Advanced Authentication
Here you will be tasked with enhancing the basic authenticator developed in the previous part of the lab exercise. You'll address two limitations:
- The password attempt is echoed to the terminal as it is typed, which is insecure
- The authenticator cannot handle multiple users, and the correct password is hardcoded in the program's binary
Hiding the Password Attempt Input
Having the console display what is typed when a password attempt is input is obviously not secure: someone could be taking a picture, filming, or peeking over the shoulder of the user attempting to authenticate.
An old way to read a password attempt without displaying it on the console is getpass.
However, as its manual page indicates, it is deprecated and should not be used.
The manual page indicates that termios, a set of functions controlling terminal attributes, should rather be used.
Implement two functions named disable_echo and enable_echo, which respectively disable and enable the display of typed characters on the command line.
They should both make use of the functions tcgetattr and tcsetattr provided by termios.
These functions take no parameters and return void.
They should be used in the main function of the authenticator program as follows:
```c
printf("Please input your password: \n");
disable_echo();
fgets(input, sizeof(input), stdin);
enable_echo();
```
For some hints on how to implement these two functions, see this StackOverflow post.
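The following is an added example of how the two functions can be built on tcgetattr/tcsetattr; it is not the lab's reference solution. It assumes the terminal is on stdin, saves the original attributes the first time they are touched so enable_echo restores exactly that state, and wraps the fgets call so the trailing newline is stripped. The pure helper apply_echo is split out so the flag logic can be checked without a real terminal.

```c
/* Added example (not part of the lab handout): echo control with termios.
 * Assumptions: the terminal is on STDIN_FILENO, and enable_echo restores the
 * attributes saved before the first change rather than just OR-ing ECHO back. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

static struct termios saved;      /* attributes captured before we touch them */
static int saved_valid = 0;

/* Pure helper: compute the new local-mode flags for the given echo state. */
tcflag_t apply_echo(tcflag_t lflag, int enable)
{
    return enable ? (lflag | ECHO) : (lflag & ~(tcflag_t)ECHO);
}

/* Returns 0 on success, -1 if fd is not a terminal (tcgetattr/tcsetattr fail). */
int set_echo(int fd, int enable)
{
    struct termios t;
    if (tcgetattr(fd, &t) != 0)
        return -1;
    if (!saved_valid) {           /* remember the original state once */
        saved = t;
        saved_valid = 1;
    }
    t.c_lflag = apply_echo(t.c_lflag, enable);
    return tcsetattr(fd, TCSAFLUSH, &t) == 0 ? 0 : -1;
}

/* The two functions the exercise asks for: no parameters, return void. */
void disable_echo(void) { set_echo(STDIN_FILENO, 0); }

void enable_echo(void)
{
    /* Restore the exact original attributes when we have them, so nothing
     * else we did not intend to change stays modified. */
    if (saved_valid)
        tcsetattr(STDIN_FILENO, TCSAFLUSH, &saved);
    else
        set_echo(STDIN_FILENO, 1);
}

/* Read one line with echo off and strip the trailing newline.
 * Returns the number of characters read, or -1 on EOF/error. */
int read_password(char *buf, size_t size)
{
    disable_echo();
    char *r = fgets(buf, (int)size, stdin);
    enable_echo();
    putchar('\n');                /* the user's Enter was not echoed */
    if (r == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return (int)strlen(buf);
}

int main(void)
{
    char input[128];
    atexit(enable_echo);          /* leave the terminal usable on normal exit */
    printf("Please input your password: ");
    fflush(stdout);
    if (read_password(input, sizeof input) < 0)
        return 1;
    /* ... compare the attempt against the stored hash here ... */
    memset(input, 0, sizeof input); /* do not leave the attempt lying in memory */
    return 0;
}
```

Two caveats worth knowing: atexit does not run on SIGINT, so a program that must not leave the terminal with echo off after Ctrl-C needs a signal handler that restores the saved attributes too; and a plain memset on a buffer that is never read again may be optimised away, which is why glibc offers explicit_bzero for wiping secrets.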
Storing User IDs and Passwords in a File
Hardcoding passwords in the binary, even if they are hashed and salted, is not particularly secure. Enhance the authenticator so that it reads the correct passwords from a file on disk. This database of correct passwords should also store the associated usernames, using the following format:
```
<username>:<hash function ID>$<salt>$<hash value>
```
The enhanced version of our authenticator should now take two command line parameters:
```
./authenticator <path to correct password file> <username to authenticate>
```
To test your code you can download an example of database file here.
This database contains 5 users with the following passwords (hashed with 500000 rounds of SHA-512, with salts saltsalt1 to saltsalt5):
| Username | Password |
|---|---|
| user1 | password1 |
| user2 | password2 |
| user3 | password3 |
| user4 | password4 |
| user5 | password5 |
A couple of hints about how to proceed:
- Use fopen/fclose and fgets to open/close and read the password database file line by line.
- Use strtok to extract the username and the password hash (separated by :).
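Here is an added example, not part of the handout, that follows those two hints: it reads the database line by line with fgets, splits each record with strtok, and looks up one username. The database text embedded in it is constructed for the example; its hash values are placeholders rather than real SHA-512 digests, and the hash function ID "6" is an assumption borrowed from the /etc/shadow convention for SHA-512. The lookup function takes a FILE* so the same code serves a file opened with fopen and an in-memory string opened with fmemopen.

```c
/* Added example (not part of the lab handout): reading the password database
 * in the <username>:<hash function ID>$<salt>$<hash value> format. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 256

struct record {
    char username[FIELD_MAX];
    char hash_id[FIELD_MAX];
    char salt[FIELD_MAX];
    char hash[FIELD_MAX];
};

/* Constructed sample database: placeholder hashes, one deliberately bad line. */
static const char *sample_db =
    "user1:6$saltsalt1$PLACEHOLDER_HASH_1\n"
    "user2:6$saltsalt2$PLACEHOLDER_HASH_2\n"
    "broken line without separators\n"
    "user5:6$saltsalt5$PLACEHOLDER_HASH_5\n";

static int copy_field(char *dst, const char *src)
{
    if (src == NULL || strlen(src) >= FIELD_MAX)
        return -1;
    strcpy(dst, src);
    return 0;
}

/* Split one record into its fields. strtok modifies the buffer and silently
 * skips empty fields, so a line with a missing part comes back short and is
 * rejected. Returns 0 on success, -1 on a malformed line. */
int parse_record(char *line, struct record *out)
{
    line[strcspn(line, "\r\n")] = '\0';          /* drop the newline fgets kept */
    char *user = strtok(line, ":");
    char *id   = strtok(NULL, "$");
    char *salt = strtok(NULL, "$");
    char *hash = strtok(NULL, "$");
    if (!user || !id || !salt || !hash || strtok(NULL, "$") != NULL)
        return -1;                               /* too few or too many fields */
    if (copy_field(out->username, user) || copy_field(out->hash_id, id) ||
        copy_field(out->salt, salt) || copy_field(out->hash, hash))
        return -1;
    return 0;
}

/* Scan a database stream for `username`. Returns 1 if found (fields in *out),
 * 0 if absent, -1 on a read error. Malformed and overlong lines are skipped. */
int find_user(FILE *fp, const char *username, struct record *out)
{
    char line[4 * FIELD_MAX];
    while (fgets(line, sizeof line, fp) != NULL) {
        if (strchr(line, '\n') == NULL && !feof(fp)) {
            int c;                               /* overlong line: discard the rest */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            continue;
        }
        struct record rec;
        if (parse_record(line, &rec) != 0)
            continue;
        if (strcmp(rec.username, username) == 0) {
            *out = rec;
            return 1;
        }
    }
    return ferror(fp) ? -1 : 0;
}

/* Same lookup over an in-memory database (fmemopen is POSIX.1-2008). */
int lookup_in_text(const char *db_text, const char *username, struct record *out)
{
    FILE *fp = fmemopen((void *)db_text, strlen(db_text), "r");
    if (fp == NULL)
        return -1;
    int rc = find_user(fp, username, out);
    fclose(fp);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <password file> <username>\n", argv[0]);
        return 2;
    }
    FILE *fp = fopen(argv[1], "r");
    if (fp == NULL) { perror(argv[1]); return 2; }
    struct record rec;
    int rc = find_user(fp, argv[2], &rec);
    fclose(fp);
    if (rc != 1) { fprintf(stderr, "unknown user\n"); return 1; }
    /* rec.hash_id, rec.salt and rec.hash now feed the hashing step from the
     * previous part of the lab; the attempt is compared against rec.hash. */
    printf("found %s (hash id %s)\n", rec.username, rec.hash_id);
    return 0;
}
```

Rejecting malformed lines instead of aborting matters for a file that may be edited by hand, and checking the field length before strcpy is what keeps an overlong record from overflowing the fixed-size struct.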
If you have access to a Linux installation where you have root permissions, you can check out the file holding the hashes for the different users on the computer with the following command (you'll see that the format is quite similar to that of our enhanced authenticator):
```
cat /etc/shadow
```
Submission
Add and push your advanced authenticator's source code as a single file named authenticator-advanced.c to the submission git repository.