Nut upsuser - Jan 2023 - nut-monitor: Set password on [cyberpower@localhost] failed - got [ERR INVALID-ARGUMENT]

> Ah, dropping the ""s seems to have resolved it.
Interesting, which of the two places got it wrong? Sounds like a bug... I
think parser should ignore quotes (not take them as content - just treat
the insides as one token) unless escaped, in both config file contexts.

Gotta revise if NIT checks for that, it has several password combos in the
test suite, but maybe not one that (mis?)fired here... PRs welcome if you
beat me to it - holidays and all ;)

Jim

On Thu, Dec 29, 2022, 17:05 Orion Poplawski <orion at nwra.com> wrote:
> -rw-r-----. 1 root nut  2364 Feb  4  2022 upsd.users
> -rw-r-----. 1 root nut 20020 Dec 29 07:57 upsmon.conf
>
> upsd.users:
> [monmaster]
>      password = "PASSWORD"
>      upsmon primary
>
> upsmon.conf:
> MONITOR cyberpower at localhost 1 monmaster "PASSWORD" primary
>
> The passwords match.  This all worked previously with 2.7.3.  I've
> changed master -> primary as well but that didn't seem to make a
> difference.
>
> Ah, dropping the ""s seems to have resolved it.
>
>
> On 12/28/22 23:55, Jim Klimov wrote:
> > OTOH, is the `upsd.users` file set up right?
> >
> > * permissions for only nut OS account to read it
> > * upsmon primary/secondary role specified for that nut user section
> > * no typos in password :)
> >
> > Jim
> >
> >
> > On Thu, Dec 29, 2022, 01:04 Orion Poplawski via Nut-upsuser
> > <nut-upsuser at alioth-lists.debian.net
> > <mailto:nut-upsuser at alioth-lists.debian.net>> wrote:
> >
> >     With nut 2.8.0 I seem to be getting the following messages:
> >
> >     Dec 28 15:37:49  upsd[192157]: [D2] mainloop: polling 4
> filedescriptors
> >     Dec 28 15:37:49  upsd[192157]: [D6] Entering check_command:
STARTTLS
> >     Dec 28 15:37:49  upsd[192157]: [D6] check_command: Calling command
> >     handler for STARTTLS
> >     Dec 28 15:37:49  upsd[192157]: [D2] write: [destfd=9] [len=12] [OK
> >     STARTTLS]
> >     Dec 28 15:37:49  upsd[192157]: [D3] SSL connected (TLSv1.2)
> >     Dec 28 15:37:49  nut-monitor[194125]: Connected to NUT server
> localhost
> >     in SSL
> >     Dec 28 15:37:49  nut-monitor[194125]: Certificate verification is
> >     disabled
> >     Dec 28 15:37:49  nut-monitor[194125]: 0.014249        Set password
on
> >     [cyberpower at localhost] failed - got [ERR INVALID-ARGUMENT]
> >     Dec 28 15:37:49  nut-monitor[194125]: 0.014268        [D3] Current
> >     power
> >     value: 1
> >     Dec 28 15:37:49  nut-monitor[194125]: 0.014280        [D3] Minimum
> >     power
> >     value: 1
> >     Dec 28 15:37:49  nut-server[192157]: 395.800300        [D3] SSL
> >     connected (TLSv1.2)
> >     Dec 28 15:37:49  nut-server[192157]: 395.800339        [D2]
mainloop:
> >     polling 4 filedescriptors
> >     Dec 28 15:37:49  nut-server[192157]: 395.800547        [D6]
Entering
> >     check_command: USERNAME
> >     Dec 28 15:37:49  nut-server[192157]: 395.800570        [D6]
> >     check_command: Calling command handler for USERNAME
> >     Dec 28 15:37:49  nut-server[192157]: 395.800616        [D5]
> >     ssl_write ret=3
> >     Dec 28 15:37:49  nut-server[192157]: 395.800638        [D2] write:
> >     [destfd=9] [len=3] [OK]
> >     Dec 28 15:37:49  nut-server[192157]: 395.800657        [D2]
mainloop:
> >     polling 4 filedescriptors
> >     Dec 28 15:37:49  nut-server[192157]: 395.800696        [D6]
Entering
> >     check_command: PASSWORD
> >     Dec 28 15:37:49  nut-server[192157]: 395.800716        [D6]
> >     check_command: Calling command handler for PASSWORD
> >     Dec 28 15:37:49  nut-server[192157]: 395.800751        [D4]
Sending
> >     error [INVALID-ARGUMENT] to client 127.0.0.1
> >     Dec 28 15:37:49  nut-server[192157]: 395.800794        [D5]
> >     ssl_write ret=21
> >     Dec 28 15:37:49  nut-server[192157]: 395.800814        [D2] write:
> >     [destfd=9] [len=21] [ERR INVALID-ARGUMENT]
> >     Dec 28 15:37:49  nut-server[192157]: 395.800834        [D2]
mainloop:
> >     polling 4 filedescriptors
> >     Dec 28 15:37:49  upsd[192157]: [D2] mainloop: polling 4
> filedescriptors
> >     Dec 28 15:37:49  upsd[192157]: [D6] Entering check_command:
USERNAME
> >     Dec 28 15:37:49  upsd[192157]: [D6] check_command: Calling command
> >     handler for USERNAME
> >     Dec 28 15:37:49  upsd[192157]: [D5] ssl_write ret=3
> >     Dec 28 15:37:49  upsd[192157]: [D2] write: [destfd=9] [len=3] [OK]
> >     Dec 28 15:37:49  upsd[192157]: [D2] mainloop: polling 4
> filedescriptors
> >     Dec 28 15:37:49  upsd[192157]: [D6] Entering check_command:
PASSWORD
> >     Dec 28 15:37:49  upsd[192157]: [D6] check_command: Calling command
> >     handler for PASSWORD
> >     Dec 28 15:37:49  upsd[192157]: [D4] Sending error
[INVALID-ARGUMENT]
> to
> >     client 127.0.0.1
> >     Dec 28 15:37:49  upsd[192157]: [D5] ssl_write ret=21
> >     Dec 28 15:37:49  upsd[192157]: [D2] write: [destfd=9] [len=21]
[ERR
> >     INVALID-ARGUMENT]
> >     Dec 28 15:37:49  upsd[192157]: [D2] mainloop: polling 4
> filedescriptors
> >
> >
> >
> >     Do you know what is triggering this?
> >
> >     --
> >     Orion Poplawski
> >     he/him/his  - surely the least important thing about me
> >     IT Systems Manager                         720-772-5637
> >     NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> >     3380 Mitchell Lane orion at nwra.com <mailto:orion at
nwra.com>
> >     Boulder, CO 80301 https://www.nwra.com/
<https://www.nwra.com/>
> >     _______________________________________________
> >     Nut-upsuser mailing list
> >     Nut-upsuser at alioth-lists.debian.net
> >     <mailto:Nut-upsuser at alioth-lists.debian.net>
> >    
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/nut-upsuser
> >     <
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/nut-upsuser>
> >
>
> --
> Orion Poplawski
> he/him/his  - surely the least important thing about me
> IT Systems Manager                         720-772-5637
> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
> 3380 Mitchell Lane                       orion at nwra.com
> Boulder, CO 80301                 https://www.nwra.com/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://alioth-lists.debian.net/pipermail/nut-upsuser/attachments/20221229/35274381/attachment.htm>

On Thu, 29 Dec 2022, Jim Klimov via Nut-upsuser wrote:
> >?Ah, dropping the ""s seems to have resolved it.
> 
> I think parser should ignore quotes (not take them as content -
> just treat the insides as one token) unless escaped, in both config file
contexts.
Surely if the password is say "!@#"!@*&" then all 10
characters are part of the
password.  It is not for NUT to guess.   Roger

> Surely if the password is say "!@#"!@*&" then all 10
characters are part
of the password.  It is not for NUT to guess.

So I've run some experiments... and it seems to work as I OTOH-described
earlier.

In the new NIT tests, there are methods for `upsmon` configuration to be
created but it is not tested yet. Passwords for upsmon roles are used from
API clients however (Python, C++) and they succeed whether it is enclosed
in double-quotes or not in the `upsd.users` file.

In a live setup, identical password strings with or without doublequotes
worked for `upsmon.conf` and `upsd.conf`, also if only one is quoted.

Escaped doublequotes inside a password also worked, e.g. pass\"word or
"pass\"word"; however spaces (escaped or hidden in doublequotes)
did not
work since the NUT protocol did not allow for that extra token on assumed
request line => ERR INVALID-ARGUMENT.

Then it gets a bit complicated for "invalid" spellings:
* upsd.users may define a pass"word (one unescaped quote in the middle) but
upsmon.conf must have it properly quoted and escaped as
"pass\"word"
(otherwise it is a very long token I guess, and the MONITOR role is
defaulted as a secondary since the requested primary role is not parsed as
such).
* upsd.users may define a "pass"word" (three unescaped quotes)
but
effectively the token is cut at the second quote, rest being ignored for
this line - so upsmon.conf must use it as "pass".

Similar effects are in place for `upsd.users` entries without an upsmon
role - quotes around work, unescaped quotes in the middle like pass"word do
not, escaped quotes in the middle do work, spaces cause ERR
PASSWORD-REQUIRED.

So passwords with spaces may be a problem, but otherwise everything seems
correct and predictable ;)

Hope this helps,
Jim Klimov

On Thu, Dec 29, 2022 at 9:11 PM Roger Price <roger at rogerprice.org>
wrote:
> On Thu, 29 Dec 2022, Jim Klimov via Nut-upsuser wrote:
>
> > > Ah, dropping the ""s seems to have resolved it.
> >
> > I think parser should ignore quotes (not take them as content -
> > just treat the insides as one token) unless escaped, in both config
file
> contexts.
>
> Surely if the password is say "!@#"!@*&" then all 10
characters are part
> of the
> password.  It is not for NUT to guess.
>  Roger_______________________________________________
> Nut-upsuser mailing list
> Nut-upsuser at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/nut-upsuser
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://alioth-lists.debian.net/pipermail/nut-upsuser/attachments/20230102/42b0f94e/attachment.htm>