can emacs use the mac os x keychain?

can emacs use the mac os x keychain?

[vm user]

hi all, several emacs packages such as tramp and VM ask for
passwords.  does anyone know how to make emacs get the password from
the mac os x keychain instead of having to type it every time?
thanks...

Re: can emacs use the mac os x keychain?

[Barry Margolin]

In article 
<370a1897-25aa-418f-9631-1570dfa99de3@z7g2000yqb.googlegroups.com>,
 vm user <emacs_user@hotmail.com> wrote:

> hi all, several emacs packages such as tramp and VM ask for
> passwords.  does anyone know how to make emacs get the password from
> the mac os x keychain instead of having to type it every time?
> thanks...

If you're using tramp's ssh method, you can install SSHKeychain.

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Wed, 21 Apr 2010 00:02:17 -0400 Barry Margolin <barmar@alum.mit.edu> wrote: 

BM> In article 
BM> <370a1897-25aa-418f-9631-1570dfa99de3@z7g2000yqb.googlegroups.com>,
BM>  vm user <emacs_user@hotmail.com> wrote:

>> hi all, several emacs packages such as tramp and VM ask for
>> passwords.  does anyone know how to make emacs get the password from
>> the mac os x keychain instead of having to type it every time?
>> thanks...

BM> If you're using tramp's ssh method, you can install SSHKeychain.

Can this be called by other code?  I could add support in
auth-source.el to look in the OS X keychain.

Ted

Re: can emacs use the mac os x keychain?

[Barry Margolin]

In article <87633kaess.fsf@lifelogs.com>,
 Ted Zlatanov <tzz@lifelogs.com> wrote:

> On Wed, 21 Apr 2010 00:02:17 -0400 Barry Margolin <barmar@alum.mit.edu> 
> wrote: 
> 
> BM> In article 
> BM> <370a1897-25aa-418f-9631-1570dfa99de3@z7g2000yqb.googlegroups.com>,
> BM>  vm user <emacs_user@hotmail.com> wrote:
> 
> >> hi all, several emacs packages such as tramp and VM ask for
> >> passwords.  does anyone know how to make emacs get the password from
> >> the mac os x keychain instead of having to type it every time?
> >> thanks...
> 
> BM> If you're using tramp's ssh method, you can install SSHKeychain.
> 
> Can this be called by other code?  I could add support in
> auth-source.el to look in the OS X keychain.

SSHKeychain operates an ssh-agent, so it's only useful for applications 
that use SSH keys.

Here's the docuemntation of Apple's Keychain API:

http://developer.apple.com/mac/library/documentation/Security/Reference/k
eychainservices/Reference/reference.html

-- 
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Re: can emacs use the mac os x keychain?

[vm user]

On Apr 21, 1:36 pm, Ted Zlatanov <t...@lifelogs.com> wrote:
> On Wed, 21 Apr 2010 00:02:17 -0400 Barry Margolin <bar...@alum.mit.edu> wrote:
>
> BM> In article
> BM> <370a1897-25aa-418f-9631-1570dfa99...@z7g2000yqb.googlegroups.com>,
> BM>  vm user <emacs_u...@hotmail.com> wrote:
>
> >> hi all, several emacs packages such as tramp and VM ask for
> >> passwords.  does anyone know how to make emacs get the password from
> >> the mac os x keychain instead of having to type it every time?
> >> thanks...
>
> BM> If you're using tramp's ssh method, you can install SSHKeychain.
>
> Can this be called by other code?  I could add support in
> auth-source.el to look in the OS X keychain.
>
> Ted

does this mean that the keychain would be available to all emacs
application using passwords?  e.g. vm, tramp, epg...  that would
certainly be fantastic...

Re: can emacs use the mac os x keychain?

[vm user]

On Jul 1, 12:20 pm, Ted Zlatanov <t...@lifelogs.com> wrote:
> (sorry for the long delay)
>
> On Thu, 22 Apr 2010 19:18:15 -0700 (PDT) vm user <emacs_u...@hotmail.com> wrote:
>
> vu> does this mean that the keychain would be available to all emacs
> vu> application using passwords?  e.g. vm, tramp, epg...  that would
> vu> certainly be fantastic...
>
> Sure.  We (Michael Albinus, really) just added support for the Secrets
> API, which is for Linux only, and auth-source is set up to handle
> multiple source types already.
>
> On Wed, 21 Apr 2010 20:58:26 -0400 Barry Margolin <bar...@alum.mit.edu> wrote:
>
> BM> Here's the docuemntation of Apple's Keychain API:
>
> BM>http://developer.apple.com/mac/library/documentation/Security/Referen...
>
> Unless there's a helper program or support inside Emacs (the latter is
> unlikely IMO) it's not possible to query this API from within Emacs.
>
> Ted

I am quite an ignorant in these things, but does the following help?
http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code

Re: can emacs use the mac os x keychain?

[Uday S Reddy]

vm user wrote:

> 
> does this mean that the keychain would be available to all emacs
> application using passwords?  e.g. vm, tramp, epg...  that would
> certainly be fantastic...

I have just added auth-source retrieval of passwords to VM.  It is on the 
trunk, revision 891.  So, whatever sources are supported by auth-source will be 
available in VM.

It seems quite painless to use EasyPG-encrypted storage (.authinfo.gpg file). 
Please give it a try.

Cheers,
Uday

Re: can emacs use the mac os x keychain?

[Uday S Reddy]

Ted Zlatanov wrote:

> BM> Here's the docuemntation of Apple's Keychain API:
> 
> BM> http://developer.apple.com/mac/library/documentation/Security/Reference/keychainservices/Reference/reference.html
> 
> Unless there's a helper program or support inside Emacs (the latter is
> unlikely IMO) it's not possible to query this API from within Emacs.

Ted, does this mean that your earlier post is retracted?  I am not sure what 
else it means to add Apple keychain support to auth-source.

Another question that I always wondered about.  Does auth-source allow for 
multiple logins on the same server/protocol combination?

Cheers,
Uday

Re: can emacs use the mac os x keychain?

[vm user]

On Jul 25, 4:04 pm, Uday S Reddy <uDOTsDOTre...@cs.bham.ac.uk> wrote:
> vm user wrote:
>
> > does this mean that the keychain would be available to all emacs
> > application using passwords?  e.g. vm, tramp, epg...  that would
> > certainly be fantastic...
>
> I have just added auth-source retrieval of passwords to VM.  It is on the
> trunk, revision 891.  So, whatever sources are supported by auth-source will be
> available in VM.

nice

> It seems quite painless to use EasyPG-encrypted storage (.authinfo.gpg file).
> Please give it a try.

certainly an improvement!  would still be good to have the keychain
support, as this would mean that a password needs to be typed only
upon login...

> Cheers,
> Uday

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Sat, 24 Jul 2010 20:36:18 -0700 (PDT) vm user <emacs_user@hotmail.com> wrote: 

vu> On Jul 1, 12:20 pm, Ted Zlatanov <t...@lifelogs.com> wrote:

>> Unless there's a helper program or support inside Emacs (the latter is
>> unlikely IMO) it's not possible to query this API from within Emacs.

vu> I am quite an ignorant in these things, but does the following help?
vu> http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code

That seems useful.  I think auth-source needs a general protocol to talk
to helper applications when Emacs itself doesn't support it.  This can
be tricky because of the security implications of passing passwords.
EPG does it well but I don't know the specifics.  So there's really
three parts:

1) define a helper protocol to pass auth request parameters in the
environment somehow

2) read the password back securely

3) write an implementation that works with the Mac OS X keychain

Contributions welcome on all 3 items.  I don't know if I'll have time
soon to work on this, but feedback would certainly help.

On Sun, 25 Jul 2010 21:09:30 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> Another question that I always wondered about.  Does auth-source allow
USR> for multiple logins on the same server/protocol combination?

Not currently.  The first one found is picked IIRC.  I think it would
make the UI significantly more complex to allow multiples and perhaps
confuse users.  The advanced users that need that can typically use
aliases for the server name.  Do you see a need for it?

Ted

Re: can emacs use the mac os x keychain?

[Uday S Reddy]

Ted Zlatanov wrote:

> USR> Another question that I always wondered about.  Does auth-source allow
> USR> for multiple logins on the same server/protocol combination?
> 
> Not currently.  The first one found is picked IIRC.  I think it would
> make the UI significantly more complex to allow multiples and perhaps
> confuse users.  The advanced users that need that can typically use
> aliases for the server name.  Do you see a need for it?

Yes, I think it is needed.  Some people maintain multiple email accounts on 
ISP's like gmail, hotmail etc.  In organizations, it is common for people to 
have a personal email account and, separately, one or more role-based or team 
email accounts (techsupport, sales, admissions, ...).  I know that many novice 
users might find it hard to deal with it.  But, gmail and hotmail are educating 
them fast.  So, yes, restricting to single email accounts per server would be a 
serious limitation.

I am not sure what you mean by UI getting complex.  The only user interaction 
seems to be to ask for a passphrase.  (There is a problem at the moment because 
it doesn't say passphrase for which auth-source.  So, if somebody happens to 
use multiple auth-sources with different passphrases, they would be in trouble!)

If you instead mean the API getting complex, one could call 
auth-source-user-or-password with '("login" "password") as the MODE and get 
back a list of results.  A simple `assoc' would give the desired password.

Cheers,
Uday

auth-source multiple accounts (was: can emacs use the mac os x keychain?)

[Ted Zlatanov]

On Mon, 26 Jul 2010 15:47:30 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> Ted Zlatanov wrote:
USR> Another question that I always wondered about.  Does auth-source allow
USR> for multiple logins on the same server/protocol combination?
>> 
>> Not currently.  The first one found is picked IIRC.  I think it would
>> make the UI significantly more complex to allow multiples and perhaps
>> confuse users.  The advanced users that need that can typically use
>> aliases for the server name.  Do you see a need for it?

USR> Yes, I think it is needed.
...
USR> I am not sure what you mean by UI getting complex.  The only user
USR> interaction seems to be to ask for a passphrase.  (There is a problem
USR> at the moment because it doesn't say passphrase for which auth-source.
USR> So, if somebody happens to use multiple auth-sources with different
USR> passphrases, they would be in trouble!)

The passphrase query is actually from EPG/EPA I think (you're referring
to the decoding of the .gpg file, right?) so it's outside of
auth-source.  The other source type is the Secrets API which requests
the passphrase externally as well.  auth-source currently does not
interact with the user.

Maybe it's better to use auth-source-pick parameters, something like
(account "my-account-1") coupled with "account my-account-1" in the
netrc file.  In Gnus we can do it since each server entry has its own
name which can be separate from the actual server address.  Will that
work in VM, giving a logical name to each account?  See auth-source-pick
and auth-source-user-or-password for the details; the query data format
is pretty simple thanks to Michael Albinus' help recently.

Ted

Re: auth-source multiple accounts

[Uday S Reddy]

Ted Zlatanov wrote:

> Maybe it's better to use auth-source-pick parameters, something like
> (account "my-account-1") coupled with "account my-account-1" in the
> netrc file.  In Gnus we can do it since each server entry has its own
> name which can be separate from the actual server address.  Will that
> work in VM, giving a logical name to each account?  See auth-source-pick
> and auth-source-user-or-password for the details; the query data format
> is pretty simple thanks to Michael Albinus' help recently.

I don't follow everything you say.

We do have logical account names in VM.  Are you saying that we could use them 
in the netrc file as the "machine", instead of the actual host name?  We could. 
  But I suppose the users will wonder why these things are supposed to be 
called "machines".

But I am not sure how auth-source-pick can help with this problem.  It seems 
like a way to pick a source file.

Cheers,
Uday

Re: auth-source multiple accounts

[Ted Zlatanov]

On Mon, 26 Jul 2010 22:21:19 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> We do have logical account names in VM.  Are you saying that we could
USR> use them in the netrc file as the "machine", instead of the actual
USR> host name?  We could. But I suppose the users will wonder why these
USR> things are supposed to be called "machines".

I mean "machine" will still be the server name but VM will also pass an
optional (account "xyz") query parameter to
auth-source-user-or-password, which will find "account xyz" in the netrc
file.

I'll add another optional parameter QUERIES to
auth-source-user-or-password.  It will be an alist.  When a query is not
specified you'd still get the first match (thus it's backwards
compatible).  Does all that sound reasonable?

USR> But I am not sure how auth-source-pick can help with this problem.  It
USR> seems like a way to pick a source file.

Sorry, I made a mistake, just see auth-source-user-or-password.
auth-source-pick deals with auth-source backends, which VM doesn't care
about.

Ted

Re: auth-source multiple accounts

[Uday S Reddy]

Ted Zlatanov wrote:

> I mean "machine" will still be the server name but VM will also pass an
> optional (account "xyz") query parameter to
> auth-source-user-or-password, which will find "account xyz" in the netrc
> file.
> 
> I'll add another optional parameter QUERIES to
> auth-source-user-or-password.  It will be an alist.  When a query is not
> specified you'd still get the first match (thus it's backwards
> compatible).  Does all that sound reasonable?

Adding a QUERIES parameter is good but I would urge you to allow (login "xyz") 
as a possible query.

For looking up email passwords, the "account" attribute seems like an overkill. 
  What would users put as their "account", if not their login id?  Since they 
are already using the "login" parameter to write their login id, it seems like 
unnecessary duplication.

Thanks for all your help!

Cheers,
Uday

Re: auth-source multiple accounts

[Ted Zlatanov]

On Tue, 27 Jul 2010 18:19:13 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> Ted Zlatanov wrote:
>> I mean "machine" will still be the server name but VM will also pass an
>> optional (account "xyz") query parameter to
>> auth-source-user-or-password, which will find "account xyz" in the netrc
>> file.
>> 
>> I'll add another optional parameter QUERIES to
>> auth-source-user-or-password.  It will be an alist.  When a query is not
>> specified you'd still get the first match (thus it's backwards
>> compatible).  Does all that sound reasonable?

USR> Adding a QUERIES parameter is good but I would urge you to allow
USR> (login "xyz") as a possible query.

USR> For looking up email passwords, the "account" attribute seems like an
USR> overkill. What would users put as their "account", if not their login
USR> id?  Since they are already using the "login" parameter to write their
USR> login id, it seems like unnecessary duplication.

I want to make it more generic with QUERIES since not every auth-source
API user will want the login ID to be a query key.  VM and Gnus have
this kind of data hierarchy but url*.el doesn't, for example.  I think
that's a good compromise and doesn't extend the API too much.

From VM you would pass me (k v) as the query, e.g. (login "xyz").  In
the netrc/authinfo file, then, I would match only lines with

.... login xyz ....

in them.  So the query key and value are a contract between the
application and the user.  auth-source is just a conduit.  If VM
standardizes on (login "xyz") then we'll add a VM-specific section to
the auth.texi manual giving an example.  For Gnus we'll probably use
(server "xyz") because the Gnus configuration hierarchy is structured
that way.

Ted

Re: auth-source multiple accounts

[Uday S Reddy]

On 7/27/2010 6:59 PM, Ted Zlatanov wrote:

>
> I want to make it more generic with QUERIES since not every auth-source
> API user will want the login ID to be a query key.  VM and Gnus have
> this kind of data hierarchy but url*.el doesn't, for example.  I think
> that's a good compromise and doesn't extend the API too much.
>
>  From VM you would pass me (k v) as the query, e.g. (login "xyz").  In
> the netrc/authinfo file, then, I would match only lines with
>
> .... login xyz ....
>
> in them.  So the query key and value are a contract between the
> application and the user.  auth-source is just a conduit.  If VM
> standardizes on (login "xyz") then we'll add a VM-specific section to
> the auth.texi manual giving an example.  For Gnus we'll probably use
> (server "xyz") because the Gnus configuration hierarchy is structured
> that way.

Hi Ted, I am entirely in support of the general queries feature. as long it 
includes login-queries.

However, there is another problem.  (Sorry to be bringing up so many problems:-(

I suppose auth-source is part of the Gnus distribution.  Am I right?  So, 
people are going to be using different versions of auth-source, obtained via 
the Gnus distribution, FSF distribution and XEmacs distribution (not to mention 
other independent distros).  It will take years for all of these distributions 
to converge.

So, I won't be able to use the new version of auth-source-user-or-password in 
VM until I can be sure that all our users have retired the old version.  Sounds 
terrible, doesn't it?  When we deal with independent distributions, it appears 
that backward-compatibility is not enough; forward-compatibility is also needed.

One solution is to add a new function instead of adding an optional parameter 
to the existing function.  Then I can test to see if the new function exists 
and use the querying functionality if it does.

Cheers,
Uday

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Mon, 26 Jul 2010 08:47:27 -0500 Ted Zlatanov <tzz@lifelogs.com> wrote: 

TZ> On Sat, 24 Jul 2010 20:36:18 -0700 (PDT) vm user <emacs_user@hotmail.com> wrote: 
vu> On Jul 1, 12:20 pm, Ted Zlatanov <t...@lifelogs.com> wrote:

>>> Unless there's a helper program or support inside Emacs (the latter is
>>> unlikely IMO) it's not possible to query this API from within Emacs.

vu> I am quite an ignorant in these things, but does the following help?
vu> http://log.scifihifi.com/post/55837387/simple-iphone-keychain-code

TZ> That seems useful.  I think auth-source needs a general protocol to talk
TZ> to helper applications when Emacs itself doesn't support it.  This can
TZ> be tricky because of the security implications of passing passwords.
TZ> EPG does it well but I don't know the specifics.  So there's really
TZ> three parts:

TZ> 1) define a helper protocol to pass auth request parameters in the
TZ> environment somehow

TZ> 2) read the password back securely

TZ> 3) write an implementation that works with the Mac OS X keychain

Adrian, is there any chance that the NS Emacs port can provide those
keychain functions through an ELisp layer?  It would make it easier and
more secure to get user passwords, plus users wouldn't need to install
the helper program.

I don't know if there are any linking issues with that, so cc-ing
emacs-devel as well.

Thanks
Ted

Re: auth-source multiple accounts

[Uday S Reddy]

On 7/28/2010 2:07 PM, Ted Zlatanov wrote:

> auth-source.el (specifically, auth-source-user-or-password) will work
> either way.  The new query parameter is optional so at worst the user
> will get the wrong password.  There will be no error.  So you don't have
> to give up on old versions.  Just warn the user that the account won't
> be part of the lookup.

Yes, but, if I call auth-source-user-or-password with the extra parameter, and 
the user is using an old version of auth-source.el, there will be an error. 
But the version number idea is good.  I can test for it before calling.

Let me know when you have the new version ready so that I can test it along 
with VM.

Cheers,
Uday

Re: can emacs use the mac os x keychain?

[Adrian Robert]

> TZ> 1) define a helper protocol to pass auth request parameters in the
> TZ> environment somehow
> 
> TZ> 2) read the password back securely
> 
> TZ> 3) write an implementation that works with the Mac OS X keychain
> 
> Adrian, is there any chance that the NS Emacs port can provide those
> keychain functions through an ELisp layer?  It would make it easier and
> more secure to get user passwords, plus users wouldn't need to install
> the helper program.

A useful-sounding idea but seems mainly like something that would be a third-party package or maybe part of Aquamacs.  Are there any platform-independent parts of the needed functionality that the NS port lacks and Emacs on X11 or W32 has?

Re: can emacs use the mac os x keychain?

[Stefan Monnier]

TZ> 1) define a helper protocol to pass auth request parameters in the
TZ> environment somehow
TZ> 2) read the password back securely
TZ> 3) write an implementation that works with the Mac OS X keychain
>> Adrian, is there any chance that the NS Emacs port can provide those
>> keychain functions through an ELisp layer?  It would make it easier and
>> more secure to get user passwords, plus users wouldn't need to install
>> the helper program.
> A useful-sounding idea but seems mainly like something that would be
> a third-party package or maybe part of Aquamacs.

Why do you think so?  I think access to the system's standard keychain
facility would be good to have in general, on all systems.


        Stefan

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Thu, 29 Jul 2010 07:31:43 +0300 Adrian Robert <adrian.b.robert@gmail.com> wrote: 

TZ> 1) define a helper protocol to pass auth request parameters in the
TZ> environment somehow
>> 
TZ> 2) read the password back securely
>> 
TZ> 3) write an implementation that works with the Mac OS X keychain
>> 
>> Adrian, is there any chance that the NS Emacs port can provide those
>> keychain functions through an ELisp layer?  It would make it easier and
>> more secure to get user passwords, plus users wouldn't need to install
>> the helper program.

AR> A useful-sounding idea but seems mainly like something that would be
AR> a third-party package or maybe part of Aquamacs.  Are there any
AR> platform-independent parts of the needed functionality that the NS
AR> port lacks and Emacs on X11 or W32 has?

A third-party package wouldn't get the C-level bindings that are
necessary to make it reasonably secure.  The platform-independent part
is auth-source.el, which I have tried to hook into Emacs wherever
authentication is needed.  See auth.texi for more details.

On Thu, 29 Jul 2010 15:01:50 +0200 Stefan Monnier <monnier@iro.umontreal.ca> wrote: 

SM> I think access to the system's standard keychain facility would be
SM> good to have in general, on all systems.

Thanks for Michael Albinus' work on auth-source.el, it now supports the
Secrets API which is supposed to become the standard where D-Bus is
available (so Emacs can interact with this API without helper apps if it
has D-Bus support configured).  auth.texi hasn't been updated with the
Secrets API info because it's still experimental.  

Assuming we get the NS port access to the Mac OS X keychain, that leaves
W32 as the only major platform lacking keychain support.  I don't
believe W32 has a standard keychain so that may be OK.

Ted

Re: can emacs use the mac os x keychain?

[David Reitter]

On Jul 29, 2010, at 9:17 AM, Ted Zlatanov wrote:
> 
> AR> A useful-sounding idea but seems mainly like something that would be
> AR> a third-party package or maybe part of Aquamacs.  Are there any
> AR> platform-independent parts of the needed functionality that the NS
> AR> port lacks and Emacs on X11 or W32 has?
> 
...
> Assuming we get the NS port access to the Mac OS X keychain, that leaves
> W32 as the only major platform lacking keychain support.  I don't
> believe W32 has a standard keychain so that may be OK.

I principle, the C part would be fairly simple.  There are separate functions for "internet passwords", which retrieve and store passwords for a host/port/account combination.

Am I right assuming that we would need an API paralleling that provided by secrets.el?

There are a few issues as far as I can see:

- The user is prompted via a graphical dialog to unlock a keychain (i.e., to provide a password protecting all the passwords).  When in TTY, we shouldn't do this, but unlock the keychain ourselves, i.e., read a password from the user via a (password) minibuffer.  This sort of interaction would have to be handled by an extra Lisp layer.  (Once the application is trusted, this prompt would go away.)   How is this done in GNOME?

- Any passwords that we obtain would probably have to be copied so we can return them as a Lisp string.  What provisions are in place in order to protect the copy and guarantee its deletion after use?


http://developer.apple.com/mac/library/documentation/Security/Reference/keychainservices/Reference/reference.html#//apple_ref/c/func/SecKeychainFindInternetPassword

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Thu, 29 Jul 2010 14:52:14 -0400 David Reitter <david.reitter@gmail.com> wrote: 

DR> On Jul 29, 2010, at 9:17 AM, Ted Zlatanov wrote:
>> 
AR> A useful-sounding idea but seems mainly like something that would be
AR> a third-party package or maybe part of Aquamacs.  Are there any
AR> platform-independent parts of the needed functionality that the NS
AR> port lacks and Emacs on X11 or W32 has?
>> 
DR> ...
>> Assuming we get the NS port access to the Mac OS X keychain, that leaves
>> W32 as the only major platform lacking keychain support.  I don't
>> believe W32 has a standard keychain so that may be OK.

DR> I principle, the C part would be fairly simple.  There are separate
DR> functions for "internet passwords", which retrieve and store
DR> passwords for a host/port/account combination.

DR> Am I right assuming that we would need an API paralleling that
DR> provided by secrets.el?

It can be different.  auth-source.el folds the various backends under a
common interface, so I think it's best to provide simple mappings to the
underlying calls and let auth-source.el worry about the rest.  The
internet keychain calls, for instance, should be separated.

DR> There are a few issues as far as I can see:

DR> - The user is prompted via a graphical dialog to unlock a keychain
DR> (i.e., to provide a password protecting all the passwords).  When in
DR> TTY, we shouldn't do this, but unlock the keychain ourselves, i.e.,
DR> read a password from the user via a (password) minibuffer.  This
DR> sort of interaction would have to be handled by an extra Lisp layer.
DR> (Once the application is trusted, this prompt would go away.)  How
DR> is this done in GNOME?

IMHO it's acceptable to unlock only from the GUI but I'm not opposed to
what you describe.  GNOME's Seahorse works only in X, not in the TTY.

DR> - Any passwords that we obtain would probably have to be copied so
DR> we can return them as a Lisp string.  What provisions are in place
DR> in order to protect the copy and guarantee its deletion after use?

None from auth-source.el.  I don't know if ELisp has any variable tags
to do this protection but looking at the manual, I don't believe so.

Ted

Re: can emacs use the mac os x keychain?

[YAMAMOTO Mitsuharu]

>>>>> On Wed, 28 Jul 2010 09:53:03 -0500, Ted Zlatanov <tzz@lifelogs.com> said:

> Adrian, is there any chance that the NS Emacs port can provide those
> keychain functions through an ELisp layer?  It would make it easier
> and more secure to get user passwords, plus users wouldn't need to
> install the helper program.

Mac OS X 10.3 or later comes with a command line interface
/usr/bin/security for keychains.  Did you try it?  Or do you mean it
was not sufficient with respect to functionality or security?

A merit of the use of an external program is that we can use it
regardless of several builds on the platform including TTY-only and
X11.

				     YAMAMOTO Mitsuharu
				mituharu@math.s.chiba-u.ac.jp

Re: can emacs use the mac os x keychain?

[Richard Stallman]

What does the "mac os X keychain" do?

Re: can emacs use the mac os x keychain?

[Stuart Hacking]

On 30 July 2010 10:17, Richard Stallman <rms@gnu.org> wrote:
> What does the "mac os X keychain" do?
>
>

It provides a central facility for storing secure information.

from Wikipedia:
"A Keychain can contain various types of data: passwords (Websites,
FTP servers, SSH accounts, network shares, wireless networks,
groupware applications, encrypted disk images), private keys,
certificates and secure notes."

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Fri, 30 Jul 2010 09:13:22 +0900 YAMAMOTO Mitsuharu <mituharu@math.s.chiba-u.ac.jp> wrote: 

>>>>>> On Wed, 28 Jul 2010 09:53:03 -0500, Ted Zlatanov <tzz@lifelogs.com> said:
>> Adrian, is there any chance that the NS Emacs port can provide those
>> keychain functions through an ELisp layer?  It would make it easier
>> and more secure to get user passwords, plus users wouldn't need to
>> install the helper program.

YM> Mac OS X 10.3 or later comes with a command line interface
YM> /usr/bin/security for keychains.  Did you try it?  Or do you mean it
YM> was not sufficient with respect to functionality or security?

YM> A merit of the use of an external program is that we can use it
YM> regardless of several builds on the platform including TTY-only and
YM> X11.

I didn't know about this helper app.  Thank you for mentioning it.  I
expected to have to write a special one (see the original post in this
thread).  If it pops up the GUI dialog when possible, it's sufficient in
terms of UI functionality, but we also have to worry about X11 and TTY
modes (and what if you log in remotely over SSH?).

If /usr/bin/security can handle regular and internet keychains (the two
types David Reitter mentioned) then it's sufficient in terms of backend
functionality.  I don't think it can ever be as secure, however, as a
direct C call, so for security I'd rather use direct C calls if that's
an option.

I am far from expert on Mac OS X issues so I'll go with whatever you,
David Reitter, and Adrian Robert (and other experts on that platform)
decide.

Ted

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Fri, 30 Jul 2010 05:17:08 -0400 Richard Stallman <rms@gnu.org> wrote: 

RS> What does the "mac os X keychain" do?

To add to Stuart Hacking's description: the GNOME analogue is Seahorse;
KDE's is KWallet I believe.  On Mac OS X the keychain is more deeply
integrated with the OS, though, so for instance the unlock dialog is
always presented the same way and only when necessary.

Ted

Re: can emacs use the mac os x keychain?

[Richard Stallman]

    "A Keychain can contain various types of data: passwords (Websites,
    FTP servers, SSH accounts, network shares, wireless networks,
    groupware applications, encrypted disk images), private keys,
    certificates and secure notes."

This is a sufficiently minor thing that it is ok of Emacs can use it.

Re: can emacs use the mac os x keychain?

[YAMAMOTO Mitsuharu]

>>>>> On Fri, 30 Jul 2010 08:24:28 -0500, Ted Zlatanov <tzz@lifelogs.com> said:

> If /usr/bin/security can handle regular and internet keychains (the
> two types David Reitter mentioned) then it's sufficient in terms of
> backend functionality.  I don't think it can ever be as secure,
> however, as a direct C call, so for security I'd rather use direct C
> calls if that's an option.

One drawback of the use of /usr/bin/security would be that the user
might grant the generic command `security' access to the item by
adding it to the "trusted applications" list in order to avoid the
application access confirmation dialog.

http://developer.apple.com/mac/library/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-SW5

It might be desirable to call Keychain API directly rather than via
the `security' command so that the keychain can know which application
wants to access the item in a more specific way.

				     YAMAMOTO Mitsuharu
				mituharu@math.s.chiba-u.ac.jp

Re: can emacs use the mac os x keychain?

[Ted Zlatanov]

On Sun, 01 Aug 2010 10:44:35 +0900 YAMAMOTO Mitsuharu <mituharu@math.s.chiba-u.ac.jp> wrote: 

>>>>>> On Fri, 30 Jul 2010 08:24:28 -0500, Ted Zlatanov <tzz@lifelogs.com> said:
>> If /usr/bin/security can handle regular and internet keychains (the
>> two types David Reitter mentioned) then it's sufficient in terms of
>> backend functionality.  I don't think it can ever be as secure,
>> however, as a direct C call, so for security I'd rather use direct C
>> calls if that's an option.

YM> One drawback of the use of /usr/bin/security would be that the user
YM> might grant the generic command `security' access to the item by
YM> adding it to the "trusted applications" list in order to avoid the
YM> application access confirmation dialog.

YM> It might be desirable to call Keychain API directly rather than via
YM> the `security' command so that the keychain can know which application
YM> wants to access the item in a more specific way.

Thank you for your explanation.  Since we are in agreement on using the
C API directly, I hope you, David, or Adrian (or someone else willing to
contribute) find the time to implement these calls and provide an ELisp
layer on top.

Thank you
Ted

Re: auth-source multiple accounts

[Ted Zlatanov]

On Wed, 28 Jul 2010 22:39:11 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> On 7/28/2010 2:07 PM, Ted Zlatanov wrote:
>> auth-source.el (specifically, auth-source-user-or-password) will work
>> either way.  The new query parameter is optional so at worst the user
>> will get the wrong password.  There will be no error.  So you don't have
>> to give up on old versions.  Just warn the user that the account won't
>> be part of the lookup.

USR> Yes, but, if I call auth-source-user-or-password with the extra
USR> parameter, and the user is using an old version of auth-source.el,
USR> there will be an error. But the version number idea is good.  I can
USR> test for it before calling.

USR> Let me know when you have the new version ready so that I can test it
USR> along with VM.

Please see my auth-source API proposal in the Gnus 'ding' mailing list
or in the Tramp mailing list.  I need to know if you find it acceptable
to resolve the multiple account issue.

Thanks
Ted

Re: auth-source multiple accounts

[Ted Zlatanov]

On Wed, 28 Jul 2010 22:39:11 +0100 Uday S Reddy <uDOTsDOTreddy@cs.bham.ac.uk> wrote: 

USR> On 7/28/2010 2:07 PM, Ted Zlatanov wrote:
>> auth-source.el (specifically, auth-source-user-or-password) will work
>> either way.  The new query parameter is optional so at worst the user
>> will get the wrong password.  There will be no error.  So you don't have
>> to give up on old versions.  Just warn the user that the account won't
>> be part of the lookup.

USR> Yes, but, if I call auth-source-user-or-password with the extra
USR> parameter, and the user is using an old version of auth-source.el,
USR> there will be an error. But the version number idea is good.  I can
USR> test for it before calling.

USR> Let me know when you have the new version ready so that I can test it
USR> along with VM.

There's a much improved `auth-source-search' function in Emacs now.  I
think it will do what you need, and you can simply check if it exists
and fall back on `auth-source-user-or-password' otherwise.  The
docstring is as complete as I could make it and I hope it answers any
questions.

Thanks
Ted