Login and password program for linux from scrach, suggestion's welcomed.
ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Login and password program for linux from scrach, suggestion's welcomed.
Login2:
Code:
#define _XOPEN_SOURCE
#define EXIT_SUCCESS 0
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <time.h>
void wait(int seconds)
{
clock_t endtime = clock() + seconds * CLOCKS_PER_SEC;
while ((clock() < endtime));
}
int main()
{
char *password, read[100], salt[] = "$1$8Hlk7DfS";
FILE *file;
if ((file = fopen("/etc/pssword", "r")) == NULL)
{
printf("\nFile doesn't exist, run 'pssword' first.\n"); //'/etc/pssword' will exsist or it will use
//'/etc/shadow' the way it should once i figure
//out how or someone know's and help's out.
exit(-1);
}
password = (char *) malloc(100);
if (fgets(read, sizeof(read), file) == NULL)
{
printf("\nNo password for %s exist's, try running 'pssword' as root.\n", getlogin());
free(password);
exit(-1);
}
do
{
printf("\nPlease enter your password.\n");
printf("\nPassword:");
scanf("%s", password);
strcpy(password, crypt(password, salt)); //This seem's like a problem, if 'password' doesnt meet the
//requirements then it's copied to as many time's as it doesnt.
//This program need's to be compiled with the '-lcrypt' option
//to utilize the GNU des library for the 'crypt()' function.
if (strcmp(password, read) < 0 || strcmp(password, read) > 0)
{
wait(2);
printf("\nPassword incorrect\n");
}
}
while (strcmp(password, read) < 0 || strcmp(password, read) > 0);
wait(2);
printf("\n%s successfully logged in!\n", getlogin());
if (fclose(file) == EOF)
{
printf("\nUnable to close file.\n");
free(password);
exit(-1);
}
free(password);
return EXIT_SUCCESS;
}
I've been coding for 2 1/2 year's off and on, the most use for pointer's i've
found so far is what you see above. I was wondering if the way is use 'password' above correct, it work's, but is it correct? This next question does'nt really belong here, but what's the degugger called in linux, i use slackware, i was hoping that if no one here used slackware that there was a debugger that is in most distros that would also be in slackware.
Thank's!
One more thing, this program isn't done yet so if you see something that doesn't make sense, what can i say, it's just a project.
#define _XOPEN_SOURCE
#define EXIT_SUCCESS 0
#define MAX_PASS_LENGTH 15
#define MIN_PASS_LENGTH 6
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <time.h>
void wait(int seconds)
{
clock_t endtime = clock() + seconds * CLOCKS_PER_SEC;
while ((clock() < endtime));
}
int main()
{
char *password, write[100], salt[] = "$1$8Hlk7DfS";
FILE *file;
if ((file = fopen("/etc/pssword", "w+")) == NULL)
{
printf("\nUnable to create '/etc/pssword', only root can change or create the password.\n"); //At present
//you have to be root.
exit(-1);
}
password = (char *) malloc(100);
do
{
printf("\nPlease input a password no more than 15 charactors, no less than 6.\n");
printf("Password:");
scanf("%s", password);
wait(2);
if (strlen(password) < MIN_PASS_LENGTH)
{
wait(2);
printf("\nThe password has to be greater than 6 charactors, try again.\n");
}
else if (strlen(password) > MAX_PASS_LENGTH)
{
wait(2);
printf("\nthe password need's to be less than 15 charactor's, try again.\n");
}
}
while (strlen(password) < MIN_PASS_LENGTH || strlen(password) > MAX_PASS_LENGTH);
strcpy(write, crypt(password, salt)); //This program need's to be compiled with the '-lcrypt' option to utilize
if (fputs(write, file) == EOF) //the GNU des library for the 'crypt()' function.
{
printf("\nUnable to write to file.\n");
free(password);
exit(-1);
}
if (fclose(file) == EOF)
{
printf("\nUnable to close file.\n");
free(password);
exit(-1);
}
free(password);
return EXIT_SUCCESS;
}
This is the password program, i'm almost completely satisfied with it so far.
your login program will currently accept input from a pipe and just keeps looping until the correct password is entered so you can basically pipe the system dictionary to it - not good.
scanf is a very bad way to do input as it does no bounds checking and echoes its ouput to the screen.
i think you should zero the password array at the start of each iteration of the do loop just to be safe.
as soon as you can you need to dump the root privaleges.
what does your wait do that sleep doesnt? also theres a library function called wait so perhaps a different name or make it static.
thats all i can see off the top of my head, sorry if ive read anything incorrectly i just gave it a quick glance.
oh and the most likely installed debugger will be gdb.
Originally posted by kev82
your login program will currently accept input from a pipe and just keeps looping until the correct password is entered so you can basically pipe the system dictionary to it - not good.
Ok i didn't know that, what would be a possible solution? And also what could happen if someone did that. System dictionary?Can you explain?
Quote:
scanf is a very bad way to do input as it does no bounds checking and echoes its ouput to the screen.
Any suggestion's on a function, one that doesn't output to stdout?
Quote:
i think you should zero the password array at the start of each iteration of the do loop just to be safe.
It's a pointer, so i don't think i have to worry about it. (See post 1)
Quote:
as soon as you can you need to dump the root privaleges.
I didn't know their where any, i just knew that root had to run both program's because root own's the '/etc' directory, so if that's a root privlege then i know what your talking about, if not can you explain?
Quote:
oh and the most likely installed debugger will be gdb.
the system dictionary contains a big list of words, so cat system_dict | login_program would try all the words in the system dictionary against the password until it found a match or reached the end. this can be fixed by using a better input method
there is a function getpass in the std c library but according to the man page it is obselete and i cant find its replacement so i guess the way to go is low level terminal io. have a look here: http://www.gnu.org/manual/glibc-2.2....nal-Modes.html
i didnt mean the permissions of the executable, i meant the running permissions. i agree it has to be run as root to read /etc/passwd but after that you can drop some privilages - see below.
there will always be some vulnerability in your code that someone hasnt found yet. so its better to be running as a non root user when they find it. basically only be root when you need to. the functions to change this are setuid/seteuid/getuid/geteuid and there group equivelents.
Originally posted by kev82
the system dictionary contains a big list of words, so cat system_dict | login_program would try all the words in the system dictionary against the password until it found a match or reached the end. this can be fixed by using a better input method
I'll look into that, albeit i'm still a bit confused.
Quote:
there is a function getpass in the std c library but according to the man page it is obselete and i cant find its replacement so i guess the way to go is low level terminal io. have a look here: http://www.gnu.org/manual/glibc-2.2....nal-Modes.html
Thank's for the link! I've seen low level i/o before, i'll check out that site in detail.
Quote:
i didnt mean the permissions of the executable, i meant the running permissions. i agree it has to be run as root to read /etc/passwd but after that you can drop some privilages - see below.
My program use's '/etc/pssword', i can see how you got that mixed up though,
Quote:
there will always be some vulnerability in your code that someone hasnt found yet. so its better to be running as a non root user when they find it. basically only be root when you need to. the functions to change this are setuid/seteuid/getuid/geteuid and there group equivelents.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
