From 3c2436cd05a161aeac03d65ae85ebc9bdfdb3921 Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Tue, 12 Oct 2021 21:29:25 +0800
Subject: [PATCH] Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit
---
 sysoptions.h | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sysoptions.h b/sysoptions.h
index 3107a0e..0dbeca4 100644
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -86,6 +86,12 @@
 /* Required for pubkey auth */
 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))
+/* crypt(password) must take less time than the auth failure delay
+ (250ms set in svr-auth.c). On Linux the delay depends on
+ password length, 100 characters here was empirically derived.
+
+ If a longer password is allowed Dropbear cannot compensate
+ for the crypt time which will expose which usernames exist */
 #define DROPBEAR_MAX_PASSWORD_LEN 100
 #define SHA1_HASH_SIZE 20
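Review bot: The new comment above DROPBEAR_MAX_PASSWORD_LEN hard-codes the 250ms figure that actually lives in svr-auth.c, so the two can drift silently if the delay is ever tuned without anyone revisiting this limit. If the delay is a named constant in svr-auth.c, refer to it by name here rather than by value, and add a short back-reference beside the delay itself so a change on either side prompts a re-check; the closing sentence could also state the invariant directly, e.g. `Keep this small enough that crypt() on the longest accepted password stays well under the failure delay; otherwise password-auth timing reveals which usernames exist.` The remark that 100 characters "was empirically derived" would be more actionable if it recorded which crypt() hashing scheme and platform the measurement was taken on, since the per-character cost presumably differs between schemes and the figure may need re-measuring if the system default changes.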