tomaae / homeassistant-mikrotik_router

Mikrotik router integration for Home Assistant
Apache License 2.0

[Question] invalid password with password length > 9 chars, is there a hardcoded limit? #343

Closed baylanger closed 7 months ago

baylanger commented 7 months ago

Somehow, if the user's password has more than 9 chars, the integration returns:

ERROR (MainThread) [custom_components.mikrotik_router.mikrotikapi] Mikrotik gw.xxxxxxx.com error while connecting: invalid user name or password (6)

Per this link, Mikrotik handles unlimited? password length:

MikroTik routers require password configuration, we suggest using a password generator tool to create secure and non-repeating passwords. With secure password we mean:

Minimum 12 characters; Include numbers, Symbols, Capital and lower case letters; Is not a Dictionary Word or Combination of Dictionary Words;

Is there a limit supported by this integration? I searched for "password" in this repo and quickly couldn't see such a limit. If not, I wonder if this is a Mikrotik bug? My router has 7.12.1.

tomaae commented 7 months ago

No, there are no limits imposed by the integration. Maybe it could be some special characters that are not accepted by the API?

baylanger commented 7 months ago

Been there done that ;) In the end the password strictly had alpha-digits, not a single "special" char. At first my password had ~32 chars, went down to ~16 ... in the end 10 chars or more is failing.

I agree with you, it looks like it could be an API limit / bug on Mikrotik side. I wonder if this needs to be documented or not.. somehow perhaps I'm the only one that tried with 10+ chars but that can't be right.... right?

Authentication to the REST API is performed via HTTP Basic Auth. Provide your Username and password are the same as for the console user (by default "admin" with no password).

Quickly searching around I don't see a password length different for the API.

I'll leave this open in case others try and report back, otherwise I should close in coming days. Perhaps I'll end up opening a ticket w/ Mikrotik.

Thanx!

tomaae commented 7 months ago

I just tried to create a user with 14 character length, including upper and lower case, numeric and special characters. The device was added without a problem and is working fine. I have been testing this with master, not the last release, tho.

baylanger commented 7 months ago

Interesting... which routeros version did you test this with?

I actually faced other issues when adding the new account dedicated for this integration. The account I now use over web with full policies access and the default admin account w/ web policy disabled, both accounts became locked out while I was adding a new account for this integration. Both accounts had an assigned ssh pubkey, so I was able to login and reset the password. I had to do this ~3 times. I now wonder.... perhaps trying to set a password with more than 9 chars corrupted the password db? Not sure if it has to do with 7.12.1 or not? I will try again tomorrow to set a new account w/ more than 10 chars and see if the same issue shows up again. Will report back on this once tested.

tomaae commented 7 months ago

I have tested on 7.11.2

baylanger commented 7 months ago

I'm able to confirm this is a Mikrotik bug.

I changed the integration's dedicated account to 18 chars... pasting the previous password (9 chars) twice, making it a length of 18. I did that and right after, I tried to login using the same admin account that I used to make the changes, and the password for that account was changed... or something similar happened. I set the integration's account back to the password with 9 chars; I would have been surprised if this fixed the admin account password... and it did not.

Created a support request w/ Mikrotik SUP-143942.

baylanger commented 7 months ago

Closing since this appears to be a Mikrotik RouterOS bug.

Thank you for trying w/ 7.11.2 - I provided that info as well in the support ticket, and thank you for your quick replies.

baylanger commented 7 months ago

FYI Mikrotik confirmed this bug, it is fixed in 7.14rc1. Like often they don't plan to fix it for previous releases... for now, I'll just stick with a 9 or less password length :)

Release note : *) webfig - fixed setting the user's password;

baylanger commented 7 months ago

In case anyone stumbles on this: due to the fix's description, I asked Mikrotik if the bug occurs only when using the web interface. Their reply says adding a user over cli doesn't cause any issue, e.g.

/user/add name=user1 password=1234567891011121314151617181920 group=full

Long live long passwords :)

tomaae commented 7 months ago

oh wow, that's one weird bug

baylanger commented 7 months ago

Yes indeed it is. I do wonder why a unit test didn't catch it … it could potentially block access. I was lucky to have an ssh pubkey in place for the created admin account and the original one as well, otherwise I would have been screwed up.

It's also not possible to reset just the admin password without resetting the config :( It's a reminder that I should look into a way to automate a backup…. via a script / samba share? I looked into this a long time ago… is this something this integration could help with?

Is it possible to implement sensors like:

- “last config change time”
- “last backup time”
- binary state “last backup has latest config”

Currently I manually back up to the mikrotik cloud service but am only allowed 1 backup. It's not because someone makes a change that a backup needs to happen right away. Obviously having a reminder via a sensor that the backup isn't the latest config isn't a bad thing to have… unless someone has a good, easy way to have a backup with rotation.