sshfs cannot handle passwords longer than 64 characters from stdin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sshfs-fuse (Ubuntu) | Confirmed | Wishlist | Unassigned |
Bug Description
If sshfs is called with the "password_stdin" option (for example, when invoked with pam_mount) it will refuse to accept a password longer than 64 characters.
The limit is hardcoded in the sshfs.c file (line 3069 in version 2.3, line 3466 in version 2.5) with the variable named "max_password".
To reproduce, from the command-line you can use for example:
sshfs mvaldez@
then type the password (sshfs will wait for the password from stdin without prompt) and press Enter. If the password is longer than 64 characters it will fail with the message: "Password too long".
When used with pam_mount, the logs in /var/log/auth.log show the following messages:
pam_mount(
pam_mount(
pam_mount(
This limit seems to be inherited from the first patches sent to the sshfs-fuse project (around 2008) for the password_stdin option, but it seems to be arbitrary. I have successfully changed the limit to 1024 without problems. Also, the function "read_password" which is used to capture the password from stdin is only used when using the "password_stdin" option (so any change in the allowed length won't affect any other part of the program).
These tests were done in Ubuntu 12.04.5 LTS but the limit is the same up to the latest sshfs-fuse version (2.5).
I can confirm this with Vivid's sshfs version 2.5-1ubuntu1. Well, except for the detail that the problem didn't appear to be with passwords longer than 64 characters, but rather with passwords 64 characters (inclusive) or longer.
Not sure whether to categorize it as a bug or not, given that the program strictly speaking is behaving as intended, even if I agree that it appears to be arbitrary.
My suggestion is to bring the case up with upstream. According to http://fuse.sourceforge.net/sshfs.html the suggested method is to send an e-mail to <email address hidden>.
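The boundary discussed in the report and the comment above, as an added example that is not sshfs code and not written by either poster: a byte-at-a-time stdin reader with a configurable limit. The names `read_secret`, `try_len` and `wipe` are hypothetical, and the loop shape is an assumption chosen to match the reported behaviour (63 characters accepted, 64 rejected at a limit of 64).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Zero a buffer through a volatile pointer so the store is not optimised out. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical reader: one byte per read() (no stdio buffer holding a copy),
 * stops at newline or EOF, fails once `limit` bytes arrive unterminated.
 * buf must hold limit + 1 bytes. Returns the password length, or -1. */
static long read_secret(int fd, char *buf, size_t limit)
{
    for (size_t n = 0; n < limit; n++) {
        ssize_t r = read(fd, &buf[n], 1);
        if (r < 0) { wipe(buf, limit + 1); return -1; }
        if (r == 0 || buf[n] == '\n') { buf[n] = '\0'; return (long)n; }
    }
    wipe(buf, limit + 1);            /* too long: do not keep a partial secret */
    return -1;
}

/* Feed a constructed password of `len` characters plus '\n' through a pipe. */
static long try_len(size_t len, size_t limit)
{
    int p[2];
    long got = -1;
    char *in = malloc(len + 1), *buf = calloc(1, limit + 1);
    if (in && buf && pipe(p) == 0) {
        memset(in, 'x', len);
        in[len] = '\n';
        ssize_t w = write(p[1], in, len + 1);
        close(p[1]);
        if (w == (ssize_t)(len + 1)) got = read_secret(p[0], buf, limit);
        close(p[0]);
    }
    if (buf) wipe(buf, limit + 1);
    free(in); free(buf);
    return got;
}

int main(void)
{
    printf("limit 64:   63 -> %ld, 64 -> %ld\n", try_len(63, 64), try_len(64, 64));
    printf("limit 1024: 64 -> %ld, 1024 -> %ld\n", try_len(64, 1024), try_len(1024, 1024));
    return 0;
}
```

With this loop shape the longest accepted password is always one less than the limit, because the terminating newline has to arrive within the limit.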