diff sysoptions.h @ 1831:0a3d02c66bf6

Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
author Matt Johnston <matt@codeconstruct.com.au>
date Tue, 12 Oct 2021 21:29:25 +0800
parents 4b984c42372d
children a974a80f5f44
line wrap: on
line diff
--- a/sysoptions.h	Mon Oct 11 15:46:49 2021 +0800
+++ b/sysoptions.h	Tue Oct 12 21:29:25 2021 +0800
@@ -86,6 +86,12 @@
 /* Required for pubkey auth */
 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
 
+/* crypt(password) must take less time than the auth failure delay
+   (250ms set in svr-auth.c). On Linux the delay depends on
+   password length, 100 characters here was empirically derived.
+
+   If a longer password is allowed Dropbear cannot compensate
+   for the crypt time which will expose which usernames exist */
 #define DROPBEAR_MAX_PASSWORD_LEN 100
 
 #define SHA1_HASH_SIZE 20