Re: auth-sources asking for password 2 or 3 times

[Daiki Ueno <ueno@unixuser.org>]

Ted Zlatanov <tzz@lifelogs.com> writes:

> DU> Why auth-source/netrc tries to visit ~/.authinfo.gpg multiple times even
> DU> for only one connection?  My guess is that, auth-source/netrc tries to
> DU> open that file for each parameter (e.g. user, host, port, password),
> DU> right?  If so, it looks to me superfluous, since user/host/port are
> DU> generally not a secret information.
>
> I don't think that's the case, at least not anymore (I changed quite a
> bit today).

Then, that's good.  I will try later.

> DU> How about splitting ~/.authinfo.gpg into 2 files, one is for non-secret
> DU> information and another is for secret information?  The non-secret file
> DU> would be a plain text compatible with netrc, while the secret file would
> DU> be encrypted and the decrypted content is a simple 1:1 mapping from ID
> DU> (auth-source token?) to password.
>
> That's exactly why `auth-sources' defaults to the list "~/.authinfo.gpg"
> "~/.authinfo" "~/.netrc".  I'm not sure why I'd make the encrypted file
> in a different format, though.  That would make it hard to move entries
> between the two formats and would confuse users.  Can you explain if I
> misunderstood?

I agree with that it might be hard for users to maintain two files.

However, you seem to be missing the point of my idea, FWIW, here is the
detail:

If auth-source.el looks for several parameters (say,
user/host/port/password) to establish a connection, it needs to decrypt
~/.authinfo.gpg (at least) 4 times if cache is disabled (right?).

However, if we store user/host/port/token in a plain text file (say,
~/.netrc), and store token/password mapping in an encrypted file (say,
~/.passwords.gpg), auth-source.el needs to decrypt the latter file only
once.

In other words, my idea is to delay decryption until password is really
necessary.  This is useful when accessing password-less news servers
(e.g. gmane).  Currently, if I start Gnus with M-x gnus-no-server and
open news.gmane.org, it asks a password for ~/.authinfo.gpg.

> Don't forget auth-source.el supports the Secrets API as well, which has
> a completely different way to search and expand results.  I'll work on
> the 'secrets backend to make it connect with Chrome password entries,
> for instance.

After brief look at the secrets API, it also seems to consider lookup
attributes as non-secret information, and only passwords have to be
encrypted on the disk.

Regards,
-- 
Daiki Ueno