Problems with long passwords

[pbillen]

I am seeing issues with a long passwords. The following works:

services:
  postgresql:
    image: postgres:10
    ports:
    - 127.0.0.1:5432:5432
    environment:
    - POSTGRES_USER=admin
    - POSTGRES_PASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY

Now I can login with psql:

docker run -it --rm --network=host -e PGPASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY postgres:10 psql -h localhost -U admin

However, when I introduce a longer password, I cannot login anymore:

services:
  postgresql:
    image: postgres:10
    ports:
    - 127.0.0.1:5432:5432
    environment:
    - POSTGRES_USER=admin
    - POSTGRES_PASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY

In psql:

docker run -it --rm --network=host -e PGPASSWORD=4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY4csTU5CuCQk8TtSJWpjCWTy7fAbY postgres:10 psql -h localhost -U admin

FATAL:  password authentication failed for user "admin"

Although I did not verify this, I believe this was introduced in 3f585c5.

[pbillen]

This is probably unrelated to the image, but to the behavior of initdb. More info to be found here: https://bugzilla.redhat.com/show_bug.cgi?id=785394.

Before 3f585c5, we did not use initdb but altered the role, so we did not face this limitation.

[tianon]

Interesting limitation! IMO, we should probably have the script check the password length and warn if it's over 100, with some comments/links to the limitation in initdb (specifically, a link to https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org is probably warranted).

[tianon]

Oh this is even more fun. initdb is fine, and gets the entire 101 character password (I was using 0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789a so it was trivial for me to verify I had the right number of characters), and psql works fine if I type that password at the prompt, but if I set it via PGPASSWORD it does not work. So a warning is 100% sufficient here (since it only will affect users of psql).

[pbillen]

Even more, if you first initialize the container with a short password, then login with psql, then alter role X with password '... long password ...', then psql with PGPASSWORD works again. Misteries.

I agree, a warning is granted here.

[Remigius2011]

Even more, if you first initialize the container with a short password, then login with psql, then alter role X with password '... long password ...', then psql with PGPASSWORD works again. Misteries.

Couldn't this be automated in the container's initialization (e.g. create the role with a random password of length < 100, then execute alter role...) - if not in the Dockerfile, then on first startup?

[tianon]

This all sounds to me like there's truncation happening somewhere -- I think a warning is appropriate until/if upstream fixes the truncation/limit issues.

[pbillen]

This all sounds to me like there's truncation happening somewhere -- I think a warning is appropriate until/if upstream fixes the truncation/limit issues.

I agree. I would be hesitant to introduce features/changes here which aren't backed by upstream components.

[gopackgo90]

Looks like this is no longer an issue since Postgres 14.0, see postgres/postgres@67a472d

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=67a472d71c98c3d2fa322a1b4013080b20720b98

[tianon]

Nice, thanks for the pointer! I've opened #1166 to discuss further / adjust our warning 👍