[linux-cifs-client] Re: [RFC/PATCH: 2/2]: CIFS: Add kernel warning if password length exceeds limit
Suresh Jayaraman
sjayaraman at suse.de
Thu Jan 24 04:33:55 GMT 2008
Steve French wrote:
> On Jan 23, 2008 8:46 AM, Suresh Jayaraman <sjayaraman at suse.de> wrote:
>> Add a kernel warning if password length exceeds 16 bytes in case of
>> "sec=lanman". Also, add password length check as Windows passwords
>> are limited to 127 bytes.
>
> You can define passwords longer than 127 bytes in Windows, and the 16 byte
> length check is not correct for lanman (it is 14 for lanman).
> See below example of adding a user (cut from Windows XP command prompt)
Good catch. I think I was misled by the Windows help/Documentation which
says: "Windows passwords can be up to 127 characters long." Thanks for
confirming this.
> I have mixed feelings about giving any information on the password
> length, but I agree that mount.cifs should not restrict it.
Do you consider this printk to be a potential information leak?

	printk(KERN_WARNING "CIFS: password too "
	       "long for lanman sec mode\n");

Or maybe we should just say:

	printk(KERN_WARNING "CIFS: password too long\n");

Or would making it a debug message (cFYI) be better?

But, I think if we don't let the user know somehow that the password is
long, he will have no clue why mount is failing in case of sec=lanman.

Thanks,
--
Suresh Jayaraman