tramp-devel

Re: auth-source source password lookup for ssh + sudo


From: Kai Tetzlaff
Subject: Re: auth-source source password lookup for ssh + sudo
Date: Fri, 18 Feb 2022 22:47:25 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)

Michael Albinus <michael.albinus@gmx.de> writes:

Hi Michael,

sorry - it took a while to get my emacs config working with TRAMP from
git (savannah) in order to apply the patch [1].

>>>> I see. It is not a problem of multi-hop per se, but a general problem of
>>>> su(do) password prompts in Tramp. Will see what I could do.
>>>
>>> Ok, yes - but it's only a problem of the `sudo` method. For `su` the
>>> current behaviour is correct.
>>
>> And perhaps 'doas' on *BSD? Don't know.
>
> Finally, I believe we must support Tramp methods 'sudo', 'sudoedit' and
> 'doas'. I've prepared a patch (appended), could you pls check? The main
> idea is, that for these methods the password of the previous hop is
> reused. In case there is no "previous" hop, Tramp assumes a virtual one,
> in order not to mix with the root password.
>
> The patch is not polished yet, but I'd like to know whether it works in
> general outside my laptop.

The patch improves things. I've tried two different scenarios (both
using public key authentication for the SSH connection):

1. /ssh:remoteuser@host.example.com|sudo::/etc/passwd

   This triggers:

   a) an auth-source lookup for

          hostname="host.example.com", user="remoteuser", port="ssh"

   b) in case a) fails, a password prompt:

          `Password for /ssh:remoteuser@host.example.com: `

   => This looks pretty good. The auth-source lookup has the proper
      information to find a matching password. And if auth-source finds
      a matching entry, b) (password prompt) gets skipped.

      Just a minor issue: the `port="ssh"` is a bit misleading. The
      previous `port="sudo"` seemed clearer.

2. /ssh:host.example.com|sudo::/etc/passwd

   Which uses a host entry in ~/.ssh/config:

       Host host.example.com
           User remoteuser

   This triggers:

   a) an auth-source lookup for

          hostname="host.example.com", user="", port="ssh"

   b) a prompt for the user name:

          `ssh user name for host.example.com (default kai): `

      (the default seems to be the local (emacs session) username. So I
      changed that to `remoteuser`)

   c) a password prompt:

          `Password for /ssh:host.example.com: `

   => This one still has some issues.

      The auth-source lookup happens before b) (the prompt for the user
      name) and it is not repeated after obtaining the correct user
      name in b). So the lookup will typically fail.

      The password prompt in c) doesn't show the user name entered in
      b).

      Is it possible to do b) (ask for the username) before a)
      (auth-source lookup)?

      An option to configure a connection specific sudo (default) user
      would be nice (or, even better, extract the user name from the ssh
      config).


Thanks & Best Regards,
Kai.



[1] First I had to figure out how to convince straight.el to load the
external version of TRAMP (from git@savannah). And then, I got errors
from emacs 28.0.91:

  Method ‘ssh’ is not supported for multi-hops.

which went away after switching to a fresh build of emacs 29.0.50 (aka
master).
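
The two lookups reported in the message above, reproduced directly against auth-source with a constructed authinfo file (an added example, not part of the original message and not Tramp's code). The helper names, the temporary file and the secret are made up, and calling `auth-source-pick-first-password` with these keys is an assumption about how to reproduce the lookup, not Tramp's own call.

```elisp
;;; -*- lexical-binding: t -*-
(require 'auth-source)

(defun demo-sudo-hop-lookup (user)
  "Return the secret auth-source finds for USER on the ssh hop, or nil.
Hypothetical helper; the authinfo entry below is constructed sample data."
  (let* ((file (make-temp-file "authinfo-demo-"))
         (auth-sources (list file))     ; consult only this file
         (auth-source-do-cache nil))    ; no cached answers
    (unwind-protect
        (progn
          (with-temp-file file
            (insert "machine host.example.com login remoteuser"
                    " port ssh password constructed-secret\n"))
          ;; Same three keys as the lookup shown in a) of both scenarios.
          (auth-source-pick-first-password
           :host "host.example.com" :user user :port "ssh"))
      (delete-file file))))

(defun demo-both-scenarios ()
  "Run the lookup of scenario 1 a) and of scenario 2 a)."
  (list
   ;; Scenario 1: the user is part of the Tramp file name, so the
   ;; "login remoteuser" entry can match.
   (cons "remoteuser" (and (demo-sudo-hop-lookup "remoteuser") 'found))
   ;; Scenario 2: the user is still empty at lookup time, so the same
   ;; entry cannot match and the caller falls through to the prompts.
   (cons "" (and (demo-sudo-hop-lookup "") 'found))))
```

Evaluating `(demo-both-scenarios)` shows which of the two user values finds the entry; the secret itself is never put in the returned list.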


