To avoid repeated prompts for passwords, consider native caching
mechanisms, such as ssh-agent
for ssh-like
methods, or pageant
for plink-like methods.
TRAMP offers alternatives when native solutions cannot meet the need.
The package auth-source.el, originally developed for No Gnus,
reads passwords from different sources, See (auth)auth-source. The default authentication file is
~/.authinfo.gpg, but this can be changed via the user option
auth-sources
.
A typical entry in the authentication file:
machine melancholia port scp login daniel password geheim
The port can take any TRAMP method (see Inline methods, see External methods). Omitting port values matches all TRAMP methods. Domain and ports, as used in TRAMP file name syntax, must be appended to the machine and login items:
machine melancholia#4711 port davs login daniel%BIZARRE password geheim
For the methods doas, sudo and sudoedit the password of the user requesting the connection is needed, and not the password of the target user. If these connections happen on the local host, an entry with the local user and local host is used:
machine host port sudo login user password secret
user and host are the strings returned by
(user-login-name)
and (system-name)
. If one of these
methods is connected via a multi hop (see Connecting to a remote host using multiple hops), the
credentials of the previous hop are used.
If no proper entry exists, the password is read
interactively. After successful login (verification of the password),
Emacs offers to save a corresponding entry for further use by
auth-source
backends which support this. This can be changed
by setting the user option auth-source-save-behavior
to nil
.
Set auth-source-debug
to t
to debug messages.
Note that auth-source.el is not used for ftp
connections, because TRAMP passes the work to Ange FTP. If
you want, for example, use your ~/.authinfo.gpg authentication
file, you must customize ange-ftp-netrc-filename
:
(customize-set-variable 'ange-ftp-netrc-filename "~/.authinfo.gpg")
In case you do not want to use an authentication file for TRAMP passwords, use connection-local variables like this:
(connection-local-set-profile-variables 'remote-without-auth-sources '((auth-sources . nil)))
(connection-local-set-profiles '(:application tramp) 'remote-without-auth-sources)
TRAMP can cache passwords as entered and reuse when needed for the same user or host name independent of the access method.
password-cache-expiry
sets the duration (in seconds) the
passwords are remembered. Passwords are never saved permanently nor
can they extend beyond the lifetime of the current Emacs session. Set
password-cache-expiry
to nil
to disable expiration.
Set password-cache
to nil
to disable password caching.