emacs/doc/misc/auth.texi

\input texinfo                  @c -*-texinfo-*-

@set VERSION 0.3

@setfilename ../../info/auth.info
@settitle Emacs auth-source Library @value{VERSION}
@include docstyle.texi

@copying
This file describes the Emacs auth-source library.

Copyright @copyright{} 2008--2024 Free Software Foundation, Inc.

@quotation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with the Front-Cover Texts being ``A GNU Manual,''
and with the Back-Cover Texts as in (a) below.  A copy of the license
is included in the section entitled ``GNU Free Documentation License''.

(a) The FSF's Back-Cover Text is: ``You have the freedom to copy and
modify this GNU manual.''
@end quotation
@end copying

@dircategory Emacs lisp libraries
@direntry
* Auth-source: (auth).          The Emacs auth-source library.
@end direntry

@titlepage
@ifset WEBHACKDEVEL
@title Emacs auth-source Library (DEVELOPMENT VERSION)
@end ifset
@ifclear WEBHACKDEVEL
@title Emacs auth-source Library
@end ifclear
@author by Ted Zlatanov
@page
@vskip 0pt plus 1filll
@insertcopying
@end titlepage

@contents

@ifnottex
@node Top
@top Emacs auth-source
This manual describes the Emacs auth-source library.

It is a way for multiple applications to share a single configuration
(in Emacs and in files) for user convenience.

@insertcopying

@menu
* Overview::                    Overview of the auth-source library.
* Help for users::
* Multiple GMail accounts with Gnus::
* Secret Service API::
* The Unix password store::
* Help for developers::
* GnuPG and EasyPG Assistant Configuration::
* GNU Free Documentation License::  The license for this documentation.
* Index::
* Function Index::
* Variable Index::
@end menu
@end ifnottex

@node Overview
@chapter Overview

The auth-source library is simply a way for Emacs and Gnus, among
others, to answer the old burning question ``What are my user name and
password?''

(This is different from the old question about burning ``Where is the
fire extinguisher, please?''.)

The auth-source library supports more than just the user name or the
password (known as the secret).

Similarly, the auth-source library supports multiple storage backend,
currently either the classic ``netrc'' backend, examples of which you
can see later in this document, JSON files, the Secret Service API, and pass, the
standard unix password manager.  This is done with EIEIO-based
backends and you can write your own if you want.

@node Help for users
@chapter Help for users

``Netrc'' files are a de facto standard.  They look like this:

@example
machine @var{mymachine} login @var{myloginname} password @var{mypassword} port @var{myport}
@end example

The @code{machine} is the server (either a DNS name or an IP address).
It's known as @var{:host} in @code{auth-source-search} queries.

The @code{port} is the connection port or protocol.  It's known as
@var{:port} in @code{auth-source-search} queries.

The @code{user} is the user name.  It's known as @var{:user} in
@code{auth-source-search} queries.  You can also use @code{login} and
@code{account}.

Matching entries are usually used in the order they appear, so placing
the most specific entries first in the file is a good idea.  For
instance:

@example
machine example.com login foobar password geheimnis port smtp
machine example.com login foobar password hemmelig
@end example

Here we're using one password for the @code{smtp} service, and a
different one for all the other services.

You can also use this file to specify client certificates to use when
setting up TLS connections.  The format is:

@example
machine @var{mymachine} port @var{myport} key @var{key} cert @var{cert}
@end example

@var{key} and @var{cert} are filenames containing the key and
certificate to use respectively.  In order to make network connections
use them automatically, either pass @code{:client-certificate t} to
@code{open-network-stream}, or customize
@code{network-stream-use-client-certificates} to @code{t}.

You can use spaces inside a password or other token by surrounding the
token with either single or double quotes.

You can use apostrophes inside a password or other token by
surrounding it with double quotes, e.g., @code{"he'llo"}.  Similarly you
can use double quotes inside a password or other token by surrounding
it with apostrophes, e.g., @code{'he"llo'}.  You can't mix both (so a
password or other token can't have both apostrophes and double quotes).

All this is optional.  You could just say (but we don't recommend it,
we're just showing that it's possible)

@example
password @var{mypassword}
@end example

to use the same password everywhere.  Again, @emph{DO NOT DO THIS} or
you will be pwned as the kids say.

``Netrc'' files are usually called @file{.authinfo} or @file{.netrc};
nowadays @file{.authinfo} seems to be more popular and the auth-source
library encourages this confusion by accepting both, as you'll see
later.

If you have problems with the search, set @code{auth-source-debug} to
@code{'trivia} and see what host, port, and user the library is
checking in the @file{*Messages*} buffer.  Ditto for any other
problems, your first step is always to see what's being checked.  The
second step, of course, is to write a blog entry about it and wait for
the answer in the comments.

You can customize the variable @code{auth-sources}.  The following may
be needed if you are using an older version of Emacs or if the
auth-source library is not loaded for some other reason.

@lisp
(require 'auth-source)             ;; probably not necessary
(customize-variable 'auth-sources) ;; optional, do it once
@end lisp

@defvar auth-sources

The @code{auth-sources} variable tells the auth-source library where
your netrc files, Secret Service API collection items, or your
password store live for a particular host and protocol.  While you can
get fancy, the default and simplest configuration is:

@lisp
;;; old default: required :host and :port, not needed anymore
(setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
;;; mostly equivalent (see below about fallbacks) but shorter:
(setq auth-sources '((:source "~/.authinfo.gpg")))
;;; even shorter and the @emph{default}:
(setq auth-sources '("~/.authinfo.gpg" "~/.authinfo" "~/.netrc"))
;;; use the Secrets API @var{Login} collection
;;; (@pxref{Secret Service API})
(setq auth-sources '("secrets:Login"))
;;; use pass (@file{~/.password-store})
;;; (@pxref{The Unix password store})
(auth-source-pass-enable)
;;; JSON data in format [@{ "machine": "SERVER",
;;; "login": "USER", "password": "PASSWORD" @}...]
(setq auth-sources '("~/.authinfo.json.gpg"))
@end lisp

By adding multiple entries to @code{auth-sources} with a particular
host or protocol, you can have specific netrc files for that host or
protocol.  Usually this is unnecessary but may make sense if you have
shared netrc files or some other unusual setup (90% of Emacs users
have unusual setups and the remaining 10% are @emph{really} unusual).

Here's a mixed example using two sources:

@lisp
(setq auth-sources '((:source (:secrets default)
                      :host "myserver" :user "joe")
                     "~/.authinfo.gpg"))
@end lisp

@end defvar

If you don't customize @code{auth-sources}, you'll have to live with
the defaults: the unencrypted netrc file @file{~/.authinfo} will be
used for any host and any port.

If that fails, any host and any port are looked up in the netrc file
@file{~/.authinfo.gpg}, which is a GnuPG encrypted file (@pxref{GnuPG
and EasyPG Assistant Configuration}).

Finally, the unencrypted netrc file @file{~/.netrc} will be used for
any host and any port.

The typical netrc line example is without a port.

@example
machine YOURMACHINE login YOU password YOURPASSWORD
@end example

This will match any authentication port.  Simple, right?  But what if
there's a SMTP server on port 433 of that machine that needs a
different password from the IMAP server?

@example
machine YOURMACHINE login YOU password SMTPPASSWORD port 433
machine YOURMACHINE login YOU password GENERALPASSWORD
@end example

If you wish to specify a particular SMTP authentication method to use
with a machine, you can use the @code{smtp-auth} keyword.
@xref{Authentication,, Authentication, smtpmail, Emacs SMTP Library},
for available methods.

For url-auth authentication (HTTP/HTTPS), you need to put this in your
netrc file:

@example
machine yourmachine.com:80 port http login testuser password testpass
@end example

This will match any realm and authentication method (basic or digest)
over HTTP@.  HTTPS is set up similarly.  If you want finer controls,
explore the url-auth source code and variables.

For Tramp authentication, use:

@example
machine yourmachine.com port scp login testuser password testpass
@end example

Note that the port denotes the Tramp connection method.  When you
don't use a port entry, you match any Tramp method, as explained
earlier.  Since Tramp has about 88 connection methods, this may be
necessary if you have an unusual (see earlier comment on those) setup.

The netrc format is directly translated into JSON, if you are into
that sort of thing.  Just point to a JSON file with entries like this:

@example
[
 @{ "machine": "yourmachine.com", "port": "http",
    "login": "testuser", "password": "testpass" @}
]
@end example

@node Multiple GMail accounts with Gnus
@chapter Multiple GMail accounts with Gnus

For multiple GMail accounts with Gnus, you have to make two nnimap
entries in your @code{gnus-secondary-select-methods} with distinct
names:

@example
(setq gnus-secondary-select-methods '((nnimap "gmail"
                                         (nnimap-address "imap.gmail.com"))
                                      (nnimap "gmail2"
                                         (nnimap-address "imap.gmail.com"))))
@end example

Your netrc entries will then be:

@example
machine gmail login account@@gmail.com password "account password" port imap
machine gmail2 login account2@@gmail.com password "account2 password" port imap
@end example

@node Secret Service API
@chapter Secret Service API

The @dfn{Secret Service API} is a standard from
@uref{https://www.freedesktop.org/wiki/Specifications/secret-storage-spec/,,freedesktop.org}
to securely store passwords and other confidential information.  This
API is implemented by system daemons such as the GNOME Keyring and the
KDE Wallet (these are GNOME and KDE packages respectively and should
be available on most modern GNU/Linux systems).  It has been tested
also with KeePassXC.

The auth-source library uses the @file{secrets.el} library to connect
through the Secret Service API@.  You can also use that library in
other packages, it's not exclusive to auth-source.

@defvar secrets-enabled
After loading @file{secrets.el}, a non-@code{nil} value of this
variable indicates the existence of a daemon providing the Secret
Service API.
@end defvar

@deffn Command secrets-show-secrets
This command shows all collections, items, and their attributes.
@end deffn

The atomic objects managed by the Secret Service API are @dfn{secret
items}, which contain things an application wishes to store securely,
like a password.  Secret items have a label (a name), the @dfn{secret}
(which is the string we want, like a password), and a set of lookup
attributes.  The attributes can be used to search and retrieve a
secret item at a later date.

Secret items are grouped in @dfn{collections}.  A collection is
sometimes called a @samp{keyring} or @samp{wallet} in GNOME Keyring
and KDE Wallet but it's the same thing, a group of secrets.
Collections are personal and protected so only the owner can open them.

The most common collection is called @code{"login"}.

A collection can have an alias.  The alias @code{"default"} is
commonly used so the clients don't have to know the specific name of
the collection they open.  Other aliases are not supported yet.
Since aliases are globally accessible, set the @code{"default"} alias
only when you're sure it's appropriate.

@defun secrets-list-collections
This function returns all the collection names as a list.
@end defun

@defun secrets-set-alias collection alias
Set @var{alias} as alias of collection labeled @var{collection}.
Currently only the alias @code{"default"} is supported.
@end defun

@defun secrets-get-alias alias
Return the collection name @var{alias} is referencing to.
Currently only the alias @code{"default"} is supported.
@end defun

Collections can be created and deleted by the functions
@code{secrets-create-collection} and @code{secrets-delete-collection}.
Usually, this is not done from within Emacs.  Do not delete standard
collections such as @code{"login"}.

With GNOME Keyring, there exists a special collection called
@code{"session"}, which has the lifetime of the user being logged in.
Its data are not stored on disk and go away when the user logs out.
Therefore, it can be used to store and retrieve secret items
temporarily.  The @code{"session"} collection is better than a
persistent collection when the secret items should not live
permanently.  The @code{"session"} collection can be addressed either
by the string @code{"session"}, or by @code{nil}, whenever a
collection parameter is needed.

However, other Secret Service provider don't create this temporary
@code{"session"} collection.  You shall check first that this
collection exists, before you use it.

@defun secrets-list-items collection
Returns all the item labels of @var{collection} as a list.
@end defun

@defun secrets-create-item collection item password &rest attributes
This function creates a new item in @var{collection} with label
@var{item} and password @var{password}.  The label @var{item} does not
have to be unique in @var{collection}.  @var{attributes} are key-value
pairs set for the created item.  The keys are keyword symbols,
starting with a colon; values are strings.  Example:

@example
;;; The collection is "session", the label is "my item"
;;; and the secret (password) is "geheim".
(secrets-create-item "session" "my item" "geheim"
 :method "sudo" :user "joe" :host "remote-host")
@end example

The key @code{:xdg:schema} determines the scope of the item to be
generated, i.e.@: for which applications the item is intended for.
This is just a string like "org.freedesktop.NetworkManager.Mobile" or
"org.gnome.OnlineAccounts", the other required keys are determined by
this.  If no @code{:xdg:schema} is given,
"org.freedesktop.Secret.Generic" is used by default.
@end defun

@defun secrets-get-secret collection item
Return the secret of item labeled @var{item} in @var{collection}.  If
there are several items labeled @var{item}, it is undefined which one
is returned.  If there is no such item, return @code{nil}.
@end defun

@defun secrets-delete-item collection item
This function deletes item @var{item} in @var{collection}.  If there
are several items labeled @var{item}, it is undefined which one is
deleted.
@end defun

The lookup attributes, which are specified during creation of a
secret item, must be a key-value pair.  Keys are keyword symbols,
starting with a colon; values are strings.  They can be retrieved
from a given secret item and they can be used for searching of items.

@defun secrets-get-attribute collection item attribute
Returns the value of key @var{attribute} of item labeled @var{item} in
@var{collection}.  If there are several items labeled @var{item}, it
is undefined which one is returned.  If there is no such item, or the
item doesn't own this key, the function returns @code{nil}.
@end defun

@defun secrets-get-attributes collection item
Return the lookup attributes of item labeled @var{item} in
@var{collection}.  If there are several items labeled @var{item}, it
is undefined which one is returned.  If there is no such item, or the
item has no attributes, it returns @code{nil}.  Example:

@example
(secrets-get-attributes "session" "my item")
     @result{} ((:user . "joe") (:host . "remote-host"))
@end example
@end defun

@defun secrets-search-items collection &rest attributes
Search for the items in @var{collection} with matching
@var{attributes}.  The @var{attributes} are key-value pairs, as used
in @code{secrets-create-item}.  Example:

@example
(secrets-search-items "session" :user "joe")
     @result{} ("my item" "another item")
@end example
@end defun

The auth-source library uses the @file{secrets.el} library and thus
the Secret Service API when you specify a source matching
@code{"secrets:COLLECTION"}.  For instance, you could use
@code{"secrets:session"} to use the @code{"session"} collection, open only
for the lifetime of Emacs.  Or you could use @code{"secrets:Login"} to
open the @code{"Login"} collection.  As a special case, you can use the
symbol @code{default} in @code{auth-sources} (not a string, but a
symbol) to specify the @code{"default"} alias.  Here is a contrived
example that sets @code{auth-sources} to search three collections and
then fall back to @file{~/.authinfo.gpg}.

@example
(setq auth-sources '(default
                     "secrets:session"
                     "secrets:Login"
                     "~/.authinfo.gpg"))
@end example

Attribute values in the auth-source spec, which are not strings (like
port numbers), are stringified prior calling the @file{secrets.el}
functions.

@node The Unix password store
@chapter The Unix password store

@uref{https://www.passwordstore.org,,The standard unix password
manager} (or just @code{pass}) stores your passwords in
@code{gpg}-protected files following the Unix philosophy.  The store
location (any directory) must be specified in the
@code{auth-source-pass-filename} variable which defaults to
@file{~/.password-store}.

Emacs integration of @code{pass} follows the approach suggested by the
pass project itself for data organization to find data.  In
particular, to store a password for the user @code{rms} on the host
@code{gnu.org} and port @code{22}, you should use one of the following
filenames.

@table @file
@item gnu.org.gpg
No username or port in the filename means that any username and port
will match.

@item gnu.org/rms.gpg
The username to match can be expressed as filename inside a directory
whose name matches the host.  This is useful if the store has
passwords for several users on the same host.

@item rms@@gnu.org.gpg
The username can also be expressed as a prefix, separated from the
host with an at-sign (@code{@@}).

@item gnu.org:22.gpg
The port (aka. service) to match can only be expressed after the host
and separated with a colon (@code{:}).  The separator can be changed
through the @code{auth-source-pass-port-separator} variable.

@item gnu.org:22/rms.gpg

@item rms@@gnu.org:22.gpg

@item a/b/gnu.org.gpg
Entries can be stored in arbitrary directories.

@item a/b/gnu.org/rms.gpg

@item a/b/rms@@gnu.org.gpg

@item a/b/gnu.org:22.gpg

@item a/b/gnu.org:22/rms.gpg

@item a/b/rms@@gnu.org:22.gpg
@end table

If several entries match, the one matching the most items (where an
``item'' is one of username, port or host) is preferred.  For example,
while searching for an entry matching the @code{rms} user on host
@code{gnu.org} and port @code{22}, then the entry
@file{gnu.org:22/rms.gpg} is preferred over @file{gnu.org.gpg}.
However, such processing is not applied when the option
@code{auth-source-pass-extra-query-keywords} is set to @code{t}.

Users of @code{pass} may also be interested in functionality provided
by other Emacs packages:

@itemize
@item
@uref{https://git.zx2c4.com/password-store/tree/contrib/emacs/password-store.el,,password-store}: library wrapping @code{pass};
@item
@uref{https://github.com/NicolasPetton/pass,,pass}: major mode to manipulate the store and edit entries;
@item
@uref{https://github.com/jabranham/helm-pass,,helm-pass}: helm interface for pass.
@end itemize

@defvar auth-source-pass-filename
Set this variable to a string locating the password store on the disk.
Defaults to @file{~/.password-store}.
@end defvar

@defvar auth-source-pass-port-separator
Set this variable to a string that should separate an host name from a
port in an entry.  Defaults to @samp{:}.
@end defvar

@defvar auth-source-pass-extra-query-keywords
This expands the selection of available keywords to include
@code{:max} and @code{:require} and tells more of them to accept a
list of query parameters as an argument.  When searching, it also
favors the @samp{rms@@gnu.org.gpg} form for usernames over the
@samp{gnu.org/rms.gpg} form, regardless of whether a @code{:user}
param was provided.

In general, if you prefer idiosyncrasies traditionally exhibited by
this backend, such as prioritizing field count in a filename or
matching against subdomain labels, keep this option set to @code{nil}
(the default).  But, if you experience problems predicting the outcome
of searches relative to other auth-source backends or encounter code
expecting to query multiple backends uniformly, try flipping it to
@code{t}.
@end defvar

@node Help for developers
@chapter Help for developers

The auth-source library lets you control logging output easily.

@defvar auth-source-debug
Set this variable to @code{'trivia} to see lots of output in
@file{*Messages*}, or set it to a function that behaves like
@code{message} to do your own logging.
@end defvar

The auth-source library only has a few functions for external use.

@defun auth-source-search &rest spec &key type max host user port secret require create delete &allow-other-keys
This function searches (or modifies) authentication backends according
to @var{spec}.  See the function's doc-string for details.
@c TODO more details.
@end defun

Let's take a look at an example of using @code{auth-source-search}
from Gnus's @code{nnimap.el}.

@example
(defun nnimap-credentials (address ports)
  (let* ((auth-source-creation-prompts
          '((user  . "IMAP user at %h: ")
            (secret . "IMAP password for %u@@%h: ")))
         (found (nth 0 (auth-source-search :max 1
                                           :host address
                                           :port ports
                                           :require '(:user :secret)
                                           :create t))))
    (if found
        (list (plist-get found :user)
              (auth-info-password found)
              (plist-get found :save-function))
      nil)))
@end example

This call requires the user and password (secret) to be in the
results.  It also requests that an entry be created if it doesn't
exist already.  While the created entry is being assembled, the shown
prompts will be used to interact with the user.  The caller can also
pass data in @code{auth-source-creation-defaults} to supply defaults
for any of the prompts.

Note that the password needs to be evaluated if it's a function.  It's
wrapped in a function to provide some security.

Later, after a successful login, @code{nnimap.el} calls the
@code{:save-function} like so:

@example
(when (functionp (nth 2 credentials))
  (funcall (nth 2 credentials)))
@end example

This will work whether the @code{:save-function} was provided or not.
@code{:save-function} will be provided only when a new entry was
created, so this effectively says ``after a successful login, save the
authentication information we just used, if it was newly created.''

After the first time it's called, the @code{:save-function} will not
run again (but it will log something if you have set
@code{auth-source-debug} to @code{'trivia}).  This is so it won't ask
the same question again, which is annoying.  This is so it won't ask
the same question again, which is annoying.  This is so it won't ask
the same question again, which is annoying.

So the responsibility of the API user that specified @code{:create t}
is to call the @code{:save-function} if it's provided.

@defun auth-source-delete &rest spec &key delete &allow-other-keys
This function deletes entries matching @var{spec} from the
authentication backends.  It returns the entries that were deleted.
The backend may not actually delete the entries.
@end defun

@defun auth-source-forget spec
This function forgets any cached data that exactly matches @var{spec}.
It returns @code{t} if it forget some data, and @code{nil} if no
matching data was found.
@end defun

@defun auth-source-forget+ &rest spec &allow-other-keys
This function forgets any cached data matching @var{spec}.
It returns the number of items forgotten.
@end defun

@defun auth-source-pick-first-password &rest spec
This function returns the password of the first record found by
applying @code{auth-source-search} to @var{spec}.
@end defun

@defun auth-info-password auth-info
This function extracts the password string from the @var{auth-info}
record.
@end defun

@node GnuPG and EasyPG Assistant Configuration
@appendix GnuPG and EasyPG Assistant Configuration

If the @code{auth-sources} variable contains @file{~/.authinfo.gpg}
before @file{~/.authinfo}, the auth-source library will try to
read the GnuPG encrypted @file{.gpg} file first, before
the unencrypted file.

The EasyPG Assistant, which comes bundled with Emacs, handles
decryption of encrypted files automatically, see @ref{Top, , Top, epa,
EasyPG Assistant User's Manual}.  It is an Emacs user interface to
@acronym{GnuPG, GNU Privacy Guard}, see @ref{Top, , Top, gnupg, Using
the GNU Privacy Guard}.  To get started with these quickly, see
@ref{Quick start, , Quick Start, epa, EasyPG Assistant User's Manual}.

@node GNU Free Documentation License
@appendix GNU Free Documentation License
@include doclicense.texi

@node Index
@unnumbered Index
@printindex cp

@node Function Index
@unnumbered Function Index
@printindex fn

@node Variable Index
@unnumbered Variable Index
@printindex vr

@bye

@c End: