Solved

Password for Server

Posted on 2001-06-20
Last Modified: 2010-04-06
How do you set a password for the server in a typical TCP/IP client-server connection such that the client must type in the correct password to access the server's files etc.?
Question by:marinedestroyer2
 
LVL 2

Expert Comment

by:FrodoBeggins
ID: 6210355
To access files you need another protocol (FTP or HTTP, at least). There the standard is username:pas@server[.domain] (e.g. ftp://marine@hardtoknowpassword:secret.yahoo.com/). But if you make your own protocol on the basis of TCP/IP, you choose the way. I'm not sure, but I think the TCP protocol has no account management implemented.
 
LVL 2

Expert Comment

by:FrodoBeggins
ID: 6210359
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6215427
marinedestroyer2, you need to give more details on what kind of client/server connection you're talking about. Most protocols have mechanisms to provide a login with a password already defined in the protocol, so the way to do things is given (for instance in an RFC).

If you want to implement your own password checking for a proprietary protocol, I'd use a hash approach instead of plain text passwords. MD5 is made just for that and is easy to use and implement.

 

Author Comment

by:marinedestroyer2
ID: 6217329
Sorry, I'm pretty new to Delphi so you have to help me along. I'm just using a standard client/server socket connection where the client sends commands to client and client responds. Could you tell me how to add a login type of thing such that the client has to input a password to log in to the server? Could you also tell me more about MD5?
Thanks
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6220420
Ok, I'm assuming that you're using a proprietary protocol. In this case, a very very simple method of authentication would be (plain text):
SERVER accepts connection
CLIENT sends: username password
SERVER closes connection if bad username/password

It's obvious that this method is not very secure since anyone listening on the network (packet sniffer, routers etc.) would be able to clearly see both username and password and use them on their own.

MD5 is a hashing algorithm which creates a 512 bit hash sequence for any given bit stream. It is designed in such a way that even if you see the hash, you will not be able to reverse-engineer the original value except with brute force (e.g. trying every possible combination).

So, a much more secure authentication could go like this:
SERVER accepts connection
CLIENT sends: username
SERVER sends: a random sequence of chars
CLIENT internally adds the password to that sequence and applies the MD5 algorithm, then sends the 512 bit hash back to the server
SERVER also internally adds the correct password to the sequence generated, computes the hash and compares it with the client's hash
SERVER closes connection if the hashes are not the same

The password is never sent as clear text over the network, and since the random sequence is different every time the client connects, the hash also changes every time. Since the hash is designed so that you cannot trace back the contents it was created from even if you knew part of the sequence used (that is, the random sequence), it's quite secure.

You can find an implementation of the MD5 algorithm here:
http://www.fichtner.net/delphi/md5.delphi.phtml?download=md5.pas

What it is and how it works is described here:
http://www.rfc-editor.org/rfc/rfc1321.txt
 

Author Comment

by:marinedestroyer2
ID: 6222305
yes......but how do you add the function where
CLIENT sends: username password
SERVER closes connection if bad username/password

and also, how do I make sure that the client isn't able to send a command to the server to do something? For instance, if there is a function copyfile in the server, like this
if ReceiveCommandsFromClient='Copy file' then
begin
CopyFile...........etc
end;
How do I prevent the Client from sending the 'Copy file' command to the server unless the client has sent the correct password to the server FIRST? I hope you can help me. Thanks
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6222438
Where and how to add it depends on the sockets library you're using as well as whether it is asynchronous or not. As a general rule, the server will be in a loop waiting for client commands to come in, and at the beginning the server should only accept the authentication commands, later on only the normal ones.

You cannot prevent the client from sending any unallowed commands; doing so would also make your server very insecure (imagine some hacker writing a client which does not respect these rules...). The *server* will have to reject the action asked by the client if the client is not yet (client has not authenticated) or not (client has authenticated but the authenticated user has insufficient rights) allowed to do it.
0
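
The two points AvonWyss makes above, a challenge-response login and a server that itself refuses every command until the login has succeeded, as an added example that is not code from the thread. It is written in Python rather than Delphi so it runs without a sockets component, and it uses HMAC-SHA-256 with a constant-time comparison where the thread concatenates the password to the challenge and hashes with MD5. The `USER`/`RESPONSE`/`COPYFILE` verbs and the `USERS` table are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample account store (assumption); a real server loads this from protected storage.
USERS = {"marine": "correct horse battery"}


def prove(password: str, challenge: bytes) -> str:
    """Client-side answer: HMAC-SHA-256 over the server's challenge, keyed by the password."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).hexdigest()


class Session:
    """Per-connection state; every line read from the socket goes through handle()."""

    def __init__(self):
        self.user = None
        self.challenge = None
        self.authenticated = False
        self.closed = False

    def handle(self, line: str) -> str:
        if self.closed:
            return "ERR closed"
        verb, _, arg = line.strip().partition(" ")
        if verb == "USER" and not self.authenticated:
            self.user = arg
            self.challenge = secrets.token_bytes(16)  # fresh random challenge per attempt
            return "CHALLENGE " + self.challenge.hex()
        if verb == "RESPONSE" and self.challenge is not None:
            # Unknown users get a throwaway secret, so the reply does not reveal which names exist.
            secret = USERS.get(self.user, secrets.token_hex(16))
            expected = prove(secret, self.challenge)
            self.challenge = None  # a challenge is good for one answer only
            if hmac.compare_digest(expected.encode(), arg.encode()):
                self.authenticated = True
                return "OK"
            self.closed = True  # the thread's rule: close the connection on a bad login
            return "ERR bad login"
        if not self.authenticated:
            return "ERR login required"  # server-side gate: nothing runs before login
        if verb == "COPYFILE":  # hypothetical command standing in for the asker's 'Copy file'
            return "OK copying " + arg  # placeholder for the real file operation
        return "ERR unknown command"
```

With a socket library, the receive handler would keep one `Session` per connection, pass each received line to `handle()`, send back the reply, and disconnect once `closed` is set.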
 

Author Comment

by:marinedestroyer2
ID: 6222801
ok........so what type of loop should I add
 
LVL 14

Expert Comment

by:AvonWyss
ID: 6224413
Why don't you post some code of yours? As written before, it's impossible to give you a correct hint without knowing what tools you're using (what components to use TCP/IP, whether you're running asynchronous or not, etc.).
 
LVL 26

Expert Comment

by:Russell Libby
ID: 8685035
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

PAQ/Refund

Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
Thank you,
Russell

EE Cleanup Volunteer
 

Accepted Solution

by:
PashaMod earned 0 total points
ID: 8812307
PAQ'ed and points not refunded,

PashaMod
Community Support Moderator @Experts Exchange

Question has a verified solution.
