StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html
https://stackstorm.com/
Apache License 2.0

Username/password length #5279

Open amanda11 opened 3 years ago

amanda11 commented 3 years ago

With the introduction of https://github.com/StackStorm/st2web/pull/887 there is a username and password limit set, but there is no equivalent check in the CLI.

Some feedback from @m4dcoder: "There's going to be some challenges there because the st2auth backends are not managed by st2 (i.e. htpasswd, LDAP, etc.). If those auth providers allow longer usernames and passwords, there's not much we can do other than throw an error that says username/password is beyond supported length when the user logs in via the CLI."

nzlosh commented 3 years ago

htpasswd appears to support up to 255 characters for the username

These two locations hint at username < MAX_STRING_LEN - 1: https://github.com/apache/httpd/blob/21f16155c38e406e0a0daaa60a539d66128cf044/support/htpasswd.c#L91 https://github.com/apache/httpd/blob/21f16155c38e406e0a0daaa60a539d66128cf044/support/htpasswd.c#L239

MAX_STRING_LEN is set to 256: https://github.com/apache/httpd/blob/21f16155c38e406e0a0daaa60a539d66128cf044/support/passwd_common.h#L35

Linux systems appear to agree with this character limit (although not directly related to St2 authentication): 256 is the limit for Ubuntu, Debian and CentOS.

getconf LOGIN_NAME_MAX
256

I saw in some forums that AD has shorter constraints, but St2 should allow the largest constraint IMO:

Active Directory has constraints: cn (Common-Name): 64. There is no attribute like 'fullname'; the closest one is 'display-Name', which has a limit of 256.
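The thread asks for a CLI-side equivalent of the st2web length check, and notes that all st2 can do is fail early with a clear error because the backend (htpasswd, LDAP, AD) owns the real limit. The following is an added example, not StackStorm's own code: a client-side guard that rejects empty or over-long credentials before any login request is sent, plus an audit helper that reads an htpasswd file body and lists users an enforced limit would lock out. The limit values are assumptions derived from the figures quoted above (htpasswd's MAX_STRING_LEN of 256 with usernames required to be shorter than MAX_STRING_LEN - 1, LOGIN_NAME_MAX of 256, the AD cn cap of 64); they are not StackStorm defaults, and the password bound is assumed to match the username bound. The htpasswd content at the bottom is constructed sample data.

```python
# Added example (not StackStorm code): a CLI-side credential length guard for
# the st2 login path, plus an audit of an htpasswd file against that limit.

# Assumed limits, constructed from the figures quoted in the thread.
# htpasswd: MAX_STRING_LEN is 256 and a username must be < MAX_STRING_LEN - 1,
# so at most 254 bytes. The password bound is an assumption (same as username).
# An AD deployment would want the stricter cn limit of 64 instead.
HTPASSWD_MAX_STRING_LEN = 256
MAX_USERNAME_LEN = HTPASSWD_MAX_STRING_LEN - 2   # 254: strictly below MAX_STRING_LEN - 1
MAX_PASSWORD_LEN = HTPASSWD_MAX_STRING_LEN - 2   # assumption, see lead-in
AD_CN_MAX_LEN = 64                               # from the thread's AD note


class CredentialLengthError(ValueError):
    """Raised before any request is sent, so the backend never sees the value."""


def credential_problems(username, password,
                        max_username=MAX_USERNAME_LEN,
                        max_password=MAX_PASSWORD_LEN):
    """Return a list of human-readable problems; empty list means acceptable.

    Lengths are measured in UTF-8 bytes rather than characters because htpasswd
    (a C tool) counts bytes, so a non-ASCII username can exceed the limit while
    its character count stays under it.
    """
    problems = []
    checks = (("username", username, max_username),
              ("password", password, max_password))
    for label, value, limit in checks:
        if not value:
            problems.append("%s must not be empty" % label)
            continue
        nbytes = len(value.encode("utf-8"))
        if nbytes > limit:
            problems.append("%s is beyond supported length (%d bytes, limit %d)"
                            % (label, nbytes, limit))
    return problems


def check_credential_length(username, password, **limits):
    """Raise CredentialLengthError with the kind of message the thread suggests."""
    problems = credential_problems(username, password, **limits)
    if problems:
        raise CredentialLengthError("; ".join(problems))
    return True


def audit_htpasswd(text, max_username=MAX_USERNAME_LEN):
    """List usernames in an htpasswd body that a CLI-side limit would lock out.

    Records are 'user:hash' lines; blank lines, comments and lines without a
    colon are skipped rather than treated as users.
    """
    too_long = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, _hash = line.partition(":")
        if not sep:
            continue  # malformed line, not an htpasswd record
        if len(user.encode("utf-8")) > max_username:
            too_long.append(user)
    return too_long


# Constructed sample htpasswd content (hashes are placeholders, not real digests).
SAMPLE_HTPASSWD = "\n".join([
    "# constructed for this example",
    "alice:$apr1$placeholder$hash",
    "",
    "b" * 300 + ":$apr1$placeholder$hash",
    "not-a-record",
])


if __name__ == "__main__":
    print(credential_problems("alice", "s3cret"))          # []
    print(credential_problems("\u00e9" * 128, "pw"))        # 256 UTF-8 bytes > 254
    print(credential_problems("a" * 65, "pw", max_username=AD_CN_MAX_LEN))
    print(audit_htpasswd(SAMPLE_HTPASSWD))                  # ['bbb...b'] (300 chars)
```

The guard runs entirely on the client, so it complements rather than replaces the backend's own limits; running `audit_htpasswd` over the live file before enabling the check is how a practitioner finds the users who would otherwise be surprised by the new error.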