11

I tried using attic with a passphrase to backup my files from inside M-x shell. The shell exposed the passphrase as plain text in the buffer and made it available by typing M-r as well as by looking through the shell input history with C-c C-l.

When I closed the shell and re-opened the input history, I saw that at least it disappeared. Presumably, because the shell reads it's initial history from .bash_history and at least bash had the good sense not to write my passphrase there.

Do I really need to leave emacs to perform my attic backups, or is there a way I can configure it not to be careless?

I was able to reproduce the issue with a fresh emacs -Q session. I was confused before because Emacs correctly hides the passphrase in all cases except when I call 

 attic create --stats /path/to/backup::name ~/folders ~/backed ~/up

Then attic prompts as:

Enter passphrase for /path/to/backup::name:

The issue can be reproduced with this Python one-liner:

python -c 'import getpass; getpass.getpass("Hello")'

If the password prompt string is "Password:" then Emacs sees a password prompt, but not if the string is anything else.

How can I make Emacs recognize at least attic's password prompts?

Gilles 'SO- stop being evil'
  • 21,702
  • 4
  • 53
  • 89
wdkrnls
  • 3,657
  • 2
  • 27
  • 46

1 Answers1

16

In Shell mode, Emacs detects password prompts based on the prompt. If it sees Password: (or Enter new password:, or Passwort:, or Wachtwoord: or a number of variations), it assumes that you're prompted to enter a password and reads a string from the minibuffer (repeating the prompt); this string is not echoed and is not entered in any history list.

If Emacs doesn't recognize a prompt, you can achieve the same effect by calling M-x send-invisible (not bound to any key by default).

You can teach Emacs to recognize the password prompts you do see by customizing comint-password-prompt-regexp. Note that this regexp is searched on the current line, so it should start with ^ if you want to match text at the left margin, and it should end with \' if you don't want to allow arbitrary text afterwards.

To add another prompt format, add \|^…\' at the end of the existing regexp. For example, you could add this to your init file (remember to double backslashes between double quotes):

(setq comint-password-prompt-regexp
      (concat comint-password-prompt-regexp
              "\\|^Enter passphrase for .*:\\s *\\'"))
Gilles 'SO- stop being evil'
  • 21,702
  • 4
  • 53
  • 89