APT configuration files like sources.list(5) or apt.conf(5) need to be accessible for everyone using apt tools on the system to have access to all package-related information like the available packages in a repository. Login information needed to connect to a proxy or to download data from a repository on the other hand shouldn't always be accessible by everyone and can hence not be placed in a file with world-readable file permissions.
The APT auth.conf file /etc/apt/auth.conf, and .conf files inside /etc/apt/auth.conf.d can be used to store login information in a netrc-like format with restrictive file permissions.
The format defined here is similar to the format of the ~/.netrc file used by ftp(1) and similar programs interacting with servers. It is a simple token-based format with the following tokens being recognized; Unknown tokens will be ignored. Tokens may be separated by spaces, tabs or newlines.
machine [protocol://]hostname[:port][/path]
If protocol is not specified, the entry only matches https and tor+https.
login name
password string
Supplying login information for a user named apt with the password debian for the sources.list(5) entry
deb https://example.org/debian bullseye main
could be done in the entry directly:
deb https://apt:debian@example.org/debian bullseye main
Alternatively an entry like the following in the auth.conf file could be used:
machine example.org login apt password debian
Or alternatively within a single line:
machine example.org login apt password debian
If you need to be more specific all of these lines will also apply to the example entry:
machine example.org/deb login apt password debian machine example.org/debian login apt password debian machine example.org/debian/ login apt password debian
On the other hand neither of the following lines apply:
machine example.org:443 login apt password debian machine example.org/deb/ login apt password debian machine example.org/ubuntu login apt password debian machine example.orga login apt password debian machine example.net login apt password debian
Basic support for this feature is present since version 0.7.25, but was undocumented for years. The documentation was added in version 1.5 changing also the implementation slightly. For maximum backward compatibility you should avoid multiple machine tokens with the same hostname, but if you need multiple they should all have a path specified in the machine token.
Login information in auth.conf are more flexible than those in sources.list. For example, login information can be specified for parts of a repository only, or if the sources.list entry redirects elsewhere, login information for the redirect destination can be supplied.
/etc/apt/auth.conf
/etc/apt/auth.conf.d/*.conf
apt.conf(5) sources.list(5)
m[blue]APT bug pagem[][1]. If you wish to report a bug in APT, please see /usr/share/doc/debian/bug-reporting.txt or the reportbug(1) command.
APT team