Is there a maximum length for a password in NUT? Should I specify 15 or 31
characters in the grammar?

The IETF are wedded to US ASCII, where character = byte, so I will ignore the
question of multibyte characters.

Roger
Also does not seem dictated in docs nor comments. De-facto it is a string
pointer, in some code constrained by a SMALLBUF sized character array, where
SMALLBUF is a macro currently defined to 512.

Looking on a larger scale, it seems the server-client code currently passes it
in the open (safety subject to ssl tunnel) and compares as strings. A valid
future improvement (in code and protocol) could be to support transferring (and
storing in config?) hashed values, one-time salt exchange, etc. similar to how
a modern `passwd` does it.

Just needs someone to design, implement and thoroughly test it (in our many
clients, libs, bindings...) and keeping in mind that if we keep a degree of
backwards compatibility (would be good) without a toggle in clients and servers
for only-safe auth exchange (would be folly), then a rogue server claiming to
be an old NUT would easily collect plaintext servers by the legacy-compatible
code.

Not sure if the I-D should consider this from the start, even if we have no
design or PoC for practical implementation (I mean, this wheel was invented
many times so inspirations can be found, but at least myself won't commit to
that in a short-to-mid term).

If someone well-versed can propose the usable protocol side for safe(r)
password exchange with a way to reject plaintext auth eventually (new keyword
instead of current PASSWORD sounds like a viable approach to have one or the
other or both implemented or returning an ERR if not supported), that would be
great.

Current NUT would work in fallback auth protocol mode then, until the future
dawns on it and we actually implement the new protocol :)

Jim

On Wed, Apr 6, 2022, 09:39 Roger Price <roger at rogerprice.org> wrote:

> Is there a maximum length for a password in NUT? Should I specify 15 or
> 31 characters in the grammar?
>
> The IETF are wedded to US ASCII, where character = byte, so I will ignore
> the question of multibyte characters.
>
> Roger
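An added illustration of the "toggle in clients" point in Jim's message above; it is not NUT code and not NUT's protocol. It shows why a client that silently falls back to the legacy PASSWORD exchange whenever a server claims not to know a safer method hands its password to any rogue server posing as an old NUT, and how a client-side switch that refuses that fallback keeps the password off the wire. The keywords GETNONCE and AUTHPROOF, the nonce-plus-HMAC exchange, the toy server classes and the reply strings are assumptions made for this example; only PASSWORD is an existing keyword.

```python
"""Client-side guard against plaintext-authentication downgrade (added
example; GETNONCE, AUTHPROOF, the HMAC proof and the reply strings are
assumptions for the illustration, not NUT's protocol)."""
import hashlib
import hmac
import secrets


class LegacyServer:
    """Models a server that only knows the plaintext PASSWORD exchange.
    A rogue server pretending to be an old NUT behaves exactly like this."""

    def __init__(self):
        self.seen_plaintext = []   # what a rogue server would have harvested

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "PASSWORD":
            self.seen_plaintext.append(arg)
            return "OK"
        return "ERR UNKNOWN-COMMAND"   # assumed reply for an unknown keyword


class ProofServer(LegacyServer):
    """Models a server that also accepts the hypothetical challenge-response."""

    def __init__(self, password):
        super().__init__()
        self.password = password
        self.nonce = None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        if verb == "GETNONCE":                      # hypothetical keyword
            self.nonce = secrets.token_hex(16)       # one-time salt
            return "NONCE " + self.nonce
        if verb == "AUTHPROOF" and self.nonce is not None:   # hypothetical
            expected = compute_proof(self.password, self.nonce)
            ok = hmac.compare_digest(expected, arg)   # constant-time compare
            self.nonce = None                         # nonce is single-use
            return "OK" if ok else "ERR ACCESS-DENIED"
        return super().handle(line)


def compute_proof(password, nonce):
    """HMAC-SHA256 of the server nonce keyed with the password: proves
    knowledge of the password without transmitting it."""
    return hmac.new(password.encode("utf-8"), nonce.encode("ascii"),
                    hashlib.sha256).hexdigest()


def authenticate(server, password, allow_plaintext_fallback):
    """Return the method that succeeded ("proof" or "plaintext"), or None.

    With allow_plaintext_fallback=False the password never leaves the
    client in the clear, so a legacy-only (or rogue) server learns nothing.
    """
    reply = server.handle("GETNONCE")
    if reply.startswith("NONCE "):
        nonce = reply.split(" ", 1)[1]
        if server.handle("AUTHPROOF " + compute_proof(password, nonce)) == "OK":
            return "proof"
        return None   # server knows proofs but rejected us: never downgrade
    if not allow_plaintext_fallback:
        return None   # safe-only mode: refuse rather than leak
    if server.handle("PASSWORD " + password) == "OK":
        return "plaintext"
    return None


if __name__ == "__main__":
    rogue = LegacyServer()
    print(authenticate(rogue, "hunter2", allow_plaintext_fallback=True),
          rogue.seen_plaintext)     # plaintext ['hunter2']  (harvested)
    rogue = LegacyServer()
    print(authenticate(rogue, "hunter2", allow_plaintext_fallback=False),
          rogue.seen_plaintext)     # None []  (nothing leaked)
```

The two runs at the bottom are the whole argument: with the fallback toggle on, the rogue server's `seen_plaintext` list fills up; with it off, authentication fails but the list stays empty. A deployment that turns the toggle off only once every server it talks to supports the safer keyword keeps the backwards compatibility Jim wants without leaving the downgrade open forever.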
On Wed, 6 Apr 2022, Jim Klimov wrote:

> Also does not seem dictated in docs nor comments. De-facto it is a string
> pointer, in some code constrained by a SMALLBUF sized character array, where
> SMALLBUF is a macro currently defined to 512.

I decided to fix arbitrary limits in the grammar based on the principle "Be
strict in what you send, and generous in what you accept".

UPS name maximum characters : 15
User name maximum characters : 15
Password maximum characters : 31
SET VAR <upsname> <varname> "<value>", <value> maximum characters : 63

Since the IETF's ABNF grammar rules are US-ASCII based, I added the note:

Implementation note: The ABNF is written using the provisions of [RFC5234]
[RFC7405] which are US-ASCII based. Implementors should be aware that NUT
itself is Unicode based and that where the grammar specifies

   ALPHA = %x41-5A / %x61-7A ; A-Z / a-z

an implementation should expect letters outside the range specified by ALPHA.
For example a USERNAME value may contain accented letters.

Comments, as always, are welcome.

Roger
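As an added example (not NUT's code and not from this thread), here is a small checker for the four limits Roger lists, written to make the implementation note concrete: the limits are counted in characters (code points, what the user typed), while the SMALLBUF = 512 buffer Jim mentions is a byte limit on the encoded line. A 31-character accented password is within the grammar yet is 62 bytes in UTF-8, which a "character = byte" implementation would wrongly reject. The tokenizer, its quoting/escaping rule, the function names and the sample lines are constructed for this illustration and are not NUT's documented parsing rules.

```python
"""Checker for the proposed grammar limits, counting characters not bytes
(added example; only the four limits and SMALLBUF come from the thread,
everything else is constructed for the illustration)."""
import re

MAX_UPSNAME = 15
MAX_USERNAME = 15
MAX_PASSWORD = 31
MAX_SETVAR_VALUE = 63
SMALLBUF = 512          # size of the fixed C buffer mentioned in the thread

# One protocol line = bare words, or a double-quoted value in which a
# backslash escapes the next character (assumed quoting rule, not NUT's).
_TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')


def tokenize(line):
    """Split a command line into tokens, unescaping quoted values."""
    tokens = []
    for quoted, bare in _TOKEN.findall(line):
        tokens.append(bare if bare else re.sub(r'\\(.)', r'\1', quoted))
    return tokens


def char_and_byte_length(value, encoding="utf-8"):
    """Return (characters, bytes): the two lengths diverge once Unicode is in."""
    return len(value), len(value.encode(encoding))


def _check_len(problems, what, value, limit):
    if len(value) > limit:
        problems.append(f"{what} has {len(value)} characters; maximum is {limit}")


def check_line(line, encoding="utf-8"):
    """Return a list of problems; an empty list means the line is acceptable.

    Character limits apply to code points; the SMALLBUF limit applies to the
    encoded bytes a C server would store, plus one for the terminating NUL.
    """
    problems = []
    encoded = len(line.encode(encoding))
    if encoded + 1 > SMALLBUF:
        problems.append(f"line is {encoded} bytes; does not fit SMALLBUF ({SMALLBUF})")

    tokens = tokenize(line)
    if not tokens:
        problems.append("empty line")
    elif tokens[0] == "USERNAME" and len(tokens) == 2:
        _check_len(problems, "username", tokens[1], MAX_USERNAME)
    elif tokens[0] == "PASSWORD" and len(tokens) == 2:
        _check_len(problems, "password", tokens[1], MAX_PASSWORD)
    elif tokens[:2] == ["SET", "VAR"] and len(tokens) == 5:
        _check_len(problems, "UPS name", tokens[2], MAX_UPSNAME)
        _check_len(problems, "SET VAR value", tokens[4], MAX_SETVAR_VALUE)
    else:
        problems.append(f"unrecognised or malformed command: {tokens[0]}")
    return problems


if __name__ == "__main__":
    # Constructed sample lines. The second one is a 31-character accented
    # password that is 62 bytes long: inside the character limit, although a
    # 'byte == character' implementation would reject it.
    for sample in ["USERNAME monitor",
                   "PASSWORD " + "\u00e4" * 31,
                   'SET VAR myups ups.test "hello world"',
                   "PASSWORD " + "p" * 32]:
        print(repr(sample[:40]), check_line(sample))
```

The "generous in what you accept" half of the principle is the SMALLBUF check: a receiver with a fixed buffer has a hard byte ceiling regardless of what the grammar says in characters, so a checker has to apply both kinds of limit, and to the right unit in each case.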
On Wednesday, 6 April 2022 03:39:19 EDT Roger Price wrote:

> Is there a maximum length for a password in NUT? Should I specify 15
> or 31 characters in the grammar?
>
> The IETF are wedded to US ASCII, where character = byte, so I will
> ignore the question of multibyte characters.
>
> Roger

Coming from a user with an oar about the size of a toothpick, I would be far
more concerned with the minimum size; make 'em work to find it if it's a
worthwhile target. Some random 3 or 4 word combo will be at least 15 chars, so
that's the minimum, and 31 chars max will take, it's been said, till the
universe runs down. Advances in computer tech might cut that to 10 years in
another 20 years' time though.

Hard and fast rules s/b in the eye of the beerholder so they should be
optional. 40 chars would be ok for the ups backing up the control circuitry of
a nuclear power plant, or one of the generating stations just west of
Farmington NM. Either of those maliciously shut down would put 20 million in
the dark. OTOH, mine isn't a big enough target to make it worthwhile so I don't
think mine even needs a separate passwd. The guy in charge, with sudo rights,
should be able to set that, or not, at install time.

Take care and stay well everybody.

Cheers, Gene Heskett.
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis