I have noticed during installs on 192-194 that IPFire would not take passwords longer than 32 to 47 characters in length. I prefer to use 64. Was there a change in the way the passwords are handled?
Nothing has been changed with regard to the passwords for root and admin during the setup.
They are created with the bcrypt algorithm by htpasswd. The only length restriction that htpasswd has is if it is being run on a Windows platform (which is not the case for IPFire), and then the length restriction for passwords is 255 characters.
I will try and see if I can make some time to test it out myself.
Really? That's odd, since I have tried with all 3 versions, since it kept beeping once past the max.
As I said, I will try and find some time to see if I can reproduce it.
look at:
cat /etc/login.defs
What is the ENCRYPT_METHOD ?
It is the same for everyone. It is set to YESCRYPT.
However that only applies to the root password.
For the admin password htpasswd is used with bcrypt.
@dan786 do you have the length limit problem for both root and admin or for only one of them?
I haven’t looked at apache_auth_type, but I know the http_auth_form doesn’t have a maxlength set for the username or password field unless that was altered here.
But finding out if it's just htaccess that is the issue would be great.
System uses PAM as well, and its limit is 72 characters.
It's been a while since I dealt with PAM, but if the PAM_ATH is hash string plus salt then a 64 character password would fail.
So I spent some time testing out very long passwords with both the root and the admin entries.
What I found is that the window itself appears to limit the number of characters to 50 so the effect occurs with both root and admin.
With 50 characters used I could log in with both root at the console and the admin screen.
Also if I entered a password of 51 characters into the admin section and then ran the htpasswd verification check on the 51 characters it said the verification failed but if I only used the first 50 characters in the verification check, then htpasswd said that the password matched.
This means that htpasswd only ever received the 50 characters and not the 51st one. So this suggests that it is the window size affecting this.
However newt is the package that is used for setting the windows up in setup and that has not been updated since Core Update 185 in March 2024.
Also the code for getting the passwords has a string max length of 1024 characters, so that also would not limit the password length.
I will look at setting up a vm machine with CU191, as you indicate that you did not have this problem prior to CU192, and will see what happens with that.
It was root, but I assumed both would have the same issue if the root was having it. The only way I found around it was to install 188-189 then do an update to it.
I just did an install of CU189 and that has the same limitation of a max of 50 characters for both admin and root. So I have not found any difference between CU189 and CU194.
If the password software itself was related then the two would not be the same as root uses shadow and admin uses htpasswd.
I have not been able to find any problem with a password less than 51 characters.
I don’t understand what you are meaning with this? Are you saying that with CU188 you could use a 64 character password and then after upgrading from CU188 to CU194 you can now use the 64 character password in CU194?
188/189, when I install it, will accept 64, but starting 192 to current it will no longer take 64. I have not tried 190 and 191. I have used 64 in the past and it worked, but it no longer accepts it even though I used it on the 188 install. But when I first started using IPFire it was 50, then after a while it was allowing 64, now it is back to 47/50.
Well I have been unable to reproduce a 64 char password being accepted with a CU189 install.
You are also indicating that sometimes a max of 47 is allowed and not 50 and originally you mentioned that the accepted length varies from 32 to 47 characters.
Every time I have tried it with CU194 and CU189 and for both the root and the admin passwords a 50 character password was accepted. 51 character was always not accepted.
From checking the admin password with the htpasswd verification option, I was able to confirm that 50 characters was the most that were ever passed to the htpasswd program, even if the password entered was longer.
This suggests that the limiter is the max number of characters accepted via the window used to accept the password. However the software that deals with that has not been updated for 18 months.
So I can’t think of any reason why you experience this problem, when I am unable to reproduce it.
I thought it was 47. I didn't count it till just now, when I counted it. It was 48 at the max before it complains. I don't understand why, when that is less than the 50 you have said. I'm not sure why it didn't complain when I used 64. Has the root login from the web browser been disabled?
It has never been coded to be used via the browser. The root login is only for use at the console or via an ssh terminal.
What do you mean by “complains”?
I have looked more closely into the passwords.c code used for the password section of the setup program.
rc = newtWinEntries(title, text,
65, 5, 5, 50, entries, _("OK"), _("Cancel"), NULL);
65 is the size of the text entry section for the password.
then there is a flexdown value of 5 and a flexup value of 5 and this looks to be that the physical size of the text entry box shown can be adjusted depending on the screen conditions I believe.
The last number of 50 is the datawidth, so this is what is limiting the size of the password that will be accepted.
You can type in a password probably between 60 and 70 characters long (based on the flexup and flexdown values) but irrespective the text box will only take the first 50 characters that are typed. The rest are just ignored.
I have gone back to Core Update 30 from nearly 16 years ago and the parameters at that time were 50, 5, 5, 20
and these were modified to 65, 5, 5, 50
in Core Update 40 from 15 years ago.
I also confirmed that it was still the same in Core Update 100 and 189.
So the max limit for the passwords for root and admin has been limited to 50 characters since 2010.
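The diagnostic described earlier in the thread (hashing a 51-character admin password, then finding that `htpasswd` verification only succeeds for the first 50 characters) and the `newtWinEntries` datawidth explanation above are modelled in the following added example. It is not code from IPFire, newt or htpasswd. The entry box is simulated with a fixed `DATAWIDTH` of 50; the salted SHA-256 via `hashlib` is a stand-in for bcrypt (`htpasswd -B`) and yescrypt (`/etc/shadow`), chosen only so the script runs offline with the standard library. `accepted_prefix_length` generalises the manual check to find, for any typed string, how many characters actually reached the hashing program.

```python
"""Model of the setup password dialogue's datawidth limit (added example).

newtWinEntries(..., 65, 5, 5, 50, ...) hands the caller at most `datawidth`
characters; anything typed past that is refused (the terminal beeps) and the
hash is computed over the first 50 characters only.  The hash here is a
salted SHA-256 standing in for bcrypt/yescrypt; the truncation effect is the
same whichever hash sits behind the entry box.
"""
import hashlib
import os
from typing import Optional, Tuple

DATAWIDTH = 50   # fourth numeric argument of the newtWinEntries call in the thread


def entry_box(typed: str, datawidth: int = DATAWIDTH) -> Tuple[str, int]:
    """Simulated newt entry with a fixed datawidth.

    Returns (stored_value, beeps): the value the dialogue hands back and the
    number of keystrokes the widget refused (one beep per rejected character).
    """
    accepted = typed[:datawidth]
    return accepted, len(typed) - len(accepted)


def make_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for `htpasswd -B` / crypt(): salted SHA-256, 'salthex$digest'."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify(stored: str, candidate: str) -> bool:
    """Stand-in for `htpasswd -v`: recompute with the stored salt and compare."""
    salt_hex, _ = stored.split("$", 1)
    return make_hash(candidate, bytes.fromhex(salt_hex)) == stored


def set_password_via_setup(typed: str) -> Tuple[str, int]:
    """What the setup password screen effectively does: entry box, then hash
    whatever the entry box handed back."""
    value, beeps = entry_box(typed)
    return make_hash(value), beeps


def accepted_prefix_length(stored: str, typed: str) -> int:
    """The thread's diagnostic, generalised: longest prefix of `typed` that
    verifies against `stored`, i.e. how many characters reached the hasher.
    Returns -1 if no prefix verifies (the stored password is something else)."""
    for n in range(len(typed), 0, -1):
        if verify(stored, typed[:n]):
            return n
    return -1


if __name__ == "__main__":
    # Constructed 64-character password, as the original poster prefers.
    typed = ("abcdefghij" * 7)[:64]
    stored, beeps = set_password_via_setup(typed)
    print(f"beeps heard while typing: {beeps}")               # 14
    print(f"full 64 chars verify:     {verify(stored, typed)}")  # False
    print(f"chars that reached hash:  {accepted_prefix_length(stored, typed)}")  # 50
```

Run against a real hash, the same prefix search distinguishes an input-layer truncation (verification succeeds at exactly the widget's datawidth) from a hashing-layer one (bcrypt silently ignores bytes beyond 72, which a 50-character entry box never reaches). With a stand-in hash that has no such limit, only the entry box truncation is visible here.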
What I mean by complains is it beeping once it gets to the max of 50, at every character after 50.
So it is warning you that you have gone beyond the max number of characters (50).
It's finding and altering PAM_MAX_RESP_SIZE in passverify.c of PAM, however we do this. Because the first thing that would limit it, which is not using hash, is not an issue, is it? Looking at /etc/shadow it does look encrypted.
Other things that can cause it are if PAM is not using YESCRYPT and is using MD5; PAM will double hash, causing the size to be 1024 bytes after so many characters are typed (which is probably 50).
Problem is troubleshooting this as some of these files are not in the same places as other distributions.
The only problem I see making huge passwords is allowing long data lengths of user input field big enough to inject code. So there should be limits, however, they need to be documented.