo mailing list.

The auth-source library has been much improved.  Can you please take a
look at the new `auth-source-search' function and see if it fits VM's
needs as we discussed a while ago.  Let me know if you want to discuss
only on the vminfo list; I'll assume otherwise you'll reply to
emacs-help.

Here are the thread message IDs, all posted on this group under this
subject.

<370a1897-25aa-418f-9631-1570dfa99de3@z7g2000yqb.googlegroups.com>
	<barmar-C56D33.00021721042010@news.eternal-september.org>
	<87633kaess.fsf@lifelogs.com>
	<8d7c78ee-6ba8-448a-8f86-3d585e1af77f@u32g2000vbc.googlegroups.com>
	<87vd8z2myy.fsf@lifelogs.com>
	<01ea3506-d715-491d-b360-3abf34e98013@i31g2000yqm.googlegroups.com>
	<87r5iq1hjk.fsf@lifelogs.com> <i2k762$rck$1@north.jnrs.ja.net>
	<87630211kx.fsf_-_@lifelogs.com> <i2ku8g$53t$1@north.jnrs.ja.net>
	<87mxtdvx2d.fsf@lifelogs.com> <i2n4eh$q2f$1@north.jnrs.ja.net>
	<87pqy8vmah.fsf@lifelogs.com> <i2njfj$1fl$1@north.jnrs.ja.net>
	<87y6cvu53t.fsf@lifelogs.com> <i2q827$rvg$1@north.jnrs.ja.net>
        <8762smntzg.fsf@lifelogs.com>

Thanks
Ted

Re: auth-source multiple accounts

[Uday Reddy]

Ted Zlatanov wrote:
> Uday, I tried posting and e-mailing this to you several times now.  I
> hope you see it if I cross-post to the vminfo mailing list.

Hi Ted, I have indeed received your email prompt a week or two ago, and
I have it on my TO DO list to look at the new version of auth-source
library.  I will get back to you.

Cheers,
Uday