Package: emacs
Reported by: Richard Sent <richard <at> freakingpenguin.com>
Date: Sat, 15 Jun 2024 20:28:02 UTC
Severity: normal
Found in version 29.3
To reply to this bug, email your comments to 71578 AT debbugs.gnu.org.
Message #5 received at submit <at> debbugs.gnu.org:
From: Richard Sent <richard <at> freakingpenguin.com>
To: bug-gnu-emacs <at> gnu.org
Subject: 29.3; ERC 5.5.0.29.1: No documented support for setting server and nickserv authentication per-server
Date: Sat, 15 Jun 2024 16:27:11 -0400

Hi all,

When using ERC, various servers have different policies for nickserv
identification and server authentication. For example, irc.libera.chat
forwards the server password to nickserv, while irc.pine64.org ignores
server password and nickserv is authenticated separately.

By default, erc uses auth-source for server authentication
(erc-auth-source-server-function), and can optionally use auth-source
for nickserv identification (erc-use-auth-source-for-nickserv-password).
These settings are global and affect every server.

This causes problems where credentials may be needlessly
double-decrypted using auth-source. This is particularly annoying when
auth-sources needs to decrypt data and requires manual intervention
(such as touching a yubikey).

This occurs because the auth-source specification for server
authentication and nickserv authentication do not necessarily match so
the cached result is not returned. (For example, libera.chat has
iridium.libera.chat, mercury.libera.chat, etc. which are passed in the
spec for nickserv authentication, while irc.libera.chat is passed for
server authentication.)

Ideally ERC should have a documented method for disabling server
authentication and nickserv authentication on a per-server basis. As a
workaround I found the following methods currently work:

--8<---------------cut here---------------start------------->8---
;; Note that these must be "", not nil

;; Pass :password "" to disable server authentication
(erc-tls :server "irc.pine64.org" :nick "freakingpenguin" :password "")

;; Set nickserv password to "" to disable nickserv authentication
(setq erc-nickserv-passwords
      '((Libera.Chat (("freakingpenguin" . "")))))
--8<---------------cut here---------------end--------------->8---

As far as I'm aware this isn't documented anywhere officially so there's
no guarantee it will continue to work in the future.

This is intended as a tracking ticket following discussion on #erc.

In GNU Emacs 29.3 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.41,
cairo version 1.18.0)
Windowing system distributor 'The X.Org Foundation', version 11.0.12101012
System Description: Guix System

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Message #8 received at 71578 <at> debbugs.gnu.org:
From: "J.P." <jp <at> neverwas.me>
To: Richard Sent <richard <at> freakingpenguin.com>
Cc: 71578 <at> debbugs.gnu.org, emacs-erc <at> gnu.org
Subject: Re: bug#71578: 29.3; ERC 5.5.0.29.1: No documented support for setting server and nickserv authentication per-server
Date: Mon, 17 Jun 2024 11:00:51 -0700

Hi Richard,

Thanks for opening this.

Richard Sent <richard <at> freakingpenguin.com> writes:

> Hi all,
>
> When using ERC, various servers have different policies for nickserv
> identification and server authentication. For example, irc.libera.chat
> forwards the server password to nickserv, while irc.pine64.org ignores
> server password and nickserv is authenticated separately.
>
> By default, erc uses auth-source for server authentication
> (erc-auth-source-server-function), and can optionally use auth-source
> for nickserv identification (erc-use-auth-source-for-nickserv-password).
> These settings are global and affect every server.
>
> This causes problems where credentials may be needlessly
> double-decrypted using auth-source. This is particularly annoying when
> auth-sources needs to decrypt data and requires manual intervention
> (such as touching a yubikey).

I agree that it's far from ideal to have `services' perform lookups
whenever the options `erc-use-auth-source-for-nickserv-password' and
`erc-auth-source-services-function' are non-nil. And arranging for an
auth-source query to come up empty for connections you're not
interested in isn't a viable solution because `erc-nickserv-identify'
won't take no for an answer. Indeed, failing to provide a password when
prompted currently earns you an error, as you've no doubt observed.

I think the main issue here is that the global `services' module lacks
sufficient per-session granularity, which extends to its auth-source
integration. While auth-source is session aware by nature, ERC's
integration is not, at least not in the sense that different values for
the various `erc-auth-source-*-function' options can be specified per
session. (Of course, you *can* set these options to function values
that are themselves session aware, but that defeats the purpose of
deferring to the framework to begin with.)

All this echoes a familiar gripe among users regarding ERC's inability
to apply existing options, like `erc-auth-source-join-function', in a
targeted fashion that's limited to a specific context, such as a
certain channel on a given network [1]. In fact, a long-term goal of
this project is to address this in a more general way, possibly by
proposing a change to Emacs' Custom machinery itself that would make
user options relatable to arbitrary "contexts" in a manner somewhat
reminiscent of connection-local variables, only more abstract.

> This occurs because the auth-source specification for server
> authentication and nickserv authentication do not necessarily match so
> the cached result is not returned. (For example, libera.chat has
> iridium.libera.chat, mercury.libera.chat, etc. which are passed in the
> spec for nickserv authentication, while irc.libera.chat is passed for
> server authentication.)

I think disparities in query behavior across contexts is an overlapping
concern best tackled independently. By default, ERC favors the network
ID when matching against the `:host' parameter for all authentication
opportunities except server passwords. This means you can specify an
entry like

  machine Libera.Chat login MyNick password sEcReT

instead of

  machine foo.libera.chat ...
  machine bar.libera.chat ...
  machine baz.libera.chat ...

where "Libera.Chat" is the network ID. However, as you've likely
discovered, this won't work for server passwords because ERC doesn't
yet know the network ID when it sends the "PASS" command. As things
currently stand, if you want to avoid a redundant

  machine irc.libera.chat ...

you can invoke your entry point command from lisp with a session ID,
like

  (erc-tls ... :id "Libera.Chat" ... )

which then takes precedence over any discovered network ID. (BTW,
though this won't help with your issue, the manual for the latest
release contains expanded coverage of ERC's auth-source integration
[2].)

Anyway, at present, folks bothered by this behavior will have to write
their own lookup function, which is perhaps a bridge too far for
relatively simple cases like the one you describe. I think the
situation can be improved a bit by doing the following:

1. Add an option to reverse the ordering favored by
   `erc-auth-source-search', which is the default value of all
   `erc-auth-source-*-function' options. Basically, we'd want

     machine irc.libera.chat ...

   to always win over

     machine Libera.Chat ...

   so people can optionally only specify the (dialed) one.

2. Cache the value of `erc-auth-source-server-function' given at
   initial connection time for reuse when reconnecting, much like we do
   with `erc-session-password' and `erc-session-connector'. (The `sasl'
   module already does this for `erc-sasl-auth-source-function' because
   it's a so-called "local" module.) This should obviate the need for
   your :password "" workaround for those willing to let-bind
   `erc-auth-source-server-function' to nil around calls to `erc-tls'.

> Ideally ERC should have a documented method for disabling server
> authentication and nickserv authentication on a per-server basis. As a
> workaround I found the following methods currently work:
>
> ;; Note that these must be "", not nil
>
> ;; Pass :password "" to disable server authentication
> (erc-tls :server "irc.pine64.org" :nick "freakingpenguin" :password "")

AFAICT, this makes ERC send an opening "PASS :" message. Although IRC
syntax does allow for an empty trailing parameter, I couldn't find
anything documenting how servers should treat an empty server password
specifically. As such, if documenting :password "" as a workaround to
suppress lookups of server passwords, we'd probably want to indicate
that it's only known to work on certain servers.

> ;; Set nickserv password to "" to disable nickserv authentication
> (setq erc-nickserv-passwords
>       '((Libera.Chat (("freakingpenguin" . "")))))

For some reason, this one gives me the familiar "Cannot find a password
for nickname ..." error. Stepping through `erc-nickserv-get-password'
on ERC 5.5, I see that it correctly determines the password to be "",
but the line

  (not (string-empty-p (erc--unfun ret)))

makes it return nil, which then triggers `erc-nickserv-identify' to
signal the aforementioned error.

> As far as I'm aware this isn't documented anywhere officially so there's
> no guarantee it will continue to work in the future.

Sadly, individual modules aren't yet documented in ERC's manual. I'd
very much like to change that at some point (patches welcome).

Anyway, I've distilled some thoughts on this issue cobbled together
from various notes and earlier discussions:

- Problem: ERC doesn't support connecting simultaneously to a server
  allowing only NickServ-based authentication and another requiring a
  different method, such as a server password. In essence, the
  `services' module cannot be enabled for only a subset of connections.

- Workaround: shadow unwanted entries

  This only works when `erc-nickserv-identify-mode' is set to `both'
  (the default). For each network you *don't* want managed, add an
  entry, like:

    (setopt erc-nickserv-alist
            (cons (list 'foonet nil regexp-unmatchable "" "" nil nil nil)
                  erc-nickserv-alist))

  Or do the equivalent via Customize. Then connect as usual, and
  services will only attempt to authenticate to servers with
  non-shadowed entries.

- Workaround: use the library but not the module

  That is, don't add `services' to `erc-modules' at all. Instead, load
  the library, and selectively mimic the module by adding only the hook
  members you need. For example, to force your way past a server that
  sends a "433 ... Nickname is reserved" response to an opening
  "NICK mynick" message (which induces ERC to ask for and be granted
  "mynick`" instead), ensure the relevant entry in `erc-nickserv-alist'
  has t for its 6th field so that ERC sends
  "NickServ IDENTIFY mynick mypass" instead of just
  "NickServ IDENTIFY mypass".

    (require 'erc-services)

    (setopt erc-nickserv-alist
            (cons '(foonet
                    "irc.foonet.org"
                    nil
                    "NickServ"
                    "IDENTIFY"
                    t ; <- important
                    nil
                    "You're now logged in as ")
                  erc-nickserv-alist))

    (defun my-erc-identify-on-connect (server _my-backticked-nick)
      (when (string-suffix-p ".foonet.org" server)
        ;; Replace "mypass" with nil to defer to `erc-nickserv-get-password'
        (erc-nickserv-identify "mypass" "mynick")))

    (add-hook 'erc-after-connect #'my-erc-identify-on-connect)

    (erc :server "127.0.0.1" :port 6667 :nick "mynick")

- Solution: new "ignore" option

  A hypothetical `erc-nickserv-ignore-without-alist-entry' option could
  address this issue by telling ERC to forgo authenticating to networks
  that don't have an entry in `erc-nickserv-alist'.

- Solution: new `services-local' module

  Such a module would address this issue by only managing NickServ
  dialogues for connections that enable it during entry-point
  invocation. It could share options with the global `services' module
  or offer its own, simplified ones. Either way, it would act like
  other local modules in stashing a copy of its options when
  initializing and then reusing them when reconnecting. Users could
  then be free to let-bind different configurations around calls to
  `erc-tls'.

> This is intended as a tracking ticket following discussion on #erc.

Better (two decades) late than never!

Cheers,
J.P.

P.S. You may be able to use the `sasl' module for Pine64.org because
they appear to be running a relatively recent version of Unreal [3].

[1] https://lists.gnu.org/archive/html/erc-discuss/2012-05/msg00008.html
[2] https://elpa.gnu.org/packages/doc/erc.html#auth_002dsource
[3] After registering, I was able to authenticate successfully to
    Unreal's testnet with the following session-local configuration:

      (let ((erc-modules (cons 'sasl erc-modules)))
        (erc-tls :server "irc.unrealircd.org"
                 :nick "mynick"
                 :user "mynick"
                 :password "mypass"))
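
The reply above notes that the `erc-auth-source-*-function` options can hold functions that are themselves session aware. The following is an added example of such a function for the server password only; it is not code from the thread or from ERC. Every `my-erc-` name is hypothetical, and it assumes ERC calls the function in the new server buffer with `erc-session-server` already set to the dialed host.

```emacs-lisp
;;; -*- lexical-binding: t; -*-
;; Added example: per-host policy for ERC's server-password lookup.
;; All `my-erc-' names are hypothetical.  The ERC names used are the
;; ones mentioned in the thread, plus `erc-session-server'.
(require 'erc)

(defvar my-erc-server-auth-policy
  '(("irc.pine64.org"  . skip)                   ; server password unused
    ("irc.libera.chat" . (:host "Libera.Chat"))) ; reuse network-ID entry
  "Alist mapping a dialed host name to a server-password policy.
The symbol `skip' means auth-source is never queried for that
host, so no \"PASS\" is sent and nothing has to be decrypted.  A
plist is placed in front of ERC's own query parameters, so a
single entry keyed on the network ID, such as

  machine Libera.Chat login MyNick password sEcReT

can also answer the server-password lookup even though the
network ID is not yet known at that point.  Hosts that are not
listed get ERC's default query.")

(defun my-erc-server-auth-policy-for (host)
  "Return the policy for dialed HOST, or nil when HOST is unlisted.
Host names are compared case-insensitively."
  (cdr (assoc-string host my-erc-server-auth-policy t)))

(defun my-erc-auth-source-server (&rest plist)
  "Session-aware value for `erc-auth-source-server-function'.
PLIST holds the keyword parameters ERC supplies for the lookup.
Assumption: this runs in the server buffer being set up, so
`erc-session-server' names the host being dialed."
  (let ((policy (my-erc-server-auth-policy-for erc-session-server)))
    (cond
     ;; Returning nil tells ERC to send no server password at all.
     ((eq policy 'skip) nil)
     ;; Explicit parameters from the policy come first in the query.
     ((consp policy)
      (apply #'erc-auth-source-search (append policy plist)))
     ;; Unlisted host: fall back to the stock lookup.
     (t (apply #'erc-auth-source-search plist)))))

(setopt erc-auth-source-server-function #'my-erc-auth-source-server)
```

This only governs the opening server password. NickServ lookups made by the `services` module are untouched, and as the reply explains, returning nil there leads to a prompt rather than a skipped identification.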