1 \input texinfo @c -*-texinfo-*-
3 @include gnus-overrides.texi
5 @setfilename ../../info/auth
6 @settitle Emacs auth-source Library @value{VERSION}
11 This file describes the Emacs auth-source library.
13 Copyright @copyright{} 2008-2012 Free Software Foundation, Inc.
16 Permission is granted to copy, distribute and/or modify this document
17 under the terms of the GNU Free Documentation License, Version 1.3 or
18 any later version published by the Free Software Foundation; with no
19 Invariant Sections, with the Front-Cover texts being ``A GNU Manual,''
20 and with the Back-Cover Texts as in (a) below. A copy of the license
21 is included in the section entitled ``GNU Free Documentation License''
24 (a) The FSF's Back-Cover Text is: ``You have the freedom to copy and
25 modify this GNU manual. Buying copies from the FSF supports it in
26 developing GNU and promoting software freedom.''
28 This document is part of a collection distributed under the GNU Free
29 Documentation License. If you want to distribute this document
30 separately from the collection, you can do so by adding a copy of the
31 license to the document, as described in section 6 of the license.
35 @dircategory Emacs lisp libraries
37 * Auth-source: (auth). The Emacs auth-source library.
42 @title Emacs auth-source Library (DEVELOPMENT VERSION)
45 @title Emacs auth-source Library
47 @author by Ted Zlatanov
49 @vskip 0pt plus 1filll
57 @top Emacs auth-source
58 This manual describes the Emacs auth-source library.
60 It is a way for multiple applications to share a single configuration
61 (in Emacs and in files) for user convenience.
66 * Overview:: Overview of the auth-source library.
68 * Secret Service API::
69 * Help for developers::
70 * GnuPG and EasyPG Assistant Configuration::
80 The auth-source library is simply a way for Emacs and Gnus, among
81 others, to answer the old burning question ``What are my user name and
84 (This is different from the old question about burning ``Where is the
85 fire extinguisher, please?''.)
87 The auth-source library supports more than just the user name or the
88 password (known as the secret).
90 Similarly, the auth-source library supports multiple storage backend,
91 currently either the classic ``netrc'' backend, examples of which you
92 can see later in this document, or the Secret Service API. This is
93 done with EIEIO-based backends and you can write your own if you want.
96 @chapter Help for users
98 ``Netrc'' files are a de facto standard. They look like this:
100 machine @var{mymachine} login @var{myloginname} password @var{mypassword} port @var{myport}
103 The @code{machine} is the server (either a DNS name or an IP address).
104 It's known as @var{:host} in @code{auth-source-search} queries. You
105 can also use @code{host}.
107 The @code{port} is the connection port or protocol. It's known as
108 @var{:port} in @code{auth-source-search} queries.
110 The @code{user} is the user name. It's known as @var{:user} in
111 @code{auth-source-search} queries. You can also use @code{login} and
114 Spaces are always OK as far as auth-source is concerned (but other
115 programs may not like them). Just put the data in quotes, escaping
116 quotes as you'd expect with @samp{\}.
118 All these are optional. You could just say (but we don't recommend
119 it, we're just showing that it's possible)
122 password @var{mypassword}
125 to use the same password everywhere. Again, @emph{DO NOT DO THIS} or
126 you will be pwned as the kids say.
128 ``Netrc'' files are usually called @file{.authinfo} or @file{.netrc};
129 nowadays @file{.authinfo} seems to be more popular and the auth-source
130 library encourages this confusion by accepting both, as you'll see
133 If you have problems with the search, set @code{auth-source-debug} to
134 @code{'trivia} and see what host, port, and user the library is
135 checking in the @samp{*Messages*} buffer. Ditto for any other
136 problems, your first step is always to see what's being checked. The
137 second step, of course, is to write a blog entry about it and wait for
138 the answer in the comments.
140 You can customize the variable @code{auth-sources}. The following may
141 be needed if you are using an older version of Emacs or if the
142 auth-source library is not loaded for some other reason.
145 (require 'auth-source) ;; probably not necessary
146 (customize-variable 'auth-sources) ;; optional, do it once
151 The @code{auth-sources} variable tells the auth-source library where
152 your netrc files or Secret Service API collection items live for a
153 particular host and protocol. While you can get fancy, the default
154 and simplest configuration is:
157 ;;; old default: required :host and :port, not needed anymore
158 (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
159 ;;; mostly equivalent (see below about fallbacks) but shorter:
160 (setq auth-sources '((:source "~/.authinfo.gpg")))
161 ;;; even shorter and the @emph{default}:
162 (setq auth-sources '("~/.authinfo.gpg" "~/.authinfo" "~/.netrc"))
163 ;;; use the Secrets API @var{Login} collection (@pxref{Secret Service API})
164 (setq auth-sources '("secrets:Login"))
167 By adding multiple entries to @code{auth-sources} with a particular
168 host or protocol, you can have specific netrc files for that host or
169 protocol. Usually this is unnecessary but may make sense if you have
170 shared netrc files or some other unusual setup (90% of Emacs users
171 have unusual setups and the remaining 10% are @emph{really} unusual).
173 Here's a mixed example using two sources:
176 (setq auth-sources '((:source (:secrets default) :host "myserver" :user "joe")
182 If you don't customize @code{auth-sources}, you'll have to live with
183 the defaults: any host and any port are looked up in the netrc
184 file @file{~/.authinfo.gpg}, which is a GnuPG encrypted file
185 (@pxref{GnuPG and EasyPG Assistant Configuration}).
187 If that fails, the unencrypted netrc files @file{~/.authinfo} and
188 @file{~/.netrc} will be used.
190 The typical netrc line example is without a port.
193 machine YOURMACHINE login YOU password YOURPASSWORD
196 This will match any authentication port. Simple, right? But what if
197 there's a SMTP server on port 433 of that machine that needs a
198 different password from the IMAP server?
201 machine YOURMACHINE login YOU password SMTPPASSWORD port 433
202 machine YOURMACHINE login YOU password GENERALPASSWORD
205 For url-auth authentication (HTTP/HTTPS), you need to put this in your
209 machine yourmachine.com:80 port http login testuser password testpass
212 This will match any realm and authentication method (basic or digest)
213 over HTTP. HTTPS is set up similarly. If you want finer controls,
214 explore the url-auth source code and variables.
216 For Tramp authentication, use:
219 machine yourmachine.com port scp login testuser password testpass
222 Note that the port denotes the Tramp connection method. When you
223 don't use a port entry, you match any Tramp method, as explained
224 earlier. Since Tramp has about 88 connection methods, this may be
225 necessary if you have an unusual (see earlier comment on those) setup.
227 @node Secret Service API
228 @chapter Secret Service API
230 The @dfn{Secret Service API} is a standard from
231 @uref{http://www.freedesktop.org/wiki/Specifications/secret-storage-spec,,freedesktop.org}
232 to securely store passwords and other confidential information. This
233 API is implemented by system daemons such as the GNOME Keyring and the
234 KDE Wallet (these are GNOME and KDE packages respectively and should
235 be available on most modern GNU/Linux systems).
237 The auth-source library uses the @file{secrets.el} library to connect
238 through the Secret Service API. You can also use that library in
239 other packages, it's not exclusive to auth-source.
241 @defvar secrets-enabled
242 After loading @file{secrets.el}, a non-@code{nil} value of this
243 variable indicates the existence of a daemon providing the Secret
247 @deffn Command secrets-show-secrets
248 This command shows all collections, items, and their attributes.
251 The atomic objects managed by the Secret Service API are @dfn{secret
252 items}, which contain things an application wishes to store securely,
253 like a password. Secret items have a label (a name), the @dfn{secret}
254 (which is the string we want, like a password), and a set of lookup
255 attributes. The attributes can be used to search and retrieve a
256 secret item at a later date.
258 Secret items are grouped in @dfn{collections}. A collection is
259 sometimes called a @samp{keyring} or @samp{wallet} in GNOME Keyring
260 and KDE Wallet but it's the same thing, a group of secrets.
261 Collections are personal and protected so only the owner can open them.
263 The most common collection is called @code{"login"}.
265 A collection can have an alias. The alias @code{"default"} is
266 commonly used so the clients don't have to know the specific name of
267 the collection they open. Other aliases are not supported yet.
268 Since aliases are globally accessible, set the @code{"default"} alias
269 only when you're sure it's appropriate.
271 @defun secrets-list-collections
272 This function returns all the collection names as a list.
275 @defun secrets-set-alias collection alias
276 Set @var{alias} as alias of collection labeled @var{collection}.
277 Currently only the alias @code{"default"} is supported.
280 @defun secrets-get-alias alias
281 Return the collection name @var{alias} is referencing to.
282 Currently only the alias @code{"default"} is supported.
285 Collections can be created and deleted by the functions
286 @code{secrets-create-collection} and @code{secrets-delete-collection}.
287 Usually, this is not done from within Emacs. Do not delete standard
288 collections such as @code{"login"}.
290 The special collection @code{"session"} exists for the lifetime of the
291 corresponding client session (in our case, Emacs's lifetime). It is
292 created automatically when Emacs uses the Secret Service interface and
293 it is deleted when Emacs is killed. Therefore, it can be used to
294 store and retrieve secret items temporarily. The @code{"session"}
295 collection is better than a persistent collection when the secret
296 items should not live longer than Emacs. The session collection can
297 be specified either by the string @code{"session"}, or by @code{nil},
298 whenever a collection parameter is needed in the following functions.
300 @defun secrets-list-items collection
301 Returns all the item labels of @var{collection} as a list.
304 @defun secrets-create-item collection item password &rest attributes
305 This function creates a new item in @var{collection} with label
306 @var{item} and password @var{password}. @var{attributes} are
307 key-value pairs set for the created item. The keys are keyword
308 symbols, starting with a colon. Example:
311 ;;; The session "session", the label is "my item"
312 ;;; and the secret (password) is "geheim"
313 (secrets-create-item "session" "my item" "geheim"
314 :method "sudo" :user "joe" :host "remote-host")
318 @defun secrets-get-secret collection item
319 Return the secret of item labeled @var{item} in @var{collection}.
320 If there is no such item, return @code{nil}.
323 @defun secrets-delete-item collection item
324 This function deletes item @var{item} in @var{collection}.
327 The lookup attributes, which are specified during creation of a
328 secret item, must be a key-value pair. Keys are keyword symbols,
329 starting with a colon; values are strings. They can be retrieved
330 from a given secret item and they can be used for searching of items.
332 @defun secrets-get-attribute collection item attribute
333 Returns the value of key @var{attribute} of item labeled @var{item} in
334 @var{collection}. If there is no such item, or the item doesn't own
335 this key, the function returns @code{nil}.
338 @defun secrets-get-attributes collection item
339 Return the lookup attributes of item labeled @var{item} in
340 @var{collection}. If there is no such item, or the item has no
341 attributes, it returns @code{nil}. Example:
344 (secrets-get-attributes "session" "my item")
345 @result{} ((:user . "joe") (:host ."remote-host"))
349 @defun secrets-search-items collection &rest attributes
350 Search for the items in @var{collection} with matching
351 @var{attributes}. The @var{attributes} are key-value pairs, as used
352 in @code{secrets-create-item}. Example:
355 (secrets-search-items "session" :user "joe")
356 @result{} ("my item" "another item")
360 The auth-source library uses the @file{secrets.el} library and thus
361 the Secret Service API when you specify a source matching
362 @code{"secrets:COLLECTION"}. For instance, you could use
363 @code{"secrets:session"} to use the @code{"session"} collection, open only
364 for the lifetime of Emacs. Or you could use @code{"secrets:Login"} to
365 open the @code{"Login"} collection. As a special case, you can use the
366 symbol @code{default} in @code{auth-sources} (not a string, but a
367 symbol) to specify the @code{"default"} alias. Here is a contrived
368 example that sets @code{auth-sources} to search three collections and
369 then fall back to @file{~/.authinfo.gpg}.
372 (setq auth-sources '(default
378 @node Help for developers
379 @chapter Help for developers
381 The auth-source library lets you control logging output easily.
383 @defvar auth-source-debug
384 Set this variable to @code{'trivia} to see lots of output in
385 @samp{*Messages*}, or set it to a function that behaves like
386 @code{message} to do your own logging.
389 The auth-source library only has a few functions for external use.
391 @defun auth-source-search &rest spec &key type max host user port secret require create delete &allow-other-keys
392 This function searches (or modifies) authentication backends according
393 to @var{spec}. See the function's doc-string for details.
394 @c TODO more details.
397 Let's take a look at an example of using @code{auth-source-search}
398 from Gnus's @code{nnimap.el}.
401 (defun nnimap-credentials (address ports)
402 (let* ((auth-source-creation-prompts
403 '((user . "IMAP user at %h: ")
404 (secret . "IMAP password for %u@@%h: ")))
405 (found (nth 0 (auth-source-search :max 1
408 :require '(:user :secret)
411 (list (plist-get found :user)
412 (let ((secret (plist-get found :secret)))
413 (if (functionp secret)
416 (plist-get found :save-function))
420 This call requires the user and password (secret) to be in the
421 results. It also requests that an entry be created if it doesn't
422 exist already. While the created entry is being assembled, the shown
423 prompts will be used to interact with the user. The caller can also
424 pass data in @code{auth-source-creation-defaults} to supply defaults
425 for any of the prompts.
427 Note that the password needs to be evaluated if it's a function. It's
428 wrapped in a function to provide some security.
430 Later, after a successful login, @code{nnimap.el} calls the
431 @code{:save-function} like so:
434 (when (functionp (nth 2 credentials))
435 (funcall (nth 2 credentials)))
438 This will work whether the @code{:save-function} was provided or not.
439 @code{:save-function} will be provided only when a new entry was
440 created, so this effectively says ``after a successful login, save the
441 authentication information we just used, if it was newly created.''
443 After the first time it's called, the @code{:save-function} will not
444 run again (but it will log something if you have set
445 @code{auth-source-debug} to @code{'trivia}). This is so it won't ask
446 the same question again, which is annoying. This is so it won't ask
447 the same question again, which is annoying. This is so it won't ask
448 the same question again, which is annoying.
450 So the responsibility of the API user that specified @code{:create t}
451 is to call the @code{:save-function} if it's provided.
453 @defun auth-source-delete &rest spec &key delete &allow-other-keys
454 This function deletes entries matching @var{spec} from the
455 authentication backends. It returns the entries that were deleted.
456 The backend may not actually delete the entries.
459 @defun auth-source-forget spec
460 This function forgets any cached data that exactly matches @var{spec}.
461 It returns @code{t} if it forget some data, and @code{nil} if no
462 matching data was found.
465 @defun auth-source-forget+ &rest spec &allow-other-keys
466 This function forgets any cached data matching @var{spec}.
467 It returns the number of items forgotten.
470 @node GnuPG and EasyPG Assistant Configuration
471 @appendix GnuPG and EasyPG Assistant Configuration
473 If you don't customize @code{auth-sources}, the auth-source library
474 reads @file{~/.authinfo.gpg}, which is a GnuPG encrypted file. Then
475 it will check @file{~/.authinfo} but it's not recommended to use such
478 In Emacs 23 or later there is an option @code{auto-encryption-mode} to
479 automatically decrypt @file{*.gpg} files. It is enabled by default.
480 If you are using earlier versions of Emacs, you will need:
487 If you want your GnuPG passwords to be cached, set up @code{gpg-agent}
489 (@pxref{Caching Passphrases, , Caching Passphrases, epa}).
491 To quick start, here are some questions:
495 Do you use GnuPG version 2 instead of GnuPG version 1?
497 Do you use symmetric encryption rather than public key encryption?
499 Do you want to use gpg-agent?
502 Here are configurations depending on your answers:
504 @multitable {111} {222} {333} {configuration configuration configuration}
505 @item @b{1} @tab @b{2} @tab @b{3} @tab Configuration
506 @item Yes @tab Yes @tab Yes @tab Set up gpg-agent.
507 @item Yes @tab Yes @tab No @tab You can't, without gpg-agent.
508 @item Yes @tab No @tab Yes @tab Set up gpg-agent.
509 @item Yes @tab No @tab No @tab You can't, without gpg-agent.
510 @item No @tab Yes @tab Yes @tab Set up elisp passphrase cache.
511 @item No @tab Yes @tab No @tab Set up elisp passphrase cache.
512 @item No @tab No @tab Yes @tab Set up gpg-agent.
513 @item No @tab No @tab No @tab You can't, without gpg-agent.
516 To set up gpg-agent, follow the instruction in GnuPG manual
517 (@pxref{Invoking GPG-AGENT, , Invoking GPG-AGENT, gnupg}).
519 To set up elisp passphrase cache, set
520 @code{epa-file-cache-passphrase-for-symmetric-encryption}.
527 @chapter Function Index
531 @chapter Variable Index