Maximum password length - Mailing list pgsql-hackers

From Bossart, Nathan
Subject Maximum password length
Date
Msg-id 09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
Whole thread Raw
Responses Re: Maximum password length
List pgsql-hackers
Hello,

I recently noticed a few restrictions on exceptionally long passwords
that don't seem to be documented.  While scram-sha-256 has a limit of
1,024 characters [0], other password-based authentication mechanisms
do not seem to have a well-defined limit.  Furthermore, there is a
1,000 character restriction on password messages [1], which limits the
effective maximum length of the content of the message to 995
characters (due to the '\0' byte and 4 bytes for the length of the
message).  This 995 character restriction shouldn't impact md5 or
scram-sha-256 authentication, but it will impact "password"
authentication.  On top of all this, client utilities truncate
passwords provided via prompt to 99 characters, so longer passwords
must be provided via alternatives such as .pgpass and PGPASSWORD.

I suspect these limits are acceptable for the vast majority of users,
but it is presumably very confusing to users who attempt to use longer
passwords.  For example, the truncation performed by client utilities
like psql is done silently, specifying a scram-sha-256 password that
is too long will result in a "password too long" message, and
providing a password message longer than 995 characters will result in
a "server closed the connection" error and an "invalid message length"
log statement.

I've attached 2 patches in an effort to clarify the upper bounds on
password lengths:
    - 0001 refactors the hard-coded 100 character buffer size used for
      password prompts for client utilities into a
      PROMPT_MAX_PASSWORD_LENGTH macro in postgres_fe.h.
    - 0002 is an attempt at documenting the password length
      restrictions and suggested workarounds for longer passwords.

I've also attached a third patch that increases the maximum length of
password messages accepted by the server to 8,192 characters.  The
current limit of 1,000 characters can be insufficient for very long
passwords provided via "password" authentication.  IMO this server
message limit is especially confusing for scram-sha-256 passwords, as
they can be up to 1,024 characters long, but with "password"
authentication, only 995 characters can be used to connect to the
server.  Other forms of authentication similar to "password" (LDAP,
RADIUS, PAM, BSD) are likewise impacted by the server message limit
and may benefit from this increase.

I am submitting these patches for consideration in commitfest 2018-11.

Nathan

[0]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/common/saslprep.c;h=4cf574fed87ad830bcf8fdb105e37f8b4df0ee44;hb=HEAD#l42

[1]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/libpq/auth.c;h=85175655359829a2cf50dd883066bbb3d45e2286;hb=HEAD#l682


Attachment

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Make Windows print float exponents like everybody else?
Next
From: Stephen Frost
Date:
Subject: Re: Maximum password length