Mercurial > dropbear
changeset 1831:0a3d02c66bf6
Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
| field | value |
|---|---|
| author | Matt Johnston <matt@codeconstruct.com.au> |
| date | Tue, 12 Oct 2021 21:29:25 +0800 |
| parents | c32976db772f |
| children | a974a80f5f44 |
| files | sysoptions.h |
| diffstat | 1 files changed, 6 insertions(+), 0 deletions(-) |
--- a/sysoptions.h Mon Oct 11 15:46:49 2021 +0800 +++ b/sysoptions.h Tue Oct 12 21:29:25 2021 +0800 @@ -86,6 +86,12 @@ /* Required for pubkey auth */ #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT)) +/* crypt(password) must take less time than the auth failure delay + (250ms set in svr-auth.c). On Linux the delay depends on + password length, 100 characters here was empirically derived. + + If a longer password is allowed Dropbear cannot compensate + for the crypt time which will expose which usernames exist */ #define DROPBEAR_MAX_PASSWORD_LEN 100 #define SHA1_HASH_SIZE 20
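Review bot: The new comment above DROPBEAR_MAX_PASSWORD_LEN hardcodes "250ms set in svr-auth.c", so the comment and the limit of 100 can go stale silently if that delay is ever changed. Consider referring to the delay by name if it has one, or adding a matching note beside it in svr-auth.c that points back to this limit. The second sentence also says "the delay depends on password length" where it appears to mean the crypt() time rather than the auth failure delay; "the crypt time depends on password length" would remove the ambiguity. Finally, "empirically derived" does not record the hardware or crypt scheme the 100 was measured with, so a reader building for a slower target cannot tell whether crypt() still finishes inside the delay and the username timing leak the comment describes stays closed; a short note of the measurement conditions would make that checkable.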