<div dir="auto">Also does not seem dictated in docs nor comments.<div dir="auto"><br></div><div dir="auto">De-facto it is a string pointer, in some code constrained by a SMALLBUF sized character array, where SMALLBUF is a macro currently defined to 512.</div><div dir="auto"><br></div><div dir="auto">Looking on a larger scale, it seems the server-client code currently passes it in the open (safety subject to ssl tunnel) and compares as strings.</div><div dir="auto"><br></div><div dir="auto">A valid future improvement (in code and protocol) could be to support transferring (and storing in config?) hashed values, one-time salt exchange, etc. similar to how a modern `passwd` does it. Just needs someone to design, implement and thoroughly test it (in our many clients, libs, bindings...) and keeping in mind that if we keep a degree of backwards compatibility (would be good) without a toggle in clients and servers for only-safe auth exchange (would be folly), then a rogue server claiming to be an old NUT would easily collect plaintext servers by the legacy-compatible code.</div><div dir="auto"><br></div><div dir="auto">Not sure if the I-D should consider this from the start, even if we have no design or PoC for practical implementation (I mean, this wheel was invented many times so inspirations can be found, but at least myself won't commit to that in a short-mid term).</div><div dir="auto"><br></div><div dir="auto"> If someone well-versed can propose the usable protocol side for safe(r) password exchange with a way to reject plaintext auth eventually (new keyword instead of current PASSWORD sounds like a viable approach to have one or the other or both implemented or returning an ERR if not supported), that would be great. 
Current NUT would work in fallback auth protocol mode then, until the future dawns on it and we actually implement the new protocol :)</div><div dir="auto"><br></div><div dir="auto">Jim</div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 6, 2022, 09:39 Roger Price &lt;<a href="mailto:roger@rogerprice.org">roger@rogerprice.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Is there a maximum length for a password in NUT? Should I specify 15 or 31 <br>
characters in the grammar?<br>
<br>
The IETF are wedded to US ASCII, where character = byte, so I will ignore the <br>
question of multibyte characters.<br>
<br>
Roger<br>
<br>
</blockquote></div>
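<div>The downgrade concern raised in the reply above, sketched as a client-side decision: this is an added example, not NUT code, and it is not part of either message. The policy toggle, the enum names, the idea of probing with a new keyword, and the "OK"/"ERR" reply handling are assumptions made for illustration; only SMALLBUF (512), PASSWORD and ERR come from the thread.</div>

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMALLBUF 512 /* buffer size quoted in the message above */

/* Hypothetical client-side toggle; not an existing NUT option. */
enum auth_policy { AUTH_ALLOW_LEGACY, AUTH_REQUIRE_SAFE };

enum auth_action {
    ACT_SEND_SAFE,      /* continue with the new, non-plaintext exchange */
    ACT_SEND_PLAINTEXT, /* fall back to the current PASSWORD command */
    ACT_ABORT           /* disconnect without ever sending the secret */
};

/* True if s plus its NUL terminator fits in a SMALLBUF-sized array. */
static int fits_smallbuf(const char *s)
{
    size_t i;
    for (i = 0; i < SMALLBUF; i++)
        if (s[i] == '\0')
            return 1;
    return 0;
}

/* Decide the next step from the server's first reply line to the client's
 * probe for the new keyword. Assumption: "OK" means supported and a line
 * starting with "ERR" means the server is (or claims to be) legacy. */
enum auth_action choose_auth(enum auth_policy policy, const char *reply,
                             const char *password)
{
    if (reply == NULL || password == NULL || !fits_smallbuf(password))
        return ACT_ABORT;
    if (strcmp(reply, "OK") == 0)
        return ACT_SEND_SAFE;
    if (strncmp(reply, "ERR", 3) == 0 && (reply[3] == ' ' || reply[3] == '\0'))
        return policy == AUTH_REQUIRE_SAFE ? ACT_ABORT : ACT_SEND_PLAINTEXT;
    return ACT_ABORT; /* unexpected reply: fail closed */
}

int main(void)
{
    /* Constructed reply from a server that rejects the new keyword. */
    const char *legacy = "ERR UNKNOWN-COMMAND";
    printf("strict client: %d\n", choose_auth(AUTH_REQUIRE_SAFE, legacy, "s3cret"));
    printf("legacy client: %d\n", choose_auth(AUTH_ALLOW_LEGACY, legacy, "s3cret"));
    return 0;
}
```

<div>With the strict policy the client aborts when the server answers ERR, so a server that merely claims to be legacy never receives the plaintext password; only a client explicitly left in legacy mode falls back to PASSWORD.</div>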