Hi, thanks for your fast response!
Yes, the attached patch definitely fixes things for me. I've copied the definition of `auth-info-password` into my init.el for now. I'm also surprised to see that no additional `ethan@black-diamond` entry was created in GNOME Secrets.
I see that the `auth-source` docstring for `auth-source-search` says "The token's :secret key can hold a function. In that case you must call it to obtain the actual value." I guess it doesn't say you need to call it only once but that's how I interpreted it. I understand the first level of function comes from the lambda in `auth-source-secrets-search`; where does the second one come from?
Out of curiosity, how does fixing this fix the larger issue? I see that the successful tramp connection says `root@black-diamond`. Is there some kind of fallback behavior in either tramp or `auth-source` that tries `root@` after trying `ethan@`? I guess based on your use of the term "cascaded" that maybe `auth-source` knows it doesn't need to create a new entry because it found a different one, but I'm still surprised about it. I forgot to mention this in my original email last night, but when I tried doing `(auth-source-search :user "any-user-name" :host "black-diamond" :require '(:secret :user) :create t)`, I would get a "match", always with my same password visible in the response. I see that `auth-source-secrets-create` redoes the query using `host` and `port` but without `user` or any other parameters.. this seems a little strange? For sudo, I think using the user password "as" the root password makes sense, but if I had multiple accounts on a single host I would be surprised for their passwords to get mixed up.
Ethan