all messages for Emacs-related lists mirrored at yhetil.org
From: Michael Albinus <michael.albinus@gmx.de>
To: "Bruno Félix Rezende Ribeiro" <oitofelix@gnu.org>
Cc: emacs-devel@gnu.org
Subject: Re: tramp-auto-auth.el --- TRAMP automatic authentication library
Date: Tue, 27 Aug 2019 12:12:15 +0200
Message-ID: <87woeyudc0.fsf@gmx.de>
In-Reply-To: <877e74skek.fsf@oitofelix.com> ("Bruno Félix Rezende Ribeiro"'s message of "Thu, 22 Aug 2019 23:08:51 -0300")

Bruno Félix Rezende Ribeiro <oitofelix@gnu.org> writes:

> Hello Emacs developers,

Hi Bruno,

> Please, find attached ‘tramp-auto-auth.el’.  Quoting from its commentary
> header section:
>
>   This library provides ‘tramp-auto-auth-mode’: a global minor mode
>   whose purpose is to automatically feed TRAMP sub-processes with
>   passwords for paths matching regexps.  This is useful in situations
>   where interactive user input is not desirable or feasible.  For
>   instance, in sub-nets with large number of hosts or whose hosts have
>   dynamic IPs assigned to them.  In those cases it’s not practical to
>   query passwords using the ‘auth-source’ library, since this would
>   require each host to be listed explicitly and immutably in a Netrc
>   file.  Another scenario where this mode is useful are non-interactive
>   Emacs sessions (like those used for batch processing or by evaluating
>   ‘:async’ Org Babel source blocks) in which it’s impossible for the
>   user to answer a password-asking prompt.

Thanks for this.

Frankly, I'm not enthusiastic about adding cleartext passwords into
Tramp. This has all the security flaws you know, and is good for
problems. At least in core Tramp it shouldn't be propagated.

> This library has proved extremely useful for my work using Emacs to
> access remote machines in the aforementioned conditions and whose
> authentication policies I couldn’t change.  For quite some time, I’ve
> searched extensively for ways of accomplishing the same task with a
> practical setup, to no avail.  Perhaps you could comment on alternative
> approaches you had experience with but I failed to contemplate.

Emacs has the password infrastructure auth-source.el and
password-cache.el, which do their best to avoid password-related
problems. If they do not fit your needs, they shall be extended.

The best approach would be if auth-source would support regular
expressions for the declarations of items. Instead of declaring

     machine MYMACHINE login MYLOGINNAME password MYPASSWORD port MYPORT

one would declare something like

     machine-regexp REGEXP login MYLOGINNAME password MYPASSWORD port MYPORT

I have used the netrc syntax, and I have added a new keyword; but any
other backend shall work also. I've briefly scanned debbugs; there
doesn't exist (yet) a request to support regular expressions. Maybe you
could write a bug report about it?

Another approach could be to use different Tramp methods. You could
declare

     password MYPASSWORD port method1
     password OTHERPASSWORD port method2

In Tramp, you would declare new methods method1 and method2, derived
from (for example) ssh. Then you can open /method1:host:/path/to/file
for a host which uses MYPASSWORD, and you can open
/method2:otherhost:/path/to/file for a host which uses OTHERPASSWORD.

> Thanks in advance,
> Bruno

Best regards, Michael.
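
The `machine-regexp` idea from the message, worked through as an added example (not code from the message, from auth-source or from Tramp). It goes slightly beyond the proposal by adding first-match lookup and an audit for unanchored patterns, since a regexp searched inside a host name can hand a password to a host it was never meant for. All `my/` names, the sample entries and the placeholder passwords are constructed for illustration.

```elisp
;;; -*- lexical-binding: t -*-
(require 'cl-lib)

;; Constructed sample in the proposed syntax.  `machine-regexp' is the
;; keyword suggested in the message; auth-source does not parse it.
(defconst my/sample-netrc
  (concat
   "machine-regexp \\`10\\.0\\.[0-9]+\\.[0-9]+\\' login admin password PLACEHOLDER-A port ssh\n"
   "machine-regexp 10\\.1\\. login admin password PLACEHOLDER-B port ssh\n"
   "machine gateway.example login root password PLACEHOLDER-C port ssh\n"))

(defun my/parse-line (line)
  "Turn one netrc-style LINE into an alist of (KEYWORD . VALUE) pairs."
  (let ((tokens (split-string line "[ \t]+" t))
        alist)
    (while tokens
      (push (cons (pop tokens) (pop tokens)) alist))
    (nreverse alist)))

(defun my/entry-matches-p (entry host port)
  "Non-nil if ENTRY applies to HOST and PORT.
A literal `machine' must equal HOST; a `machine-regexp' is searched for
in HOST, so it matches anywhere unless it is anchored."
  (let ((literal (cdr (assoc "machine" entry)))
        (regexp (cdr (assoc "machine-regexp" entry)))
        (entry-port (cdr (assoc "port" entry)))
        (case-fold-search t))
    (and (or (null entry-port) (equal entry-port port))
         (cond (literal (string= (downcase literal) (downcase host)))
               (regexp (and (string-match-p regexp host) t))))))

(defun my/lookup (netrc host port)
  "Return the first entry in NETRC text that matches HOST and PORT."
  (cl-find-if (lambda (entry) (my/entry-matches-p entry host port))
              (mapcar #'my/parse-line (split-string netrc "\n" t))))

(defun my/unanchored-regexps (netrc)
  "Return the `machine-regexp' values in NETRC that are not fully anchored."
  (cl-loop for line in (split-string netrc "\n" t)
           for regexp = (cdr (assoc "machine-regexp" (my/parse-line line)))
           when (and regexp
                     (not (and (string-prefix-p "\\`" regexp)
                               (string-suffix-p "\\'" regexp))))
           collect regexp))

;; The anchored entry serves only genuine 10.0.x.y addresses.
(message "%S" (my/lookup my/sample-netrc "10.0.3.7" "ssh"))
;; The unanchored one also matches a name that merely contains "10.1.".
(message "%S" (my/lookup my/sample-netrc "host10.1.elsewhere.example" "ssh"))
;; Audit: list the patterns that need anchors before they guard a password.
(message "%S" (my/unanchored-regexps my/sample-netrc))
```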
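
The second approach, deriving `method1` and `method2` from `ssh`, as an added example (not code from the message or from Tramp itself). The helper name `my/tramp-derive-method` is hypothetical; the method names are the ones used in the message.

```elisp
;;; -*- lexical-binding: t -*-
(require 'cl-lib)
(require 'tramp)

(defun my/tramp-derive-method (new base)
  "Register NEW in `tramp-methods' with a copy of BASE's parameters.
Signal an error if BASE is unknown, so that a typo cannot create an
empty method."
  (let ((params (cdr (assoc base tramp-methods))))
    (unless params
      (error "Unknown Tramp method: %s" base))
    ;; Replace any earlier definition of NEW instead of shadowing it.
    (setq tramp-methods
          (cons (cons new (copy-tree params))
                (cl-remove new tramp-methods :key #'car :test #'equal)))))

;; Both methods behave like ssh on the wire; only the name differs.
;; Tramp passes the method name to auth-source as the port, which is
;; what lets "port method1" and "port method2" select different entries.
(my/tramp-derive-method "method1" "ssh")
(my/tramp-derive-method "method2" "ssh")
```

The entries themselves are still stored wherever `auth-sources` points, so a GPG-encrypted file such as `~/.authinfo.gpg` keeps them out of cleartext on disk.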