Hello, A week or two ago there was a thread about how to secure one's .muttrc file if it has passwords sitting there in plaintext. A bit of tooling around has resulted in the following tip for those mutters working on OSX.
The goal is not to encrypt the .muttrc, but rather to cleanse it of vulnerable info. So we want to remove passwords from the muttrc file, but still not have to enter them in mutt when prompted. The solution is to let the OSX Keychain hold on to the passwords securely and give them to mutt when needed. The problem is how to make mutt interact with Keychain Access.app.

The solution is to (1) make sure Keychain Access.app ("KA") has your password, (2) invoke a middleman that's already on your computer, and (3) create another one that isn't.

The already-there middleman is a cli utility called "security" that's part of OSX. security will ask KA for the relevant password and give it to mutt. Once mutt has the password(s) it will keep them until you quit mutt.

The middleman you have to create is simply there to let mutt ask security to ask KA for the password. This middleman is a shell script, which I called "vomit.sh". The script tells security to grab some info from KA, but KA gives security more than just the password. Hence there's a ruby command to pluck the password out from the rest. Here are the contents of vomit.sh:

    #!/bin/bash
    security 2>&1 >/dev/null find-internet-password -ga username | tee | ruby -e 'print $1 if STDIN.gets =~ /^password: "(.*)"$/'

NOTE 0: Everything after the #! line should be one line (the original mail broke it with backslashes only to keep line lengths down; it is shown joined above). End note 0.

NOTE 1: I made this script using a tip from this webpage: http://blog.macromates.com/2006/keychain-access-from-shell/. You should look at it for yourself, especially if you're not sure how to make sure that KA has your password to begin with. I don't know anything about bash *or* ruby, so have at it. I think this would be better if we didn't have to rely on ruby. End note 1.

NOTE 2: I had to modify it a bit (note the tee in between the username and the ruby; without the tee I could not get security to properly pass the string it retrieved from KA to ruby). End note 2.
You can test the script by simply running it in the terminal and observing your password spit back out. Once this is working properly, you can put in your .muttrc:

    set imap_pass = `~/vomit.sh`    # (or wherever you want to put vomit.sh)

Note the backticks rather than apostrophes. This also worked for me for smtp_pass, so I assume it will work with POP, etc.

NOTE 3: I tried for a while to get the command housed in vomit.sh to work properly when placed directly into my .muttrc between the backticks. I couldn't get it to work, so I resorted to the script. I'd bet I just don't know how to properly escape special characters. If someone knows, great. End note 3.

I'm no expert, so if someone spies a hole here, let the list know. The 2>&1 >/dev/null part of the script, taken from the web page, is supposed to make it so the string from KA is not just left hanging around, if I understand correctly.

This setup does *not* mean you won't have to type any passwords at all when using mutt. It only means you won't have to type any of your *email* passwords. You will be prompted (by OSX) for your *keychain* pw when you hit "mutt", unless of course you have your keychain pw the same as your OSX login pw *and* have it set to autounlock. (But presumably if you're worried about plaintext pw's sitting out there in .muttrc for all to see, you won't have such lax keychain preferences.)

-gmn
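As an added example (not the poster's vomit.sh), here is the same keychain lookup done without ruby: the `password: "..."` line that `security -g` writes to stderr is parsed with sed, and the script exits non-zero instead of handing mutt an empty string when the item is missing or the keychain stays locked. The script path, account and server names are assumed.

```shell
#!/bin/sh
# Added example, not the original poster's vomit.sh.
# Usage from .muttrc (assumed path):
#   set imap_pass = `~/bin/mutt-keychain.sh user@example.com imap.example.com`

# Pull the secret out of the text that `security find-internet-password -g`
# writes to stderr, which contains a line of the form:   password: "the secret"
# Pure sed, so no ruby is needed. Returns 1 if no such line is present
# (item not found, access denied, unquoted output) so the caller can fail
# loudly instead of handing mutt an empty password.
extract_password() {
    pw=$(printf '%s\n' "$1" | sed -n 's/^password: "\(.*\)"$/\1/p' | head -n 1)
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Ask the keychain for the password of account $1 on server $2.
# `2>&1 >/dev/null` sends stderr (where -g prints the password) into the
# captured output and discards stdout (the item's other attributes), so only
# the password line reaches extract_password. A missing item, or a locked
# keychain the user refuses to unlock, makes security exit non-zero; that
# status is propagated so mutt falls back to prompting.
keychain_password() {
    out=$(security find-internet-password -g -a "$1" -s "$2" 2>&1 >/dev/null) \
        || return 1
    extract_password "$out"
}

# Only query the keychain when invoked with account and server arguments.
if [ "$#" -eq 2 ]; then
    keychain_password "$1" "$2" || exit 1
fi
```

Newer versions of security also accept -w, which prints only the password to stdout and removes the need to parse at all.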