Comment on reason for DROPBEAR_MAX_PASSWORD_LEN limit

2025-01-31 10:57:01 +00:00 · 2021-10-12 21:29:25 +08:00 · 2021-10-12 21:29:25 +08:00 · 3c2436cd05
commit 3c2436cd05
parent f3b72bfd18
1 changed files with 6 additions and 0 deletions
--- a/sysoptions.h
+++ b/sysoptions.h
@ -86,6 +86,12 @@
 /* Required for pubkey auth */
 #define DROPBEAR_SIGNKEY_VERIFY ((DROPBEAR_SVR_PUBKEY_AUTH) || (DROPBEAR_CLIENT))

+/* crypt(password) must take less time than the auth failure delay
+   (250ms set in svr-auth.c). On Linux the delay depends on
+   password length, 100 characters here was empirically derived.
+
+   If a longer password is allowed Dropbear cannot compensate
+   for the crypt time which will expose which usernames exist */
 #define DROPBEAR_MAX_PASSWORD_LEN 100

 #define SHA1_HASH_SIZE 20