Operating System - HP-UX

Masking a password within a C prog in UNIX

 
Joseph A Benaiah_1
Regular Advisor

Masking a password within a C prog in UNIX

Does anyone know how to mask a password when writing C for HP-UX? I am currently implementing a second level of security and need this as part of my program.

So far, I have not found a UNIX system programming book that contains this information so any contributions will be gratefully appreciated.

Joseph.
A. Clay Stephenson
Acclaimed Contributor

Re: Masking a password within a C prog in UNIX

Can you clarify your requirements? Do you merely wish to suppress echo of the typed password or do you wish to make it difficult for someone to examine the executable with the strings command and look for likely passwords?
I assume that you are trying in some way to safely embed a password into the executable.
If it ain't broke, I can fix that.
Kenneth Platz
Esteemed Contributor

Re: Masking a password within a C prog in UNIX

Joseph,

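The following isn't pretty, but appears to work:

#include <stdio.h>
#include <fcntl.h>
#include <termios.h>

int main() {
    int fd;
    char buf[BUFSIZ];
    struct termios ts;

    /* Open the controlling terminal so its echo setting can be changed */
    fd = open( "/dev/tty", O_RDWR | O_NOCTTY );
    if ( fd < 0 ) {
        perror( "/dev/tty" );
        return 1;
    }
    printf( "Please enter your password: " );
    fflush( stdout );               /* make sure the prompt is shown before reading */
    tcgetattr( fd, &ts );
    ts.c_lflag &= ~ECHO;            /* turn local echo off (clear the bit, don't toggle it) */
    tcsetattr( fd, TCSANOW, &ts );
    if ( fgets( buf, BUFSIZ, stdin ) == NULL )
        buf[0] = '\0';              /* EOF or read error: treat as empty input */
    putchar( '\n' );
    ts.c_lflag |= ECHO;             /* turn local echo back on */
    tcsetattr( fd, TCSANOW, &ts );

    printf( "Password is %s\n", buf );
    return 0;
}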

This opens the controlling TTY for your process (/dev/tty), and then uses the tcgetattr() and tcsetattr() calls to turn off and turn on local echo.

More information is available in the man pages for termio(7), tcgetattr(2) and tcsetattr(2).

I hope this helps.

I think, therefore I am... I think!
A. Clay Stephenson
Acclaimed Contributor

Re: Masking a password within a C prog in UNIX

I am going to assume that you actually want to hide a passwd with your c source so that a strings attack would not reveal the plaintext.
Please see the attached code. The idea is to create a very simple random number generator with a known seed. The output of successive calls to the RNG is xor'ed to each successive character of the plaintext password. In the encode phase, a small piece of c source is written to stdout to be included in your application. Your application then includes this piece of c code which is actually an initialized variable declaration containing octal representation of the xor'ed bytes of your plaintext password. You then call the decode function which converts the data in the declaration back into the original string by again xor'ing the data and using the same RNG with the same seed value. Please see the attached c source.
If it ain't broke, I can fix that.
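
The attachment mentioned in the post above is not on this page. As an added example (not the poster's code), here is one way the described encode and decode phases can look; the generator constants, the seed and all function names are assumptions. Because the seed and generator ship in the same binary, this only keeps the string out of strings output, which is the limitation raised in a later reply.

```c
#include <stdio.h>
#include <string.h>

#define RNG_SEED 12345u   /* assumed seed; encode and decode must share it */

/* Very simple linear congruential generator (constants are an assumption). */
static unsigned rng_next(unsigned *state)
{
    *state = (*state * 1103515245u + 12345u) & 0xFFFFFFFFu;
    return (*state >> 16) & 0xFFu;
}

/* XOR len bytes with successive generator outputs. The same routine
   encodes and decodes, since XOR with the same stream undoes itself. */
void xor_stream(const unsigned char *in, unsigned char *out, size_t len)
{
    unsigned state = RNG_SEED;
    size_t i;
    for (i = 0; i < len; i++)
        out[i] = in[i] ^ (unsigned char)rng_next(&state);
}

/* Encode phase: write an initialized declaration in octal to fp, ready to
   be included in the application. Returns the number of bytes encoded. */
size_t emit_declaration(FILE *fp, const char *plain)
{
    unsigned char enc[256];
    size_t len = strlen(plain), i;
    if (len > sizeof enc)
        len = sizeof enc;             /* cap to the local buffer */
    xor_stream((const unsigned char *)plain, enc, len);
    fprintf(fp, "static const unsigned char hidden[] = {");
    for (i = 0; i < len; i++)
        fprintf(fp, "%s0%o", i ? ", " : " ", (unsigned)enc[i]);
    fprintf(fp, " };\n");
    return len;
}

/* Decode phase: out must have room for len + 1 bytes. */
void decode(const unsigned char *hidden, size_t len, char *out)
{
    xor_stream(hidden, (unsigned char *)out, len);
    out[len] = '\0';
}

int main(void)
{
    emit_declaration(stdout, "Testing");   /* constructed sample input */
    return 0;
}
```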
A. Clay Stephenson
Acclaimed Contributor

Re: Masking a password within a C prog in UNIX

In case all you want to do is suppress echo; by far the easiest thing to do is call the function getpass.

char *pw;
pw = getpass("Enter your password");

man getpass
If it ain't broke, I can fix that.
Matts Kallioniemi
Occasional Advisor

Re: Masking a password within a C prog in UNIX

If you are trying to prevent a strings attack on your executable then it might be a better idea to set uid/gid on the executable and store the password in a text file. Hiding the password with reversible algorithms will not stop the determined attacker.

Please explain your threat model in more detail.
Joseph A Benaiah_1
Regular Advisor

Re: Masking a password within a C prog in UNIX

Thanks for the information. I have tried all of them, but obviously the getpass option is the easiest to remember.

The Threat:
I have 8 servers that can be accessed from the 2 central servers and 2 Ignite servers as root, i.e. the entries are in root's .rhosts file.

So that there is some type of audit trail, I want the System Administrators to log in using their own user id and su to root when required. The problem is that the System Administrators are logging onto the 8 servers from the 2 central servers which means that I do not have a decent audit trail of who is using the 8 servers and at what times, etc.
Therefore, a small amendment to /etc/profile will require a 2nd level password if the user is root and they are not logging in from the console.

Unfortunately, I could not think of any other way of doing it.

The password itself will be in the binary. One thing I tend to do is define an array such as:

char *letters[] = {"a","b","c","d","e","f","g"};

I keep this as a global variable and if I want the password to be 'cde' for example, I issue the following in the main code

char pw[8];
sprintf(pw, "%s%s%s", letters[2], letters[3], letters[4]);

Running a strings on this does not reveal the password of the characters in the array. However, if you know of any way that this could be hacked, please could you let me know.


Cheers.

Joseph.
Kenneth Platz
Esteemed Contributor

Re: Masking a password within a C prog in UNIX

Joseph,

The easiest thing I could think of would be to use the UNIX password encryption facilities:

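#include <string.h>
#include <unistd.h>   /* getpass() and crypt(); some systems declare crypt() in <crypt.h> */

/* Use the standard UNIX "passwd" command to set the password for a "dummy" user, then cut & paste the entry in the "passwd" file to the below array. In this case I used "Testing" */
char passwd[] = "LIWwCntiH/JGs";

int main() {
    char *attempt;
    char *encrypted;   /* not named "encrypt": that would clash with encrypt(3) */

    attempt = getpass( "Please enter password: " );
    if ( attempt == NULL )
        return 1;
    /* The stored entry is passed as the salt argument */
    encrypted = crypt( attempt, passwd );

    if ( encrypted == NULL || strcmp( encrypted, passwd ) != 0 ) {
        /* Failed attempt */
        return 1;
    } else {
        /* Successful attempt */
        return 0;
    }
}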

More information can be found in the man pages for crypt(3).

I hope this helps.


I think, therefore I am... I think!