Password through telnet

Ephracis · 12-15-2004, 05:11 PM

I have a server that listens to connection that are supposed to be done with just telnet. I don't care for encryption since the server won't be so big and serious but I do care for the password be in clear text when you type it in.

So the server send opens a socket and so on and when a connection is made is does something like this:

Code:

message = "Type in password: ";
send(socket, message, strlen(message), 0);
nbytes = recv(socket, buffer, maxsize, 0);

The thing here is that when you type in the password it is show in clear text. I don't want that. How can I fix this?

itsme86 · 12-15-2004, 10:51 PM

I use this in a program I wrote:

Code:

static char echo_on_str[] = { IAC, WONT, TELOPT_ECHO, '\0' };
static char echo_off_str[] = { IAC, WILL, TELOPT_ECHO, '\0' };

Just be sure to #include <arpa/telnet.h>

Just send whichever string you want to turn echo on and off.

P.S. You can also find a bunch of other cool stuff you can do with the telnet protocol by browsing through that header file.

You might also find the RFC helpful: http://www.faqs.org/rfcs/rfc854.html

Ephracis · 12-16-2004, 05:25 AM

I don't really understand what you mean. Should I send() the echo_off_str to the client from the server and then do a recv() to get the password?

Like this:

Code:

char *sendmsg;
char *recvmsg;
int nbytes;

static char echo_on_str[] = { IAC, WONT, TELOPT_ECHO, '\0' };
static char echo_off_str[] = { IAC, WILL, TELOPT_ECHO, '\0' };

sendmsg = "Password: ";
send(socket, sendmsg, strlen(sendmsg), 0);

send(socket, echo_off_str, sizeof(echo_off_str), 0);
nbytes = recv(socket, recvmsg, 256, 0);
send(socket, echo_on_str, sizeof(echo_on_str), 0);

itsme86 · 12-16-2004, 09:29 AM

Ephracis · 12-16-2004, 11:03 AM

Quote:

Originally posted by itsme86
Yes.

Well that did not work. But do I have to do a recv() before I can continue?

Because the next recv() got filled without letting the client respond.

itsme86 · 12-16-2004, 12:07 PM

It doesn't matter what you do after you send the echo_off_str. The telnet client receives it, turns local echo off, and anything the user types after that doesn't get echo'd until you send the echo_on_str which tells the client to turn local echo back on.

Maybe you're using a client that doesn't comply to the full telnet protocol standard?

Ephracis · 12-16-2004, 12:49 PM

I am using "telnet" that comes with Slackware Linux so I guess the chances that it is pretty "standard" are good.

But the problem is that after I send echo_off_str I seem to get some answer from the client. So then the password was filled with the returned answer (which I haven't checked what it is) but I could fix this by setting a recv() that just put the answer in "char *trash" and after that prompt for the password. So it is working.

But I wonder if it will work with other clients now.

itsme86 · 12-16-2004, 12:58 PM

If you plan on making your server work with telnet, then you should make your server comply to telnet protocol standards. Almost every telnet command you send will generate a reply.

If you just want to use the echo on/off thing then you can read in the reply and discard the 3 bytes that comprise the reply the client is sending to you.

Ephracis · 12-16-2004, 01:02 PM

Oh great. I was afraid that the reply was *not* supposed to be there so if I would have any client that follows the telnet protocol standars it would prompt two times before password.

But ok, so then I am doing it right, recv()ing the reply and after that getting password.

Thanks a lot.

bm17 · 12-16-2004, 04:21 PM

Alternately, you can just allow the user to see the password, and then use RFC 1097 to make him forget that he saw it.