mirror of
https://git.savannah.gnu.org/git/emacs.git
synced 2024-11-25 07:28:20 +00:00
706 lines
25 KiB
Plaintext
706 lines
25 KiB
Plaintext
\input texinfo @c -*-texinfo-*-
|
|
|
|
@set VERSION 0.3
|
|
|
|
@setfilename ../../info/auth.info
|
|
@settitle Emacs auth-source Library @value{VERSION}
|
|
@include docstyle.texi
|
|
|
|
@copying
|
|
This file describes the Emacs auth-source library.
|
|
|
|
Copyright @copyright{} 2008--2024 Free Software Foundation, Inc.
|
|
|
|
@quotation
|
|
Permission is granted to copy, distribute and/or modify this document
|
|
under the terms of the GNU Free Documentation License, Version 1.3 or
|
|
any later version published by the Free Software Foundation; with no
|
|
Invariant Sections, with the Front-Cover Texts being ``A GNU Manual,''
|
|
and with the Back-Cover Texts as in (a) below. A copy of the license
|
|
is included in the section entitled ``GNU Free Documentation License''.
|
|
|
|
(a) The FSF's Back-Cover Text is: ``You have the freedom to copy and
|
|
modify this GNU manual.''
|
|
@end quotation
|
|
@end copying
|
|
|
|
@dircategory Emacs lisp libraries
|
|
@direntry
|
|
* Auth-source: (auth). The Emacs auth-source library.
|
|
@end direntry
|
|
|
|
@titlepage
|
|
@ifset WEBHACKDEVEL
|
|
@title Emacs auth-source Library (DEVELOPMENT VERSION)
|
|
@end ifset
|
|
@ifclear WEBHACKDEVEL
|
|
@title Emacs auth-source Library
|
|
@end ifclear
|
|
@author by Ted Zlatanov
|
|
@page
|
|
@vskip 0pt plus 1filll
|
|
@insertcopying
|
|
@end titlepage
|
|
|
|
@contents
|
|
|
|
@ifnottex
|
|
@node Top
|
|
@top Emacs auth-source
|
|
This manual describes the Emacs auth-source library.
|
|
|
|
It is a way for multiple applications to share a single configuration
|
|
(in Emacs and in files) for user convenience.
|
|
|
|
@insertcopying
|
|
|
|
@menu
|
|
* Overview:: Overview of the auth-source library.
|
|
* Help for users::
|
|
* Multiple GMail accounts with Gnus::
|
|
* Secret Service API::
|
|
* The Unix password store::
|
|
* Help for developers::
|
|
* GnuPG and EasyPG Assistant Configuration::
|
|
* GNU Free Documentation License:: The license for this documentation.
|
|
* Index::
|
|
* Function Index::
|
|
* Variable Index::
|
|
@end menu
|
|
@end ifnottex
|
|
|
|
@node Overview
|
|
@chapter Overview
|
|
|
|
The auth-source library is simply a way for Emacs and Gnus, among
|
|
others, to answer the old burning question ``What are my user name and
|
|
password?''
|
|
|
|
(This is different from the old question about burning ``Where is the
|
|
fire extinguisher, please?''.)
|
|
|
|
The auth-source library supports more than just the user name or the
|
|
password (known as the secret).
|
|
|
|
Similarly, the auth-source library supports multiple storage backend,
|
|
currently either the classic ``netrc'' backend, examples of which you
|
|
can see later in this document, JSON files, the Secret Service API, and pass, the
|
|
standard unix password manager. This is done with EIEIO-based
|
|
backends and you can write your own if you want.
|
|
|
|
@node Help for users
|
|
@chapter Help for users
|
|
|
|
``Netrc'' files are a de facto standard. They look like this:
|
|
|
|
@example
|
|
machine @var{mymachine} login @var{myloginname} password @var{mypassword} port @var{myport}
|
|
@end example
|
|
|
|
The @code{machine} is the server (either a DNS name or an IP address).
|
|
It's known as @var{:host} in @code{auth-source-search} queries.
|
|
|
|
The @code{port} is the connection port or protocol. It's known as
|
|
@var{:port} in @code{auth-source-search} queries.
|
|
|
|
The @code{user} is the user name. It's known as @var{:user} in
|
|
@code{auth-source-search} queries. You can also use @code{login} and
|
|
@code{account}.
|
|
|
|
Matching entries are usually used in the order they appear, so placing
|
|
the most specific entries first in the file is a good idea. For
|
|
instance:
|
|
|
|
@example
|
|
machine example.com login foobar password geheimnis port smtp
|
|
machine example.com login foobar password hemmelig
|
|
@end example
|
|
|
|
Here we're using one password for the @code{smtp} service, and a
|
|
different one for all the other services.
|
|
|
|
You can also use this file to specify client certificates to use when
|
|
setting up TLS connections. The format is:
|
|
|
|
@example
|
|
machine @var{mymachine} port @var{myport} key @var{key} cert @var{cert}
|
|
@end example
|
|
|
|
@var{key} and @var{cert} are filenames containing the key and
|
|
certificate to use respectively. In order to make network connections
|
|
use them automatically, either pass @code{:client-certificate t} to
|
|
@code{open-network-stream}, or customize
|
|
@code{network-stream-use-client-certificates} to @code{t}.
|
|
|
|
You can use spaces inside a password or other token by surrounding the
|
|
token with either single or double quotes.
|
|
|
|
You can use apostrophes inside a password or other token by
|
|
surrounding it with double quotes, e.g., @code{"he'llo"}. Similarly you
|
|
can use double quotes inside a password or other token by surrounding
|
|
it with apostrophes, e.g., @code{'he"llo'}. You can't mix both (so a
|
|
password or other token can't have both apostrophes and double quotes).
|
|
|
|
All this is optional. You could just say (but we don't recommend it,
|
|
we're just showing that it's possible)
|
|
|
|
@example
|
|
password @var{mypassword}
|
|
@end example
|
|
|
|
to use the same password everywhere. Again, @emph{DO NOT DO THIS} or
|
|
you will be pwned as the kids say.
|
|
|
|
``Netrc'' files are usually called @file{.authinfo} or @file{.netrc};
|
|
nowadays @file{.authinfo} seems to be more popular and the auth-source
|
|
library encourages this confusion by accepting both, as you'll see
|
|
later.
|
|
|
|
If you have problems with the search, set @code{auth-source-debug} to
|
|
@code{'trivia} and see what host, port, and user the library is
|
|
checking in the @file{*Messages*} buffer. Ditto for any other
|
|
problems, your first step is always to see what's being checked. The
|
|
second step, of course, is to write a blog entry about it and wait for
|
|
the answer in the comments.
|
|
|
|
You can customize the variable @code{auth-sources}. The following may
|
|
be needed if you are using an older version of Emacs or if the
|
|
auth-source library is not loaded for some other reason.
|
|
|
|
@lisp
|
|
(require 'auth-source) ;; probably not necessary
|
|
(customize-variable 'auth-sources) ;; optional, do it once
|
|
@end lisp
|
|
|
|
@defvar auth-sources
|
|
|
|
The @code{auth-sources} variable tells the auth-source library where
|
|
your netrc files, Secret Service API collection items, or your
|
|
password store live for a particular host and protocol. While you can
|
|
get fancy, the default and simplest configuration is:
|
|
|
|
@lisp
|
|
;;; old default: required :host and :port, not needed anymore
|
|
(setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
|
|
;;; mostly equivalent (see below about fallbacks) but shorter:
|
|
(setq auth-sources '((:source "~/.authinfo.gpg")))
|
|
;;; even shorter and the @emph{default}:
|
|
(setq auth-sources '("~/.authinfo.gpg" "~/.authinfo" "~/.netrc"))
|
|
;;; use the Secrets API @var{Login} collection
|
|
;;; (@pxref{Secret Service API})
|
|
(setq auth-sources '("secrets:Login"))
|
|
;;; use pass (@file{~/.password-store})
|
|
;;; (@pxref{The Unix password store})
|
|
(auth-source-pass-enable)
|
|
;;; JSON data in format [@{ "machine": "SERVER",
|
|
;;; "login": "USER", "password": "PASSWORD" @}...]
|
|
(setq auth-sources '("~/.authinfo.json.gpg"))
|
|
@end lisp
|
|
|
|
By adding multiple entries to @code{auth-sources} with a particular
|
|
host or protocol, you can have specific netrc files for that host or
|
|
protocol. Usually this is unnecessary but may make sense if you have
|
|
shared netrc files or some other unusual setup (90% of Emacs users
|
|
have unusual setups and the remaining 10% are @emph{really} unusual).
|
|
|
|
Here's a mixed example using two sources:
|
|
|
|
@lisp
|
|
(setq auth-sources '((:source (:secrets default)
|
|
:host "myserver" :user "joe")
|
|
"~/.authinfo.gpg"))
|
|
@end lisp
|
|
|
|
@end defvar
|
|
|
|
If you don't customize @code{auth-sources}, you'll have to live with
|
|
the defaults: the unencrypted netrc file @file{~/.authinfo} will be
|
|
used for any host and any port.
|
|
|
|
If that fails, any host and any port are looked up in the netrc file
|
|
@file{~/.authinfo.gpg}, which is a GnuPG encrypted file (@pxref{GnuPG
|
|
and EasyPG Assistant Configuration}).
|
|
|
|
Finally, the unencrypted netrc file @file{~/.netrc} will be used for
|
|
any host and any port.
|
|
|
|
The typical netrc line example is without a port.
|
|
|
|
@example
|
|
machine YOURMACHINE login YOU password YOURPASSWORD
|
|
@end example
|
|
|
|
This will match any authentication port. Simple, right? But what if
|
|
there's a SMTP server on port 433 of that machine that needs a
|
|
different password from the IMAP server?
|
|
|
|
@example
|
|
machine YOURMACHINE login YOU password SMTPPASSWORD port 433
|
|
machine YOURMACHINE login YOU password GENERALPASSWORD
|
|
@end example
|
|
|
|
If you wish to specify a particular SMTP authentication method to use
|
|
with a machine, you can use the @code{smtp-auth} keyword.
|
|
@xref{Authentication,, Authentication, smtpmail, Emacs SMTP Library},
|
|
for available methods.
|
|
|
|
For url-auth authentication (HTTP/HTTPS), you need to put this in your
|
|
netrc file:
|
|
|
|
@example
|
|
machine yourmachine.com:80 port http login testuser password testpass
|
|
@end example
|
|
|
|
This will match any realm and authentication method (basic or digest)
|
|
over HTTP@. HTTPS is set up similarly. If you want finer controls,
|
|
explore the url-auth source code and variables.
|
|
|
|
For Tramp authentication, use:
|
|
|
|
@example
|
|
machine yourmachine.com port scp login testuser password testpass
|
|
@end example
|
|
|
|
Note that the port denotes the Tramp connection method. When you
|
|
don't use a port entry, you match any Tramp method, as explained
|
|
earlier. Since Tramp has about 88 connection methods, this may be
|
|
necessary if you have an unusual (see earlier comment on those) setup.
|
|
|
|
The netrc format is directly translated into JSON, if you are into
|
|
that sort of thing. Just point to a JSON file with entries like this:
|
|
|
|
@example
|
|
[
|
|
@{ "machine": "yourmachine.com", "port": "http",
|
|
"login": "testuser", "password": "testpass" @}
|
|
]
|
|
@end example
|
|
|
|
@node Multiple GMail accounts with Gnus
|
|
@chapter Multiple GMail accounts with Gnus
|
|
|
|
For multiple GMail accounts with Gnus, you have to make two nnimap
|
|
entries in your @code{gnus-secondary-select-methods} with distinct
|
|
names:
|
|
|
|
@example
|
|
(setq gnus-secondary-select-methods '((nnimap "gmail"
|
|
(nnimap-address "imap.gmail.com"))
|
|
(nnimap "gmail2"
|
|
(nnimap-address "imap.gmail.com"))))
|
|
@end example
|
|
|
|
Your netrc entries will then be:
|
|
|
|
@example
|
|
machine gmail login account@@gmail.com password "account password" port imap
|
|
machine gmail2 login account2@@gmail.com password "account2 password" port imap
|
|
@end example
|
|
|
|
@node Secret Service API
|
|
@chapter Secret Service API
|
|
|
|
The @dfn{Secret Service API} is a standard from
|
|
@uref{https://www.freedesktop.org/wiki/Specifications/secret-storage-spec/,,freedesktop.org}
|
|
to securely store passwords and other confidential information. This
|
|
API is implemented by system daemons such as the GNOME Keyring and the
|
|
KDE Wallet (these are GNOME and KDE packages respectively and should
|
|
be available on most modern GNU/Linux systems). It has been tested
|
|
also with KeePassXC.
|
|
|
|
The auth-source library uses the @file{secrets.el} library to connect
|
|
through the Secret Service API@. You can also use that library in
|
|
other packages, it's not exclusive to auth-source.
|
|
|
|
@defvar secrets-enabled
|
|
After loading @file{secrets.el}, a non-@code{nil} value of this
|
|
variable indicates the existence of a daemon providing the Secret
|
|
Service API.
|
|
@end defvar
|
|
|
|
@deffn Command secrets-show-secrets
|
|
This command shows all collections, items, and their attributes.
|
|
@end deffn
|
|
|
|
The atomic objects managed by the Secret Service API are @dfn{secret
|
|
items}, which contain things an application wishes to store securely,
|
|
like a password. Secret items have a label (a name), the @dfn{secret}
|
|
(which is the string we want, like a password), and a set of lookup
|
|
attributes. The attributes can be used to search and retrieve a
|
|
secret item at a later date.
|
|
|
|
Secret items are grouped in @dfn{collections}. A collection is
|
|
sometimes called a @samp{keyring} or @samp{wallet} in GNOME Keyring
|
|
and KDE Wallet but it's the same thing, a group of secrets.
|
|
Collections are personal and protected so only the owner can open them.
|
|
|
|
The most common collection is called @code{"login"}.
|
|
|
|
A collection can have an alias. The alias @code{"default"} is
|
|
commonly used so the clients don't have to know the specific name of
|
|
the collection they open. Other aliases are not supported yet.
|
|
Since aliases are globally accessible, set the @code{"default"} alias
|
|
only when you're sure it's appropriate.
|
|
|
|
@defun secrets-list-collections
|
|
This function returns all the collection names as a list.
|
|
@end defun
|
|
|
|
@defun secrets-set-alias collection alias
|
|
Set @var{alias} as alias of collection labeled @var{collection}.
|
|
Currently only the alias @code{"default"} is supported.
|
|
@end defun
|
|
|
|
@defun secrets-get-alias alias
|
|
Return the collection name @var{alias} is referencing to.
|
|
Currently only the alias @code{"default"} is supported.
|
|
@end defun
|
|
|
|
Collections can be created and deleted by the functions
|
|
@code{secrets-create-collection} and @code{secrets-delete-collection}.
|
|
Usually, this is not done from within Emacs. Do not delete standard
|
|
collections such as @code{"login"}.
|
|
|
|
With GNOME Keyring, there exists a special collection called
|
|
@code{"session"}, which has the lifetime of the user being logged in.
|
|
Its data are not stored on disk and go away when the user logs out.
|
|
Therefore, it can be used to store and retrieve secret items
|
|
temporarily. The @code{"session"} collection is better than a
|
|
persistent collection when the secret items should not live
|
|
permanently. The @code{"session"} collection can be addressed either
|
|
by the string @code{"session"}, or by @code{nil}, whenever a
|
|
collection parameter is needed.
|
|
|
|
However, other Secret Service provider don't create this temporary
|
|
@code{"session"} collection. You shall check first that this
|
|
collection exists, before you use it.
|
|
|
|
@defun secrets-list-items collection
|
|
Returns all the item labels of @var{collection} as a list.
|
|
@end defun
|
|
|
|
@defun secrets-create-item collection item password &rest attributes
|
|
This function creates a new item in @var{collection} with label
|
|
@var{item} and password @var{password}. The label @var{item} does not
|
|
have to be unique in @var{collection}. @var{attributes} are key-value
|
|
pairs set for the created item. The keys are keyword symbols,
|
|
starting with a colon; values are strings. Example:
|
|
|
|
@example
|
|
;;; The collection is "session", the label is "my item"
|
|
;;; and the secret (password) is "geheim".
|
|
(secrets-create-item "session" "my item" "geheim"
|
|
:method "sudo" :user "joe" :host "remote-host")
|
|
@end example
|
|
|
|
The key @code{:xdg:schema} determines the scope of the item to be
|
|
generated, i.e.@: for which applications the item is intended for.
|
|
This is just a string like "org.freedesktop.NetworkManager.Mobile" or
|
|
"org.gnome.OnlineAccounts", the other required keys are determined by
|
|
this. If no @code{:xdg:schema} is given,
|
|
"org.freedesktop.Secret.Generic" is used by default.
|
|
@end defun
|
|
|
|
@defun secrets-get-secret collection item
|
|
Return the secret of item labeled @var{item} in @var{collection}. If
|
|
there are several items labeled @var{item}, it is undefined which one
|
|
is returned. If there is no such item, return @code{nil}.
|
|
@end defun
|
|
|
|
@defun secrets-delete-item collection item
|
|
This function deletes item @var{item} in @var{collection}. If there
|
|
are several items labeled @var{item}, it is undefined which one is
|
|
deleted.
|
|
@end defun
|
|
|
|
The lookup attributes, which are specified during creation of a
|
|
secret item, must be a key-value pair. Keys are keyword symbols,
|
|
starting with a colon; values are strings. They can be retrieved
|
|
from a given secret item and they can be used for searching of items.
|
|
|
|
@defun secrets-get-attribute collection item attribute
|
|
Returns the value of key @var{attribute} of item labeled @var{item} in
|
|
@var{collection}. If there are several items labeled @var{item}, it
|
|
is undefined which one is returned. If there is no such item, or the
|
|
item doesn't own this key, the function returns @code{nil}.
|
|
@end defun
|
|
|
|
@defun secrets-get-attributes collection item
|
|
Return the lookup attributes of item labeled @var{item} in
|
|
@var{collection}. If there are several items labeled @var{item}, it
|
|
is undefined which one is returned. If there is no such item, or the
|
|
item has no attributes, it returns @code{nil}. Example:
|
|
|
|
@example
|
|
(secrets-get-attributes "session" "my item")
|
|
@result{} ((:user . "joe") (:host . "remote-host"))
|
|
@end example
|
|
@end defun
|
|
|
|
@defun secrets-search-items collection &rest attributes
|
|
Search for the items in @var{collection} with matching
|
|
@var{attributes}. The @var{attributes} are key-value pairs, as used
|
|
in @code{secrets-create-item}. Example:
|
|
|
|
@example
|
|
(secrets-search-items "session" :user "joe")
|
|
@result{} ("my item" "another item")
|
|
@end example
|
|
@end defun
|
|
|
|
The auth-source library uses the @file{secrets.el} library and thus
|
|
the Secret Service API when you specify a source matching
|
|
@code{"secrets:COLLECTION"}. For instance, you could use
|
|
@code{"secrets:session"} to use the @code{"session"} collection, open only
|
|
for the lifetime of Emacs. Or you could use @code{"secrets:Login"} to
|
|
open the @code{"Login"} collection. As a special case, you can use the
|
|
symbol @code{default} in @code{auth-sources} (not a string, but a
|
|
symbol) to specify the @code{"default"} alias. Here is a contrived
|
|
example that sets @code{auth-sources} to search three collections and
|
|
then fall back to @file{~/.authinfo.gpg}.
|
|
|
|
@example
|
|
(setq auth-sources '(default
|
|
"secrets:session"
|
|
"secrets:Login"
|
|
"~/.authinfo.gpg"))
|
|
@end example
|
|
|
|
Attribute values in the auth-source spec, which are not strings (like
|
|
port numbers), are stringified prior calling the @file{secrets.el}
|
|
functions.
|
|
|
|
@node The Unix password store
|
|
@chapter The Unix password store
|
|
|
|
@uref{https://www.passwordstore.org,,The standard unix password
|
|
manager} (or just @code{pass}) stores your passwords in
|
|
@code{gpg}-protected files following the Unix philosophy. The store
|
|
location (any directory) must be specified in the
|
|
@code{auth-source-pass-filename} variable which defaults to
|
|
@file{~/.password-store}.
|
|
|
|
Emacs integration of @code{pass} follows the approach suggested by the
|
|
pass project itself for data organization to find data. In
|
|
particular, to store a password for the user @code{rms} on the host
|
|
@code{gnu.org} and port @code{22}, you should use one of the following
|
|
filenames.
|
|
|
|
@table @file
|
|
@item gnu.org.gpg
|
|
No username or port in the filename means that any username and port
|
|
will match.
|
|
|
|
@item gnu.org/rms.gpg
|
|
The username to match can be expressed as filename inside a directory
|
|
whose name matches the host. This is useful if the store has
|
|
passwords for several users on the same host.
|
|
|
|
@item rms@@gnu.org.gpg
|
|
The username can also be expressed as a prefix, separated from the
|
|
host with an at-sign (@code{@@}).
|
|
|
|
@item gnu.org:22.gpg
|
|
The port (aka. service) to match can only be expressed after the host
|
|
and separated with a colon (@code{:}). The separator can be changed
|
|
through the @code{auth-source-pass-port-separator} variable.
|
|
|
|
@item gnu.org:22/rms.gpg
|
|
|
|
@item rms@@gnu.org:22.gpg
|
|
|
|
@item a/b/gnu.org.gpg
|
|
Entries can be stored in arbitrary directories.
|
|
|
|
@item a/b/gnu.org/rms.gpg
|
|
|
|
@item a/b/rms@@gnu.org.gpg
|
|
|
|
@item a/b/gnu.org:22.gpg
|
|
|
|
@item a/b/gnu.org:22/rms.gpg
|
|
|
|
@item a/b/rms@@gnu.org:22.gpg
|
|
@end table
|
|
|
|
If several entries match, the one matching the most items (where an
|
|
``item'' is one of username, port or host) is preferred. For example,
|
|
while searching for an entry matching the @code{rms} user on host
|
|
@code{gnu.org} and port @code{22}, then the entry
|
|
@file{gnu.org:22/rms.gpg} is preferred over @file{gnu.org.gpg}.
|
|
However, such processing is not applied when the option
|
|
@code{auth-source-pass-extra-query-keywords} is set to @code{t}.
|
|
|
|
Users of @code{pass} may also be interested in functionality provided
|
|
by other Emacs packages:
|
|
|
|
@itemize
|
|
@item
|
|
@uref{https://git.zx2c4.com/password-store/tree/contrib/emacs/password-store.el,,password-store}: library wrapping @code{pass};
|
|
@item
|
|
@uref{https://github.com/NicolasPetton/pass,,pass}: major mode to manipulate the store and edit entries;
|
|
@item
|
|
@uref{https://github.com/jabranham/helm-pass,,helm-pass}: helm interface for pass.
|
|
@end itemize
|
|
|
|
@defvar auth-source-pass-filename
|
|
Set this variable to a string locating the password store on the disk.
|
|
Defaults to @file{~/.password-store}.
|
|
@end defvar
|
|
|
|
@defvar auth-source-pass-port-separator
|
|
Set this variable to a string that should separate an host name from a
|
|
port in an entry. Defaults to @samp{:}.
|
|
@end defvar
|
|
|
|
@defvar auth-source-pass-extra-query-keywords
|
|
This expands the selection of available keywords to include
|
|
@code{:max} and @code{:require} and tells more of them to accept a
|
|
list of query parameters as an argument. When searching, it also
|
|
favors the @samp{rms@@gnu.org.gpg} form for usernames over the
|
|
@samp{gnu.org/rms.gpg} form, regardless of whether a @code{:user}
|
|
param was provided.
|
|
|
|
In general, if you prefer idiosyncrasies traditionally exhibited by
|
|
this backend, such as prioritizing field count in a filename or
|
|
matching against subdomain labels, keep this option set to @code{nil}
|
|
(the default). But, if you experience problems predicting the outcome
|
|
of searches relative to other auth-source backends or encounter code
|
|
expecting to query multiple backends uniformly, try flipping it to
|
|
@code{t}.
|
|
@end defvar
|
|
|
|
@node Help for developers
|
|
@chapter Help for developers
|
|
|
|
The auth-source library lets you control logging output easily.
|
|
|
|
@defvar auth-source-debug
|
|
Set this variable to @code{'trivia} to see lots of output in
|
|
@file{*Messages*}, or set it to a function that behaves like
|
|
@code{message} to do your own logging.
|
|
@end defvar
|
|
|
|
The auth-source library only has a few functions for external use.
|
|
|
|
@defun auth-source-search &rest spec &key type max host user port secret require create delete &allow-other-keys
|
|
This function searches (or modifies) authentication backends according
|
|
to @var{spec}. See the function's doc-string for details.
|
|
@c TODO more details.
|
|
@end defun
|
|
|
|
Let's take a look at an example of using @code{auth-source-search}
|
|
from Gnus's @code{nnimap.el}.
|
|
|
|
@example
|
|
(defun nnimap-credentials (address ports)
|
|
(let* ((auth-source-creation-prompts
|
|
'((user . "IMAP user at %h: ")
|
|
(secret . "IMAP password for %u@@%h: ")))
|
|
(found (nth 0 (auth-source-search :max 1
|
|
:host address
|
|
:port ports
|
|
:require '(:user :secret)
|
|
:create t))))
|
|
(if found
|
|
(list (plist-get found :user)
|
|
(auth-info-password found)
|
|
(plist-get found :save-function))
|
|
nil)))
|
|
@end example
|
|
|
|
This call requires the user and password (secret) to be in the
|
|
results. It also requests that an entry be created if it doesn't
|
|
exist already. While the created entry is being assembled, the shown
|
|
prompts will be used to interact with the user. The caller can also
|
|
pass data in @code{auth-source-creation-defaults} to supply defaults
|
|
for any of the prompts.
|
|
|
|
Note that the password needs to be evaluated if it's a function. It's
|
|
wrapped in a function to provide some security.
|
|
|
|
Later, after a successful login, @code{nnimap.el} calls the
|
|
@code{:save-function} like so:
|
|
|
|
@example
|
|
(when (functionp (nth 2 credentials))
|
|
(funcall (nth 2 credentials)))
|
|
@end example
|
|
|
|
This will work whether the @code{:save-function} was provided or not.
|
|
@code{:save-function} will be provided only when a new entry was
|
|
created, so this effectively says ``after a successful login, save the
|
|
authentication information we just used, if it was newly created.''
|
|
|
|
After the first time it's called, the @code{:save-function} will not
|
|
run again (but it will log something if you have set
|
|
@code{auth-source-debug} to @code{'trivia}). This is so it won't ask
|
|
the same question again, which is annoying. This is so it won't ask
|
|
the same question again, which is annoying. This is so it won't ask
|
|
the same question again, which is annoying.
|
|
|
|
So the responsibility of the API user that specified @code{:create t}
|
|
is to call the @code{:save-function} if it's provided.
|
|
|
|
@defun auth-source-delete &rest spec &key delete &allow-other-keys
|
|
This function deletes entries matching @var{spec} from the
|
|
authentication backends. It returns the entries that were deleted.
|
|
The backend may not actually delete the entries.
|
|
@end defun
|
|
|
|
@defun auth-source-forget spec
|
|
This function forgets any cached data that exactly matches @var{spec}.
|
|
It returns @code{t} if it forget some data, and @code{nil} if no
|
|
matching data was found.
|
|
@end defun
|
|
|
|
@defun auth-source-forget+ &rest spec &allow-other-keys
|
|
This function forgets any cached data matching @var{spec}.
|
|
It returns the number of items forgotten.
|
|
@end defun
|
|
|
|
@defun auth-source-pick-first-password &rest spec
|
|
This function returns the password of the first record found by
|
|
applying @code{auth-source-search} to @var{spec}.
|
|
@end defun
|
|
|
|
@defun auth-info-password auth-info
|
|
This function extracts the password string from the @var{auth-info}
|
|
record.
|
|
@end defun
|
|
|
|
@node GnuPG and EasyPG Assistant Configuration
|
|
@appendix GnuPG and EasyPG Assistant Configuration
|
|
|
|
If the @code{auth-sources} variable contains @file{~/.authinfo.gpg}
|
|
before @file{~/.authinfo}, the auth-source library will try to
|
|
read the GnuPG encrypted @file{.gpg} file first, before
|
|
the unencrypted file.
|
|
|
|
The EasyPG Assistant, which comes bundled with Emacs, handles
|
|
decryption of encrypted files automatically, see @ref{Top, , Top, epa,
|
|
EasyPG Assistant User's Manual}. It is an Emacs user interface to
|
|
@acronym{GnuPG, GNU Privacy Guard}, see @ref{Top, , Top, gnupg, Using
|
|
the GNU Privacy Guard}. To get started with these quickly, see
|
|
@ref{Quick start, , Quick Start, epa, EasyPG Assistant User's Manual}.
|
|
|
|
@node GNU Free Documentation License
|
|
@appendix GNU Free Documentation License
|
|
@include doclicense.texi
|
|
|
|
@node Index
|
|
@unnumbered Index
|
|
@printindex cp
|
|
|
|
@node Function Index
|
|
@unnumbered Function Index
|
|
@printindex fn
|
|
|
|
@node Variable Index
|
|
@unnumbered Variable Index
|
|
@printindex vr
|
|
|
|
@bye
|
|
|
|
@c End:
|