9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Why ANAMELEN and the 27-character auth password limit?
From: quiekaizam @ 2026-01-29  4:10 UTC (permalink / raw)
  To: 9fans

Hello 9fans,

I'm trying to understand whether there are technical reasons for us (9front) having a 27-character limit on auth passwords.

On 9front, this can be traced back to PASSWDLEN defined in authsrv.h. That constant was split off from ANAMELEN in commit 3c622887, and /doc/prog4.ms mentions that ANAMELEN is a vestige of when 9p used fixed 28-character buffers for paths, defined as NAMELEN.

And this is where the trail runs cold. I am unable to find out why ANAMELEN exists at all. Key derivation functions should be able to handle arbitrary length passwords, so ostensibly PASSWDLEN is not needed in principle. Is this just a historical quirk, or am I missing something?

I'm thinking it might be interesting to say something about this at iwp9, so any thoughts or discussion here is quite welcome.

Cheers,
B. Wilson

------------------------------------------
9fans: 9fans
Permalink: https://9fans.topicbox.com/groups/9fans/Te7acf42f92a5d9b6-M765f2dce99ccd2a4c150f239
Delivery options: https://9fans.topicbox.com/groups/9fans/subscription


* Re: [9fans] Why ANAMELEN and the 27-character auth password limit?
From: hahahahacker2009 @ 2026-01-29  4:19 UTC (permalink / raw)
  To: 9fans

Also 14 character password limit for secstore password
when storing in nvram.

At 11:18 on Thu, 29 Jan 2026, <quiekaizam@wilsonb.com> wrote:

> Hello 9fans,
>
> I'm trying to understand whether there are technical reasons for us
> (9front) having a 27-character limit on auth passwords.
>
> On 9front, this can be traced back to PASSWDLEN defined in authsrv.h. That
> constant was split off from ANAMELEN in commit 3c622887, and /doc/prog4.ms
> mentions that ANAMELEN is a vestige of when 9p used fixed 28-character
> buffers for paths, defined as NAMELEN.
>
> And this is where the trail runs cold. I am unable to find out why
> ANAMELEN exists at all. Key derivation functions should be able to handle
> arbitrary length passwords, so ostensibly PASSWDLEN is not needed in
> principle. Is this just a historical quirk, or am I missing something?
>
> I'm thinking it might be interesting to say something about this at iwp9,
> so any thoughts or discussion here is quite welcome.
>
> Cheers,
> B. Wilson

* Re: [9fans] Why ANAMELEN and the 27-character auth password limit?
From: ori @ 2026-01-29  4:19 UTC (permalink / raw)
  To: 9fans

When you say arbitrary length, how many gigabytes, and what should the
system do when an attacker can force oom-kills in the auth server?

no, there needs to be a limit somewhere.

Quoth quiekaizam@wilsonb.com:
> Hello 9fans,
> 
> I'm trying to understand whether there are technical reasons for us (9front) having a 27-character limit on auth passwords.
> 
> On 9front, this can be traced back to PASSWDLEN defined in authsrv.h. That constant was split off from ANAMELEN in commit 3c622887, and /doc/prog4.ms mentions that ANAMELEN is a vestige of when 9p used fixed 28-character buffers for paths, defined as NAMELEN.
> 
> And this is where the trail runs cold. I am unable to find out why ANAMELEN exists at all. Key derivation functions should be able to handle arbitrary length passwords, so ostensibly PASSWDLEN is not needed in principle. Is this just a historical quirk, or am I missing something?
> 
> I'm thinking it might be interesting to say something about this at iwp9, so any thoughts or discussion here is quite welcome.
> 
> Cheers,
> B. Wilson


* Re: [9fans] Why ANAMELEN and the 27-character auth password limit?
From: ori @ 2026-01-29  4:57 UTC (permalink / raw)
  To: 9fans

Quoth ori@eigenstate.org:
> When you say arbitrary length, how many gigabytes, and what should the
> system do when an attacker can force oom-kills in the auth server?
> 
> no, there needs to be a limit somewhere.

note, I'm not arguing that this, specifically, should be the
limit, but not having a limit is problematic.



* Re: [9fans] Why ANAMELEN and the 27-character auth password limit?
From: quiekaizam @ 2026-01-29  5:37 UTC (permalink / raw)
  To: 9fans, ori, 9fans

I'm not proposing anything here.

A limit of 4096 or even 256 would suggest limits for the reasons you mention. However, 28 bytes suggests more specific reasons. It's also short enough that diceware-like passwords [0] are untenable.

The question is whether there are technical reasons for choosing the value of 28 bytes, not whether we need a limit at all.

[0]: https://theworld.com/~reinhold/diceware.html

On 29 January 2026 13:19:54 JST, ori@eigenstate.org wrote:
>When you say arbitrary length, how many gigabytes, and what should the
>system do when an attacker can force oom-kills in the auth server?
>
>no, there needs to be a limit somewhere.
>
>Quoth quiekaizam@wilsonb.com:
>> Hello 9fans,
>> 
>> I'm trying to understand whether there are technical reasons for us (9front) having a 27-character limit on auth passwords.
>> 
>> On 9front, this can be traced back to PASSWDLEN defined in authsrv.h. That constant was split off from ANAMELEN in commit 3c622887, and /doc/prog4.ms mentions that ANAMELEN is a vestige of when 9p used fixed 28-character buffers for paths, defined as NAMELEN.
>> 
>> And this is where the trail runs cold. I am unable to find out why ANAMELEN exists at all. Key derivation functions should be able to handle arbitrary length passwords, so ostensibly PASSWDLEN is not needed in principle. Is this just a historical quirk, or am I missing something?
>> 
>> I'm thinking it might be interesting to say something about this at iwp9, so any thoughts or discussion here is quite welcome.
>> 
>> Cheers,
>> B. Wilson


* Re: [9fans] Why ANAMELEN and the 27-character auth password limit?
From: quiekaizam @ 2026-01-29  5:52 UTC (permalink / raw)
  To: 9fans

I'm not proposing anything here.

A limit of 4096 or even 256 would suggest limits for the reasons you mention. However, 28 bytes suggests something more specific. It's also short enough that diceware-like passwords [0] become untenable. Specifically note how we use ANAMELEN in many places to set buffers unrelated to password-length.

The question is whether there are technical reasons for choosing the value of 28 bytes, not whether we need a limit at all. A subsidiary question is why ANAMELEN is bundling multiple constraints into a single limit.

[0]: https://theworld.com/~reinhold/diceware.html
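
An added illustration, not code from 9front or from any poster in this thread, of the two points argued above: a fixed cap keeps memory use constant whatever a client sends, and the value of the cap decides whether a multi-word passphrase fits. `readsecret`, `trysecret` and `SECRETMAX` are hypothetical names; only PASSWDLEN and its 28-byte value come from the thread, and rejecting over-length input instead of truncating it is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* PASSWDLEN is the thread's value (27 characters plus NUL); SECRETMAX is
 * an assumed larger cap, one of the sizes floated in the thread. */
enum { PASSWDLEN = 28, SECRETMAX = 256 };

/* Read one line into buf (cap bytes, NUL included) in constant memory.
 * Returns its length, or -1 if it is empty or does not fit. Over-length
 * input is consumed and rejected, not truncated, and buf is cleared. */
int readsecret(FILE *f, char *buf, size_t cap)
{
	size_t n = 0;
	int c, toolong = 0;
	while((c = getc(f)) != EOF && c != '\n'){
		if(n + 1 < cap)
			buf[n++] = (char)c;
		else
			toolong = 1;	/* keep reading, store nothing more */
	}
	if(toolong || n == 0){
		memset(buf, 0, cap);
		return -1;
	}
	buf[n] = '\0';
	return (int)n;
}

/* Demo helper: pass a constructed line through a temporary file. */
int trysecret(const char *line, size_t cap)
{
	char buf[SECRETMAX];
	FILE *f;
	int n;
	if(cap == 0 || cap > sizeof buf || (f = tmpfile()) == NULL)
		return -2;
	fputs(line, f);
	rewind(f);
	n = readsecret(f, buf, cap);
	fclose(f);
	return n;
}

int main(void)
{
	/* constructed sample passphrase, 40 characters */
	const char *dice = "correct horse battery staple mango river\n";
	printf("%d %d\n", trysecret(dice, PASSWDLEN), trysecret(dice, SECRETMAX));
	return 0;
}
```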