On Mon, 14 Dec 2020 10:41:41 +0100 Benjamin Baier <[email protected]> wrote:
> On Sun, 13 Dec 2020 14:47:26 -0700
> "Theo de Raadt" <[email protected]> wrote:
>
> > Jason McIntyre <[email protected]> wrote:
> >
> > > On Sun, Dec 13, 2020 at 05:58:08PM +0000, Brian Kelk wrote:
> > > > Hi.
> > > >
> > > > The man page for passwd says that the length of a password must be
> > > > less than a specified value. Less than or equal to would make more
> > > > sense, surely?
> > > >
> > > > Brian Kelk
> > > >
> > >
> > > hi.
> > >
> > > i'm kind of having to guess what exactly you are referring to. for
> > > example, there are two passwd pages. a diff would have saved some
> > > guesswork.
> > >
> > > anyway, i guess you are referring to this:
> > >
> > >     The new password should be at least six characters long and
> > >     not purely alphabetic. Its total length must be less than
> > >     _PASSWORD_LEN (currently 128 characters).
> > >
> > > are you suggesting that the current text is incorrect (i.e. a 128
> > > character password is valid), or just that the phrasing is not to
> > > your liking (and therefore that we should also adjust the documented
> > > value to 127)?
> >
> > When it comes to strings, length implies characters, without NUL.
> >
> > 127+NUL < 128.
> >
> > The text is correct.
> >
>
> Then this comment is wrong.
>
>     include/pwd.h:#define _PASSWORD_LEN 128 /* max length, not counting NUL */
>
> And this?
>
>     lib/libc/gen/readpassphrase.c: static char buf[_PASSWORD_LEN + 1];
>
> And this?
>
>     lib/libc/crypt/bcrypt.c: char buf[_PASSWORD_LEN];
>     lib/libc/crypt/cryptutil.c: char dummy[_PASSWORD_LEN];
>
> Yet again a simple grep raises more questions than it answers.
>

To quote tedu from src/usr.bin/passwd/local_passwd.c Revision 1.52:

    _PASSWORD_LEN is length that comes out of crypt(), not a meaningful
    length for user entered passwords. And the +1 is just superstitious
    nonsense inherited from getpass() guts. Switch to a pleasing fixed
    size of 1024.

So passwd(1) does support 1023+NUL long passwords...
Index: passwd.1 =================================================================== RCS file: /var/cvs/src/usr.bin/passwd/passwd.1,v retrieving revision 1.46 diff -u -p -r1.46 passwd.1 --- passwd.1 23 Apr 2019 17:52:12 -0000 1.46 +++ passwd.1 14 Dec 2020 12:21:08 -0000 @@ -51,9 +51,6 @@ The new password must be entered twice t .Pp The new password should be at least six characters long and not purely alphabetic. -Its total length must be less than -.Dv _PASSWORD_LEN -(currently 128 characters). A mixture of both lower and uppercase letters, numbers, and meta-characters is encouraged. .Pp
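Review bot: deleting the three lines in the hunk at passwd.1 line 51 leaves the page saying nothing at all about an upper bound, when the thread has just established what that bound actually is: the commit message quoted for local_passwd.c revision 1.52 gives passwd(1) a fixed 1024-byte buffer, so a password of up to 1023 characters is accepted there. Rather than going silent, consider replacing the removed sentence with the real limit, something like "Its total length must be less than 1024 characters.", or at least a statement that longer input is not accepted. The diff also does not touch the `_PASSWORD_LEN 128 /* max length, not counting NUL */` comment in include/pwd.h that the discussion identified as contradicting the man page (a 128-character string does not fit, with its NUL, in the `char buf[_PASSWORD_LEN]` arrays in bcrypt.c and cryptutil.c), so the header comment stays inconsistent with the code after this change; a companion one-line fix there would close that out.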
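The whole disagreement above comes down to the difference between a string's length and the size of the buffer that holds it. The following is an added illustration written for this page, not code from OpenBSD's libc or passwd(1): it uses a stand-in `PASSWORD_LEN` of 128 (the value quoted in the thread), constructs a 128-character password and its 127-character prefix, and shows that a strict copy rejects the 128-character password for a `PASSWORD_LEN`-byte buffer but accepts it for `PASSWORD_LEN + 1`, while a strlcpy(3)-style truncating copy into the smaller buffer silently makes the two passwords identical, which is the failure mode that matters if the truncated buffer is what gets hashed or compared. The helper names and the 1024-byte scratch buffers are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for _PASSWORD_LEN from <pwd.h>; 128 is the value quoted in the
 * thread. Everything in this file is an added illustration of NUL
 * accounting, not OpenBSD code.
 */
#define PASSWORD_LEN 128

/* Longest string (characters, NUL excluded) a buffer of bufsize bytes can hold. */
size_t max_strlen_in(size_t bufsize)
{
	return bufsize == 0 ? 0 : bufsize - 1;
}

/*
 * Strict copy: succeed only if src and its NUL both fit in dst.
 * Returns 0 on success, -1 if src is too long; dst is untouched on failure.
 */
int copy_password_strict(char *dst, size_t dstsize, const char *src)
{
	size_t n = strlen(src);

	if (dstsize == 0 || n > dstsize - 1)
		return -1;
	memcpy(dst, src, n + 1);	/* n characters plus the NUL */
	return 0;
}

/*
 * Truncating copy in the style of strlcpy(3)/snprintf(3): always
 * NUL-terminates, silently drops whatever does not fit. Returns the
 * number of characters dropped so a caller can detect truncation.
 */
size_t copy_password_truncating(char *dst, size_t dstsize, const char *src)
{
	size_t n = strlen(src);
	size_t keep;

	if (dstsize == 0)
		return n;
	keep = n < dstsize ? n : dstsize - 1;
	memcpy(dst, src, keep);
	dst[keep] = '\0';
	return n - keep;
}

/* Constructed test inputs: 127 'a' followed by one 'Z', and its 127-character prefix. */
static void make_passwords(char p128[129], char p127[128])
{
	memset(p128, 'a', 127);
	p128[127] = 'Z';
	p128[128] = '\0';
	memset(p127, 'a', 127);
	p127[127] = '\0';
}

/* 0 if the 128-character password fits (with NUL) in a bufsize-byte buffer, -1 if not. */
int strict_copy_fits(size_t bufsize)
{
	char p128[129], p127[128], dst[1024];

	if (bufsize > sizeof(dst))
		return -1;
	make_passwords(p128, p127);
	return copy_password_strict(dst, bufsize, p128);
}

/* How many characters of the 128-character password a truncating copy into bufsize bytes loses. */
size_t truncating_copy_dropped(size_t bufsize)
{
	char p128[129], p127[128], dst[1024];

	if (bufsize > sizeof(dst))
		return (size_t)-1;
	make_passwords(p128, p127);
	return copy_password_truncating(dst, bufsize, p128);
}

/*
 * 1 if the two distinct passwords become byte-identical after a truncating
 * copy into bufsize bytes, 0 if they stay distinct, -1 if bufsize is too
 * large for the scratch buffers.
 */
int truncation_collides(size_t bufsize)
{
	char p128[129], p127[128], abuf[1024], bbuf[1024];

	if (bufsize > sizeof(abuf))
		return -1;
	make_passwords(p128, p127);
	copy_password_truncating(abuf, bufsize, p128);
	copy_password_truncating(bbuf, bufsize, p127);
	return strcmp(p128, p127) != 0 && strcmp(abuf, bbuf) == 0;
}

int main(void)
{
	printf("%d-byte buffer holds at most %zu characters\n",
	    PASSWORD_LEN, max_strlen_in(PASSWORD_LEN));
	printf("strict copy of 128 chars into %d bytes: %d\n",
	    PASSWORD_LEN, strict_copy_fits(PASSWORD_LEN));
	printf("strict copy of 128 chars into %d bytes: %d\n",
	    PASSWORD_LEN + 1, strict_copy_fits(PASSWORD_LEN + 1));
	printf("truncating copy into %d bytes drops %zu char(s)\n",
	    PASSWORD_LEN, truncating_copy_dropped(PASSWORD_LEN));
	printf("p128 and p127 collide in %d bytes: %d; in %d bytes: %d\n",
	    PASSWORD_LEN, truncation_collides(PASSWORD_LEN),
	    PASSWORD_LEN + 1, truncation_collides(PASSWORD_LEN + 1));
	return 0;
}
```

The point of returning the dropped count from the truncating copy is the same one the thread circles around: a buffer declared as `char buf[_PASSWORD_LEN]` can hold a 127-character password, a `char buf[_PASSWORD_LEN + 1]` can hold 128, and any code that copies with truncation instead of rejecting over-long input needs to check that return value, or two different passwords will be treated as the same one.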
