LinuxQuestions.org
Old 08-03-2003, 05:06 AM   #1
Tarts
Member
 
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344

Rep: Reputation: 30
Login and password program for Linux from scratch, suggestions welcomed.


Login2:

Code:
#define _XOPEN_SOURCE
#define EXIT_SUCCESS 0
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

void wait(int seconds)
{
	clock_t endtime = clock() + seconds * CLOCKS_PER_SEC;
	while ((clock() < endtime));
}

int main()
{
	char *password, read[100], salt[] = "$1$8Hlk7DfS";
	FILE *file;
	if ((file = fopen("/etc/pssword", "r")) == NULL)
	{
		//'/etc/pssword' will exist, or it will use '/etc/shadow' the way it should
		//once I figure out how or someone knows and helps out.
		printf("\nFile doesn't exist, run 'pssword' first.\n");
		exit(-1);
	}
	password = (char *) malloc(100);
	if (fgets(read, sizeof(read), file) == NULL)
	{
		printf("\nNo password for %s exists, try running 'pssword' as root.\n", getlogin());
		free(password);
		exit(-1);
	}
	do
	{
		printf("\nPlease enter your password.\n");
		printf("\nPassword:");
		scanf("%s", password);
		//This seems like a problem: if 'password' doesn't meet the requirements
		//then it's copied to as many times as it doesn't.
		//This program needs to be compiled with the '-lcrypt' option
		//to utilize the GNU des library for the 'crypt()' function.
		strcpy(password, crypt(password, salt));
		if (strcmp(password, read) < 0 || strcmp(password, read) > 0)
		{
			wait(2);
			printf("\nPassword incorrect\n");
		}
	}
	while (strcmp(password, read) < 0 || strcmp(password, read) > 0);
	wait(2);
	printf("\n%s successfully logged in!\n", getlogin());
	if (fclose(file) == EOF)
	{
		printf("\nUnable to close file.\n");
		free(password);
		exit(-1);
	}
	free(password);
	return EXIT_SUCCESS;
}
I've been coding for 2 1/2 years off and on; the most use for pointers I've found so far is what you see above. I was wondering if the way I use 'password' above is correct. It works, but is it correct? This next question doesn't really belong here, but what's the debugger called in Linux? I use Slackware; I was hoping that if no one here used Slackware, there was a debugger that is in most distros that would also be in Slackware.
Thanks!
One more thing: this program isn't done yet, so if you see something that doesn't make sense, what can I say, it's just a project.

Last edited by Tarts; 08-03-2003 at 05:25 AM.
 
Old 08-03-2003, 05:12 AM   #2
Tarts
Member
 
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344

Original Poster
Rep: Reputation: 30
pssword2:

Code:
#define _XOPEN_SOURCE
#define EXIT_SUCCESS 0
#define MAX_PASS_LENGTH 15
#define MIN_PASS_LENGTH 6
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

void wait(int seconds)
{
	clock_t endtime = clock() + seconds * CLOCKS_PER_SEC;
	while ((clock() < endtime));
}

int main()
{
	char *password, write[100], salt[] = "$1$8Hlk7DfS";
	FILE *file;
	if ((file = fopen("/etc/pssword", "w+")) == NULL)
	{
		//At present you have to be root.
		printf("\nUnable to create '/etc/pssword', only root can change or create the password.\n");
		exit(-1);
	}
	password = (char *) malloc(100);
	do
	{
		printf("\nPlease input a password no more than 15 characters, no less than 6.\n");
		printf("Password:");
		scanf("%s", password);
		wait(2);
		if (strlen(password) < MIN_PASS_LENGTH)
		{
			wait(2);
			printf("\nThe password has to be greater than 6 characters, try again.\n");
		}
		else if (strlen(password) > MAX_PASS_LENGTH)
		{
			wait(2);
			printf("\nThe password needs to be less than 15 characters, try again.\n");
		}
	}
	while (strlen(password) < MIN_PASS_LENGTH || strlen(password) > MAX_PASS_LENGTH);
	//This program needs to be compiled with the '-lcrypt' option to utilize
	//the GNU des library for the 'crypt()' function.
	strcpy(write, crypt(password, salt));
	if (fputs(write, file) == EOF)
	{
		printf("\nUnable to write to file.\n");
		free(password);
		exit(-1);
	}
	if (fclose(file) == EOF)
	{
		printf("\nUnable to close file.\n");
		free(password);
		exit(-1);
	}
	free(password);
	return EXIT_SUCCESS;
}
This is the password program; I'm almost completely satisfied with it so far.
 
Old 08-03-2003, 05:48 AM   #3
kev82
Senior Member
 
Registered: Apr 2003
Location: Lancaster, England
Distribution: Debian Etch, OS X 10.4
Posts: 1,263

Rep: Reputation: 50
Your login program will currently accept input from a pipe and just keeps looping until the correct password is entered, so you can basically pipe the system dictionary to it - not good.

scanf is a very bad way to do input, as it does no bounds checking and echoes its output to the screen.

I think you should zero the password array at the start of each iteration of the do loop, just to be safe.

As soon as you can, you need to dump the root privileges.

What does your wait do that sleep doesn't? Also, there's a library function called wait, so perhaps a different name or make it static.

That's all I can see off the top of my head; sorry if I've read anything incorrectly, I just gave it a quick glance.

Oh, and the most likely installed debugger will be gdb.

Last edited by kev82; 08-03-2003 at 05:50 AM.
 
Old 08-03-2003, 06:19 AM   #4
Tarts
Member
 
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by kev82
Your login program will currently accept input from a pipe and just keeps looping until the correct password is entered, so you can basically pipe the system dictionary to it - not good.
OK, I didn't know that. What would be a possible solution? And also, what could happen if someone did that? System dictionary? Can you explain?

Quote:
scanf is a very bad way to do input, as it does no bounds checking and echoes its output to the screen.
Any suggestions on a function, one that doesn't output to stdout?

Quote:
I think you should zero the password array at the start of each iteration of the do loop, just to be safe.
It's a pointer, so I don't think I have to worry about it. (See post 1)

Quote:
As soon as you can, you need to dump the root privileges.
I didn't know there were any; I just knew that root had to run both programs because root owns the '/etc' directory. So if that's a root privilege then I know what you're talking about; if not, can you explain?

Quote:
Oh, and the most likely installed debugger will be gdb.
Great! Thanks.

Last edited by Tarts; 08-03-2003 at 06:30 AM.
 
Old 08-03-2003, 06:47 AM   #5
kev82
Senior Member
 
Registered: Apr 2003
Location: Lancaster, England
Distribution: Debian Etch, OS X 10.4
Posts: 1,263

Rep: Reputation: 50
The system dictionary contains a big list of words, so cat system_dict | login_program would try all the words in the system dictionary against the password until it found a match or reached the end. This can be fixed by using a better input method.

There is a function getpass in the std C library, but according to the man page it is obsolete and I can't find its replacement, so I guess the way to go is low-level terminal I/O. Have a look here: http://www.gnu.org/manual/glibc-2.2....nal-Modes.html

I didn't mean the permissions of the executable, I meant the running permissions. I agree it has to be run as root to read /etc/passwd, but after that you can drop some privileges - see below.

There will always be some vulnerability in your code that someone hasn't found yet, so it's better to be running as a non-root user when they find it. Basically, only be root when you need to. The functions to change this are setuid/seteuid/getuid/geteuid and their group equivalents.

Last edited by kev82; 08-03-2003 at 06:50 AM.
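
An added example, not code from the thread: one way to act on the input-handling points in posts #3 and #5, using termios to turn echo off, refusing input that does not come from a terminal, bounding the buffer and capping the number of tries. The names `read_password`, `login_loop`, `verify` and the value of `MAX_ATTEMPTS` are assumptions; the terminal check only rejects plain pipes, and the attempt cap and delay are what bound guessing.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <termios.h>
#include <unistd.h>
#define MAX_ATTEMPTS 3   /* assumed cap; the thread does not name a number */

/* Read one line from fd with echo off. Returns its length, or -1 if fd is
 * not a terminal (pipe, file), on EOF/error, or if the line overflows buf. */
int read_password(int fd, char *buf, size_t len)
{
    struct termios saved, noecho;
    size_t i = 0;
    ssize_t n;
    char c;

    if (len == 0 || !isatty(fd) || tcgetattr(fd, &saved) != 0)
        return -1;                        /* piped input is refused here */
    noecho = saved;
    noecho.c_lflag &= ~(tcflag_t)ECHO;
    if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0)
        return -1;
    while ((n = read(fd, &c, 1)) == 1 && c != '\n') {
        if (i < len - 1)
            buf[i] = c;                   /* bounded, unlike scanf("%s") */
        i++;                              /* keep counting to drain the line */
    }
    tcsetattr(fd, TCSAFLUSH, &saved);     /* always restore echo */
    if (n != 1 || i >= len) {
        memset(buf, 0, len);
        return -1;
    }
    buf[i] = '\0';
    return (int)i;
}

/* At most MAX_ATTEMPTS tries; verify() is a caller-supplied check (hypothetical). */
int login_loop(int fd, int (*verify)(const char *))
{
    char pw[64];
    for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
        if (read_password(fd, pw, sizeof pw) < 0)
            return -1;                    /* never retry on a non-tty */
        int ok = verify(pw);
        memset(pw, 0, sizeof pw);         /* clear between iterations */
        if (ok)
            return 0;
        sleep(2);                         /* delay before the next try */
    }
    return -1;
}
```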
 
Old 08-03-2003, 07:40 AM   #6
Tarts
Member
 
Registered: Feb 2003
Distribution: Slackware 9.1 (exclusively) ;)
Posts: 344

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by kev82
The system dictionary contains a big list of words, so cat system_dict | login_program would try all the words in the system dictionary against the password until it found a match or reached the end. This can be fixed by using a better input method.
I'll look into that, albeit I'm still a bit confused.

Quote:
There is a function getpass in the std C library, but according to the man page it is obsolete and I can't find its replacement, so I guess the way to go is low-level terminal I/O. Have a look here: http://www.gnu.org/manual/glibc-2.2....nal-Modes.html
Thanks for the link! I've seen low-level I/O before; I'll check out that site in detail.

Quote:
I didn't mean the permissions of the executable, I meant the running permissions. I agree it has to be run as root to read /etc/passwd, but after that you can drop some privileges - see below.
My program uses '/etc/pssword'; I can see how you got that mixed up though.

Quote:
There will always be some vulnerability in your code that someone hasn't found yet, so it's better to be running as a non-root user when they find it. Basically, only be root when you need to. The functions to change this are setuid/seteuid/getuid/geteuid and their group equivalents.
Valuable info! Thanks a lot, kev82.
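
The privilege-dropping advice quoted above, as an added example that is not part of the thread: open the root-only file first, then give up root permanently and confirm it cannot be regained. The function names `drop_privileges` and `open_then_drop` are hypothetical, and the target uid/gid and the file path are the caller's choice.

```c
#define _DEFAULT_SOURCE 1        /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, -1 if any step
 * fails or if root can still be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups first: only root may change them, and once
     * the uid is dropped they can no longer be cleared. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: after setuid() the right to setgid() is gone. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the ids are the ones requested ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* ... and that root is not recoverable through the saved uid. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* Do the one step that needs root, then drop before anything else runs.
 * Returns NULL if the file cannot be opened or the drop fails. */
FILE *open_then_drop(const char *path, uid_t uid, gid_t gid)
{
    FILE *f = fopen(path, "r");
    if (drop_privileges(uid, gid) != 0) {
        if (f)
            fclose(f);
        return NULL;             /* never continue as root */
    }
    return f;
}
```

Every return value is checked because a failed setuid() that goes unnoticed leaves the rest of the program running as root.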
 
  



All times are GMT -5.
