Re: providing imap_pass but not from ~/.muttrc

2019-06-13 Thread Cameron Simpson

On 13Jun2019 17:10, Larry Rosenman wrote:
> On 06/13/2019 4:52 pm, Cameron Simpson wrote:
>> On 13Jun2019 14:26, Larry Rosenman wrote:
>>> I do the following trick:
>>> source "gpg -q --textmode -d ~/.neomutt/passwords.gpg  |"
>>>
>>> where the passwords.gpg file sets my_ vars for all my
>>> passwords.
>>
>> Doesn't that require interaction on each mutt startup? I appreciate
>> that this has the password nicely encrypted when idle and doesn't
>> display them on the command line or in environment variables.
>
> [snip]
>
> I have gpg-agent running so the key is available. I have some
> switch-identity stuff in the rest of my (neo)mutt rc files to switch
> between the identities.

Ah, I wondered. My own gpg-agent timeout is short enough that I'd be
prompted all the time :-(


Cheers,
Cameron Simpson 


Re: providing imap_pass but not from ~/.muttrc

2019-06-13 Thread Larry Rosenman

On 06/13/2019 4:52 pm, Cameron Simpson wrote:
> On 13Jun2019 14:26, Larry Rosenman wrote:
>> I do the following trick:
>>
>> source "gpg -q --textmode -d ~/.neomutt/passwords.gpg  |"
>>
>> where the passwords.gpg file sets my_ vars for all my
>> passwords.
>
> Doesn't that require interaction on each mutt startup? I appreciate
> that this has the password nicely encrypted when idle and doesn't
> display them on the command line or in environment variables.

[snip]

I have gpg-agent running so the key is available. I have some
switch-identity stuff in the rest of my (neo)mutt rc files to switch
between the identities.
--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: providing imap_pass but not from ~/.muttrc

2019-06-13 Thread Cameron Simpson

On 13Jun2019 14:26, Larry Rosenman wrote:
> I do the following trick:
>
> source "gpg -q --textmode -d ~/.neomutt/passwords.gpg  |"
>
> where the passwords.gpg file sets my_ vars for all my
> passwords.


Doesn't that require interaction on each mutt startup? I appreciate that 
this has the password nicely encrypted when idle and doesn't display 
them on the command line or in environment variables.


I've got various mail credentials in my .fetchmailrc (I now use getmail, 
but whatever), so I've got scripts to fetch them from it. Should port it 
to the getmail config some time.


So, the muttrc config line which presages accessing my phone IMAP 
account:


 source 'cs-mutt-imap-settings cs-iphone-cc'

cs-mutt-imap-settings is this script:

 #!/bin/sh
 #
 # Read clause from .fetchmailrc, recite mutt IMAP settings.
 #   - Cameron Simpson  26sep2015
 #

 set -ue

 clause=$1
 shift

 # Turn the "user"/"pass"/"via" lines of the clause into mutt "set" commands.
 fetchmailclause "$clause" \
 | awk '$1 == "user" { user=$2 }
        $1 == "pass" { pass=$2 }
        $1 == "via"  { via=$2 }
        END { print "set imap_user='\''" user "'\''"
              print "set imap_pass='\''" pass "'\''"
              print "set my_imap_host='\''" via "'\''"
            }
       '

and fetchmailclause is this script:

 #!/bin/sh
 #
 # Pull out a single clause from a .fetchmailrc file.
 # The parsing's a little simplistic but it works fairly well.
 #   - Cameron Simpson  09sep2003
 #

 rc=$HOME/.fetchmailrc
 start=skip        # vs poll

 cmd=$0
 usage="Usage: $cmd [-f fetchmailrc] [clause]"

 badopts=

 [ "x$1" = x-f ] && { rc=$2; shift; shift; }

 # With no clause named, just list the names of all poll/skip clauses.
 [ $# = 0 ] && exec awk '$1 == "poll" || $1 == "skip" { print $2 }' "$rc"

 clause=$1; shift
 [ $# = 0 ] || { echo "$cmd: extra arguments after clause: $*" >&2; badopts=1; }

 [ $badopts ] && { echo "$usage" >&2; exit 2; }

 # Print the lines of the named clause, up to the next poll/skip clause.
 # Note: the y commands below map a literal TAB character to a space.
 exec sed -ne '
   y/	/ /
   s/$/ /
   '"/^ *skip  *$clause /b start
   /^ *poll  *$clause /b start
   d
   :start
   n
   y/	/ /
   s/  */ /g
   s/^ //
   s/ $//
   /^#/b start
   /^$/b start
   /^skip /d
   /^poll /d
   p
   b start" "$rc"

So if the OP already has the credentials sitting around elsewhere they 
could automate getting them.


This approach does have the downside that credentials are still in files 
in the clear though.


Cheers,
Cameron Simpson 
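
As an added example (my own code, not Cameron's scripts above), here is the same fetchmailrc-to-mutt conversion generalised a little: keywords may sit on the poll line itself or on the lines below it, and every value is single-quoted so that a password containing a quote cannot break out of the generated "set" line. It assumes values are single tokens (optionally in double quotes) and that mutt reads 'a'\''b' as a'b; the sample rc is constructed.

```shell
# Added example, not code from the list post: the fetchmailrc-to-mutt idea
# above, generalised so keywords may sit on the poll line or below it, and
# with values single-quoted so a password holding a quote cannot break out
# of the generated line. Assumed: values are single tokens (optionally in
# double quotes) and mutt reads 'a'\''b' as a'b.
set -u
# clause_to_mutt CLAUSE: read a .fetchmailrc on stdin, print mutt settings
# for the poll/skip clause named CLAUSE; exit status 1 if it is not found.
clause_to_mutt() {
    awk -v want="$1" -v q="'" '
    function strip(v) { return (v ~ /^".*"$/) ? substr(v, 2, length(v) - 2) : v }
    function mq(v,   out, i, c) {   # single-quote v, escaping embedded quotes
        out = ""
        for (i = 1; i <= length(v); i++) {
            c = substr(v, i, 1)
            out = out (c == q ? q "\\" q q : c)
        }
        return q out q
    }
    /^[ \t]*#/ { next }                   # comment line
    $1 == "poll" || $1 == "skip" {        # a new clause starts here
        inclause = ($2 == want)
        if (!inclause) next
        found = 1; host = $2
    }
    !inclause { next }
    {   # pick up keyword/value pairs wherever they sit in the clause
        for (i = 1; i < NF; i++) {
            if ($i == "user" || $i == "username") user = strip($(i + 1))
            else if ($i == "pass" || $i == "password") pass = strip($(i + 1))
            else if ($i == "via") host = strip($(i + 1))
        }
    }
    END {
        if (!found) exit 1
        print "set imap_user=" mq(user)
        print "set imap_pass=" mq(pass)
        print "set my_imap_host=" mq(host)
    }'
}
# Constructed sample rc, not a real account; the first password holds a quote.
FETCHMAILRC_SAMPLE='# constructed sample
poll imap.example.net proto imap
    user "alice" pass "it'\''s-s3cret" ssl
skip old.example.org via mail.example.org user bob pass hunter2
'
# demo CLAUSE: run the converter over the constructed sample.
demo() { printf '%s' "$FETCHMAILRC_SAMPLE" | clause_to_mutt "$1"; }
```

Used from muttrc as `source 'clause_to_mutt imap.example.net < ~/.fetchmailrc |'` style pipe, it keeps the same "credentials still in a file" caveat noted below.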


Re: providing imap_pass but not from ~/.muttrc

2019-06-13 Thread Larry Rosenman

On 06/13/2019 2:19 pm, Ben Boeckel wrote:

> On Thu, Jun 13, 2019 at 20:56:33 +0200, Matthias Apitz wrote:
>> I often use SSH to connect to my rented VM space of my ISP (which gets
>> me to a Linux server) and I do use mutt from there to check my mails
>> or even to answer, esp. when I do not have my FreeBSD netbook with
>> full Internet and all mails up.
>>
>> I do not want to set 'imap_pass=...' and such values in the ~/.muttrc
>> on this VM. Is there any other way to provide such credentials without
>> to key them in on start of mutt, for example based on an environment
>> variable which I could route to the VM through the SSH session like:
>>
>> $ ssh -At www.unixarea.de imap_pass=abc bash --login
>> Thu Jun 13 20:44:51 CEST 2019
>> ...
>> sh4-5:~$ env | grep imap
>> imap_pass=abc
>
> I don't think there's any mechanism in mutt. You might be able to have
> `mutt -F <(genmuttrc)` dump it out. It may also be worth just doing
> `set imap_pass=...` inside mutt once it has started.
>
> However, what's your threat model that having it in the file is not OK
> but the environment is OK? `/proc/foo/environ` is just as readable on
> Linux as muttrc is likely to be.
>
> How are you getting your sendmail password over in order to send email?
> Or is it trusted because it's coming from the ISP's VM?
>
> --Ben



I do the following trick:

source "gpg -q --textmode -d ~/.neomutt/passwords.gpg  |"

where the passwords.gpg file sets my_ vars for all my
passwords.

Just an idea.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106


Re: providing imap_pass but not from ~/.muttrc

2019-06-13 Thread Ben Boeckel

On Thu, Jun 13, 2019 at 20:56:33 +0200, Matthias Apitz wrote:
> I often use SSH to connect to my rented VM space of my ISP (which gets me to a
> Linux server) and I do use mutt from there to check my mails or even to
> answer, esp. when I do not have my FreeBSD netbook with full Internet and all
> mails up.
> 
> I do not want to set 'imap_pass=...' and such values in the ~/.muttrc on
> this VM. Is there any other way to provide such credentials without to
> key them in on start of mutt, for example based on an environment
> variable which I could route to the VM through the SSH session like:
> 
> $ ssh -At www.unixarea.de imap_pass=abc bash --login
> Thu Jun 13 20:44:51 CEST 2019
> ...
> sh4-5:~$ env | grep imap
> imap_pass=abc

I don't think there's any mechanism in mutt. You might be able to have
`mutt -F <(genmuttrc)` dump it out. It may also be worth just doing `set
imap_pass=...` inside mutt once it has started.

However, what's your threat model that having it in the file is not OK
but the environment is OK? `/proc/foo/environ` is just as readable on
Linux as muttrc is likely to be.

How are you getting your sendmail password over in order to send email?
Or is it trusted because it's coming from the ISP's VM?

--Ben


providing imap_pass but not from ~/.muttrc

2019-06-13 Thread Matthias Apitz

I often use SSH to connect to my rented VM space of my ISP (which gets me to a
Linux server) and I do use mutt from there to check my mails or even to
answer, esp. when I do not have my FreeBSD netbook with full Internet and all
mails up.

I do not want to set 'imap_pass=...' and such values in the ~/.muttrc on
this VM. Is there any other way to provide such credentials without to
key them in on start of mutt, for example based on an environment
variable which I could route to the VM through the SSH session like:

$ ssh -At www.unixarea.de imap_pass=abc bash --login
Thu Jun 13 20:44:51 CEST 2019
...
sh4-5:~$ env | grep imap
imap_pass=abc

Any other ideas? The SSH access is RSA based, i.e. without any password,
and the private key comes from my OpenPGP card. Best solution would be to
use this key as well for the IMAP authentication somehow.

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
May, 9: Спаси́бо освободители! Thank you very much, Russian liberators!
