Ethan Glasser-Camp <ethan.glasser.c...@gmail.com> writes:
> Hi, thanks for your fast response!
Hi Ethan,
> Yes, the attached patch definitely fixes things for me. I've copied
> the definition of `auth-info-password` into my init.el for now.
Good, that it works for you. I have updated the declaration of
tramp-compat-auth-info-password such a way, that it uses Emacs' own
version of auth-info-password starting with Emacs 30. By this, you don't
need to guard yourself against this problem.
This will appear with Tramp 2.7.1 on GNU ELPA, which is scheduled for
release end of June. And of course with Emacs 30, but this is months
away.
> I'm also surprised to see that no additional `ethan@black-diamond`
> entry was created in GNOME Secrets.
Is that so? That means, you have only the `root@black-diamond` entry in
GNOME secrets? Perhaps this is due to your auth-sources config:
--8<---------------cut here---------------start------------->8---
(setq auth-sources
'(default
"secrets:session"
"secrets:Login"
"~/.authinfo.gpg"))
--8<---------------cut here---------------end--------------->8---
"secrets:session" is a temporary collection only, which is not kept
permanently.
> I see that the `auth-source` docstring for `auth-source-search` says
> "The token's :secret key can hold a function. In that case you must
> call it to obtain the actual value." I guess it doesn't say you need
> to call it only once but that's how I interpreted it. I understand the
> first level of function comes from the lambda in
> `auth-source-secrets-search`; where does the second one come from?
No idea. Perhaps it is a brittle implementation of the secrets.el
integration into auth-source.el, who knows ...
> Out of curiosity, how does fixing this fix the larger issue? I see
> that the successful tramp connection says `root@black-diamond`. Is
> there some kind of fallback behavior in either tramp or `auth-source`
> that tries `root@` after trying `ethan@`?
Tramp says `root@black-diamond` connection because this is what you have
told it to open for the sudo method. However, Tramp knows, that the sudo
method requires the password of the local user, and so it works with
`ethan@black-diamond`. Using `root@@black-diamond' doesn't make sense
for sudo.
Conceptually this is always right for sudo, but there was an error in
Tramp that it has asked auth-source-search for `root@black-diamond` in
the past. This was fixed in Tramp 2.6 (the version you get with Emacs
29), so an entry `root@black-diamond` was created likely using an older
Tramp version. See also the recent Tramp manual, which says in
(info "(tramp) Password handling")
--8<---------------cut here---------------start------------->8---
For the methods ‘doas’, ‘sudo’, ‘sudoedit’ and ‘nspawn’ the password
of the user requesting the connection is needed, and not the password of
the target user(1). If these connections happen on the local host, an
entry with the local user and local host is used:
machine HOST port sudo login USER password secret
--8<---------------cut here---------------end--------------->8---
It gives you an .authinfo style example, but the essence is the same for
secrets.el.
> I guess based on your use of the term "cascaded" that maybe
> `auth-source` knows it doesn't need to create a new entry because it
> found a different one, but I'm still surprised about it.
No.
> I forgot to mention this in my original email last
> night, but when I tried doing `(auth-source-search :user
> "any-user-name" :host "black-diamond" :require '(:secret :user) :
> create t)`, I would get a "match", always with my same password
> visible in the response. I see that `auth-source-secrets-create`
> redoes the query using `host` and `port` but without `user` or any
> other parameters.. this seems a little strange? For sudo, I think
> using the user password "as" the root password makes sense, but if I
> had multiple accounts on a single host I would be surprised for their
> passwords to get mixed up.
When Tramp creates a password entry for whatever auth-source.el backend,
it always uses the :port entry (which means the Tramp method, in
auth-source speech). So the entries are unique. When *searching*, it
tries first for an entry with all :host, :user and :port items, and if
this fails, it tries w/o :port, in case the user has created such an
entry manually.
> Ethan
Best regards, Michael.
