4.13 Reusing passwords for several connections

To avoid repeated prompts for passwords, consider native caching mechanisms, such as ssh-agent for ssh-like methods, or pageant for plink-like methods.

TRAMP offers alternatives when native solutions cannot meet the need.

4.13.1 Using an authentication file

The package auth-source.el, originally developed for No Gnus, reads passwords from different sources, See (auth)auth-source. The default authentication file is ~/.authinfo.gpg, but this can be changed via the user option auth-sources.

A typical entry in the authentication file:

machine melancholia port scp login daniel password geheim

The port can take any TRAMP method (see Inline methods, see External methods). Omitting port values matches all TRAMP methods. Domain and ports, as used in TRAMP file name syntax, must be appended to the machine and login items:

machine melancholia#4711 port davs login daniel%BIZARRE password geheim

For the methods doas, sudo and sudoedit the password of the user requesting the connection is needed, and not the password of the target user. If these connections happen on the local host, an entry with the local user and local host is used:

machine host port sudo login user password secret

user and host are the strings returned by (user-login-name) and (system-name). If one of these methods is connected via a multi hop (see Connecting to a remote host using multiple hops), the credentials of the previous hop are used.

If no proper entry exists, the password is read interactively. After successful login (verification of the password), Emacs offers to save a corresponding entry for further use by auth-source backends which support this. This can be changed by setting the user option auth-source-save-behavior to nil.

Set auth-source-debug to t to debug messages.

Note that auth-source.el is not used for ftp connections, because TRAMP passes the work to Ange FTP. If you want, for example, use your ~/.authinfo.gpg authentication file, you must customize ange-ftp-netrc-filename:

(customize-set-variable 'ange-ftp-netrc-filename "~/.authinfo.gpg")

In case you do not want to use an authentication file for TRAMP passwords, use connection-local variables like this:

(connection-local-set-profile-variables
 'remote-without-auth-sources '((auth-sources . nil)))

(connection-local-set-profiles
 '(:application tramp) 'remote-without-auth-sources)

4.13.2 Caching passwords

TRAMP can cache passwords as entered and reuse when needed for the same user or host name independent of the access method.

password-cache-expiry sets the duration (in seconds) the passwords are remembered. Passwords are never saved permanently nor can they extend beyond the lifetime of the current Emacs session. Set password-cache-expiry to nil to disable expiration.

Set password-cache to nil to disable password caching.