tramp-devel

Re: auth-source source password lookup for ssh + sudo


From: Michael Albinus
Subject: Re: auth-source source password lookup for ssh + sudo
Date: Sat, 19 Feb 2022 10:38:49 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)

Kai Tetzlaff <tramp@tetzco.de> writes:

> Hi Michael,

Hi Kai,

> sorry - it took a while to get my emacs config working with TRAMP from
> git (savannah) in order to apply the patch [1].

No problem, I could continue to work in parallel on the patch :-)

> 1. /ssh:remoteuser@host.example.com|sudo::/etc/passwd
>
>    This triggers:
>
>    a) an auth-source lookup for
>
>           hostname="host.example.com", user="remoteuser", port="ssh"
>
>    b) in case a) fails, a password prompt:
>
>           `Password for /ssh:remoteuser@host.example.com: `
>
>    => This looks pretty good. The auth-source lookup has the proper
>       information to find a matching password. And if auth-source finds
>       a matching entry, b) (password prompt) gets skipped.
>
>       Just a minor issue: the `port="ssh"` is a bit misleading. The
>       previous `port="sudo"` seemed clearer.

Fixed. It should ask now 'Password for /sudo:remoteuser@host.example.com: '

> 2. /ssh:host.example.com|sudo::/etc/passwd
>
>    Which uses a host entry in ~/.ssh/config:
>
>        Host host.example.com
>            User remoteuser
>
>    This triggers:
>
>    a) an auth-source lookup for
>
>           hostname="host.example.com", user="", port="ssh"
>
>    b) a prompt for the user name:
>
>           `ssh user name for host.example.com (default kai): `
>
>       (the default seems to be the local (emacs session) username. So I
>       changed that to `remoteuser`)
>
>    c) a password prompt:
>
>           `Password for /ssh:host.example.com: `
>
>    => This one still has some issues.
>
>       The auth-source lookup happens before b) (the prompt for the user
>       name) and it is not repeated after obtaining the correct user
>       name in b). So the lookup will typically fail.
>
>       The password prompt in c)  doesn't show the user name entered in
>       b).
>
>       Is it possible to do b) (ask for the username) before a)
>       (auth-source lookup)?

This is a general problem, not introduced recently. Tramp knows only
user names which have been told, it does not check ssh config files and
the like.

But according to my recent tests, auth-source lookup is started now w/o
user (because it is nil), so it should be better now. Step b) is
skipped. To be confirmed by you.

>       An option to configure a connection specific sudo (default) user
>       would be nice (or, even better, extract the user name from the ssh
>       config).

Oh, that exists already. See tramp-default-user-alist.

The adapted patch is appended, and it works (in my environment) for
local and remote sudo, for remote doas, and for local sudoedit.

Waiting for comments :-)

> Thanks & Best Regards,
> Kai.

Best regards, Michael.

Attachment: txtiTt8XIPacL.txt
Description: Text Data
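
An added example, not part of the original message or of Tramp itself: one way to fill `tramp-default-user-alist`, the variable named in the reply, from `Host`/`User` pairs in ssh config text, so that Tramp has a default user for the ssh hop in case 2. The `my/` names and the sample text are constructed for illustration; wildcard host patterns, `Match` blocks and `Include` are deliberately not interpreted.

```elisp
;;; -*- lexical-binding: t -*-
(require 'seq)
(require 'tramp)

;; Constructed sample, mirroring the ~/.ssh/config entry quoted in the thread.
(defconst my/sample-ssh-config
  "Host host.example.com
    User remoteuser

Host *
    ServerAliveInterval 60
")

(defun my/ssh-config-users (text)
  "Return an alist of (HOST . USER) pairs found in ssh config TEXT.
Only literal host names are kept: patterns containing `*', `?' or `!'
are skipped, and `Match' blocks and `Include' are not interpreted."
  (let ((case-fold-search t)            ; ssh config keywords are case-insensitive
        hosts result)
    (dolist (line (split-string text "\n" t))
      (cond
       ((string-match "\\`[ \t]*Host[ \t=]+\\(.+\\)" line)
        (setq hosts (seq-remove (lambda (h) (string-match-p "[*?!]" h))
                                (split-string (match-string 1 line)))))
       ((string-match "\\`[ \t]*Match[ \t]" line)
        (setq hosts nil))               ; do not attribute User lines in Match blocks
       ((string-match "\\`[ \t]*User[ \t=]+\\([^ \t]+\\)" line)
        (let ((user (match-string 1 line)))
          (dolist (host hosts)
            ;; ssh keeps the first value it obtains for a parameter.
            (unless (assoc host result)
              (push (cons host user) result)))))))
    (nreverse result)))

(defun my/tramp-add-ssh-config-users (text)
  "Add one `tramp-default-user-alist' entry per host/user pair in TEXT."
  (dolist (pair (my/ssh-config-users text))
    (add-to-list 'tramp-default-user-alist
                 (list "\\`ssh\\'"
                       (concat "\\`" (regexp-quote (car pair)) "\\'")
                       (cdr pair)))))

(my/tramp-add-ssh-config-users my/sample-ssh-config)
```

Host names are passed through `regexp-quote` and anchored, so an entry for `host.example.com` cannot also match a longer or look-alike host name.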

