1 \input texinfo @c -*-texinfo-*-
3 @include gnus-overrides.texi
5 @setfilename ../../info/auth
6 @settitle Emacs auth-source Library @value{VERSION}
11 This file describes the Emacs auth-source library.
13 Copyright @copyright{} 2008-2012 Free Software Foundation, Inc.
16 Permission is granted to copy, distribute and/or modify this document
17 under the terms of the GNU Free Documentation License, Version 1.3 or
18 any later version published by the Free Software Foundation; with no
19 Invariant Sections, with the Front-Cover texts being ``A GNU Manual,''
20 and with the Back-Cover Texts as in (a) below. A copy of the license
21 is included in the section entitled ``GNU Free Documentation License''
24 (a) The FSF's Back-Cover Text is: ``You have the freedom to copy and
25 modify this GNU manual. Buying copies from the FSF supports it in
26 developing GNU and promoting software freedom.''
28 This document is part of a collection distributed under the GNU Free
29 Documentation License. If you want to distribute this document
30 separately from the collection, you can do so by adding a copy of the
31 license to the document, as described in section 6 of the license.
35 @dircategory Emacs lisp libraries
37 * Auth-source: (auth). The Emacs auth-source library.
42 @title Emacs auth-source Library (DEVELOPMENT VERSION)
45 @title Emacs auth-source Library
47 @author by Ted Zlatanov
49 @vskip 0pt plus 1filll
57 @top Emacs auth-source
58 This manual describes the Emacs auth-source library.
60 It is a way for multiple applications to share a single configuration
61 (in Emacs and in files) for user convenience.
66 * Overview:: Overview of the auth-source library.
68 * Secret Service API::
69 * Help for developers::
70 * GnuPG and EasyPG Assistant Configuration::
80 The auth-source library is simply a way for Emacs and Gnus, among
81 others, to answer the old burning question ``What are my user name and
84 (This is different from the old question about burning ``Where is the
85 fire extinguisher, please?''.)
87 The auth-source library supports more than just the user name or the
88 password (known as the secret).
90 Similarly, the auth-source library supports multiple storage backend,
91 currently either the classic ``netrc'' backend, examples of which you
92 can see later in this document, or the Secret Service API. This is
93 done with EIEIO-based backends and you can write your own if you want.
96 @chapter Help for users
98 ``Netrc'' files are a de facto standard. They look like this:
100 machine @var{mymachine} login @var{myloginname} password @var{mypassword} port @var{myport}
103 The @code{machine} is the server (either a DNS name or an IP address).
104 It's known as @var{:host} in @code{auth-source-search} queries. You
105 can also use @code{host}.
107 The @code{port} is the connection port or protocol. It's known as
108 @var{:port} in @code{auth-source-search} queries.
110 The @code{user} is the user name. It's known as @var{:user} in
111 @code{auth-source-search} queries. You can also use @code{login} and
114 Spaces are always OK as far as auth-source is concerned (but other
115 programs may not like them). Just put the data in quotes, escaping
116 quotes as you'd expect with @samp{\}.
118 All these are optional. You could just say (but we don't recommend
119 it, we're just showing that it's possible)
122 password @var{mypassword}
125 to use the same password everywhere. Again, @emph{DO NOT DO THIS} or
126 you will be pwned as the kids say.
128 ``Netrc'' files are usually called @file{.authinfo} or @file{.netrc};
129 nowadays @file{.authinfo} seems to be more popular and the auth-source
130 library encourages this confusion by accepting both, as you'll see
133 If you have problems with the search, set @code{auth-source-debug} to
134 @code{'trivia} and see what host, port, and user the library is
135 checking in the @samp{*Messages*} buffer. Ditto for any other
136 problems, your first step is always to see what's being checked. The
137 second step, of course, is to write a blog entry about it and wait for
138 the answer in the comments.
140 You can customize the variable @code{auth-sources}. The following may
141 be needed if you are using an older version of Emacs or if the
142 auth-source library is not loaded for some other reason.
145 (require 'auth-source) ;; probably not necessary
146 (customize-variable 'auth-sources) ;; optional, do it once
151 The @code{auth-sources} variable tells the auth-source library where
152 your netrc files or Secret Service API collection items live for a
153 particular host and protocol. While you can get fancy, the default
154 and simplest configuration is:
157 ;;; old default: required :host and :port, not needed anymore
158 (setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
159 ;;; mostly equivalent (see below about fallbacks) but shorter:
160 (setq auth-sources '((:source "~/.authinfo.gpg")))
161 ;;; even shorter and the @emph{default}:
162 (setq auth-sources '("~/.authinfo.gpg" "~/.authinfo" "~/.netrc"))
163 ;;; use the Secrets API @var{Login} collection (@pxref{Secret Service API})
164 (setq auth-sources '("secrets:Login"))
167 By adding multiple entries to @code{auth-sources} with a particular
168 host or protocol, you can have specific netrc files for that host or
169 protocol. Usually this is unnecessary but may make sense if you have
170 shared netrc files or some other unusual setup (90% of Emacs users
171 have unusual setups and the remaining 10% are @emph{really} unusual).
173 Here's a mixed example using two sources:
176 (setq auth-sources '((:source (:secrets default) :host "myserver" :user "joe")
182 If you don't customize @code{auth-sources}, you'll have to live with
183 the defaults: the unencrypted netrc file @file{~/.authinfo} will be
184 used for any host and any port.
186 If that fails, any host and any port are looked up in the netrc file
187 @file{~/.authinfo.gpg}, which is a GnuPG encrypted file (@pxref{GnuPG
188 and EasyPG Assistant Configuration}).
190 Finally, the unencrypted netrc file @file{~/.netrc} will be used for
191 any host and any port.
193 The typical netrc line example is without a port.
196 machine YOURMACHINE login YOU password YOURPASSWORD
199 This will match any authentication port. Simple, right? But what if
200 there's a SMTP server on port 433 of that machine that needs a
201 different password from the IMAP server?
204 machine YOURMACHINE login YOU password SMTPPASSWORD port 433
205 machine YOURMACHINE login YOU password GENERALPASSWORD
208 For url-auth authentication (HTTP/HTTPS), you need to put this in your
212 machine yourmachine.com:80 port http login testuser password testpass
215 This will match any realm and authentication method (basic or digest)
216 over HTTP. HTTPS is set up similarly. If you want finer controls,
217 explore the url-auth source code and variables.
219 For Tramp authentication, use:
222 machine yourmachine.com port scp login testuser password testpass
225 Note that the port denotes the Tramp connection method. When you
226 don't use a port entry, you match any Tramp method, as explained
227 earlier. Since Tramp has about 88 connection methods, this may be
228 necessary if you have an unusual (see earlier comment on those) setup.
230 @node Secret Service API
231 @chapter Secret Service API
233 The @dfn{Secret Service API} is a standard from
234 @uref{http://www.freedesktop.org/wiki/Specifications/secret-storage-spec,,freedesktop.org}
235 to securely store passwords and other confidential information. This
236 API is implemented by system daemons such as the GNOME Keyring and the
237 KDE Wallet (these are GNOME and KDE packages respectively and should
238 be available on most modern GNU/Linux systems).
240 The auth-source library uses the @file{secrets.el} library to connect
241 through the Secret Service API. You can also use that library in
242 other packages, it's not exclusive to auth-source.
244 @defvar secrets-enabled
245 After loading @file{secrets.el}, a non-@code{nil} value of this
246 variable indicates the existence of a daemon providing the Secret
250 @deffn Command secrets-show-secrets
251 This command shows all collections, items, and their attributes.
254 The atomic objects managed by the Secret Service API are @dfn{secret
255 items}, which contain things an application wishes to store securely,
256 like a password. Secret items have a label (a name), the @dfn{secret}
257 (which is the string we want, like a password), and a set of lookup
258 attributes. The attributes can be used to search and retrieve a
259 secret item at a later date.
261 Secret items are grouped in @dfn{collections}. A collection is
262 sometimes called a @samp{keyring} or @samp{wallet} in GNOME Keyring
263 and KDE Wallet but it's the same thing, a group of secrets.
264 Collections are personal and protected so only the owner can open them.
266 The most common collection is called @code{"login"}.
268 A collection can have an alias. The alias @code{"default"} is
269 commonly used so the clients don't have to know the specific name of
270 the collection they open. Other aliases are not supported yet.
271 Since aliases are globally accessible, set the @code{"default"} alias
272 only when you're sure it's appropriate.
274 @defun secrets-list-collections
275 This function returns all the collection names as a list.
278 @defun secrets-set-alias collection alias
279 Set @var{alias} as alias of collection labeled @var{collection}.
280 Currently only the alias @code{"default"} is supported.
283 @defun secrets-get-alias alias
284 Return the collection name @var{alias} is referencing to.
285 Currently only the alias @code{"default"} is supported.
288 Collections can be created and deleted by the functions
289 @code{secrets-create-collection} and @code{secrets-delete-collection}.
290 Usually, this is not done from within Emacs. Do not delete standard
291 collections such as @code{"login"}.
293 The special collection @code{"session"} exists for the lifetime of the
294 corresponding client session (in our case, Emacs's lifetime). It is
295 created automatically when Emacs uses the Secret Service interface and
296 it is deleted when Emacs is killed. Therefore, it can be used to
297 store and retrieve secret items temporarily. The @code{"session"}
298 collection is better than a persistent collection when the secret
299 items should not live longer than Emacs. The session collection can
300 be specified either by the string @code{"session"}, or by @code{nil},
301 whenever a collection parameter is needed in the following functions.
303 @defun secrets-list-items collection
304 Returns all the item labels of @var{collection} as a list.
307 @defun secrets-create-item collection item password &rest attributes
308 This function creates a new item in @var{collection} with label
309 @var{item} and password @var{password}. @var{attributes} are
310 key-value pairs set for the created item. The keys are keyword
311 symbols, starting with a colon. Example:
314 ;;; The session "session", the label is "my item"
315 ;;; and the secret (password) is "geheim"
316 (secrets-create-item "session" "my item" "geheim"
317 :method "sudo" :user "joe" :host "remote-host")
321 @defun secrets-get-secret collection item
322 Return the secret of item labeled @var{item} in @var{collection}.
323 If there is no such item, return @code{nil}.
326 @defun secrets-delete-item collection item
327 This function deletes item @var{item} in @var{collection}.
330 The lookup attributes, which are specified during creation of a
331 secret item, must be a key-value pair. Keys are keyword symbols,
332 starting with a colon; values are strings. They can be retrieved
333 from a given secret item and they can be used for searching of items.
335 @defun secrets-get-attribute collection item attribute
336 Returns the value of key @var{attribute} of item labeled @var{item} in
337 @var{collection}. If there is no such item, or the item doesn't own
338 this key, the function returns @code{nil}.
341 @defun secrets-get-attributes collection item
342 Return the lookup attributes of item labeled @var{item} in
343 @var{collection}. If there is no such item, or the item has no
344 attributes, it returns @code{nil}. Example:
347 (secrets-get-attributes "session" "my item")
348 @result{} ((:user . "joe") (:host ."remote-host"))
352 @defun secrets-search-items collection &rest attributes
353 Search for the items in @var{collection} with matching
354 @var{attributes}. The @var{attributes} are key-value pairs, as used
355 in @code{secrets-create-item}. Example:
358 (secrets-search-items "session" :user "joe")
359 @result{} ("my item" "another item")
363 The auth-source library uses the @file{secrets.el} library and thus
364 the Secret Service API when you specify a source matching
365 @code{"secrets:COLLECTION"}. For instance, you could use
366 @code{"secrets:session"} to use the @code{"session"} collection, open only
367 for the lifetime of Emacs. Or you could use @code{"secrets:Login"} to
368 open the @code{"Login"} collection. As a special case, you can use the
369 symbol @code{default} in @code{auth-sources} (not a string, but a
370 symbol) to specify the @code{"default"} alias. Here is a contrived
371 example that sets @code{auth-sources} to search three collections and
372 then fall back to @file{~/.authinfo.gpg}.
375 (setq auth-sources '(default
381 @node Help for developers
382 @chapter Help for developers
384 The auth-source library lets you control logging output easily.
386 @defvar auth-source-debug
387 Set this variable to @code{'trivia} to see lots of output in
388 @samp{*Messages*}, or set it to a function that behaves like
389 @code{message} to do your own logging.
392 The auth-source library only has a few functions for external use.
394 @defun auth-source-search &rest spec &key type max host user port secret require create delete &allow-other-keys
395 This function searches (or modifies) authentication backends according
396 to @var{spec}. See the function's doc-string for details.
397 @c TODO more details.
400 Let's take a look at an example of using @code{auth-source-search}
401 from Gnus's @code{nnimap.el}.
404 (defun nnimap-credentials (address ports)
405 (let* ((auth-source-creation-prompts
406 '((user . "IMAP user at %h: ")
407 (secret . "IMAP password for %u@@%h: ")))
408 (found (nth 0 (auth-source-search :max 1
411 :require '(:user :secret)
414 (list (plist-get found :user)
415 (let ((secret (plist-get found :secret)))
416 (if (functionp secret)
419 (plist-get found :save-function))
423 This call requires the user and password (secret) to be in the
424 results. It also requests that an entry be created if it doesn't
425 exist already. While the created entry is being assembled, the shown
426 prompts will be used to interact with the user. The caller can also
427 pass data in @code{auth-source-creation-defaults} to supply defaults
428 for any of the prompts.
430 Note that the password needs to be evaluated if it's a function. It's
431 wrapped in a function to provide some security.
433 Later, after a successful login, @code{nnimap.el} calls the
434 @code{:save-function} like so:
437 (when (functionp (nth 2 credentials))
438 (funcall (nth 2 credentials)))
441 This will work whether the @code{:save-function} was provided or not.
442 @code{:save-function} will be provided only when a new entry was
443 created, so this effectively says ``after a successful login, save the
444 authentication information we just used, if it was newly created.''
446 After the first time it's called, the @code{:save-function} will not
447 run again (but it will log something if you have set
448 @code{auth-source-debug} to @code{'trivia}). This is so it won't ask
449 the same question again, which is annoying. This is so it won't ask
450 the same question again, which is annoying. This is so it won't ask
451 the same question again, which is annoying.
453 So the responsibility of the API user that specified @code{:create t}
454 is to call the @code{:save-function} if it's provided.
456 @defun auth-source-delete &rest spec &key delete &allow-other-keys
457 This function deletes entries matching @var{spec} from the
458 authentication backends. It returns the entries that were deleted.
459 The backend may not actually delete the entries.
462 @defun auth-source-forget spec
463 This function forgets any cached data that exactly matches @var{spec}.
464 It returns @code{t} if it forget some data, and @code{nil} if no
465 matching data was found.
468 @defun auth-source-forget+ &rest spec &allow-other-keys
469 This function forgets any cached data matching @var{spec}.
470 It returns the number of items forgotten.
473 @node GnuPG and EasyPG Assistant Configuration
474 @appendix GnuPG and EasyPG Assistant Configuration
476 If you don't customize @code{auth-sources}, the auth-source library
477 reads @file{~/.authinfo.gpg}, which is a GnuPG encrypted file. Then
478 it will check @file{~/.authinfo} but it's not recommended to use such
481 In Emacs 23 or later there is an option @code{auto-encryption-mode} to
482 automatically decrypt @file{*.gpg} files. It is enabled by default.
483 If you are using earlier versions of Emacs, you will need:
490 If you want your GnuPG passwords to be cached, set up @code{gpg-agent}
492 (@pxref{Caching Passphrases, , Caching Passphrases, epa}).
494 To quick start, here are some questions:
498 Do you use GnuPG version 2 instead of GnuPG version 1?
500 Do you use symmetric encryption rather than public key encryption?
502 Do you want to use gpg-agent?
505 Here are configurations depending on your answers:
507 @multitable {111} {222} {333} {configuration configuration configuration}
508 @item @b{1} @tab @b{2} @tab @b{3} @tab Configuration
509 @item Yes @tab Yes @tab Yes @tab Set up gpg-agent.
510 @item Yes @tab Yes @tab No @tab You can't, without gpg-agent.
511 @item Yes @tab No @tab Yes @tab Set up gpg-agent.
512 @item Yes @tab No @tab No @tab You can't, without gpg-agent.
513 @item No @tab Yes @tab Yes @tab Set up elisp passphrase cache.
514 @item No @tab Yes @tab No @tab Set up elisp passphrase cache.
515 @item No @tab No @tab Yes @tab Set up gpg-agent.
516 @item No @tab No @tab No @tab You can't, without gpg-agent.
519 To set up gpg-agent, follow the instruction in GnuPG manual
520 (@pxref{Invoking GPG-AGENT, , Invoking GPG-AGENT, gnupg}).
522 To set up elisp passphrase cache, set
523 @code{epa-file-cache-passphrase-for-symmetric-encryption}.
530 @chapter Function Index
534 @chapter Variable Index