Hi! Sorry, I forgot to respond to this for a couple days. I don't have anything that looks wrong in my case per se. I am able to access sudo fine with the existing `root@black-diamond` / `sudo` entry in my Login keyring (i.e. it doesn't ask me for a password). I'm just curious how that can work. `(secrets-get-secret "Login" "root@black-diamond")` retrieves my password but `(secrets-get-secret "Login" "ethan@black-diamond")` returns nil.
It sounds like there is some special logic in tramp that understands that with `sudo`, we should use the local username even if we are trying to access `root`. That makes sense. It looks from the code like it's possible to get a password from a completely different user when we are about to create a new secret in `auth-source-secrets-create`. I think this could explain why it's able to find a password. It seems like that could lead to a bug if I was to try to connect via ssh to the same host with multiple users, but that's just a hypothesis so maybe you should disregard it until someone actually reports it. And my setup is working too, so that could be the end of it. I was just wondering if I should be concerned that I have a `root@black-diamond` secret instead of one with my username. Might that break at some future point?

Ethan

On Thu, Jun 13, 2024 at 5:17 AM Michael Albinus <michael.albi...@gmx.de> wrote:

> Michael Albinus <michael.albi...@gmx.de> writes:
> > Hi Ethan,
>
> >> Is this the same subject? Both entries in GNOME Secrets have
> >> `root@black-diamond` as the "label" and `root` as the user.
> >>
> >> ...
> >>
> >> I was referring specifically to this line in
> >> `auth-source-secrets-create`:
> >>
> >> (let* (...
> >>        (current-data (car (auth-source-search :max 1
> >>                                               :host host
> >>                                               :port port)))
> >>
> >> It seems like this would be liable to grab the secret for another user
> >> on the same host/port. For example, if I was using the `ssh` method,
> >> then `host` and `port` would not be unique, right? In my usage, with
> >> `sudo`, that's fine. Of course, I only skimmed the function and I may
> >> be misunderstanding.
> >
> > I will check both issues tomorrow. Too tired for now.
>
> OK, I have performed the following tests. I have used the "session"
> collection in order not to taint my "Login" collection. I've started
> with a vanilla Emacs 29, see the first line. Then, I have evaluated the
> expressions in the *scratch* buffer. Lines starting with ;; are comments
> I have added manually.
>
> --8<---------------cut here---------------start------------->8---
> # ~/src/emacs-29/src/emacs -Q --eval '(setq auth-sources (list
> "secrets:session") tramp-cache-read-persistent-data t)' -l tramp
>
> auth-sources
> ("secrets:session")
>
> ;; The following opens a "sudo" connection, asking for the password.
> (file-truename "/sudo::")
> ;; Interactive query of the password.
> Password for /sudo:albinus@gandalf: ********
> ;; auth-source wants to create a new item. It asks me for a label, which
> ;; is free text. I've confirmed with RET
> Enter label for albinus@gandalf (default albinus@gandalf):
> ;; Additional confirmation requested.
> Save auth info to secrets collection session? [y/n/N/?] y
> #("/sudo:root@gandalf:/root" 6 10 (tramp-default t) 11 18 (tramp-default
> t))
>
> ;; This checks for collections. "session" exists.
> (secrets-list-collections)
> ("Login" "92beed6268d728784e4d8b4aea8a5f96"
> "f8a6e281eeae95e2e77d9a4812a98580" "1c10f9798638f07b2c2f3f4af8542d4c"
> "session" "63b7238a9793ec9e2f1a1c917a5c8f4f"
> "5a0922a29941a3edef7af298e739489f")
>
> ;; This checks for items in "session". Just one item with the given label.
> (secrets-list-items "session")
> ("albinus@gandalf")
>
> ;; This asks for the item path, needed in next call.
> (secrets-item-path "session" "albinus@gandalf")
> "/org/freedesktop/secrets/collection/session/1"
>
> ;; This shows the properties. Everything looks fine.
> (secrets-get-item-properties
> "/org/freedesktop/secrets/collection/session/1")
> (("Locked") ("Attributes" ("host" "gandalf") ("port" "sudo") ("user"
> "albinus") ("xdg:schema" "org.freedesktop.Secret.Generic")) ("Label" .
> "albinus@gandalf") ("Type" . "org.freedesktop.Secret.Generic") ("Created"
> . 1718268741) ("Modified" . 1718268741))
>
> ;; This returns the password. As expected.
> (secrets-get-secret "session" "albinus@gandalf")
> "********"
> --8<---------------cut here---------------end--------------->8---
>
> So everything looks proper. What's wrong in your case?
>
> >> Thanks,
> >>
> >> Ethan
>
> Best regards, Michael.
>
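The concern raised in the thread, that a lookup keyed only on `:host` and `:port` can return another user's entry on the same host, can be reproduced without touching the Secret Service keyring. The snippet below is an added illustration, not code from the thread or from Emacs itself. It assumes a constructed netrc file with two made-up entries for the same host and method (so the passwords `root-secret` and `ethan-secret` are placeholders), and the function name `demo-auth-source-user-mismatch` is hypothetical. It runs under `emacs -Q --batch -l file.el`.

```elisp
;; Added illustration (not from the thread): compare what
;; `auth-source-search' returns when the query carries only :host and
;; :port versus when it also carries :user.  A temporary netrc file is
;; used instead of a secrets collection so this runs without a keyring.
(require 'auth-source)

(defun demo-auth-source-user-mismatch ()
  "Return which user a host/port-only lookup and a host/port/user lookup find."
  (let* ((netrc
          (make-temp-file
           "demo-authinfo" nil ".authinfo"
           ;; Two users on the same host and "port" (tramp stores the
           ;; method name, here sudo, in the port field).  Constructed data.
           (concat
            "machine black-diamond port sudo login root password root-secret\n"
            "machine black-diamond port sudo login ethan password ethan-secret\n")))
         ;; Point auth-source at the constructed file only, and disable the
         ;; in-memory cache so repeated calls are not served from it.
         (auth-sources (list netrc))
         (auth-source-do-cache nil))
    (unwind-protect
        (let* (;; Query shaped like the one in `auth-source-secrets-create':
               ;; no :user, so the first matching entry wins regardless of
               ;; which user the caller actually is.
               (without-user (car (auth-source-search :max 1
                                                      :host "black-diamond"
                                                      :port "sudo")))
               ;; Same query with :user added; only ethan's entry matches.
               (with-user (car (auth-source-search :max 1
                                                   :host "black-diamond"
                                                   :port "sudo"
                                                   :user "ethan"))))
          (list :without-user (plist-get without-user :user)
                :with-user (plist-get with-user :user)
                ;; :secret is a function in auth-source results; call it
                ;; to obtain the stored password.
                :with-user-secret (funcall (plist-get with-user :secret))))
      ;; Remove the temporary file whatever happens above.
      (delete-file netrc))))

(message "%S" (demo-auth-source-user-mismatch))
```

The host/port-only lookup returns whichever entry comes first in the backend, while adding `:user` pins the result to the intended account. That is the distinction behind the question about `current-data` in `auth-source-secrets-create`: with a method like `sudo` the user is implied, but with `ssh` two accounts on one host share the same host and port, and only the `:user` key tells them apart.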