masking password

Sanjay

All,

I'm developing a command line interface for a Java application. The CLI
makes a socket connection to my Java application and then sends text
over to the Java app. The text messages are commands which the Java
application would execute. Many users would be using this CLI, therefore
they would require a username & password. My problem is that when the
user types the passwd, the passwd gets printed on the console. How do I
mask the password? I use the telnet program on Windows to connect to
the Java app running on a remote host.

thanks in advance

sanjay
 
Christophe Vanfleteren

Sanjay said:
All,

I'm developing a command line interface for a Java application. The CLI
makes a socket connection to my Java application and then sends text
over to the Java app. The text messages are commands which the Java
application would execute. Many users would be using this CLI, therefore
they would require a username & password. My problem is that when the
user types the passwd, the passwd gets printed on the console. How do I
mask the password? I use the telnet program on Windows to connect to
the Java app running on a remote host.

thanks in advance

sanjay

You should let the server send a random string to the client.
Let the client append his password to the random string, and return an MD5
sum of the result to the server. Then do the same on the server and compare
the MD5 sums.
This way you've never sent the password over the wire, and the MD5 sum that
was sent over the wire cannot be reused by someone else in another
session.
Or of course you could run the entire process over a secure socket using SSL.
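
The challenge-response exchange described in the post above, as an added example that is not part of the original thread. It swaps in HMAC-SHA-256 keyed with the password for the MD5 of random string plus password, and tracks issued challenges so a captured pair cannot be replayed; the class name, method names and sample password are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ChallengeResponseDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Challenges the server has issued and not yet consumed (Base64-encoded).
    private static final Set<String> outstanding = new HashSet<>();

    // Server side: issue a fresh, unpredictable 128-bit challenge.
    static byte[] issueChallenge() {
        byte[] nonce = new byte[16];
        RNG.nextBytes(nonce);
        outstanding.add(Base64.getEncoder().encodeToString(nonce));
        return nonce;
    }

    // Both sides: proof = HMAC-SHA-256(key = password, message = challenge).
    static byte[] proof(byte[] nonce, String password) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(password.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(nonce);
    }

    // Server side: each challenge is accepted once; proofs are compared in constant time.
    static boolean verify(byte[] nonce, byte[] clientProof, String storedPassword) throws Exception {
        if (!outstanding.remove(Base64.getEncoder().encodeToString(nonce))) {
            return false; // challenge was never issued, or has already been used
        }
        return MessageDigest.isEqual(proof(nonce, storedPassword), clientProof);
    }

    public static void main(String[] args) throws Exception {
        String stored = "correct horse";              // constructed sample secret
        byte[] c1 = issueChallenge();                 // server -> client
        byte[] p1 = proof(c1, "correct horse");       // client -> server
        System.out.println("first login:              " + verify(c1, p1, stored));
        System.out.println("same pair replayed:       " + verify(c1, p1, stored));
        byte[] c2 = issueChallenge();
        System.out.println("old proof, new challenge: " + verify(c2, p1, stored));
        byte[] c3 = issueChallenge();
        System.out.println("wrong password:           " + verify(c3, proof(c3, "guess"), stored));
    }
}
```

Only the first check succeeds. As in the post, the server has to hold the password itself to recompute the proof.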
 
Roedy Green

My problem is that when the
user types the passwd, the passwd gets printed on the console. How do I
mask the password?

See javax.swing.JPasswordField
 
Roedy Green

Doesn't work in a command-line interface, though.

What's to stop the basically command line interface from having a tiny
gui component just to deal with username password?

If he puts passwords in the bat files, they are very exposed, whether
they display or not.

From the point of view of preventing someone mucking around
accidentally triggering the program, putting passwords in the bat file
does nothing. The meddler is likely to try just running the bat file
to find out what it is for.
 
Gordon Beaton

What's to stop the basically command line interface from having a
tiny gui component just to deal with username password?

For one, it would make an otherwise CLI-based program useless in a
purely CLI environment.

/gordon
 
xarax

Christophe Vanfleteren said:
You should let the server send a random string to the client.
Let the client append his password to the random string, and return an MD5
sum of the result to the server. Then do the same on the server and compare
the MD5 sums.
This way you've never sent the password over the wire, and the MD5 sum that
was sent over the wire cannot be reused by someone else in another
session.
Or of course you could run the entire process over a secure socket using SSL.

That presumes that the server already knows the client's
password. If the server must hand-off client requests
to another agent, then the client's password will be
required by that agent to authenticate the requests.

Example: Java client talking to a server application over
TCP/IP. The server needs to know what the client is allowed
to do by querying the platform security product with the
client's user-id and password. The server cannot get the
user's password from the platform security product, but
must request that information from the client and forward
it to the security product for authentication.

Digital certificates pose the same problem, since the
server is in-between the client and the security product.
Somehow, the client's credentials must be delivered to
the server in a secure manner, so that the server can
then use those credentials to query the security product
about what the client is allowed to do, if anything.

The client and the server need to agree on an encryption
mechanism to hide the credentials as they are transmitted
over the wire.
 
mromarkhan

peace be unto you
Tested using MS-DOS Prompt

--- outputs
C:\My Documents\omar\nntp-test\password2>javac JConioLib.java

C:\My Documents\omar\nntp-test\password2>javah -jni JConioLib

C:\My Documents\omar\nntp-test\password2>gcc -g -O2 -c -IC:/Dev-Cpp/include -Ic:
/j2sdk1.4.2_03/include -Ic:/j2sdk1.4.2_03/include/win32 -g JConioLib.c

C:\My Documents\omar\nntp-test\password2>dllwrap --output-def JConioLib.def --ad
d-stdcall-alias -o JConioLib.dll -s JConioLib.o
C:\MINGW\BIN\DLLWRAP.EXE: no export definition file provided.
Creating one, but that may not be what you want

C:\My Documents\omar\nntp-test\password2>javac Password.java

C:\My Documents\omar\nntp-test\password2>java Password
Please enter your password (Hint:java): *****
Incorrect password
Please enter your password (Hint:java): *****
Authenticated
Welcome super user


--- JConio.java
public class JConio
{
    JConioLib lib;

    public JConio()
    {
        lib = new JConioLib();
    }

    public int getch()
    {
        int i = lib.getch();
        return i;
    }
}

--- JConioLib.java
public class JConioLib
{
    public native int getch();

    static
    {
        System.loadLibrary("JConioLib");
    }
}

--- JConioLib.c
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>   /* declares getch() */
#include <jni.h>
#include "JConioLib.h"

/* Read one key from the console without echoing it. */
JNIEXPORT jint JNICALL Java_JConioLib_getch
  (JNIEnv * env, jobject obj)
{
    int c = getch();
    return (jint) c;
}

--- Password.java
class Password
{
    public static void main(String [] s)
    {
        String lineSeparator = System.getProperty("line.separator");
        String prompt = "Please enter your password (Hint:java): ";
        String realPassword="java"+lineSeparator.charAt(0);
        StringBuffer password = new StringBuffer();
        JConio conio = new JConio();
        boolean isAuthenticated = false;
        // for three tries
        for(int nTries = 1; nTries <= 3; nTries++)
        {
            // prompt for password
            System.out.print(prompt);
            char cPass;
            int len = 0;
            int i = 0;

            // create an infinite loop
            while(true)
            {
                // get a single character
                cPass = (char) conio.getch();

                // if the character does not equal
                // a carriage return or new line
                // add the character to the string buffer
                if (cPass != '\r' && cPass != '\n')
                {
                    password.append(cPass);
                }
                len++;

                // a carriage return forces the
                // cursor at the beginning of the line
                System.out.print("\r");

                // recreate the prompt
                System.out.print(prompt);

                // fill the length of the user input
                // with asterisk
                for (i = 0; i < len; i++)
                {
                    System.out.print("*");
                }

                // a carriage return or new line
                // char indicates the end of user
                // input or System.getProperty("line.separator");
                if (cPass == '\n' || cPass == '\r')
                {
                    password.append(cPass);
                    break;
                }
            }
            if(password.toString().equals(realPassword))
            {
                isAuthenticated=true;
                System.out.println("\nAuthenticated");
                break;
            }
            else
            {
                System.out.println("\nIncorrect password");
            }
            password.setLength(0);
        }
        if(isAuthenticated)
        {
            System.out.println("Welcome super user");
        }
        else
        {
            System.out.println("Access denied");
        }
    }
}

--- compilation
javac JConioLib.java
javah -jni JConioLib
gcc -g -O2 -c -IC:/Dev-Cpp/include -Ic:/j2sdk1.4.2_03/include -Ic:/j2sdk1.4.2_03/include/win32 -g JConioLib.c
dllwrap --output-def JConioLib.def --add-stdcall-alias -o JConioLib.dll -s JConioLib.o
javac Password.java
java Password

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
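
A no-echo prompt for a local console without a native library, as an added example that is not the poster's code. It uses java.io.Console.readPassword (Java 6 and later), which prints nothing while the user types instead of asterisks; the class name and the sample password are assumptions.

```java
import java.io.Console;
import java.util.Arrays;

public class ConsolePasswordPrompt {
    // Constructed sample secret, matching the hint in the transcript above.
    private static final char[] EXPECTED = {'j', 'a', 'v', 'a'};

    // Compare without stopping at the first differing character.
    // 'expected' must be non-empty.
    static boolean matches(char[] typed, char[] expected) {
        int diff = typed.length ^ expected.length;
        for (int i = 0; i < typed.length; i++) {
            diff |= typed[i] ^ expected[i % expected.length];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal (redirected input, some IDEs): refuse
            // rather than fall back to an echoing read of System.in.
            System.err.println("No console available; cannot read a password without echo.");
            System.exit(2);
        }
        for (int attempt = 1; attempt <= 3; attempt++) {
            char[] typed = console.readPassword("Please enter your password: ");
            if (typed == null) {
                break;                      // end of input
            }
            boolean ok = matches(typed, EXPECTED);
            Arrays.fill(typed, '\0');       // wipe the typed password from memory
            if (ok) {
                System.out.println("Authenticated");
                return;
            }
            System.out.println("Incorrect password");
        }
        System.out.println("Access denied");
        System.exit(1);
    }
}
```

The password is kept in a char[] rather than a String so it can be overwritten once the comparison is done.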
 
