Elisp:如何从init文件中排除敏感信息?(即登录凭据)


11

我想在初始化脚本中定义一个登录功能,但是我不想对我的登录凭证进行硬编码。我认为一个不错的解决方法是让我的初始化脚本从本地文件中读取我的登录凭据,并将这些值另存为变量。这样,我可以从git索引中排除该文件,从而确保我的登录凭据安全。

关于这种方法或将参数设置为文件中定义的值的方法有什么建议吗?

例如,我想在我的内容中使用以下内容init.el

;; Set up our login variables here:
(setq file-location "~/.emacs.d/.login")
(setq erc-username "default-name")
(setq erc-password "default-password")
(setq erc-url "default-url")
(setq erc-port "default-port")
(defun read-lines (filePath)
  "Return a list of lines of a file at filePath."
  (with-temp-buffer
    (insert-file-contents filePath)
    (split-string (buffer-string) "\n" t)))
(if (file-exists-p file-location)
    (progn (setq login-credentials (read-lines file-location))
           (setq erc-username (nth 0 login-credentials))
           (setq erc-password (nth 1 login-credentials))
           (setq erc-url (nth 2 login-credentials))
           (setq erc-port (nth 3 login-credentials)))
    (message "No ERC login credentials provided. Please add login credentials as '<username>\n<password>\n<url>\n<port>' in ~/.emacs.d/.login to activate ERC mode."))

;; These message the values from my file correctly.
;; Everything up to this point works as expected
(message erc-username) 
(message erc-password)
(message erc-url)
(message erc-port)

;; Use our login variables here 
;; This doesn't work because the 'quote' function prevents evaluation of my variables, and a 'backquote' did not resolve it either
(custom-set-variables
 ;; custom-set-variables was added by Custom.
 ;; If you edit it by hand, you could mess it up, so be careful.
 ;; Your init file should contain only one such instance.
 ;; If there is more than one, they won't work right.
 '(markdown-command "/usr/bin/pandoc")
 '(tls-program (quote ("openssl s_client -connect %h:%p -no_ssl2 -ign_eof -CAfile ~/.ssl/spi_ca.pem -cert ~/.ssl/znc.pem")))
 '(znc-servers (quote ((,erc-url ,erc-port t ((irc\.freenode\.net ,erc-username ,erc-password)))))))
(custom-set-faces
 ;; custom-set-faces was added by Custom.
 ;; If you edit it by hand, you could mess it up, so be careful.
 ;; Your init file should contain only one such instance.
 ;; If there is more than one, they won't work right.
 )

请注意,我的示例在此处使用了znc.el模块。我修改从Emacs的CONFIGS导致自动生成的代码和。M-x customize-group RET znc RETM-x customize-variable RET tls-program RET

上面的代码的问题是变量没有加载到我custom-set-variables上面的函数中。从文件中加载适当的值似乎可以正常工作,但是我似乎无法将它们用作参数。我认为这与quote功能有关,该功能无法评估其内容。我尝试使用“反引号”(,)进行强制评估,但它也不起作用。任何修复此错误或提供另一种方法的建议都将非常有帮助。

Answers:


11

Emacs附带了auth-source.el。我不会尝试推出自己的版本。

auth-source易于阅读~/.authinfo.gpg。好的程序已经支持authinfo。快速搜索表明ERC 可以使用authinfo

为了您随便从架子 MELPA程序,你可以很容易地使用AUTHINFO从取回密码~/.authinfo.gpg这样

(with-eval-after-load 'random-mode
  (require 'auth-source)
  (let ((auth (nth 0 (auth-source-search :host "secrets.com"
                                         :requires '(user secret)))))
    (setq random-psk (funcall (plist-get auth :secret))
          random-user (plist-get auth :user))))

其中~/.authinfo.gpg包含以下行:

## Used by random-mode.el
machine secrets.com login rasmus password my-secret-password

当然,安全感是一个谎言。您的密码现在以明文形式存储在变量中:

random-psk => "my-secret-password"

但是至少它不在某些git-repo或dropbox中!

如果您拥有某种类型的密钥环,则可以使用Secret Service API从那里获取凭据(请参阅参考资料(info "(auth) Secret Service API"))。


6

custom-set-variables很奇怪–我不是100%肯定它可以处理这种情况。您可以尝试一下(eval `(custom-set-variables … (erc-password … ,(special-value) …) …),但这使我感到震惊,因为它是一个肮脏的漏洞。

只需将额外信息放入带有gpg扩展名的文件中,将其保存,输入密码,然后加载该文件。加载文件时,您必须输入文件密码。

例如,创建一个sensitive.el.gpg包含以下内容的文件:

(message "Hello, there!")

保存文件,按(或在键上选择)[OK],然后输入密码。不用担心-在保存之前它将要求您进行确认。然后,在您的init文件中

(load "sensitive.el.gpg")

这将在启动时加载文件,要求您输入密码,以便Emacs可以解密文件。

如果您不想在启动时输入密码,请给该函数一个手动运行的名称:

(defun my:keys () (interactive) (load "sensitive.el.gpg"))
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.