[Nut-upsuser] Maximum length of password

Jim Klimov jimklimov+nut at gmail.com
Wed Apr 6 10:08:12 BST 2022


Also does not seem dictated in docs nor comments.

De-facto it is a string pointer, in some code constrained by a SMALLBUF
sized character array, where SMALLBUF is a macro currently defined to 512.

Looking on a larger scale, it seems the server-client code currently passes
it in the open (safety subject to ssl tunnel) and compares as strings.

A valid future improvement (in code and protocol) could be to support
transferring (and storing in config?) hashed values, one-time salt
exchange, etc. similar to how a modern `passwd` does it. Just needs someone
to design, implement and thoroughly test it (in our many clients, libs,
bindings...) and keeping in mind that if we keep a degree of backwards
compatibility (would be good) without a toggle in clients and servers for
only-safe auth exchange (would be folly), then a rogue server claiming to
be an old NUT would easily collect plaintext servers by the
legacy-compatible code.

Not sure if the I-D should consider this from the start, even if we have no
design or PoC for practical implementation (I mean, this wheel was invented
many times so inspirations can be found, but at least myself won't commit
to that in a short-mid term).

If someone well-versed can propose the usable protocol side for safe(r)
password exchange with a way to reject plaintext auth eventually (new
keyword instead of current PASSWORD sounds like a viable approach to have
one or the other or both implemented or returning an ERR if not supported),
that would be great. Current NUT would work in fallback auth protocol mode
then, until the future dawns on it and we actually implement the new
protocol :)

Jim


On Wed, Apr 6, 2022, 09:39 Roger Price <roger at rogerprice.org> wrote:

> Is there a maximum length for a password in NUT?  Should I specify 15 or
> 31 characters in the grammar?
>
> The IETF are wedded to US ASCII, where character = byte, so I will ignore
> the question of multibyte characters.
>
> Roger