# HG changeset patch
# User Matt Johnston <matt@codeconstruct.com.au>
# Date 1634045365 -28800
# Node ID 0a3d02c66bf6ca606ca8899e0e6958cdafac1069
# Parent  c32976db772fee6f3699a3524301dae7584bcd38
Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit

diff -r c32976db772f -r 0a3d02c66bf6 sysoptions.h
--- a/sysoptions.h	Mon Oct 11 15:46:49 2021 +0800
+++ b/sysoptions.h	Tue Oct 12 21:29:25 2021 +0800
@@ -86,6 +86,12 @@
 /* Required for pubkey auth */
 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
 
+/* crypt(password) must take less time than the auth failure delay
+   (250ms set in svr-auth.c). On Linux the delay depends on
+   password length, 100 characters here was empirically derived.
+
+   If a longer password is allowed Dropbear cannot compensate
+   for the crypt time which will expose which usernames exist */
 #define DROPBEAR_MAX_PASSWORD_LEN 100
 
 #define SHA1_HASH_SIZE 20
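Review bot: The sentence "On Linux the delay depends on password length" in the new comment is ambiguous, because "delay" was just used for the fixed 250ms auth failure delay while what actually scales with length is the crypt() run time; I would reword the second and third comment lines to `(250ms set in svr-auth.c). On Linux crypt() time grows with` / `password length; 100 characters here was empirically derived.`. The 250ms figure is repeated here as a literal rather than tied to wherever svr-auth.c defines it, so the two can drift apart silently; a closing sentence such as `If the failure delay in svr-auth.c is changed, re-measure crypt() and adjust this limit.` would make the coupling explicit to whoever tunes either value. Whether DROPBEAR_MAX_PASSWORD_LEN is enforced by rejecting or by truncating over-long passwords is not visible in this hunk, so the comment could also name which, if the author knows.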