Gnus development mailing list
* auth-sources: 8 password prompts for accessing one single imap server
@ 2010-09-27  0:09 Tassilo Horn
  2010-09-27  6:38 ` Vegard Vesterheim
  2010-09-27 16:54 ` Lars Magne Ingebrigtsen
  0 siblings, 2 replies; 31+ messages in thread
From: Tassilo Horn @ 2010-09-27  0:09 UTC (permalink / raw)
  To: ding; +Cc: Ted Zlatanov

Hi Ted,

I've just made my system a bit more secure by eventually encrypting my
.authinfo file.  But now I have to enter my password for that file *8*
times per imap account!  Here's a typical "conversation":

--8<---------------cut here---------------start------------->8---
Opening TLS connection to `mail.uni-koblenz.de'...
Opening TLS connection with `gnutls-cli -p imaps mail.uni-koblenz.de'...done
Opening TLS connection to `mail.uni-koblenz.de'...done
auth-source-user-or-password: get (login password) for Uni (143) + user=nil
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
auth-source-user-or-password: get (login password) for Uni (993) + user=nil
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
auth-source-user-or-password: get (login password) for Uni (imap) + user=nil
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
auth-source-user-or-password: get (login password) for Uni (imaps) + user=nil
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
/home/horn/.authinfo: 0% (0/248)
/home/horn/.authinfo: 100% (248/248)
--8<---------------cut here---------------end--------------->8---

As you can see, 1) it queries for a password for each possible imap port
or port name.  And 2), for each of those, I have to type my password 2
times.

I think 1) is clearly a bug, but it makes Gnus pretty unusable for me.
I have 4 accounts that need passwords!

2) might be caused by the fact that my ~/.authinfo.gpg is only a symlink
to another file.

Bye,
Tassilo




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27  0:09 auth-sources: 8 password prompts for accessing one single imap server Tassilo Horn
@ 2010-09-27  6:38 ` Vegard Vesterheim
  2010-09-27  7:59   ` Drew Hess
  2010-09-27 16:49   ` Lars Magne Ingebrigtsen
  2010-09-27 16:54 ` Lars Magne Ingebrigtsen
  1 sibling, 2 replies; 31+ messages in thread
From: Vegard Vesterheim @ 2010-09-27  6:38 UTC (permalink / raw)
  To: Tassilo Horn; +Cc: ding, Ted Zlatanov

On Mon, 27 Sep 2010 02:09:24 +0200 Tassilo Horn <tassilo@member.fsf.org> wrote:

> Hi Ted,
>
> I've just made my system a bit more secure by eventually encrypting my
> .authinfo file.  But now I have to enter my password for that file *8*
> times per imap account!

I'm seeing similar behaviour, I have to enter my password 4
times. I have my credentials in .authinfo.gpg (no symlink)

Upon starting emacs (emacs23 -f gnus-no-server), I get 2 prompts for
password. I assume that is because I have 2 different IMAP accounts.

I have open IMAP connections at this stage, but if I now type '3 g' to
get email at level 3, I have to enter my password 2 times again. This
does not happen if I type '1 g' or '2 g'. Go figure.

I run gpg-agent, and I also have set
epa-file-cache-passphrase-for-symmetric-encryption.

 - Vegard V -




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27  6:38 ` Vegard Vesterheim
@ 2010-09-27  7:59   ` Drew Hess
  2011-02-25 22:19     ` Ted Zlatanov
  2010-09-27 16:49   ` Lars Magne Ingebrigtsen
  1 sibling, 1 reply; 31+ messages in thread
From: Drew Hess @ 2010-09-27  7:59 UTC (permalink / raw)
  To: ding

On Sun, Sep 26, 2010 at 11:38 PM, Vegard Vesterheim
<vegard.vesterheim@uninett.no> wrote:
> On Mon, 27 Sep 2010 02:09:24 +0200 Tassilo Horn <tassilo@member.fsf.org> wrote:
>
>> Hi Ted,
>>
>> I've just made my system a bit more secure by eventually encrypting my
>> .authinfo file.  But now I have to enter my password for that file *8*
>> times per imap account!
>
> I'm seeing similar behaviour, I have to enter my password 4
> times. I have my credentials in .authinfo.gpg (no symlink)
>
> Upon starting emacs (emacs23 -f gnus-no-server), I get 2 prompts for
> password. I assume that is because I have 2 different IMAP accounts.
>
> I have open IMAP connections at this stage, but if I now type '3 g' to
> get email at level 3, I have to enter my password 2 times again. This
> does not happen if I type '1 g' or '2 g'. Go figure.
>
> I run gpg-agent, and I also have set
> epa-file-cache-passphrase-for-symmetric-encryption.

Lars, I just confirmed that this is the same problem that I reported
earlier with .authinfo.gpg, only in my case I have to type my GPG
passphrase 10 times before I'm able to authenticate. I just didn't
have the patience that Tassilo did to keep trying, so I thought it
wasn't working at all.

d




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27  6:38 ` Vegard Vesterheim
  2010-09-27  7:59   ` Drew Hess
@ 2010-09-27 16:49   ` Lars Magne Ingebrigtsen
  2010-09-27 17:13     ` Vegard Vesterheim
  1 sibling, 1 reply; 31+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-27 16:49 UTC (permalink / raw)
  To: ding

Vegard Vesterheim <vegard.vesterheim@uninett.no> writes:

> I run gpg-agent, and I also have set
> epa-file-cache-passphrase-for-symmetric-encryption.

Perhaps this doesn't work in Emacs 22?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27  0:09 auth-sources: 8 password prompts for accessing one single imap server Tassilo Horn
  2010-09-27  6:38 ` Vegard Vesterheim
@ 2010-09-27 16:54 ` Lars Magne Ingebrigtsen
  2010-09-27 18:37   ` Ted Zlatanov
  1 sibling, 1 reply; 31+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-27 16:54 UTC (permalink / raw)
  To: ding

Tassilo Horn <tassilo@member.fsf.org> writes:

> As you can see, 1) it queries for a password for each possible imap port
> or port name.  And 2), for each of those, I have to type my password 2
> times.

Ah, I get it.  I mean, it loops over the different port combinations,
and it gets both user name and password.  And the reason you get
prompted so many times is that it all ends up being queried from
netrc.el, which is very simple: You ask it for a user name and a
password, based on a machine/port specification.

So to avoid all these queries, we'd have to bypass auth-sources
altogether, or have netrc.el cache the data.

Or alter auth-sources so that it takes a list of ports to scan, and
calls netrc-credentials with that list.

I think the latter makes more sense.

Will it break any other packages if I alter the function signatures in
auth-sources.el to take a list of ports?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 16:49   ` Lars Magne Ingebrigtsen
@ 2010-09-27 17:13     ` Vegard Vesterheim
  2010-09-27 17:21       ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 31+ messages in thread
From: Vegard Vesterheim @ 2010-09-27 17:13 UTC (permalink / raw)
  To: ding

On Mon, 27 Sep 2010 18:49:33 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:

> Vegard Vesterheim <vegard.vesterheim@uninett.no> writes:
>
>> I run gpg-agent, and I also have set
>> epa-file-cache-passphrase-for-symmetric-encryption.
>
> Perhaps this doesn't work in Emacs 22?

Probably not, but I *am* using emacs23 when testing the new IMAP stuff.

I guess you peeked at the User-Agent header in my message. I am still
using emacs22 for regular email. I am experiencing some strange
behaviour with emacs23, some of which may be related to my local setup.

 - Vegard V -





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 17:13     ` Vegard Vesterheim
@ 2010-09-27 17:21       ` Lars Magne Ingebrigtsen
  2010-09-27 20:50         ` Tassilo Horn
  0 siblings, 1 reply; 31+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-27 17:21 UTC (permalink / raw)
  To: ding

Vegard Vesterheim <vegard.vesterheim@uninett.no> writes:

>>> I run gpg-agent, and I also have set
>>> epa-file-cache-passphrase-for-symmetric-encryption.
>>
>> Perhaps this doesn't work in Emacs 22?
>
> Probably not, but I *am* using emacs23 when testing the new IMAP stuff.

Right.  Just to debug this, open the ~/.authinfo.gpg file in Emacs, kill
the buffer, and open it again.  If you're queried twice for the
passphrase, then something in your Emacs isn't working properly.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 16:54 ` Lars Magne Ingebrigtsen
@ 2010-09-27 18:37   ` Ted Zlatanov
  2010-09-27 18:48     ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 31+ messages in thread
From: Ted Zlatanov @ 2010-09-27 18:37 UTC (permalink / raw)
  To: ding

On Mon, 27 Sep 2010 18:54:23 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Or alter auth-sources so that it takes a list of ports to scan, and
LMI> calls netrc-credentials with that list.

LMI> I think the latter makes more sense.

LMI> Will it break any other packages if I alter the function signatures in
LMI> auth-sources.el to take a list of ports?

I'd do it by allowing PROTOCOL to be a list or a single value, like MODE
in `auth-source-user-or-password'.  Same for HOST.  That way we won't
have to change all the packages that use `auth-source-user-or-password'
already.

Ted





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 18:37   ` Ted Zlatanov
@ 2010-09-27 18:48     ` Lars Magne Ingebrigtsen
  2010-09-27 18:52       ` Ted Zlatanov
  0 siblings, 1 reply; 31+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-27 18:48 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> I'd do it by allowing PROTOCOL to be a list or a single value, like MODE
> in `auth-source-user-or-password'.  Same for HOST.  That way we won't
> have to change all the packages that use `auth-source-user-or-password'
> already.

Yeah, that makes sense.  And it could use netrc-get-credentials, which
could also take a list of host names in addition to the list of ports.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen
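
The list-accepting lookup agreed on above, set against the per-port, per-mode lookup Lars describes earlier in the thread, as an added Python model. It is not code from Gnus, auth-source.el or netrc.el: `EncryptedStore`, `credentials_per_port` and `credentials_for` are hypothetical names, the file content is constructed, and each decryption is assumed to cost one passphrase prompt.

```python
import shlex

# Constructed sample: decrypted content of a netrc-style credentials file.
SAMPLE_AUTHINFO = """\
# constructed entries, not real accounts
machine Uni port imaps login alice password "example secret"
machine Other port 993 login bob password other-secret
"""

# The four port specs that appear in the log at the top of the thread.
IMAP_PORTS = [143, 993, "imap", "imaps"]


class EncryptedStore:
    """Stands in for ~/.authinfo.gpg (assumption: one read = one prompt)."""

    def __init__(self, plaintext):
        self._plaintext = plaintext
        self.decrypt_count = 0

    def read(self):
        self.decrypt_count += 1
        return self._plaintext


def parse_netrc(text):
    """Parse 'machine H port P login U password S' lines into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)          # honours quoted values
        # Pair up key/value tokens; a dangling key without a value is dropped.
        entry = dict(zip(tokens[0::2], tokens[1::2]))
        if entry:
            entries.append(entry)
    return entries


def lookup_one(store, host, port, mode):
    """Old shape: one host, one port, one mode, one decryption per call."""
    port = str(port)
    for entry in parse_netrc(store.read()):
        # An entry without a port field matches any port.
        if entry.get("machine") == host and entry.get("port", port) == port:
            return entry.get(mode)
    return None


def credentials_per_port(store, host, ports):
    """Caller loops over ports and asks for login and password separately."""
    for port in ports:
        login = lookup_one(store, host, port, "login")
        password = lookup_one(store, host, port, "password")
        if login and password:
            return login, password
    return None


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def credentials_for(store, hosts, ports, modes=("login", "password")):
    """New shape: HOST, PORT and MODE may each be one value or a list.

    The file is decrypted once per call. The parsed entries stay in a local
    variable, so no plaintext is kept after the call returns.
    """
    hosts = _as_list(hosts)
    ports = [str(p) for p in _as_list(ports)]
    entries = parse_netrc(store.read())
    for port in ports:                      # keep the caller's port order
        for entry in entries:
            if entry.get("machine") in hosts and entry.get("port", port) == port:
                return tuple(entry.get(m) for m in _as_list(modes))
    return None


def prompt_counts():
    """Return (prompts with per-port lookup, prompts with list lookup)."""
    old, new = EncryptedStore(SAMPLE_AUTHINFO), EncryptedStore(SAMPLE_AUTHINFO)
    credentials_per_port(old, "Uni", IMAP_PORTS)
    credentials_for(new, "Uni", IMAP_PORTS)
    return old.decrypt_count, new.decrypt_count


if __name__ == "__main__":
    print("prompts (per-port, list):", prompt_counts())
```

Existing callers that pass a single host or port keep working because scalars are wrapped into one-element lists.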





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 18:48     ` Lars Magne Ingebrigtsen
@ 2010-09-27 18:52       ` Ted Zlatanov
  0 siblings, 0 replies; 31+ messages in thread
From: Ted Zlatanov @ 2010-09-27 18:52 UTC (permalink / raw)
  To: ding

On Mon, 27 Sep 2010 20:48:32 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> I'd do it by allowing PROTOCOL to be a list or a single value, like MODE
>> in `auth-source-user-or-password'.  Same for HOST.  That way we won't
>> have to change all the packages that use `auth-source-user-or-password'
>> already.

LMI> Yeah, that makes sense.  And it could use netrc-get-credentials, which
LMI> could also take a list of host names in addition to the list of ports.

Yes.  Feel free to make the change if you have the time and I'll
document it when I do the general auth-source.el rewrite later this
week.

Ted





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 17:21       ` Lars Magne Ingebrigtsen
@ 2010-09-27 20:50         ` Tassilo Horn
  2010-09-27 20:57           ` Lars Magne Ingebrigtsen
  2010-09-27 21:01           ` auth-sources: 8 password prompts for accessing one single imap server Ted Zlatanov
  0 siblings, 2 replies; 31+ messages in thread
From: Tassilo Horn @ 2010-09-27 20:50 UTC (permalink / raw)
  To: ding

On Monday 27 September 2010 19:21:54 Lars Magne Ingebrigtsen wrote:
> Vegard Vesterheim <vegard.vesterheim@uninett.no> writes:
> >>> I run gpg-agent, and I also have set
> >>> epa-file-cache-passphrase-for-symmetric-encryption.
> >> 
> >> Perhaps this doesn't work in Emacs 22?
> > 
> > Probably not, but I *am* using emacs23 when testing the new IMAP
> > stuff.
> 
> Right.  Just to debug this, open the ~/.authinfo.gpg file in Emacs,
> kill the buffer, and open it again.  If you're queried twice for the
> passphrase, then something in your Emacs isn't working properly.

Now I've set epa-file-cache-passphrase-for-symmetric-encryption to t,
too.

I use an emacs 24 bzr build from yesterday.  When I find ~/.authinfo.gpg
which is a symlink for ~/repos/configs/dot-authinfo.gpg, I have to enter
the passphrase twice.  When I kill the buffer and find ~/.authinfo.gpg
again, I still have to enter it twice again.

When I find the real file (not the symlink) directly, I have to give my
password only once to open that file.  But after killing the buffer and
finding the file again, I'm again queried...

Bye,
Tassilo




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 20:50         ` Tassilo Horn
@ 2010-09-27 20:57           ` Lars Magne Ingebrigtsen
  2010-09-30  6:30             ` Tassilo Horn
  2010-09-27 21:01           ` auth-sources: 8 password prompts for accessing one single imap server Ted Zlatanov
  1 sibling, 1 reply; 31+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-27 20:57 UTC (permalink / raw)
  To: ding

Tassilo Horn <tassilo@member.fsf.org> writes:

> Now I've set epa-file-cache-passphrase-for-symmetric-encryption to t,
> too.

[...]

> When I find the real file (not the symlink) directly, I have to give my
> password only once to open that file.  But after killing the buffer and
> finding the file again, I'm again queried...

Works for me...

The symlink thing should be bug-rapported to the emacs-devel list.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 20:50         ` Tassilo Horn
  2010-09-27 20:57           ` Lars Magne Ingebrigtsen
@ 2010-09-27 21:01           ` Ted Zlatanov
  2010-09-27 21:42             ` Tassilo Horn
  2010-09-28  7:25             ` Gijs Hillenius
  1 sibling, 2 replies; 31+ messages in thread
From: Ted Zlatanov @ 2010-09-27 21:01 UTC (permalink / raw)
  To: ding

On Mon, 27 Sep 2010 22:50:57 +0200 Tassilo Horn <tassilo@member.fsf.org> wrote: 

TH> I use an emacs 24 bzr build from yesterday.  When I find ~/.authinfo.gpg
TH> which is a symlink for ~/repos/configs/dot-authinfo.gpg, I have to enter
TH> the passphrase twice.  When I kill the buffer and find ~/.authinfo.gpg
TH> again, I still have to enter it twice again.

TH> When I find the real file (not the symlink) directly, I have to give my
TH> password only once to open that file.  But after killing the buffer and
TH> finding the file again, I'm again queried...

I looked and couldn't find the problem; epa-file.el says:

	(setq file (file-truename file))

before checking or caching the passphrase so it should Just Work.  Check
what `file-truename' says for your link but either way that seems like
an EPA bug.  Also look at the contents of `epa-file-passphrase-alist'
before and after the first failed passphrase entry, and after the second
successful one.

Ted





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 21:01           ` auth-sources: 8 password prompts for accessing one single imap server Ted Zlatanov
@ 2010-09-27 21:42             ` Tassilo Horn
  2010-09-28  7:25             ` Gijs Hillenius
  1 sibling, 0 replies; 31+ messages in thread
From: Tassilo Horn @ 2010-09-27 21:42 UTC (permalink / raw)
  To: ding

On Monday 27 September 2010 23:01:45 Ted Zlatanov wrote:

Ok, I'm running a 30 minutes old bzr emacs.  The problem didn't change.

> I looked and couldn't find the problem; epa-file.el says:
> 
> 	(setq file (file-truename file))
> 
> before checking or caching the passphrase so it should Just Work.
> Check what `file-truename' says for your link but either way that
> seems like an EPA bug.

(file-truename "~/.authinfo.gpg")
=> "/home/horn/repos/configs/dot-authinfo.gpg"

So that's correct.

> Also look at the contents of `epa-file-passphrase-alist' before and
> after the first failed passphrase entry, and after the second
> successful one.

Ok, before trying to find the symlink the first time, the value is nil.
Hm, and even after finding it, it stays nil...

Ditto for finding the true file instead of the symlink.

`epa-file-passphrase-callback-function' seems not to be called at all.
At least I've tried edebugging it, but I was never put in the
edebugger...

Sorry, I'm currently on a biz trip, so I won't have time to debug that
issue before Wednesday evening.

Bye,
Tassilo




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 21:01           ` auth-sources: 8 password prompts for accessing one single imap server Ted Zlatanov
  2010-09-27 21:42             ` Tassilo Horn
@ 2010-09-28  7:25             ` Gijs Hillenius
  2010-09-28 10:19               ` Lars Magne Ingebrigtsen
  1 sibling, 1 reply; 31+ messages in thread
From: Gijs Hillenius @ 2010-09-28  7:25 UTC (permalink / raw)
  To: ding

On 27 Sep 2010, Ted Zlatanov wrote:

> On Mon, 27 Sep 2010 22:50:57 +0200 Tassilo Horn <tassilo@member.fsf.org> wrote:
>
> TH> I use an emacs 24 bzr build from yesterday.  When I find ~/.authinfo.gpg
> TH> which is a symlink for ~/repos/configs/dot-authinfo.gpg, I have to enter
> TH> the passphrase twice.  When I kill the buffer and find ~/.authinfo.gpg
> TH> again, I still have to enter it twice again.
>
> TH> When I find the real file (not the symlink) directly, I have to give my
> TH> password only once to open that file.  But after killing the buffer and
> TH> finding the file again, I'm again queried...
>
> I looked and couldn't find the problem; epa-file.el says:
>
> 	(setq file (file-truename file))
>
> before checking or caching the passphrase so it should Just Work.  Check
> what `file-truename' says for your link but either way that seems like
> an EPA bug.  Also look at the contents of `epa-file-passphrase-alist'
> before and after the first failed passphrase entry, and after the second
> successful one.

Here, on Debian Testing/Unstable using emacs-snapshot, I don't have /
see / can't find nor get a buffer called / "epa-file-passphrase-alist".

That would explain the repeated asking for a password, would it not?

Library is file /usr/share/emacs/24.0.50/lisp/epa-file.elc








* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-28  7:25             ` Gijs Hillenius
@ 2010-09-28 10:19               ` Lars Magne Ingebrigtsen
  2010-09-28 10:32                 ` Gijs Hillenius
  0 siblings, 1 reply; 31+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-28 10:19 UTC (permalink / raw)
  To: ding

Gijs Hillenius <gijs@hillenius.net> writes:

>> before checking or caching the passphrase so it should Just Work.  Check
>> what `file-truename' says for your link but either way that seems like
>> an EPA bug.  Also look at the contents of `epa-file-passphrase-alist'
>> before and after the first failed passphrase entry, and after the second
>> successful one.
>
> Here, on Debian Testing/Unstable using emacs-snapshot, I don't have /
> see / can't find nor get a buffer called / "epa-file-passphrase-alist".

It's not a buffer, it's a variable...

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-28 10:19               ` Lars Magne Ingebrigtsen
@ 2010-09-28 10:32                 ` Gijs Hillenius
  2010-09-28 12:04                   ` Dave Goldberg
  0 siblings, 1 reply; 31+ messages in thread
From: Gijs Hillenius @ 2010-09-28 10:32 UTC (permalink / raw)
  To: ding

On 28 Sep 2010, Lars Magne Ingebrigtsen wrote:

> Gijs Hillenius <gijs@hillenius.net> writes:

[...]

>> Here, on Debian Testing/Unstable using emacs-snapshot, I don't have /
>> see / can't find nor get a buffer called / "epa-file-passphrase-alist".
>
> It's not a buffer, it's a variable...

m-x describe-variable epa-file-passphrase-alist

epa-file-passphrase-alist is a variable defined in `epa-file.el'.
Its value is nil

Documentation:
Not documented as a variable.




Aha. (aha?)





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-28 10:32                 ` Gijs Hillenius
@ 2010-09-28 12:04                   ` Dave Goldberg
  2010-09-28 13:10                     ` Gijs Hillenius
  0 siblings, 1 reply; 31+ messages in thread
From: Dave Goldberg @ 2010-09-28 12:04 UTC (permalink / raw)
  To: ding

>> It's not a buffer, it's a variable...

> m-x describe-variable epa-file-passphrase-alist

> epa-file-passphrase-alist is a variable defined in `epa-file.el'.
> Its value is nil

> Documentation:
> Not documented as a variable.

> Aha. (aha?)

I bet the value of epa-file-cache-passphrase-for-symmetric-encryption
is nil.  If so, try setting that to t.


-- 
Dave Goldberg
david.goldberg6@verizon.net




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-28 12:04                   ` Dave Goldberg
@ 2010-09-28 13:10                     ` Gijs Hillenius
  2010-09-28 13:42                       ` Gijs Hillenius
  0 siblings, 1 reply; 31+ messages in thread
From: Gijs Hillenius @ 2010-09-28 13:10 UTC (permalink / raw)
  To: ding


[...]

Turns out I have gnupg2 installed here, Debian version 2.0.14-2, and
*that* is what is handling the decryption, not easypg. So
(setq epa-file-cache-passphrase-for-symmetric-encryption t) probably
works ;-) but is ignored.

Here is what Daiki Ueno (author of epa-file et al) recommended me to do
(after asking if I maybe had gpg2 installed...)

,----
| (setq epg-debug t) might be helpful.
| If it is set, the actual gpg command line will go into " *epg-debug*"
| buffer (note the first whitespace).
`----

and in that " *epg-debug*" log you'll see stuff like:

[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION






* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-28 13:10                     ` Gijs Hillenius
@ 2010-09-28 13:42                       ` Gijs Hillenius
  0 siblings, 0 replies; 31+ messages in thread
From: Gijs Hillenius @ 2010-09-28 13:42 UTC (permalink / raw)
  To: ding

On 28 Sep 2010, Gijs Hillenius wrote:


[...]

Turns out I have both gnupg and gnupg2 installed. 

And that adding 

|| (setq epg-gpg-program "/usr/bin/gpg") ;; to prevent mixing with gnupg2

makes no difference. EasyPG uses gpg both with and without that.

So the problem is elsewhere.





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27 20:57           ` Lars Magne Ingebrigtsen
@ 2010-09-30  6:30             ` Tassilo Horn
  2010-09-30 15:44               ` Ted Zlatanov
  0 siblings, 1 reply; 31+ messages in thread
From: Tassilo Horn @ 2010-09-30  6:30 UTC (permalink / raw)
  To: ding; +Cc: Lars Magne Ingebrigtsen

On Monday 27 September 2010 22:57:20 Lars Magne Ingebrigtsen wrote:

> > Now I've set epa-file-cache-passphrase-for-symmetric-encryption to
> > t, too.
> 
> [...]
> 
> > When I find the real file (not the symlink) directly, I have to give
> > my password only once to open that file.  But after killing the
> > buffer and finding the file again, I'm again queried...
> 
> Works for me...
> 
> The symlink thing should be bug-rapported to the emacs-devel list.

It is, #7130.  And we've already figured out how to reproduce the bug.
The target of the symlink has to be version controlled.  In that case,
emacs will query the user if she wants to follow a symlink to a version
controlled file, and after saying yes, she has to provide the password a
second time.

Bye,
Tassilo




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-30  6:30             ` Tassilo Horn
@ 2010-09-30 15:44               ` Ted Zlatanov
  2010-10-05  7:16                 ` Tassilo Horn
  0 siblings, 1 reply; 31+ messages in thread
From: Ted Zlatanov @ 2010-09-30 15:44 UTC (permalink / raw)
  To: ding

On Thu, 30 Sep 2010 08:30:40 +0200 Tassilo Horn <tassilo@member.fsf.org> wrote: 

TH> On Monday 27 September 2010 22:57:20 Lars Magne Ingebrigtsen wrote:
>> > Now I've set epa-file-cache-passphrase-for-symmetric-encryption to
>> > t, too.
>> 
>> [...]
>> 
>> > When I find the real file (not the symlink) directly, I have to give
>> > my password only once to open that file.  But after killing the
>> > buffer and finding the file again, I'm again queried...
>> 
>> Works for me...
>> 
>> The symlink thing should be bug-rapported to the emacs-devel list.

TH> It is, #7130.  And we've already figured out how to reproduce the bug.
TH> The target of the symlink has to be version controlled.  In that case,
TH> emacs will query the user if she wants to follow a symlink to a version
TH> controlled file, and after saying yes, she has to provide the password a
TH> second time.

Ohhh, that's why I couldn't trigger it.  I actually used to have that
setup a while ago but now point directly to the VC-controlled file :)

Ted





* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-30 15:44               ` Ted Zlatanov
@ 2010-10-05  7:16                 ` Tassilo Horn
  2010-10-06  7:20                   ` "epa (Caching Passphrases)" Daiki Ueno
  0 siblings, 1 reply; 31+ messages in thread
From: Tassilo Horn @ 2010-10-05  7:16 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

Hi Ted,

> TH> It is, #7130.  And we've already figured out how to reproduce the
> TH> bug.  The target of the symlink has to be version controlled.  In
> TH> that case, emacs will query the user if she wants to follow a
> TH> symlink to a version controlled file, and after saying yes, she
> TH> has to provide the password a second time.
>
> Ohhh, that's why I couldn't trigger it.  I actually used to have that
> setup a while ago but now point directly to the VC-controlled file :)

Well, it turned out, that wasn't the real issue.  The real problem was
that I use GnuPG2, and with that, there's no way to cache passwords on
the lisp level.  But when you set up the gpg-agent properly (exactly as
the docs state), then that will do the caching so that you are only
asked once per file (in a certain time frame).

Now, Gnus still accesses my ~/.authinfo.gpg a few dozen times when
starting up, but I have to provide the password only once.

Bye,
Tassilo




* "epa (Caching Passphrases)"
  2010-10-05  7:16                 ` Tassilo Horn
@ 2010-10-06  7:20                   ` Daiki Ueno
  2010-10-06 12:22                     ` Ted Zlatanov
  0 siblings, 1 reply; 31+ messages in thread
From: Daiki Ueno @ 2010-10-06  7:20 UTC (permalink / raw)
  To: Tassilo Horn; +Cc: Ted Zlatanov, ding

Tassilo Horn <tassilo@member.fsf.org> writes:

> The real problem was that I use GnuPG2, and with that, there's no way
> to cache passwords on the lisp level.  But when you set up the
> gpg-agent properly (exactly as the docs state), then that will do the
> caching so that you are only asked once per file (in a certain time
> frame).

I added some notes on (current) password caching mechanisms provided by
GnuPG2 and EasyPG Assistant, in (info "(epa) Caching Passphrases").

I think it would be nice to link to it from (info "(auth) Help for
users").  Since current doc is confusing nowadays:

     ;;; VERY important if you want symmetric encryption
     ;;; irrelevant if you don't
     (setq epa-file-cache-passphrase-for-symmetric-encryption t)

Regards,
--
Daiki Ueno




* Re: "epa (Caching Passphrases)"
  2010-10-06  7:20                   ` "epa (Caching Passphrases)" Daiki Ueno
@ 2010-10-06 12:22                     ` Ted Zlatanov
  2010-10-06 12:38                       ` Daiki Ueno
  0 siblings, 1 reply; 31+ messages in thread
From: Ted Zlatanov @ 2010-10-06 12:22 UTC (permalink / raw)
  To: ding; +Cc: Daiki Ueno

On Wed, 06 Oct 2010 16:20:27 +0900 Daiki Ueno <ueno@unixuser.org> wrote: 

DU> Tassilo Horn <tassilo@member.fsf.org> writes:
>> The real problem was that I use GnuPG2, and with that, there's no way
>> to cache passwords on the lisp level.  But when you set up the
>> gpg-agent properly (exactly as the docs state), then that will do the
>> caching so that you are only asked once per file (in a certain time
>> frame).

DU> I added some notes on (current) password caching mechanisms provided by
DU> GnuPG2 and EasyPG Assistant, in (info "(epa) Caching Passphrases").

DU> I think it would be nice to link to it from (info "(auth) Help for
DU> users").  Since current doc is confusing nowadays:

DU>      ;;; VERY important if you want symmetric encryption
DU>      ;;; irrelevant if you don't
DU>      (setq epa-file-cache-passphrase-for-symmetric-encryption t)

Unfortunately Gnus is distributed alone as well, so an info link would
not work everywhere.  Can you suggest a rewrite of that section in
addition to the link to help people in that situation?

Thanks
Ted





* Re: "epa (Caching Passphrases)"
  2010-10-06 12:22                     ` Ted Zlatanov
@ 2010-10-06 12:38                       ` Daiki Ueno
  2010-10-06 12:52                         ` Ted Zlatanov
  0 siblings, 1 reply; 31+ messages in thread
From: Daiki Ueno @ 2010-10-06 12:38 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> Unfortunately Gnus is distributed alone as well, so an info link would
> not work everywhere.  Can you suggest a rewrite of that section in
> addition to the link to help people in that situation?

GnuPG is also distributed alone but we refer to its info node with:
@pxref{Top, , Top, gnupg, Using the GNU Privacy Guard}
from the Emacs manual, etc.

What's the problem?

Regards,
-- 
Daiki Ueno




* Re: "epa (Caching Passphrases)"
  2010-10-06 12:38                       ` Daiki Ueno
@ 2010-10-06 12:52                         ` Ted Zlatanov
  2010-10-06 13:25                           ` Daiki Ueno
  0 siblings, 1 reply; 31+ messages in thread
From: Ted Zlatanov @ 2010-10-06 12:52 UTC (permalink / raw)
  To: ding

On Wed, 06 Oct 2010 21:38:52 +0900 Daiki Ueno <ueno@unixuser.org> wrote: 

DU> Ted Zlatanov <tzz@lifelogs.com> writes:
>> Unfortunately Gnus is distributed alone as well, so an info link would
>> not work everywhere.  Can you suggest a rewrite of that section in
>> addition to the link to help people in that situation?

DU> GnuPG is also distributed alone but we refer to its info node with:
DU> @pxref{Top, , Top, gnupg, Using the GNU Privacy Guard}
DU> from the Emacs manual, etc.

DU> What's the problem?

I explained the problem and said I'll put the link in.  What I requested
was a suggestion on rewording that section for those who don't have the
EPA manual available.

Ted





* Re: "epa (Caching Passphrases)"
  2010-10-06 12:52                         ` Ted Zlatanov
@ 2010-10-06 13:25                           ` Daiki Ueno
  2010-10-07 19:38                             ` Lars Magne Ingebrigtsen
  2010-10-08 15:38                             ` Ted Zlatanov
  0 siblings, 2 replies; 31+ messages in thread
From: Daiki Ueno @ 2010-10-06 13:25 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

[-- Attachment #1: Type: text/plain, Size: 642 bytes --]

Ted Zlatanov <tzz@lifelogs.com> writes:

>>> Unfortunately Gnus is distributed alone as well, so an info link would
>>> not work everywhere.  Can you suggest a rewrite of that section in
>>> addition to the link to help people in that situation?
>
> DU> GnuPG is also distributed alone but we refer to its info node with:
> DU> @pxref{Top, , Top, gnupg, Using the GNU Privacy Guard}
> DU> from the Emacs manual, etc.
>
> DU> What's the problem?
>
> I explained the problem and said I'll put the link in.  What I requested
> was a suggestion on rewording that section for those who don't have the
> EPA manual available.

Then how about this:


[-- Attachment #2: auth-epa.diff --]
[-- Type: text/x-diff, Size: 2946 bytes --]

=== modified file 'doc/misc/auth.texi'
--- doc/misc/auth.texi	2010-09-02 00:55:51 +0000
+++ doc/misc/auth.texi	2010-10-06 13:17:50 +0000
@@ -59,6 +59,7 @@
 * Help for users::              
 * Secret Service API::          
 * Help for developers::         
+* GnuPG and EasyPG Assistant Configuration::  
 * Index::                       
 * Function Index::              
 * Variable Index::              
@@ -176,16 +177,8 @@
 
 If you don't customize @code{auth-sources}, you'll have to live with
 the defaults: any host and any port are looked up in the netrc
-file @code{~/.authinfo.gpg}.  This is an encrypted file if and only if
-you set up EPA, which is strongly recommended.
-
-@lisp
-(require 'epa-file)
-(epa-file-enable)
-;;; VERY important if you want symmetric encryption
-;;; irrelevant if you don't
-(setq epa-file-cache-passphrase-for-symmetric-encryption t)
-@end lisp
+file @code{~/.authinfo.gpg}, which is a GnuPG encrypted file.
+@xref{GnuPG and EasyPG Assistant Configuration}.
 
 The simplest working netrc line example is one without a port.
 
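Review bot: the replacement sentence for ~/.authinfo.gpg now states that the file "is a GnuPG encrypted file" and drops both the old "if and only if you set up EPA" condition and the "strongly recommended" advice. The appendix added later in this patch says Emacs versions before 23 still need (require 'epa-file) and (epa-file-enable), so for those readers the statement depends on setup this paragraph no longer mentions. Consider keeping one short sentence here that encryption is recommended and requires EPA to be enabled, and leave the details to the @xref.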
@@ -271,6 +264,54 @@
 
 @end defun
 
+@node GnuPG and EasyPG Assistant Configuration
+@appendix GnuPG and EasyPG Assistant Configuration
+
+In Emacs 23 or later there is an option @code{auto-encryption-mode} to
+automatically decrypt @code{*.gpg} files and it is enabled by default
+so there is no setting is needed.  If you are using earlier versions
+of Emacs for some reason, you will need:
+
+@lisp
+(require 'epa-file)
+(epa-file-enable)
+@end lisp
+
+If you want your GnuPG passwords to be cached, setup @code{gpg-agent}
+or EasyPG Assitant
+@pxref{Caching Passphrases, , Caching Passphrases, epa}
+
+For those who are using older vesions of Emacs, here are some portion
+copied from the EasyPG Assitant manual:
+
+Here are some questions:
+
+@enumerate
+@item Do you use GnuPG version 2 instead of GnuPG version 1?
+@item Do you use symmetric encryption rather than public key encryption?
+@item Do you want to use gpg-agent?
+@end enumerate
+
+Here are configurations depending on your answers:
+
+@multitable {111} {222} {333} {configuration configuration configuration}
+@item @b{1} @tab @b{2} @tab @b{3} @tab Configuration
+@item Yes @tab Yes @tab Yes @tab Nothing to do.
+@item Yes @tab Yes @tab No @tab You can't, without gpg-agent.
+@item Yes @tab No @tab Yes @tab Nothing to do.
+@item Yes @tab No @tab No @tab You can't, without gpg-agent.
+@item No @tab Yes @tab Yes @tab Set up elisp passphrase cache.
+@item No @tab Yes @tab No @tab Set up elisp passphrase cache.
+@item No @tab No @tab Yes @tab Nothing to do.
+@item No @tab No @tab No @tab You can't, without gpg-agent.
+@end multitable
+
+To setup gpg-agent, follow the instruction in GnuPG manual.
+@pxref{Invoking GPG-AGENT, , Invoking GPG-AGENT, gnupg}.
+
+To set up elisp passphrase cache, set
+@code{epa-file-cache-passphrase-for-symmetric-encryption}.
+
 @node Index
 @chapter Index
 @printindex cp
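Review bot: the closing sentence of the new appendix says to set @code{epa-file-cache-passphrase-for-symmetric-encryption} but not to what value; the @lisp example removed earlier in this patch set it to t, so either state the value or keep that one-line setq here. Markup: the first @pxref{Caching Passphrases, ...} stands outside parentheses and its sentence has no closing period, and the @pxref after "follow the instruction in GnuPG manual." begins a new sentence, where @xref is the usual form. Typos to fix before applying: "so there is no setting is needed", "Assitant" (twice), "vesions", "some portion".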


[-- Attachment #3: Type: text/plain, Size: 15 bytes --]

-- 
Daiki Ueno


* Re: "epa (Caching Passphrases)"
  2010-10-06 13:25                           ` Daiki Ueno
@ 2010-10-07 19:38                             ` Lars Magne Ingebrigtsen
  2010-10-08 15:38                             ` Ted Zlatanov
  1 sibling, 0 replies; 31+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-10-07 19:38 UTC (permalink / raw)
  To: ding

Daiki Ueno <ueno@unixuser.org> writes:

> Then how about this:

Looks good; please apply.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: "epa (Caching Passphrases)"
  2010-10-06 13:25                           ` Daiki Ueno
  2010-10-07 19:38                             ` Lars Magne Ingebrigtsen
@ 2010-10-08 15:38                             ` Ted Zlatanov
  1 sibling, 0 replies; 31+ messages in thread
From: Ted Zlatanov @ 2010-10-08 15:38 UTC (permalink / raw)
  To: Daiki Ueno; +Cc: ding

Thank you.  I applied the documentation patch as you wrote it.  It was
much clearer.

Ted




* Re: auth-sources: 8 password prompts for accessing one single imap server
  2010-09-27  7:59   ` Drew Hess
@ 2011-02-25 22:19     ` Ted Zlatanov
  0 siblings, 0 replies; 31+ messages in thread
From: Ted Zlatanov @ 2011-02-25 22:19 UTC (permalink / raw)
  To: ding

On Mon, 27 Sep 2010 00:59:28 -0700 Drew Hess <drew.hess@gmail.com> wrote: 

DH> On Sun, Sep 26, 2010 at 11:38 PM, Vegard Vesterheim
DH> <vegard.vesterheim@uninett.no> wrote:
>> On Mon, 27 Sep 2010 02:09:24 +0200 Tassilo Horn <tassilo@member.fsf.org> wrote:
>> 
>>> Hi Ted,
>>> 
>>> I've just made my system a bit more secure by eventually encrypting my
>>> .authinfo file.  But now I have to enter my password for that file *8*
>>> times per imap account!
>> 
>> I'm seeing similar behaviour, I have to enter my password 4
>> times. I have my credentials in .authinfo.gpg (no symlink)
>> 
>> Upon starting emacs (emacs23 -f gnus-no-server), I get 2 prompts for
>> password. I assume that is because I have 2 different IMAP accounts.
>> 
>> I have open IMAP connections at this stage, but if I now type '3 g' to
>> get email at level 3, I have to enter my password 2 times again. This
>> does not happen if I type '1 g' or '2 g'. Go figure.
>> 
>> I run gpg-agent, and I also have set
>> epa-file-cache-passphrase-for-symmetric-encryption.

DH> Lars, I just confirmed that this is the same problem that I reported
DH> earlier with .authinfo.gpg, only in my case I have to type my GPG
DH> passphrase 10 times before I'm able to authenticate. I just didn't
DH> have the patience that Tassilo did to keep trying, so I thought it
DH> wasn't working at all.

This should be fixed now.  Thanks for your patience.

Ted



