settings: revert "set MinPasswordLength to 14 for FIPS builds"

rickystewart · rickystewart · commit 38c2d5c36d74 · 2025-08-18T13:13:48.000-05:00
This reverts commit 26437b9. Epic: none Release not: None
diff --git a/pkg/ccl/securityccl/fipsccl/fipscclbase/BUILD.bazel b/pkg/ccl/securityccl/fipsccl/fipscclbase/BUILD.bazel
@@ -5,7 +5,6 @@ go_library(
     srcs = [
         "build_boring.go",  # keep
         "build_noboring.go",
-        "consts.go",
     ],
     cgo = True,
     importpath = "github.com/cockroachdb/cockroach/pkg/ccl/securityccl/fipsccl/fipscclbase",
diff --git a/pkg/ccl/securityccl/fipsccl/fipscclbase/consts.go b/pkg/ccl/securityccl/fipsccl/fipscclbase/consts.go
diff --git a/pkg/cli/clisqlclient/BUILD.bazel b/pkg/cli/clisqlclient/BUILD.bazel
@@ -22,7 +22,6 @@ go_library(
     visibility = ["//visibility:public"],
     deps = [
         "//pkg/build",
-        "//pkg/ccl/securityccl/fipsccl/fipscclbase",
         "//pkg/cli/clicfg",
         "//pkg/cli/clierror",
         "//pkg/security/pprompt",
diff --git a/pkg/cli/clisqlclient/conn.go b/pkg/cli/clisqlclient/conn.go
@@ -17,7 +17,6 @@ import (
 
 	"github.com/cockroachdb/cockroach-go/v2/crdb"
 	"github.com/cockroachdb/cockroach/pkg/build"
-	"github.com/cockroachdb/cockroach/pkg/ccl/securityccl/fipsccl/fipscclbase"
 	"github.com/cockroachdb/cockroach/pkg/cli/clierror"
 	"github.com/cockroachdb/cockroach/pkg/security/pprompt"
 	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
@@ -44,7 +43,7 @@ type sqlConn struct {
 	conn         *pgx.Conn
 	reconnecting bool
 
-	// passwordMissing is true if the url is missing a password.
+	// passwordMissing is true iff the url is missing a password.
 	passwordMissing bool
 
 	// alwaysInferResultTypes is true iff the client should always use the
@@ -184,10 +183,6 @@ func (c *sqlConn) EnsureConn(ctx context.Context) error {
 	if err != nil {
 		return wrapConnError(err)
 	}
-	// Under FIPS 140-3 mode, the password must be at least 14 characters long.
-	if fipscclbase.IsFIPSReady() && !c.passwordMissing && len(base.Password) < fipscclbase.FIPSMinPasswordLength {
-		return errors.Newf("password must be at least %d characters long", fipscclbase.FIPSMinPasswordLength)
-	}
 	// Add a notice handler - re-use the cliOutputError function in this case.
 	base.OnNotice = func(_ *pgconn.PgConn, notice *pgconn.Notice) {
 		c.handleNotice(notice)
@@ -774,10 +769,6 @@ func (c *sqlConn) fillPassword() error {
 	if err != nil {
 		return err
 	}
-	// Under FIPS 140-3 mode, the password must be at least 14 characters long.
-	if fipscclbase.IsFIPSReady() && len(pwd) < fipscclbase.FIPSMinPasswordLength {
-		return errors.Newf("password must be at least %d characters long", fipscclbase.FIPSMinPasswordLength)
-	}
 	connURL.User = url.UserPassword(connURL.User.Username(), pwd)
 	c.url = connURL.String()
 	c.passwordMissing = false
diff --git a/pkg/cli/democluster/demo_cluster.go b/pkg/cli/democluster/demo_cluster.go
@@ -7,7 +7,6 @@ package democluster
 
 import (
 	"context"
-	"crypto/rand"
 	gosql "database/sql"
 	"fmt"
 	"io"
@@ -380,12 +379,7 @@ func (c *transientCluster) Start(ctx context.Context) (err error) {
 		return err
 	}
 
-	st := c.firstServer.ClusterSettings()
-	minPasswordLength := security.MinPasswordLength.Get(&st.SV)
-	demoPassword, err := genDemoPassword(demoUsername, minPasswordLength)
-	if err != nil {
-		return errors.Wrap(err, "failed to generate demo password")
-	}
+	demoPassword := genDemoPassword(demoUsername)
 
 	// Step 8: initialize tenant servers, if enabled.
 	phaseCtx = logtags.AddTag(ctx, "phase", 8)
@@ -2127,21 +2121,10 @@ func (c *transientCluster) addDemoLoginToURL(uiURL *url.URL, includeTenantName b
 //
 // The password can be overridden via the env var
 // COCKROACH_DEMO_PASSWORD for the benefit of test automation.
-func genDemoPassword(username string, minPasswordLength int64) (string, error) {
-	if password := envutil.EnvOrDefaultString("COCKROACH_DEMO_PASSWORD", ""); password != "" {
-		if len(password) < int(minPasswordLength) {
-			return "", errors.Newf("password is too short: %s", password)
-		}
-		return password, nil
-	}
+func genDemoPassword(username string) string {
 	mypid := os.Getpid()
-	password := fmt.Sprintf("%s%d", username, mypid)
-	// If the password is too short, append random characters until it is long enough.
-	for len(password) < int(minPasswordLength) {
-		randText := strings.ToLower(rand.Text())
-		password += string(randText[0])
-	}
-	return password, nil
+	candidatePassword := fmt.Sprintf("%s%d", username, mypid)
+	return envutil.EnvOrDefaultString("COCKROACH_DEMO_PASSWORD", candidatePassword)
 }
 
 // lockDir uses a file lock to prevent concurrent writes to the
diff --git a/pkg/cli/interactive_tests/test_demo.tcl b/pkg/cli/interactive_tests/test_demo.tcl
@@ -169,11 +169,11 @@ eexpect eof
 end_test
 
 start_test "Check that the user can override the password."
-set ::env(COCKROACH_DEMO_PASSWORD) "hunter2hunter2hunter2hunter2"
+set ::env(COCKROACH_DEMO_PASSWORD) "hunter2"
 spawn $argv demo --no-line-editor --insecure=false --no-example-database --log-dir=logs
 eexpect "Connection parameters"
 eexpect "(sql)"
-eexpect "postgresql://demo:hunter2hunter2hunter2hunter2@"
+eexpect "postgresql://demo:hunter2@"
 eexpect "defaultdb>"
 send_eof
 eexpect eof
diff --git a/pkg/roachprod/install/cockroach.go b/pkg/roachprod/install/cockroach.go
@@ -752,7 +752,7 @@ const (
 	AuthRootCert
 
 	DefaultUser     = "roachprod"
-	DefaultPassword = "cockroachpassword"
+	DefaultPassword = "cockroachdb"
 
 	DefaultAuthModeEnv = "ROACHPROD_DEFAULT_AUTH_MODE"
 )
diff --git a/pkg/security/password.go b/pkg/security/password.go
@@ -11,7 +11,6 @@ import (
 	"runtime"
 	"sync"
 
-	"github.com/cockroachdb/cockroach/pkg/ccl/securityccl/fipsccl/fipscclbase"
 	"github.com/cockroachdb/cockroach/pkg/security/password"
 	"github.com/cockroachdb/cockroach/pkg/settings"
 	"github.com/cockroachdb/cockroach/pkg/util/envutil"
@@ -138,16 +137,6 @@ var AutoDetectPasswordHashes = settings.RegisterBoolSetting(
 	true,
 )
 
-// By default, the minimum password length is 1. In FIPS 140-3 mode, where HMAC
-// is required to have a key of at least 112 bits, the minimum password length
-// is 14 characters.
-var defaultMinPasswordLength = func() int64 {
-	if fipscclbase.IsFIPSReady() {
-		return fipscclbase.FIPSMinPasswordLength
-	}
-	return 1
-}()
-
 // MinPasswordLength is the cluster setting that configures the
 // minimum SQL password length.
 var MinPasswordLength = settings.RegisterIntSetting(
@@ -156,8 +145,8 @@ var MinPasswordLength = settings.RegisterIntSetting(
 	"the minimum length accepted for passwords set in cleartext via SQL. "+
 		"Note that a value lower than 1 is ignored: passwords cannot be empty in any case. "+
 		"This setting only applies when adding new users or altering an existing user's password; it will not affect existing logins.",
-	defaultMinPasswordLength,
-	settings.IntWithMinimum(defaultMinPasswordLength),
+	1,
+	settings.NonNegativeInt,
 	settings.WithPublic)
 
 // AutoUpgradePasswordHashes is the cluster setting that configures whether to

Original file line number	Diff line number	Diff line change
`@@ -752,7 +752,7 @@ const (`
`752`	`752`	`AuthRootCert`
`753`	`753`
`754`	`754`	`DefaultUser = "roachprod"`
`755`		`- DefaultPassword = "cockroachpassword"`
	`755`	`+ DefaultPassword = "cockroachdb"`
`756`	`756`
`757`	`757`	`DefaultAuthModeEnv = "ROACHPROD_DEFAULT_AUTH_MODE"`
`758`	`758`	`)`