From: Bruno Félix Rezende Ribeiro
Newsgroups: gmane.emacs.devel
Subject: Re: tramp-auto-auth.el --- TRAMP automatic authentication library
Date: Wed, 28 Aug 2019 20:50:15 -0300
Message-ID: <87o9086ea0.fsf@oitofelix.com>
References: <877e74skek.fsf@oitofelix.com> <87woeyudc0.fsf@gmx.de>
In-Reply-To: <87woeyudc0.fsf@gmx.de> (Michael Albinus's message of "Tue, 27 Aug 2019 12:12:15 +0200")
To: Michael Albinus
Cc: Bruno Félix Rezende Ribeiro, emacs-devel@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
Xref: news.gmane.org gmane.emacs.devel:239656

Hello Michael and other GNU Emacs developers,

Thanks for your reply.

Michael Albinus writes:

> Frankly, I'm not enthusiastic adding cleartext passwords into
> Tramp. This has all the security flaws you know, and is good for
> problems. At least in core Tramp it shouldn't be propagated.

Please find attached the implementation of tramp-auto-auth.el using
exclusively the auth-source library. I did as you suggested, except
that I didn't add a new keyword or make any change to auth-source.el.

Quoting from the commentary section:

  When a TRAMP prompt is encountered, ‘tramp-auto-auth-mode’ queries
  the alist ‘tramp-auto-auth-alist’ for the auth-source spec value
  whose regexp key matches the corresponding TRAMP path. This spec is
  then used to query the auth-source library for a presumably phony
  entry exclusively dedicated to the whole class of TRAMP paths
  matching that regexp.

  To make use of the automatic authentication feature, on the Lisp
  side the variable ‘tramp-auto-auth-alist’ must be customized to
  hold the path regexps and their respective auth-source specs, and
  then ‘tramp-auto-auth-mode’ must be enabled. For example:

  ---- ~/.emacs.el -------------------------------------------------
  (require 'tramp-auto-auth)

  (add-to-list
   'tramp-auto-auth-alist
   '("root@10\\.0\\." .
     (:host "Funny-Machines" :user "root" :port "ssh")))

  (tramp-auto-auth-mode)
  ------------------------------------------------------------------

  After this, just put the respective sacred secret in an
  authentication source supported by the auth-source library. For
  instance:

  ---- ~/.authinfo.gpg ---------------------------------------------
  machine Funny-Machines login root password "$r00tP#sWD!" port ssh
  ------------------------------------------------------------------

  In case you are feeling lazy or the secret is not so secret (nor so
  sacred) -- or for any reason you need to do it all from Lisp --
  it's enough to:

  (auth-source-remember '(:host "Funny-Machines" :user "root" :port "ssh")
                        '((:secret "$r00tP#sWD!")))

  And happy TRAMPing!

Is this feature in this form suitable for inclusion in the TRAMP
standard distribution? Please let me know what you think.

---- Attachment: tramp-auto-auth.el ----------------------------------

;;; tramp-auto-auth.el --- TRAMP automatic authentication library

;; Copyright (C) 2019 Bruno Félix Rezende Ribeiro

;; Author: Bruno Félix Rezende Ribeiro
;; Maintainer: Bruno Félix Rezende Ribeiro
;; Keywords: comm, processes
;; Package: tramp-auto-auth
;; Package-Version: 20190827.1316
;; Package-Requires: (tramp)

;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the GNU General Public License as published by
;; the Free Software Foundation, either version 3 of the License, or
;; (at your option) any later version.

;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;; GNU General Public License for more details.

;; You should have received a copy of the GNU General Public License
;; along with this program.  If not, see .

;;; Commentary:

;; This library provides ‘tramp-auto-auth-mode’: a global minor mode
;; whose purpose is to automatically feed TRAMP sub-processes with
;; passwords for paths matching regexps.  This is useful in situations
;; where interactive user input is not desirable or feasible.  For
;; instance, in sub-nets with a large number of hosts, or whose hosts
;; have dynamic IPs assigned to them.  In those cases it's not
;; practical to query passwords using the ‘auth-source’ library
;; directly, since this would require each host to be listed
;; explicitly and immutably in a Netrc file.  Another scenario where
;; this mode is useful is non-interactive Emacs sessions (like those
;; used for batch processing or by evaluating ‘:async’ Org Babel
;; source blocks) in which it's impossible for the user to answer a
;; password-asking prompt.
;;
;; When a TRAMP prompt is encountered, ‘tramp-auto-auth-mode’ queries
;; the alist ‘tramp-auto-auth-alist’ for the auth-source spec value
;; whose regexp key matches the corresponding TRAMP path.  This spec
;; is then used to query the auth-source library for a presumably
;; phony entry exclusively dedicated to the whole class of TRAMP
;; paths matching that regexp.
;;
;; To make use of the automatic authentication feature, on the Lisp
;; side the variable ‘tramp-auto-auth-alist’ must be customized to
;; hold the path regexps and their respective auth-source specs, and
;; then ‘tramp-auto-auth-mode’ must be enabled.  For example:
;;
;; ---- ~/.emacs.el -------------------------------------------------
;; (require 'tramp-auto-auth)
;;
;; (add-to-list
;;  'tramp-auto-auth-alist
;;  '("root@10\\.0\\." .
;;    (:host "Funny-Machines" :user "root" :port "ssh")))
;;
;; (tramp-auto-auth-mode)
;; ------------------------------------------------------------------
;;
;; After this, just put the respective sacred secret in an
;; authentication source supported by the auth-source library.  For
;; instance:
;;
;; ---- ~/.authinfo.gpg ---------------------------------------------
;; machine Funny-Machines login root password "$r00tP#sWD!" port ssh
;; ------------------------------------------------------------------
;;
;; In case you are feeling lazy or the secret is not so secret (nor so
;; sacred) -- or for any reason you need to do it all from Lisp --
;; it's enough to:
;;
;; (auth-source-remember '(:host "Funny-Machines" :user "root" :port "ssh")
;;                       '((:secret "$r00tP#sWD!")))
;;
;; And happy TRAMPing!

;;; Code:

(require 'tramp)
(require 'auth-source)

(defcustom tramp-auto-auth-alist nil
  "Alist of TRAMP path regexps and their respective auth-source SPEC.

Each element has the form (PATH-REGEXP . SPEC), where PATH-REGEXP
is a regular expression to be matched against TRAMP paths and SPEC
is the respective auth-source SPEC which will be used to retrieve
the password to be sent to TRAMP's sub-process in case a match
does occur.  SPEC is exactly the one expected by
‘auth-source-search’."
  :type '(alist
          :key-type (string :tag "Path Regexp"
                            :help-echo "Regexp which matches the desired TRAMP path")
          :value-type (plist
                       :key-type (choice :tag "Key"
                                         :help-echo "Auth-source spec key"
                                         (const :tag "Host" :host)
                                         (const :tag "User" :user)
                                         (const :tag "Port" :port)
                                         (symbol :tag "Other keyword"))
                       :value-type (string :tag "Value"
                                           :help-echo "Auth-source spec value")
                       :tag "Auth-source spec"
                       :help-echo "Password for the TRAMP path resource"))
  :group 'tramp
  :require 'tramp-auto-auth)

;;;###autoload
(define-minor-mode tramp-auto-auth-mode
  "Toggle Tramp-Auto-Auth global minor mode on or off.

With a prefix argument ARG, enable Tramp-Auto-Auth mode if ARG is
positive, and disable it otherwise.  If called from Lisp, enable
the mode if ARG is omitted or nil, and toggle it if ARG is ‘toggle’.

When enabled ‘tramp-auto-auth-alist’ is used to automatically
authenticate to remote servers."
  :group 'tramp
  :global t
  :require 'tramp-auto-auth
  (if tramp-auto-auth-mode
      (progn
        ;; Password prompt: find the first alist entry whose regexp
        ;; matches, query auth-source with its spec and send the
        ;; secret to the sub-process instead of asking the user.
        (advice-add
         #'tramp-action-password :around
         (lambda (tramp-action-password proc vec)
           (pcase (or (car (last vec)) "")
             ((and (app (lambda (expval)
                          (assoc-default expval tramp-auto-auth-alist
                                         #'string-match-p))
                        spec)
                   (guard spec)
                   ;; auth-source may return :secret either as a
                   ;; string or as a function yielding the string.
                   (let pre-secret
                        (plist-get (car (apply #'auth-source-search spec))
                                   :secret))
                   (guard pre-secret)
                   (let secret (if (functionp pre-secret)
                                   (funcall pre-secret)
                                 pre-secret))
                   (guard secret))
              (process-send-string proc (concat secret tramp-local-end-of-line)))
             ;; No matching entry or no secret: fall back to the
             ;; interactive prompt.
             (_ (funcall tramp-action-password proc vec))))
         '((name . tramp-auto-auth-mode)))
        ;; Yes/no prompt (for ssh, the unknown-host-key question):
        ;; answer "yes" unattended for every matching path.
        (advice-add
         #'tramp-action-yesno :around
         (lambda (tramp-action-yesno proc vec)
           (pcase (or (car (last vec)) "")
             ((pred (lambda (expval)
                      (assoc-default expval tramp-auto-auth-alist
                                     #'string-match-p)))
              (tramp-send-string vec (concat "yes" tramp-local-end-of-line)))
             (_ (funcall tramp-action-yesno proc vec))))
         '((name . tramp-auto-auth-mode))))
    ;; Disabling the mode removes both pieces of advice by name.
    (advice-remove #'tramp-action-password 'tramp-auto-auth-mode)
    (advice-remove #'tramp-action-yesno 'tramp-auto-auth-mode)))

(provide 'tramp-auto-auth)
;;; tramp-auto-auth.el ends here

---------------------------------------------------------------------

-- 
88888 FFFFF Bruno Félix Rezende Ribeiro (oitofelix) [0x28D618AF]
8   8 F     http://oitofelix.freeshell.org/
88888 FFFF  mailto:oitofelix@gnu.org
8   8 F     irc://chat.freenode.org/oitofelix
88888 F     xmpp://oitofelix@riseup.net
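Added example, not part of the posted tramp-auto-auth.el nor of the thread: the same lookup chain the mode performs (TRAMP path, regexp alist, auth-source spec, secret) written as plain functions so it can be exercised from `M-:` or ielm without opening a TRAMP connection. Everything prefixed `demo-`, the host name "Funny-Machines" and the secret "example-only" are constructed for the example. It goes one step beyond the post's configuration by anchoring the regexp to the method/user/host part of the path, since `assoc-default` with `string-match-p` matches the regexp anywhere in the path string unless it is anchored.

```elisp
;; Added example (not the library's code): resolve a secret for a TRAMP
;; path the way tramp-auto-auth-mode does, as inspectable functions.
(require 'auth-source)
(require 'subr-x)                       ; `when-let*' (Emacs 26+)

(defvar demo-auto-auth-alist
  ;; Anchored at the start of the path and terminated by the ":" that
  ;; ends the host part, so the local file name can never take part in
  ;; the match.  Host "Funny-Machines" is a constructed placeholder.
  '(("\\`/ssh:root@10\\.0\\.[0-9]+\\.[0-9]+:"
     . (:host "Funny-Machines" :user "root" :port "ssh")))
  "Constructed alist of (PATH-REGEXP . AUTH-SOURCE-SPEC) for the demo.")

(defun demo-auto-auth-spec (path)
  "Return the auth-source spec of the first entry whose regexp matches PATH.
`assoc-default' evaluates (string-match-p REGEXP PATH) for each key, so
an unanchored key such as \"root@10\\\\.0\\\\.\" also matches when that
text merely appears inside the local part of PATH."
  (assoc-default path demo-auto-auth-alist #'string-match-p))

(defun demo-auto-auth-secret (path)
  "Return the secret for PATH as a string, or nil when nothing applies.
Recent auth-source backends return :secret as a closure that has to be
called; a plain string is accepted too."
  (when-let* ((spec (demo-auto-auth-spec path))
              (entry (car (apply #'auth-source-search spec)))
              (secret (plist-get entry :secret)))
    (if (functionp secret) (funcall secret) secret)))

(defun demo-auto-auth-run ()
  "Seed the auth-source cache as the post does, then resolve three paths.
Return a list of (PATH . SECRET-OR-NIL)."
  (let ((auth-source-do-cache t))
    ;; Same call the post shows; the secret is a constructed value.
    (auth-source-remember '(:host "Funny-Machines" :user "root" :port "ssh")
                          '((:secret "example-only")))
    (mapcar (lambda (path) (cons path (demo-auto-auth-secret path)))
            '("/ssh:root@10.0.1.7:/etc/hosts"              ; host in 10.0.0.0/16
              "/ssh:root@10.0.1.7.example.net:/etc/hosts"  ; different host
              "/ssh:alice@files.example:/srv/root@10.0.1.7:x")))) ; text only in local part
```

Evaluating `(demo-auto-auth-run)` yields the secret only for the first path; the second and third resolve to nil because the anchored key does not match them. Swapping in the post's key "root@10\\.0\\." makes the third path match as well, which is the reason for anchoring when a regexp decides where a secret gets sent.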