# HG changeset patch
# User Matt Johnston
# Date 1634045365 -28800
# Node ID 0a3d02c66bf6ca606ca8899e0e6958cdafac1069
# Parent c32976db772fee6f3699a3524301dae7584bcd38
Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
diff -r c32976db772f -r 0a3d02c66bf6 sysoptions.h
--- a/sysoptions.h Mon Oct 11 15:46:49 2021 +0800
+++ b/sysoptions.h Tue Oct 12 21:29:25 2021 +0800
@@ -86,6 +86,12 @@
 /* Required for pubkey auth */
 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
+/* crypt(password) must take less time than the auth failure delay
+ (250ms set in svr-auth.c). On Linux the delay depends on
+ password length, 100 characters here was empirically derived.
+
+ If a longer password is allowed Dropbear cannot compensate
+ for the crypt time which will expose which usernames exist */
 #define DROPBEAR_MAX_PASSWORD_LEN 100
 #define SHA1_HASH_SIZE 20
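Review bot: The "100 characters here was empirically derived" figure in the added comment is only valid for the crypt() algorithm, rounds setting and CPU it was measured on, and the comment records none of them; a sha512-crypt or yescrypt hash with a high rounds count on a slow embedded target could exceed the 250 ms delay well below 100 characters, which would reopen exactly the username-enumeration gap the comment warns about. I would record the measurement conditions and add a re-measure instruction, e.g. `Measured with <crypt algorithm/rounds> on <platform>; re-measure if the hash algorithm, rounds, or the failure delay in svr-auth.c change` with the real values filled in, and refer to the delay by its identifier in svr-auth.c rather than the bare "250ms" so the two stay in sync if one is tuned. It is presumably also worth stating in the comment that the bound only helps when crypt() is still executed on the unknown-username path, since a skipped hash would leak the same timing signal regardless of DROPBEAR_MAX_PASSWORD_LEN — confirm that against svr-auth.c before wording it.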