From: Daiki Ueno
Newsgroups: gmane.emacs.gnus.general
Subject: Re: auth-sources asking for password 2 or 3 times
Date: Wed, 23 Feb 2011 16:20:48 +0900
To: Ted Zlatanov
Cc: ding@gnus.org
In-Reply-To: <87mxln1nqc.fsf@lifelogs.com> (Ted Zlatanov's message of "Tue, 22 Feb 2011 20:36:11 -0600")

Ted Zlatanov writes:

> DU> Why auth-source/netrc tries to visit ~/.authinfo.gpg multiple times even
> DU> for only one connection? My guess is that, auth-source/netrc tries to
> DU> open that file for each parameter (e.g. user, host, port, password),
> DU> right? If so, it looks to me superfluous, since user/host/port are
> DU> generally not a secret information.
>
> I don't think that's the case, at least not anymore (I changed quite a
> bit today).

Then, that's good. I will try later.

> DU> How about splitting ~/.authinfo.gpg into 2 files, one is for non-secret
> DU> information and another is for secret information? The non-secret file
> DU> would be a plain text compatible with netrc, while the secret file would
> DU> be encrypted and the decrypted content is a simple 1:1 mapping from ID
> DU> (auth-source token?) to password.
>
> That's exactly why `auth-sources' defaults to the list "~/.authinfo.gpg"
> "~/.authinfo" "~/.netrc". I'm not sure why I'd make the encrypted file
> in a different format, though. That would make it hard to move entries
> between the two formats and would confuse users. Can you explain if I
> misunderstood?

I agree that it might be hard for users to maintain two files.
However, you seem to be missing the point of my idea. FWIW, here is the
detail:

If auth-source.el looks for several parameters (say,
user/host/port/password) to establish a connection, it needs to decrypt
~/.authinfo.gpg (at least) 4 times if the cache is disabled (right?).

However, if we store user/host/port/token in a plain text file (say,
~/.netrc), and store the token/password mapping in an encrypted file (say,
~/.passwords.gpg), auth-source.el needs to decrypt the latter file only
once.

In other words, my idea is to delay decryption until the password is really
necessary. This is useful when accessing password-less news servers
(e.g. gmane). Currently, if I start Gnus with M-x gnus-no-server and
open news.gmane.org, it asks for a password for ~/.authinfo.gpg.

> Don't forget auth-source.el supports the Secrets API as well, which has
> a completely different way to search and expand results. I'll work on
> the 'secrets backend to make it connect with Chrome password entries,
> for instance.

After a brief look at the secrets API, it also seems to consider lookup
attributes as non-secret information, and only passwords have to be
encrypted on the disk.

Regards,
-- 
Daiki Ueno
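
The two-file layout proposed in this message, sketched as an added Python example; it is not code from auth-source.el or from anyone in the thread. The `token` field name, both file layouts, the sample hosts and the injected `decrypt` callable (a stand-in for a GnuPG call) are assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of the plain-text file: netrc-style fields, no secrets.
PLAIN = """\
machine news.gmane.org port nntp
machine imap.example.org login alice port imap token t1
machine smtp.example.org login alice port smtp token t2
"""
# Constructed sample of what the encrypted file decrypts to: "token password".
SECRET_CLEARTEXT = "t1 imap-secret\nt2 smtp-secret\n"


def parse_plain(text: str) -> List[Dict[str, str]]:
    """Parse 'key value key value ...' lines into one dict per entry."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if len(words) % 2:
            raise ValueError(f"unpaired field in line: {line!r}")
        entries.append(dict(zip(words[0::2], words[1::2])))
    return entries


class SecretFile:
    """Token -> password store that decrypts only when a password is requested."""

    def __init__(self, decrypt: Callable[[], str]):
        self._decrypt = decrypt          # assumption: real use would invoke GnuPG here
        self.decrypt_calls = 0

    def password(self, token: str) -> str:
        self.decrypt_calls += 1          # no cache: one decryption per password request
        for line in self._decrypt().splitlines():
            tok, _, pw = line.partition(" ")
            if tok == token:
                return pw
        raise KeyError(token)


def lookup(entries: List[Dict[str, str]], secrets: SecretFile,
           host: str, port: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Match on the non-secret fields first; touch the secret file only for a token."""
    for e in entries:
        if e.get("machine") == host and e.get("port") == port:
            token = e.get("token")
            return e.get("login"), (secrets.password(token) if token else None)
    return None
```

With no cache at all, the entry without a token costs zero decryptions and each entry with one costs exactly one.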