httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ed Korthof>
Subject Re: dbmmanage overhaul
Date Mon, 28 Jul 1997 19:16:28 GMT
On Mon, 28 Jul 1997, Marc Slemko wrote:

> On Mon, 28 Jul 1997, Doug MacEachern wrote:
> > I agree, shall I turn off echo and prompt?  Or can the password still
> > be hijacked?
> Check out what htpasswd does.  Unfortunately, I'm not aware of a getpass()
> for perl.

I'm not aware of a getpass(), but the following works, at least to prevent
an echo and on Solaris and IRIX (and probably UNIX in general, though
probably not on Win32).  First, make sure to turn off buffering...

system("stty raw; stty -echo");

my ($c,$password);

while ($c = getc(STDIN) and $c ne "\n" and $c ne "\r") {
    $password .= $c;

system("stty sane");
(the sleep 1 may be paranoid, but it seems to help avoid problems)

Alternately, you could use htpasswd to get an encrypted form, store that
in a temporary file long enough to read it, and then use that -- which
works just as well.

I do think that passwords in the clear text should be avoided, especially
because this is so easy to avoid.  If it's possible to snoop the tty or a
pipe as someone other than root, though, I don't know how to fix that, and
I kind of think it's a lower level problem than ones we should be solving.

     -- Ed Korthof        |  Web Server Engineer --
     --    |  Organic Online, Inc --
     -- (415) 278-5676    |  Fax: (415) 284-6891 --

View raw message