auth: Help for users
2 Help for users
****************
“Netrc” files are a de facto standard. They look like this:
machine MYMACHINE login MYLOGINNAME password MYPASSWORD port MYPORT
The ‘machine’ is the server (either a DNS name or an IP address).
It’s known as :HOST in ‘auth-source-search’ queries. You can also use
‘host’.
The ‘port’ is the connection port or protocol. It’s known as :PORT
in ‘auth-source-search’ queries.
The ‘user’ is the user name. It’s known as :USER in
‘auth-source-search’ queries. You can also use ‘login’ and ‘account’.
You can use spaces inside a password or other token by surrounding
the token with either single or double quotes.
You can use apostrophes inside a password or other token by
surrounding it with double quotes, e.g., ‘"he'llo"’. Similarly you can
use double quotes inside a password or other token by surrounding it
with apostrophes, e.g., ‘'he"llo'’. You can’t mix both (so a password
or other token can’t have both apostrophes and double quotes).
All this is optional. You could just say (but we don’t recommend it,
we’re just showing that it’s possible)
password MYPASSWORD
to use the same password everywhere. Again, _DO NOT DO THIS_ or you
will be pwned as the kids say.
“Netrc” files are usually called ‘.authinfo’ or ‘.netrc’; nowadays
‘.authinfo’ seems to be more popular and the auth-source library
encourages this confusion by accepting both, as you’ll see later.
If you have problems with the search, set ‘auth-source-debug’ to
‘'trivia’ and see what host, port, and user the library is checking in
the ‘*Messages*’ buffer. Ditto for any other problems, your first step
is always to see what’s being checked. The second step, of course, is
to write a blog entry about it and wait for the answer in the comments.
You can customize the variable ‘auth-sources’. The following may be
needed if you are using an older version of Emacs or if the auth-source
library is not loaded for some other reason.
(require 'auth-source) ;; probably not necessary
(customize-variable 'auth-sources) ;; optional, do it once
-- Variable: auth-sources
The ‘auth-sources’ variable tells the auth-source library where
your netrc files or Secret Service API collection items live for a
particular host and protocol. While you can get fancy, the default
and simplest configuration is:
;;; old default: required :host and :port, not needed anymore
(setq auth-sources '((:source "~/.authinfo.gpg" :host t :port t)))
;;; mostly equivalent (see below about fallbacks) but shorter:
(setq auth-sources '((:source "~/.authinfo.gpg")))
;;; even shorter and the _default_:
(setq auth-sources '("~/.authinfo.gpg" "~/.authinfo" "~/.netrc"))
;;; use the Secrets API LOGIN collection
;;; (Secret Service API)
(setq auth-sources '("secrets:Login"))
By adding multiple entries to ‘auth-sources’ with a particular host
or protocol, you can have specific netrc files for that host or
protocol. Usually this is unnecessary but may make sense if you
have shared netrc files or some other unusual setup (90% of Emacs
users have unusual setups and the remaining 10% are _really_
unusual).
Here’s a mixed example using two sources:
(setq auth-sources '((:source (:secrets default)
:host "myserver" :user "joe")
"~/.authinfo.gpg"))
If you don’t customize ‘auth-sources’, you’ll have to live with the
defaults: the unencrypted netrc file ‘~/.authinfo’ will be used for any
host and any port.
If that fails, any host and any port are looked up in the netrc file
‘~/.authinfo.gpg’, which is a GnuPG encrypted file (GnuPG and
EasyPG Assistant Configuration).
Finally, the unencrypted netrc file ‘~/.netrc’ will be used for any
host and any port.
The typical netrc line example is without a port.
machine YOURMACHINE login YOU password YOURPASSWORD
This will match any authentication port. Simple, right? But what if
there’s a SMTP server on port 433 of that machine that needs a different
password from the IMAP server?
machine YOURMACHINE login YOU password SMTPPASSWORD port 433
machine YOURMACHINE login YOU password GENERALPASSWORD
For url-auth authentication (HTTP/HTTPS), you need to put this in
your netrc file:
machine yourmachine.com:80 port http login testuser password testpass
This will match any realm and authentication method (basic or digest)
over HTTP. HTTPS is set up similarly. If you want finer controls,
explore the url-auth source code and variables.
For Tramp authentication, use:
machine yourmachine.com port scp login testuser password testpass
Note that the port denotes the Tramp connection method. When you
don’t use a port entry, you match any Tramp method, as explained
earlier. Since Tramp has about 88 connection methods, this may be
necessary if you have an unusual (see earlier comment on those) setup.