On Sun, 13 Dec 2020 14:47:26 -0700 "Theo de Raadt" <[email protected]> wrote:
> Jason McIntyre <[email protected]> wrote:
>
> > On Sun, Dec 13, 2020 at 05:58:08PM +0000, Brian Kelk wrote:
> > > Hi.
> > >
> > > The man page for passwd says that the length of a password must be
> > > less than a specified value. Less than or equal to would make more
> > > sense, surely?
> > >
> > > Brian Kelk
> > >
> >
> > hi.
> >
> > i'm kind of having to guess what exactly you are referring to. for
> > example, there are two passwd pages. a diff would have saved some
> > guesswork.
> >
> > anyway, i guess you are referring to this:
> >
> >     The new password should be at least six characters long and
> >     not purely alphabetic. Its total length must be less than
> >     _PASSWORD_LEN (currently 128 characters).
> >
> > are you suggesting that the current text is incorrect (i.e. a 128
> > character password is valid), or just that the phrasing is not to
> > your liking (and therefore that we should also adjust the documented
> > value to 127)?
>
> When it comes to strings, length implies characters, without NUL.
>
> 127+NUL < 128.
>
> The text is correct.
>

Then this comment is wrong.

include/pwd.h:#define _PASSWORD_LEN 128 /* max length, not counting NUL */

And this?

lib/libc/gen/readpassphrase.c: static char buf[_PASSWORD_LEN + 1];

And this?

lib/libc/crypt/bcrypt.c: char buf[_PASSWORD_LEN];
lib/libc/crypt/cryptutil.c: char dummy[_PASSWORD_LEN];

Yet again a simple grep raises more questions than it answers.
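
Added example, not part of the thread and not OpenBSD code: the two buffer declarations quoted above differ by one in the longest password they can hold, which the C below checks with a copy that refuses to truncate. `EX_PASSWORD_LEN`, `copy_password`, `make_password` and `fits` are hypothetical names; only the value 128 comes from the thread, and nothing here claims how the real library functions treat over-long input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for _PASSWORD_LEN, using the value 128 quoted in the thread. */
#define EX_PASSWORD_LEN 128

/*
 * Hypothetical helper: copy src into dst only if it fits with its NUL.
 * Returns 0 on success, -1 if it would be truncated; dst is then emptied
 * so a shortened password is never used by mistake.
 */
int copy_password(char *dst, size_t dstsize, const char *src)
{
	size_t len = strlen(src);

	if (dstsize == 0)
		return -1;
	if (len >= dstsize) {	/* no room left for the terminating NUL */
		dst[0] = '\0';
		return -1;
	}
	memcpy(dst, src, len + 1);
	return 0;
}

/* Constructed input: n 'a' characters, n <= EX_PASSWORD_LEN + 1. */
static void make_password(char *out, size_t n)
{
	memset(out, 'a', n);
	out[n] = '\0';
}

/* 1 if an n-character password fits char buf[EX_PASSWORD_LEN + extra]. */
int fits(size_t n, size_t extra)
{
	char pw[EX_PASSWORD_LEN + 2], buf[EX_PASSWORD_LEN + 1];

	make_password(pw, n);
	return copy_password(buf, EX_PASSWORD_LEN + extra, pw) == 0;
}

int main(void)
{
	printf("buf[LEN]:   127 -> %d, 128 -> %d\n", fits(127, 0), fits(128, 0));
	printf("buf[LEN+1]: 128 -> %d, 129 -> %d\n", fits(128, 1), fits(129, 1));
	return 0;
}
```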
