TRAMP sudo method not asking for password

TRAMP sudo method not asking for password

[Marcin Borkowski]

Hi all,

I have a very strange problem: the TRAMP sudo method stopped asking me
for the password.  How is that possible?  sudo in terminal behaves
normally, so it cannot be some global setting I messed up.

emacs -Q does TRT, i.e., asks for the password.

I understand that I can bisect my init.el, but it is almost 2 klines
long, so before I do that, I'd like to ask - maybe someone will know the
answer off the top of their head?

Note: deleting ~/.emacs.d/tramp didn't help.

TIA,

-- 
Marcin Borkowski
http://mbork.pl

Re: TRAMP sudo method not asking for password

[Marcin Borkowski]

On 2019-01-12, at 17:36, Marcin Borkowski <mbork@mbork.pl> wrote:

> Hi all,
>
> I have a very strange problem: the TRAMP sudo method stopped asking me
> for the password.  How is that possible?  sudo in terminal behaves
> normally, so it cannot be some global setting I messed up.
>
> emacs -Q does TRT, i.e., asks for the password.
>
> I understand that I can bisect my init.el, but it is almost 2 klines
> long, so before I do that, I'd like to ask - maybe someone will know the
> answer off the top of their head?
>
> Note: deleting ~/.emacs.d/tramp didn't help.

OK, so I have some further details.

Bisecting init.el didn't help.

For completeness, I have this in my `*Messages*':

--8<---------------cut here---------------start------------->8---
Tramp: Opening connection for root@tars using sudo...
Tramp: Sending command ‘exec env SHELL=/bin/sh sudo -u root -s -H -p P""a""s""s""w""o""r""d"":’
Tramp: Waiting for prompts from remote shell...
Tramp: Sending Password
Tramp: Waiting for prompts from remote shell...done
Tramp: Found remote shell prompt on ‘tars’
Tramp: Opening connection for root@tars using sudo...done
--8<---------------cut here---------------end--------------->8---

Using apropos-value, I found my password in `password-data'.  After
skimming through `password-cache.el', I tried `M-x password-reset' to no
avail.

I looked into ~/.emacs.d for some file/directory named `cache' or
similar, but didn't find anything.  Finally, I ran out of ideas.

I ran out of ideas.

I understand that I probably accidentally told Emacs to cache my
password.  What can I do to un-cache it?  (While convenient, it doesn't
seem very safe.)

TIA,

-- 
Marcin Borkowski
http://mbork.pl

Re: TRAMP sudo method not asking for password

[Marcin Borkowski]

On 2019-01-12, at 18:09, Marcin Borkowski <mbork@mbork.pl> wrote:

> On 2019-01-12, at 17:36, Marcin Borkowski <mbork@mbork.pl> wrote:
>
>> Hi all,
>>
>> I have a very strange problem: the TRAMP sudo method stopped asking me
>> for the password.  How is that possible?  sudo in terminal behaves
>> normally, so it cannot be some global setting I messed up.
>>
>> emacs -Q does TRT, i.e., asks for the password.
>>
>> I understand that I can bisect my init.el, but it is almost 2 klines
>> long, so before I do that, I'd like to ask - maybe someone will know the
>> answer off the top of their head?
>>
>> Note: deleting ~/.emacs.d/tramp didn't help.
>
> OK, so I have some further details.
>
> Bisecting init.el didn't help.
>
> For completeness, I have this in my `*Messages*':
>
> --8<---------------cut here---------------start------------->8---
> Tramp: Opening connection for root@tars using sudo...
> Tramp: Sending command ‘exec env SHELL=/bin/sh sudo -u root -s -H -p P""a""s""s""w""o""r""d"":’
> Tramp: Waiting for prompts from remote shell...
> Tramp: Sending Password
> Tramp: Waiting for prompts from remote shell...done
> Tramp: Found remote shell prompt on ‘tars’
> Tramp: Opening connection for root@tars using sudo...done
> --8<---------------cut here---------------end--------------->8---
>
> Using apropos-value, I found my password in `password-data'.  After
> skimming through `password-cache.el', I tried `M-x password-reset' to no
> avail.
>
> I looked into ~/.emacs.d for some file/directory named `cache' or
> similar, but didn't find anything.  Finally, I ran out of ideas.
>
> I ran out of ideas.
>
> I understand that I probably accidentally told Emacs to cache my
> password.  What can I do to un-cache it?  (While convenient, it doesn't
> seem very safe.)

I found it!

My passwords were cached in ~/.authinfo.  After cleaning it, TRAMP asks
me the password again.

Now, this file is only mentioned once in the Emacs manual, and in
a different context.  I think not having it even mentioned in some other
place is a serious security bug in the docs.  Am I correct?  If so, I'll
gladly file a bug report.  (I won't try to fix it myself since I do not
know enough to be sure I'm doing it right.)

Best,

-- 
Marcin Borkowski
http://mbork.pl

Re: TRAMP sudo method not asking for password

[Michael Albinus]

Marcin Borkowski <mbork@mbork.pl> writes:

Hi all,

>>> I have a very strange problem: the TRAMP sudo method stopped asking me
>>> for the password.  How is that possible?  sudo in terminal behaves
>>> normally, so it cannot be some global setting I messed up.
>>>
>>> emacs -Q does TRT, i.e., asks for the password.
>>>
>>> I understand that I can bisect my init.el, but it is almost 2 klines
>>> long, so before I do that, I'd like to ask - maybe someone will know the
>>> answer off the top of their head?
>>>
>>> Note: deleting ~/.emacs.d/tramp didn't help.
>
> I found it!
>
> My passwords were cached in ~/.authinfo.  After cleaning it, TRAMP asks
> me the password again.
>
> Now, this file is only mentioned once in the Emacs manual, and in
> a different context.  I think not having it even mentioned in some other
> place is a serious security bug in the docs.  Am I correct?  If so, I'll
> gladly file a bug report.  (I won't try to fix it myself since I do not
> know enough to be sure I'm doing it right.)

In general, your password is written to .authinfo on demand only. That
is, either you add a respective line, or you confirm that the
auth-sources adds this once you have entered it interactively.

The latter feature has been added to Tramp some weeks ago in Emacs 27
(don't remember the commit date). But Tramp asks you for confirmation,
whether you agree to add the password to your .authinfo. So you have
answered "y"; likely by accident, w/o reading the question carefully.

And this IS documented. etc/NEWS says in the Tramp section

--8<---------------cut here---------------start------------->8---
*** Validated passwords are saved by auth-source backends which support this.
--8<---------------cut here---------------end--------------->8---

And in the Tramp manual, there is in (info "(tramp) Password handling")

--8<---------------cut here---------------start------------->8---
   If there doesn’t exist a proper entry, the password is read
interactively.  After successful login (verification of the password),
it is offered to save a corresponding entry for further use by
‘auth-source’ backends which support this.  This could be changed by
setting the user option ‘auth-source-save-behavior’ to ‘nil’.
--8<---------------cut here---------------end--------------->8---

> Best,

Best regards, Michael.

Re: TRAMP sudo method not asking for password

[Marcin Borkowski]

On 2019-01-12, at 19:44, Michael Albinus <michael.albinus@gmx.de> wrote:

> Marcin Borkowski <mbork@mbork.pl> writes:
>
> Hi all,
>
>>>> I have a very strange problem: the TRAMP sudo method stopped asking me
>>>> for the password.  How is that possible?  sudo in terminal behaves
>>>> normally, so it cannot be some global setting I messed up.
>>>>
>>>> emacs -Q does TRT, i.e., asks for the password.
>>>>
>>>> I understand that I can bisect my init.el, but it is almost 2 klines
>>>> long, so before I do that, I'd like to ask - maybe someone will know the
>>>> answer off the top of their head?
>>>>
>>>> Note: deleting ~/.emacs.d/tramp didn't help.
>>
>> I found it!
>>
>> My passwords were cached in ~/.authinfo.  After cleaning it, TRAMP asks
>> me the password again.
>>
>> Now, this file is only mentioned once in the Emacs manual, and in
>> a different context.  I think not having it even mentioned in some other
>> place is a serious security bug in the docs.  Am I correct?  If so, I'll
>> gladly file a bug report.  (I won't try to fix it myself since I do not
>> know enough to be sure I'm doing it right.)
>
> In general, your password is written to .authinfo on demand only. That
> is, either you add a respective line, or you confirm that the
> auth-sources adds this once you have entered it interactively.
>
> The latter feature has been added to Tramp some weeks ago in Emacs 27
> (don't remember the commit date). But Tramp asks you for confirmation,
> whether you agree to add the password to your .authinfo. So you have
> answered "y"; likely by accident, w/o reading the question carefully.

Probably w/o reading it at all - I guess I just used my muscle memory to
do something after I ssh'ed somewhere with TRAMP, and didn't even bother
looking at the screen.

> And this IS documented. etc/NEWS says in the Tramp section
>
> --8<---------------cut here---------------start------------->8---
> *** Validated passwords are saved by auth-source backends which support this.
> --8<---------------cut here---------------end--------------->8---
>
> And in the Tramp manual, there is in (info "(tramp) Password handling")
>
> --8<---------------cut here---------------start------------->8---
>    If there doesn’t exist a proper entry, the password is read
> interactively.  After successful login (verification of the password),
> it is offered to save a corresponding entry for further use by
> ‘auth-source’ backends which support this.  This could be changed by
> setting the user option ‘auth-source-save-behavior’ to ‘nil’.
> --8<---------------cut here---------------end--------------->8---

Well, I don't often read NEWS.  And the above is not very clear (it says
nothing about the .authinfo file, for instance).

Don't get me wrong - I'm not just complaining.  (Also, I'm very thankful
for your response!)  I just think that all this info was quite easy to
miss.

To sum it up.

1. Am I the only one that thinks that this change could be made a bit
more prominent?  Like using something like yes-or-no-p (as opposed to
y-or-n-p) by default, for example?  Saving passwords to a plain text
file is something big, which should not happen by accident, right?

2. If others agree, what can I do to help?

Best,

--
Marcin Borkowski
http://mbork.pl

Re: TRAMP sudo method not asking for password

[Michael Albinus]

Marcin Borkowski <mbork@mbork.pl> writes:

Hi Marcin,

>> And this IS documented. etc/NEWS says in the Tramp section
>>
>> --8<---------------cut here---------------start------------->8---
>> *** Validated passwords are saved by auth-source backends which support this.
>> --8<---------------cut here---------------end--------------->8---
>>
>> And in the Tramp manual, there is in (info "(tramp) Password handling")
>>
>> --8<---------------cut here---------------start------------->8---
>>    If there doesn’t exist a proper entry, the password is read
>> interactively.  After successful login (verification of the password),
>> it is offered to save a corresponding entry for further use by
>> ‘auth-source’ backends which support this.  This could be changed by
>> setting the user option ‘auth-source-save-behavior’ to ‘nil’.
>> --8<---------------cut here---------------end--------------->8---
>
> Well, I don't often read NEWS.  And the above is not very clear (it says
> nothing about the .authinfo file, for instance).

Why should it? Tramp uses auth-source, which has different backends. It
is not only the .authinfo file which gets the passwords, other backends
like the Secret Service API behave similar.

> 1. Am I the only one that thinks that this change could be made a bit
> more prominent?  Like using something like yes-or-no-p (as opposed to
> y-or-n-p) by default, for example?  Saving passwords to a plain text
> file is something big, which should not happen by accident, right?

Again, we don't speak about plain files only. And yes, yes-or-no-p might
fit better. This must be changed in auth-source.el.

Let's wait for some few days, and if nobody objects, I'll change
accordingly.

> Best,
>
> Marcin Borkowski

Best regards, Michael.

Re: TRAMP sudo method not asking for password

[Marcin Borkowski]

On 2019-01-16, at 23:42, Michael Albinus <michael.albinus@gmx.de> wrote:

> Marcin Borkowski <mbork@mbork.pl> writes:
>
> Hi Marcin,
>
>>> And this IS documented. etc/NEWS says in the Tramp section
>>>
>>> --8<---------------cut here---------------start------------->8---
>>> *** Validated passwords are saved by auth-source backends which support this.
>>> --8<---------------cut here---------------end--------------->8---
>>>
>>> And in the Tramp manual, there is in (info "(tramp) Password handling")
>>>
>>> --8<---------------cut here---------------start------------->8---
>>>    If there doesn’t exist a proper entry, the password is read
>>> interactively.  After successful login (verification of the password),
>>> it is offered to save a corresponding entry for further use by
>>> ‘auth-source’ backends which support this.  This could be changed by
>>> setting the user option ‘auth-source-save-behavior’ to ‘nil’.
>>> --8<---------------cut here---------------end--------------->8---
>>
>> Well, I don't often read NEWS.  And the above is not very clear (it says
>> nothing about the .authinfo file, for instance).
>
> Why should it? Tramp uses auth-source, which has different backends. It
> is not only the .authinfo file which gets the passwords, other backends
> like the Secret Service API behave similar.

Well, I didn't know anything about it.  (Perhaps not reading the TRAMP
manual was a mistake...  Still, just a mention of auth-source *might* be
a good idea when discussing TRAMP in the Emacs manual.  IDK.)

>> 1. Am I the only one that thinks that this change could be made a bit
>> more prominent?  Like using something like yes-or-no-p (as opposed to
>> y-or-n-p) by default, for example?  Saving passwords to a plain text
>> file is something big, which should not happen by accident, right?
>
> Again, we don't speak about plain files only. And yes, yes-or-no-p might
> fit better. This must be changed in auth-source.el.
>
> Let's wait for some few days, and if nobody objects, I'll change
> accordingly.

Thanks for the change (if it takes place), and for your time answering
my questions.

Best,

-- 
Marcin Borkowski
http://mbork.pl

Re: TRAMP sudo method not asking for password

[Michael Albinus]

Marcin Borkowski <mbork@mbork.pl> writes:

Hi Marcin,

>> Why should it? Tramp uses auth-source, which has different backends. It
>> is not only the .authinfo file which gets the passwords, other backends
>> like the Secret Service API behave similar.
>
> Well, I didn't know anything about it.  (Perhaps not reading the TRAMP
> manual was a mistake...  Still, just a mention of auth-source *might* be
> a good idea when discussing TRAMP in the Emacs manual.  IDK.)

There are several other packages using auth-source, none of them have a
respective hint in the Emacs manual. I don't see why Tramp needs an
exception.

Reading the Tramp manual shall be sufficient.

>>> 1. Am I the only one that thinks that this change could be made a bit
>>> more prominent?  Like using something like yes-or-no-p (as opposed to
>>> y-or-n-p) by default, for example?  Saving passwords to a plain text
>>> file is something big, which should not happen by accident, right?
>>
>> Again, we don't speak about plain files only. And yes, yes-or-no-p might
>> fit better. This must be changed in auth-source.el.
>>
>> Let's wait for some few days, and if nobody objects, I'll change
>> accordingly.
>
> Thanks for the change (if it takes place), and for your time answering
> my questions.

I've written the bug report (a feature request rather) bug#34145.

> Best,

Best regards, Michael.

Re: TRAMP sudo method not asking for password

[Marcin Borkowski]

On 2019-01-20, at 11:52, Michael Albinus <michael.albinus@gmx.de> wrote:

> Marcin Borkowski <mbork@mbork.pl> writes:
>
> Hi Marcin,
>
>>> Why should it? Tramp uses auth-source, which has different backends. It
>>> is not only the .authinfo file which gets the passwords, other backends
>>> like the Secret Service API behave similar.
>>
>> Well, I didn't know anything about it.  (Perhaps not reading the TRAMP
>> manual was a mistake...  Still, just a mention of auth-source *might* be
>> a good idea when discussing TRAMP in the Emacs manual.  IDK.)
>
> There are several other packages using auth-source, none of them have a
> respective hint in the Emacs manual. I don't see why Tramp needs an
> exception.

Until recently I had no idea about the existence of auth-source...

>
> Reading the Tramp manual shall be sufficient.

OK, I will do it and I'll see whether that helps.

>>>> 1. Am I the only one that thinks that this change could be made a bit
>>>> more prominent?  Like using something like yes-or-no-p (as opposed to
>>>> y-or-n-p) by default, for example?  Saving passwords to a plain text
>>>> file is something big, which should not happen by accident, right?
>>>
>>> Again, we don't speak about plain files only. And yes, yes-or-no-p might
>>> fit better. This must be changed in auth-source.el.
>>>
>>> Let's wait for some few days, and if nobody objects, I'll change
>>> accordingly.
>>
>> Thanks for the change (if it takes place), and for your time answering
>> my questions.
>
> I've written the bug report (a feature request rather) bug#34145.

Thanks, and best regards,

--
Marcin Borkowski
http://mbork.pl

Re: TRAMP sudo method not asking for password

[Michael Albinus]

Marcin Borkowski <mbork@mbork.pl> writes:

Hi Marcin,

>> There are several other packages using auth-source, none of them have a
>> respective hint in the Emacs manual. I don't see why Tramp needs an
>> exception.
>
> Until recently I had no idea about the existence of auth-source...

Indeed, the Emacs manual doesn't speak about authentication at all. I've
added a new section about to the manual, this might be a
beginner. Pushed to the emacs-26 branch.

> Thanks, and best regards,
>
> Marcin Borkowski

Best regards, Michael.

Re: TRAMP sudo method not asking for password

[Robert Pluim]

Michael Albinus <michael.albinus@gmx.de> writes:

> Marcin Borkowski <mbork@mbork.pl> writes:
>
> Hi Marcin,
>
>>> There are several other packages using auth-source, none of them have a
>>> respective hint in the Emacs manual. I don't see why Tramp needs an
>>> exception.
>>
>> Until recently I had no idea about the existence of auth-source...
>
> Indeed, the Emacs manual doesn't speak about authentication at all. I've
> added a new section about to the manual, this might be a
> beginner. Pushed to the emacs-26 branch.

It does talk about authentication, but the path is tortuous. It goes
from 'Sending Mail' to smtpmail to auth-source. Perhaps a link to the
auth-source 'Help for users' node would be best, as that describes the
.authinfo format extensively.

Robert

Re: TRAMP sudo method not asking for password

[Michael Albinus]

Robert Pluim <rpluim@gmail.com> writes:

Hi Robert,

>> Indeed, the Emacs manual doesn't speak about authentication at all. I've
>> added a new section about to the manual, this might be a
>> beginner. Pushed to the emacs-26 branch.
>
> It does talk about authentication, but the path is tortuous. It goes
> from 'Sending Mail' to smtpmail to auth-source. Perhaps a link to the
> auth-source 'Help for users' node would be best, as that describes the
> .authinfo format extensively.

The link was to the top node of auth.info, but you're right: 'Help for
users' is the better choice. I've updated.

The disadvantage is, that this node does not speak about the other auth
backends, but I guess we could live with this in the Emacs manual.

> Robert

Best regards, Michael.

Re: TRAMP sudo method not asking for password

[Marcin Borkowski]

On 2019-01-27, at 18:21, Michael Albinus <michael.albinus@gmx.de> wrote:

> Robert Pluim <rpluim@gmail.com> writes:
>
> Hi Robert,
>
>>> Indeed, the Emacs manual doesn't speak about authentication at all. I've
>>> added a new section about to the manual, this might be a
>>> beginner. Pushed to the emacs-26 branch.
>>
>> It does talk about authentication, but the path is tortuous. It goes
>> from 'Sending Mail' to smtpmail to auth-source. Perhaps a link to the
>> auth-source 'Help for users' node would be best, as that describes the
>> .authinfo format extensively.
>
> The link was to the top node of auth.info, but you're right: 'Help for
> users' is the better choice. I've updated.
>
> The disadvantage is, that this node does not speak about the other auth
> backends, but I guess we could live with this in the Emacs manual.

Thanks a lot to both of you!

Best,

-- 
Marcin Borkowski
http://mbork.pl