* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-18 6:19 UTC
To: Ding Mailing List

On Sat, 18 Sep 2010 00:33:36 +0200 Lars Magne Ingebrigtsen <larsi@quimbies.gnus.org> wrote:

LMI> * auth-source.el (auth-sources): Add ~/.authinfo to the default, since
LMI> that's probably most useful for users.

LMI> -(defcustom auth-sources '((:source "~/.authinfo.gpg"))
LMI> +(defcustom auth-sources '((:source "~/.authinfo.gpg")
LMI> + (:source "~/.authinfo"))

I was trying to discourage people from putting their password in an
unencrypted file. So I'm sort of OK with making the unencrypted file
the second choice, but I'd like to at least warn the user. WDYT?

Ted

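Review bot: the added `(:source "~/.authinfo")` entry makes a plaintext file a default credential source, and nothing in the changed lines tells the user so. The hunk only touches the default value; if the `auth-sources` docstring does not already say it, extend it to state that the sources are tried in the listed order and that `~/.authinfo` is stored unencrypted, so a user who keeps both files knows the `.gpg` one is preferred and why.
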
* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Lars Magne Ingebrigtsen @ 2010-09-18 11:47 UTC
To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> I was trying to discourage people from putting their password in an
> unencrypted file. So I'm sort of OK with making the unencrypted file
> the second choice, but I'd like to at least warn the user. WDYT?

If it could be done unobtrusively... I don't really like software that
tells me that what I'm doing is stupid, even though it's right. :-)

--
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-20 2:30 UTC
To: ding

On Sat, 18 Sep 2010 13:47:39 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> I was trying to discourage people from putting their password in an
>> unencrypted file. So I'm sort of OK with making the unencrypted file
>> the second choice, but I'd like to at least warn the user. WDYT?

LMI> If it could be done unobtrusively... I don't really like software that
LMI> tells me that what I'm doing is stupid, even though it's right. :-)

An unobtrusive warning? That's pretty useless, better not to bother the
user.

On Sat, 18 Sep 2010 14:50:38 +0200 Sebastian Krause <sebastian@realpath.org> wrote:

SK> Personally, I don't like to enter my long GnuPG password every time
SK> I start up Gnus.

It's entered once per Emacs session. If that's too much use the Secrets
API (KWallet or Gnome Seahorse).

SK> It's safe enough anyway because I use full disk encryption with
SK> LUKS.

That's a completely different type of security, though it's useful too.
Your passwords are in the clear to anything running in your environment,
right?

SK> Or maybe those passwords are not too important because they're only
SK> for a simple Usenet server. So, warning users shouldn't be too noisy
SK> because there might be good reasons of using the unencrypted file.

It's a balancing act (and a familiar problem since I've been a sysadmin
for a long time). I'll just be quiet about this as long as it's the
second default choice.

On Sat, 18 Sep 2010 17:40:23 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

LMI> And if there was a nice, painless road towards storing the passwords in
LMI> ~/.authinfo.gpg, that would be nice. That is, if the user is queried
LMI> for user name/password, then auth-source.el should store it encrypted,
LMI> and not in the plain ~/.authinfo file.

auth-source.el has nothing to do with it. All the work is done by
EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
encryption issues beyond mentioning the .gpg extension.

On Sat, 18 Sep 2010 23:29:01 +0200 Sebastian Krause <sebastian@realpath.org> wrote:

SK> However, I just saw that even in case of an encrypted
SK> ~/.authinfo.gpg it's pretty easy to find out my IMAP password if
SK> Gnus is still running: It's simply shown in the *imap log*
SK> buffer. It's probably because imap.gmail.com uses cleartext login
SK> through SSL. Is there any way to not print out the password, but
SK> some kind of placeholder instead?

If the attacker has any access to Emacs, he can sniff the encryption
passphrase from the auth-source.el cache. Sorry but ELisp (in Emacs or
XEmacs) is just not a secure environment; auth-source.el tries to at
least make it less necessary to store your passwords in an unencrypted
location. Its main purpose is to provide a single place for all ELisp
code to get authentication tokens.

Ted

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Lars Magne Ingebrigtsen @ 2010-09-20 8:14 UTC
To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> LMI> And if there was a nice, painless road towards storing the passwords in
> LMI> ~/.authinfo.gpg, that would be nice. That is, if the user is queried
> LMI> for user name/password, then auth-source.el should store it encrypted,
> LMI> and not in the plain ~/.authinfo file.
>
> auth-source.el has nothing to do with it. All the work is done by
> EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
> encryption issues beyond mentioning the .gpg extension.

I don't know what EPA/EPG is.

Will auth-source.el store the passwords that are queried anywhere?
Like in the ~/.authinfo.gpg file?

--
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-20 15:03 UTC
To: ding

On Mon, 20 Sep 2010 10:14:22 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
LMI> And if there was a nice, painless road towards storing the passwords in
LMI> ~/.authinfo.gpg, that would be nice. That is, if the user is queried
LMI> for user name/password, then auth-source.el should store it encrypted,
LMI> and not in the plain ~/.authinfo file.
>>
>> auth-source.el has nothing to do with it. All the work is done by
>> EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
>> encryption issues beyond mentioning the .gpg extension.

LMI> I don't know what EPA/EPG is.

It's a transparent encryption/decryption layer at the file handler level
that comes with Emacs and gets triggered by the .gpg extension. See
(info "(epa) Top") for more. I put some info in the auth-source.el
manual as well, see (info "(auth) Help for users")

LMI> Will auth-source.el store the passwords that are queried anywhere?
LMI> Like in the ~/.authinfo.gpg file?

It caches them but doesn't save them.

Ted

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Gijs Hillenius @ 2010-09-25 12:47 UTC
To: ding

On 20 Sep 2010, Ted Zlatanov wrote:

[...]

>>> auth-source.el has nothing to do with it. All the work is done by
>>> EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
>>> encryption issues beyond mentioning the .gpg extension.

[...]

> LMI> Will auth-source.el store the passwords that are queried anywhere?
> LMI> Like in the ~/.authinfo.gpg file?
>
> It caches them but doesn't save them.

Hello

I wonder about this caching. I've been reading the manual, and wonder if
I understand it correctly. I think I'm following 'the simple' example in
the docs.

my .authinfo.gpg contains two lines

machine 1 (mail)
machine 2 (usenet)

And Gnus accesses three machines, news, mail and gmane (among others for
reading this Ding here).

Now, Gnus at start-up currently asks me *six* times to decrypt
~/.authinfo.gpg and twice more when I send an email / news. I have cache
enabled, so I expected to be prompted just once, per Emacs session. Or
something.

in .emacs

,----
| (require 'epa-file) (epa-file-enable)
| (setq epa-file-cache-passphrase-for-symmetric-encryption t)
`----

in .gnus

,----
| (setq auth-sources '((:source "~/.authinfo.gpg")))
`----

--
Anyone who goes to a psychiatrist ought to have his head examined.
		-- Samuel Goldwyn

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Lars Magne Ingebrigtsen @ 2010-09-25 13:56 UTC
To: ding

Gijs Hillenius <gijs@hillenius.net> writes:

> Now, Gnus at start-up currently asks me *six* times to decrypt
> ~/.authinfo.gpg and twice more when I send an email / news. I have cache
> enabled, so I expected to be prompted just once, per Emacs session. Or
> something.
>
> in .emacs
> ,----
> | (require 'epa-file) (epa-file-enable)
> | (setq epa-file-cache-passphrase-for-symmetric-encryption t)
> `----

I hadn't used the .gpg stuff before, so I just tried saving ~/.foo.gpg.
It asked me for a passphrase, and then saved the file. If I've set the
passphrase caching thing like you, I'm then only asked a single time per
Emacs session for the phrase.

(insert-file-contents "~/.foo.gpg") works fine, too.

Are you sure that you're using the epa-file supplied with Emacs, and
not... something else?

--
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-25 15:12 UTC
To: ding

On Sat, 25 Sep 2010 14:47:23 +0200 Gijs Hillenius <gijs@hillenius.net> wrote:

GH> Now, Gnus at start-up currently asks me *six* times to decrypt
GH> ~/.authinfo.gpg and twice more when I send an email / news. I have cache
GH> enabled, so I expected to be prompted just once, per Emacs session. Or
GH> something.

GH> in .emacs

GH> ,----
GH> | (require 'epa-file) (epa-file-enable)
GH> | (setq epa-file-cache-passphrase-for-symmetric-encryption t)
GH> `----

There's two kinds of caching we're talking about, unfortunately.

The one I mentioned in this thread was username and password caching, so
authinfo doesn't have to parse the netrc repeatedly.

The one giving you trouble is the EPA passphrase caching, which is
external to auth-source.el. AFAIK it works and I use it daily, so you
may want to check your EPA version (as Lars suggested) and possibly
submit a bug for EPA.

Ted

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-26 12:27 UTC
To: Gijs Hillenius; +Cc: Ding Mailing List

On Sun, 26 Sep 2010 10:36:42 +0200 Gijs Hillenius <gijs@hillenius.net> wrote:

GH> Doing this off-list, hope that is ok. I'll bring it there when I feel
GH> confident my contribution is useful.

No, please use the ding list. I use GMane so if you send me e-mail I may
not notice it for a while, and you'll feel ignored :) I've done that
unintentionally to a few people already. So I hope you don't mind but
I've cc-ed ding back.

GH> Yet, just now, all of a sudden, I realised:

GH> In *Messages* I get:

GH> Opening TLS connection to `mail.hillenius.net'...
GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net'...failed
GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net --protocols ssl3'...failed
GH> Opening TLS connection with `openssl s_client -connect mail.hillenius.net:imaps -no_ssl2 -ign_eof'...done

GH> That is two fails and a 'error but I'll ignore it". Could *that* explain
GH> why my .authinfo.gpg gets accessed *three* times? So far my explanation
GH> was that I'm accessing /three/ servers, a) xs4all 4 news, b)
GH> hillenius.net 4 mail and c) gmane 4 ding...

It should get opened once per server+port combination. But even that's
not necessary: we should look at the file age and know if it needs to be
reopened in auth-source. I want to fix the auth-source issues you and
others have reported, now that the (broken) GnuTLS support is checked
in, so I'll work on that over the next few days.

Ted

* tls.el I added '--insecure' (Was :Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.)
From: Gijs Hillenius @ 2010-09-26 12:38 UTC
To: ding

On 26 Sep 2010, Ted Zlatanov wrote:

[...]

> GH> In *Messages* I get:
>
> GH> Opening TLS connection to `mail.hillenius.net'...
> GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net'...failed
> GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net --protocols ssl3'...failed
> GH> Opening TLS connection with `openssl s_client -connect mail.hillenius.net:imaps -no_ssl2 -ign_eof'...done

Thanks Ted, for your explanation.

I decided to change the tls.el file that comes with this gnus, adding a
changing this line:

,----
| (defcustom tls-program '("gnutls-cli -p %p %h"
`----

into

,----
| (defcustom tls-program '("gnutls-cli --insecure -p %p %h"
`----

and byte-compile & load it.

That "fixed" my `gnutls-cli -p imaps mail.hillenius.net'...error.

Which means that now I'm back to my bigger problem, understanding why my
gcc is not yet working.

* Re: tls.el I added '--insecure'
From: Ted Zlatanov @ 2010-09-26 20:53 UTC
To: ding

On Sun, 26 Sep 2010 14:38:15 +0200 Gijs Hillenius <gijs@hillenius.net> wrote:

GH> I decided to change the tls.el file that comes with this gnus, adding a
GH> changing this line:

GH> ,----
GH> | (defcustom tls-program '("gnutls-cli -p %p %h"
GH> `----

GH> into

GH> ,----
GH> | (defcustom tls-program '("gnutls-cli --insecure -p %p %h"
GH> `----

GH> and byte-compile & load it.

(sorry if I misunderstood, but I think you may not know about
customize-variable)

You can just do `M-x customize-variable tls-program' and it will do it
correctly. The modified variable will be stored in your custom.el file,
which Emacs will manage. Try it.

Ted

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Sebastian Krause @ 2010-09-20 10:47 UTC
To: ding

Ted Zlatanov <tzz@lifelogs.com> wrote:

> SK> Personally, I don't like to enter my long GnuPG password every time
> SK> I start up Gnus.
>
> It's entered once per Emacs session. If that's too much use the Secrets
> API (KWallet or Gnome Seahorse).

Yes, that's too much. :) However, I'm running Gnome with Seahorse
and it would be a good alternative. Does Gnus support it and if so,
how?

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-20 14:59 UTC
To: ding

On Mon, 20 Sep 2010 12:47:42 +0200 Sebastian Krause <sebastian@realpath.org> wrote:

SK> Ted Zlatanov <tzz@lifelogs.com> wrote:
SK> Personally, I don't like to enter my long GnuPG password every time
SK> I start up Gnus.
>>
>> It's entered once per Emacs session. If that's too much use the Secrets
>> API (KWallet or Gnome Seahorse).

SK> Yes, that's too much. :) However, I'm running Gnome with Seahorse
SK> and it would be a good alternative. Does Gnus support it and if so,
SK> how?

The Secrets API is supported in recent builds on Seahorse AFAIK; I don't
know how far back the support goes. To use it, customize
`auth-sources'.

This is not a Gnus function per se. auth-source.el is consulted by Gnus
but is used by other packages as well, e.g. url.el and Tramp.

Ted

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Michael Albinus @ 2010-09-20 18:40 UTC
To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> The Secrets API is supported in recent builds on Seahorse AFAIK; I don't
> know how far back the support goes.

Gnome 2.29, IIRC.

> Ted

Best regards, Michael.

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Richard Riley @ 2010-09-20 14:27 UTC
To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Sat, 18 Sep 2010 13:47:39 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:
>
> LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
>>> I was trying to discourage people from putting their password in an
>>> unencrypted file. So I'm sort of OK with making the unencrypted file
>>> the second choice, but I'd like to at least warn the user. WDYT?
>
> LMI> If it could be done unobtrusively... I don't really like software that
> LMI> tells me that what I'm doing is stupid, even though it's right. :-)
>
> An unobtrusive warning? That's pretty useless, better not to bother the
> user.
>
> On Sat, 18 Sep 2010 14:50:38 +0200 Sebastian Krause <sebastian@realpath.org> wrote:
>
> SK> Personally, I don't like to enter my long GnuPG password every time
> SK> I start up Gnus.
>
> It's entered once per Emacs session. If that's too much use the Secrets
> API (KWallet or Gnome Seahorse).

I use gpg-agent and keychain. The whole seahorse thing is a tad
confusing, certainly in Debian. But when I first start emacs and launch
gnus I get prompted via gpg-agent pin entry for my password to unencrypt
my .authinfo.gpg and that's that until the specified gpgagent timeout is
reached.

As a side note : my setting for auth-sources works in 23.2 with the
shipped gnus but doesn't seem to properly authenticate my local dovecot
nnimap accounts with nognus.

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-20 15:01 UTC
To: ding

On Mon, 20 Sep 2010 16:27:31 +0200 Richard Riley <rileyrg@googlemail.com> wrote:

RR> As a side note : my setting for auth-sources works in 23.2 with the
RR> shipped gnus but doesn't seem to properly authenticate my local dovecot
RR> nnimap accounts with nognus.

I could test it if you showed your `auth-sources', the relevant line of
your authinfo file, and the messages in *Messages* produced by
auth-source when it looks up the server by name.

Thanks
Ted

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Richard Riley @ 2010-09-20 15:29 UTC
To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Mon, 20 Sep 2010 16:27:31 +0200 Richard Riley <rileyrg@googlemail.com> wrote:
>
> RR> As a side note : my setting for auth-sources works in 23.2 with the
> RR> shipped gnus but doesn't seem to properly authenticate my local dovecot
> RR> nnimap accounts with nognus.
>
> I could test it if you showed your `auth-sources', the relevant line of
> your authinfo file, and the messages in *Messages* produced by
> auth-source when it looks up the server by name.
>

The select method connects to a dovecot virtual user via the name part
(here "riley") :-

,----
| (add-to-list 'gnus-secondary-select-methods
|              `(nnimap "riley"
|                       (nnimap-address "offlineimap")
|                       (nnir-search-engine imap)
|                       (nnimap-stream network)
|                       ))
`----

The auth-sources value is :-

,----
| auth-sources is a variable defined in `auth-source.el'.
| Its value is
| ((:source "/home/shamrock/.emacs.d/.authinfo.gpg" :host t :protocol t))
`----

The relevant line in .authinfo.gpg is :-

,----
| machine riley login riley password pass1
`----

The relevant /etc/dovecot.pass entry is

,----
| riley:{plain}pass1
`----

The relevant auth default pass set up in dovecot.conf for virtual users

,----
| passdb passwd-file {
|   args = /etc/dovecot.pass
| }
| userdb static {
|   args = uid=1000 gid=1000 home=/home/shamrock/.Maildir/%u
| }
`----

All works with gnus in emacs 23.2

With nognus I don't see anything other than INBOX.

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Sebastian Krause @ 2010-09-18 12:50 UTC
To: ding

Ted Zlatanov <tzz@lifelogs.com> wrote:

> I was trying to discourage people from putting their password in
> an unencrypted file. So I'm sort of OK with making the
> unencrypted file the second choice, but I'd like to at least warn
> the user. WDYT?

Personally, I don't like to enter my long GnuPG password every time
I start up Gnus. It's safe enough anyway because I use full disk
encryption with LUKS. Or maybe those passwords are not too important
because they're only for a simple Usenet server. So, warning users
shouldn't be too noisy because there might be good reasons of using
the unencrypted file.

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Lars Magne Ingebrigtsen @ 2010-09-18 15:40 UTC
To: ding

Sebastian Krause <sebastian@realpath.org> writes:

> Personally, I don't like to enter my long GnuPG password every time
> I start up Gnus. It's safe enough anyway because I use full disk
> encryption with LUKS. Or maybe those passwords are not too important
> because they're only for a simple Usenet server. So, warning users
> shouldn't be too noisy because there might be good reasons of using
> the unencrypted file.

Yup. If we're going to warn people about having "unsafe" passwords, it
shouldn't be intrusive.

And if there was a nice, painless road towards storing the passwords in
~/.authinfo.gpg, that would be nice. That is, if the user is queried
for user name/password, then auth-source.el should store it encrypted,
and not in the plain ~/.authinfo file.

(At least it's not stored there when I try it, but I might just not have
stuff set up correctly.)

--
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Sebastian Krause @ 2010-09-18 21:29 UTC
To: ding

Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

> And if there was a nice, painless road towards storing the passwords in
> ~/.authinfo.gpg, that would be nice. That is, if the user is queried
> for user name/password, then auth-source.el should store it encrypted,
> and not in the plain ~/.authinfo file.
>
> (At least it's not stored there when I try it, but I might just not have
> stuff set up correctly.)

However, I just saw that even in case of an encrypted
~/.authinfo.gpg it's pretty easy to find out my IMAP password if
Gnus is still running: It's simply shown in the *imap log*
buffer. It's probably because imap.gmail.com uses cleartext login
through SSL. Is there any way to not print out the password, but
some kind of placeholder instead?

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Lars Magne Ingebrigtsen @ 2010-09-18 21:31 UTC
To: ding

Sebastian Krause <sebastian@realpath.org> writes:

> It's simply shown in the *imap log* buffer.

That buffer won't be created once the initial nnimap problems have been
ironed out.

--
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Robert Pluim @ 2010-09-20 11:03 UTC
To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Sat, 18 Sep 2010 00:33:36 +0200 Lars Magne Ingebrigtsen <larsi@quimbies.gnus.org> wrote:
>
> LMI> * auth-source.el (auth-sources): Add ~/.authinfo to the default, since
> LMI> that's probably most useful for users.
>
> LMI> -(defcustom auth-sources '((:source "~/.authinfo.gpg"))
>
> LMI> +(defcustom auth-sources '((:source "~/.authinfo.gpg")
> LMI> + (:source "~/.authinfo"))
>
> I was trying to discourage people from putting their password in an
> unencrypted file. So I'm sort of OK with making the unencrypted file
> the second choice, but I'd like to at least warn the user. WDYT?

Apropos, I have a ~/.authinfo which contains

machine myimapserver login myusername port imap
machine myimapserver login myusername port 993
machine myimapserver login myusername port imaps

And I *still* get prompted for both my username and password when
connecting to imap. What magic incantation am I missing? (and no, I'm
not going to be putting my password in that file).

Regards

Robert

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Richard Riley @ 2010-09-20 14:10 UTC
To: Robert Pluim; +Cc: ding

Robert Pluim <rpluim@gmail.com> writes:

> Ted Zlatanov <tzz@lifelogs.com> writes:
>
>> On Sat, 18 Sep 2010 00:33:36 +0200 Lars Magne Ingebrigtsen <larsi@quimbies.gnus.org> wrote:
>>
>> LMI> * auth-source.el (auth-sources): Add ~/.authinfo to the default, since
>> LMI> that's probably most useful for users.
>>
>> LMI> -(defcustom auth-sources '((:source "~/.authinfo.gpg"))
>>
>> LMI> +(defcustom auth-sources '((:source "~/.authinfo.gpg")
>> LMI> + (:source "~/.authinfo"))
>>
>> I was trying to discourage people from putting their password in an
>> unencrypted file. So I'm sort of OK with making the unencrypted file
>> the second choice, but I'd like to at least warn the user. WDYT?
>
> Apropos, I have a ~/.authinfo which contains
>
> machine myimapserver login myusername port imap
>
> machine myimapserver login myusername port 993
>
> machine myimapserver login myusername port imaps
>
> And I *still* get prompted for both my username and password when
> connecting to imap. What magic incantation am I missing? (and no, I'm
> not going to be putting my password in that file).
>
> Regards
>
> Robert
>

Hi Robert,

Some suggestions :

Change it to a .gpg file. Put it wherever you want and customise the
auth-sources variable accordingly.

(I would expect to be prompted for userid and password if you don't
include passwords in a file that's supposed to include your authorities)

EPA is pretty seamless in 23 onwards.

No one should be using .authinfo IMO - .authinfo.gpg is the way forward
since it's publicly distributable (think free git repos) and not prey to
accidental chmods.

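An added example, not part of the thread or of auth-source.el: a Python audit of the netrc-style files discussed above (plaintext `~/.authinfo` versus `~/.authinfo.gpg`, and the "accidental chmods" concern) that reports plaintext passwords and group/other-accessible modes without ever printing a secret. The function names, severity labels and sample data are assumptions of this example.

```python
"""Audit netrc-style authinfo files (added illustration, not Gnus code)."""
import os
import shlex
import stat

# Default lookup order after the change discussed in the thread.
DEFAULT_SOURCES = ["~/.authinfo.gpg", "~/.authinfo"]


def parse_authinfo(text):
    """Return one dict per 'machine ...' line, built from keyword/value pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)      # honours quoted passwords
        except ValueError:                  # unbalanced quote: split naively
            tokens = line.split()
        if tokens and tokens[0] == "machine":
            entries.append(dict(zip(tokens[0::2], tokens[1::2])))
    return entries


def audit_file(path):
    """Return (severity, message) findings for one source; never echo secrets."""
    path = os.path.expanduser(path)
    if not os.path.isfile(path):
        return []
    if path.endswith(".gpg"):
        # Encrypted at rest (EPA/EPG handles it); nothing readable to inspect.
        return []
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(("high", f"{path}: mode {mode:04o} is open to group/other"))
    with open(path, encoding="utf-8", errors="replace") as handle:
        entries = parse_authinfo(handle.read())
    for entry in entries:
        where = f"{entry.get('machine')} port {entry.get('port', 'any')}"
        if "password" in entry:
            findings.append(("medium", f"{path}: plaintext password for {where}"))
        elif "login" in entry:
            findings.append(("info", f"{path}: login without password for {where}"))
    return findings


def audit_sources(sources=DEFAULT_SOURCES):
    """Audit every configured source in lookup order; return {path: findings}."""
    return {src: audit_file(src) for src in sources}


if __name__ == "__main__":
    for src, findings in audit_sources().items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```
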
* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Robert Pluim @ 2010-09-20 14:59 UTC
To: ding

Richard Riley <rileyrg@googlemail.com> writes:

> Robert Pluim <rpluim@gmail.com> writes:
>> And I *still* get prompted for both my username and password when
>> connecting to imap. What magic incantation am I missing? (and no, I'm
>> not going to be putting my password in that file).
>>
>
> Hi Robert,
>
> Some suggestions :
>
> Change it to a .gpg file. Put it wherever you want and customise the
> auth-sources variable accordingly.
>
> (I would expect to be prompted for userid and password if you don't
> include passwords in a file that's supposed to include your authorities)
>

And I would expect to be prompted for the password if I don't supply it
but do supply a username, which is what I'm pretty sure used to happen
in the past when using imap (admittedly probably 2 years ago). No
accounting for taste ;-)

> EPA is pretty seamless in 23 onwards.
>
> No one should be using .authinfo IMO - .authinfo.gpg is the way forward
> since it's publicly distributable (think free git repos) and not prey to
> accidental chmods.

I suppose I can investigate that, assuming I can get it to work under
cygwin.

Thanks

Robert

* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Ted Zlatanov @ 2010-09-20 15:26 UTC
To: ding

On Mon, 20 Sep 2010 13:03:38 +0200 Robert Pluim <rpluim@gmail.com> wrote:

RP> Apropos, I have a ~/.authinfo which contains
RP> machine myimapserver login myusername port imap
RP> machine myimapserver login myusername port 993
RP> machine myimapserver login myusername port imaps

RP> And I *still* get prompted for both my username and password when
RP> connecting to imap. What magic incantation am I missing? (and no, I'm
RP> not going to be putting my password in that file).

It assumes you have both or neither in the file. Can you try this
version of nnimap-credentials (press `C-x C-e' after the closing
parenthesis)?

(defun nnimap-credentials (address ports)
  (let (port credentials)
    ;; Request the credentials from all ports, but only query on the
    ;; last port if all the previous ones have failed.
    (while (and (null credentials)
                (setq port (pop ports)))
      (setq credentials
            (or
             (auth-source-user-or-password
              '("login" "password") address port nil (null ports))
             (auth-source-user-or-password
              '("login") address port nil (null ports)))))
    credentials))

I don't think the general solution is to return ("myusername" nil) in
such cases. It seems to me that if the application asks for two
authentication tokens, it expects them both to be valid.

Thanks
Ted
* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Tibor Simko @ 2010-09-20 15:43 UTC
To: Ted Zlatanov; +Cc: ding

On Mon, 20 Sep 2010, Ted Zlatanov wrote:

> I don't think the general solution is to return ("myusername" nil) in
> such cases. It seems to me that if the application asks for two
> authentication tokens, it expects them both to be valid.

BTW `smtpmail-auth-credentials' allows to use nil for the password in
which case the user is prompted for one.

Best regards
--
Tibor Simko
* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Robert Pluim @ 2010-09-20 15:53 UTC
To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> version of nnimap-credentials (press `C-x C-e' after the closing
> parenthesis)?
>
> (defun nnimap-credentials (address ports)
>   (let (port credentials)
>     ;; Request the credentials from all ports, but only query on the
>     ;; last port if all the previous ones have failed.
>     (while (and (null credentials)
>                 (setq port (pop ports)))
>       (setq credentials
>             (or
>              (auth-source-user-or-password
>               '("login" "password") address port nil (null ports))
>              (auth-source-user-or-password
>               '("login") address port nil (null ports)))))
>     credentials))
>
> I don't think the general solution is to return ("myusername" nil) in
> such cases. It seems to me that if the application asks for two
> authentication tokens, it expects them both to be valid.

That version of nnimap-credentials causes me to not get prompted for
anything, and the connection to my imap server to fail. The *nnimap
buffer contains:

1 NO LOGIN failed.
Process *nnimap* kill

so either more code changes are required, or I should use
authinfo.gpg (assuming the combination-from-hell of XEmacs & cygwin
supports it).

Thanks

Robert
* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
From: Lars Magne Ingebrigtsen @ 2010-09-21 16:19 UTC
To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> (auth-source-user-or-password
> '("login" "password") address port nil (null ports))

If the application asks for "login" and "password", but it can only find
one of them in the files (etc), shouldn't it just prompt for the thing
it can't find? In this case, it finds the login name in .authinfo, but
not the password, so it should prompt for the password and then cache
it.

--
(domestic pets only, the antidote for overdose, milk.)
larsi@gnus.org * Lars Magne Ingebrigtsen
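The behaviour suggested in the last message (use the login found in the file and prompt only for the token that is missing) looks like this in Emacs Lisp. This is an added example, not part of the thread and not Gnus or auth-source code; the `my/` functions, the constructed sample entries and the whitespace-only netrc parsing are assumptions made for illustration.

```elisp
;;; Added example; not Gnus or auth-source code.  Every `my/' name is hypothetical.
(require 'cl-lib)

;; Constructed sample, modelled on the password-less entries quoted in the thread.
(defconst my/sample-authinfo
  '("machine myimapserver login myusername port imap"
    "machine myimapserver login myusername port 993"))

(defun my/authinfo-parse-line (line)
  "Turn one netrc-style LINE into a plist such as (:machine \"h\" :login \"u\")."
  (let ((tokens (split-string line "[ \t]+" t))
        plist)
    (while (cdr tokens)                 ; consume keyword/value pairs
      (setq plist (plist-put plist
                             (intern (concat ":" (pop tokens)))
                             (pop tokens))))
    plist))

(defun my/authinfo-lookup (lines machine port)
  "Return (LOGIN . PASSWORD) for the first entry in LINES matching MACHINE and PORT.
Either half is nil when the entry omits it; return nil when nothing matches."
  (cl-loop for line in lines
           for entry = (my/authinfo-parse-line line)
           when (and (equal (plist-get entry :machine) machine)
                     (equal (plist-get entry :port) port))
           return (cons (plist-get entry :login)
                        (plist-get entry :password))))

(defun my/authinfo-missing (found)
  "List the tokens, \"login\" and/or \"password\", that FOUND does not supply."
  (delq nil (list (unless (car found) "login")
                  (unless (cdr found) "password"))))

(defun my/authinfo-credentials (lines machine port)
  "Return (LOGIN PASSWORD), prompting only for what LINES lacks.
A prompted password is held in memory only and is never written to a file."
  (let* ((found (my/authinfo-lookup lines machine port))
         (login (or (car found)
                    (read-string (format "Login for %s: " machine))))
         (password (or (cdr found)
                       (read-passwd (format "Password for %s@%s: "
                                            login machine)))))
    (list login password)))
```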