Correctly processing passwords in Linux
Linux provides many API functions for handling passwords, but using them solves only half of the problem: the password itself must also be handled well. For example, it should exist in plain text only when that is strictly necessary.
The one moment at which the plain-text password must be exposed is when the user is asked for it during authentication. Some of the available API functions reduce this risk, including encryption, which should be applied immediately after the user's password has been obtained.
The first principle of password handling is never to write a plain-text password to disk, not even to a temporary file that is deleted immediately afterwards. Once the data has been stored on disk, it is hard to guarantee that it does not survive after use.
Although this principle sounds simple, remember that Linux uses virtual memory: if swap partitions are enabled, the contents of memory can be written to disk at any time. To prevent the password buffer from being written to swap, call the mlock API on it.
To ensure that the buffer is actually locked, you must write at least one value to each memory page.
Another important principle is that the password being typed should never be echoed to the terminal. You can write your own function or use the getpass function, which works like the following:
/* old and new are struct termios; lineptr and n are the caller's
   buffer pointer and its size, as passed to getline(3). */
/* Turn echoing off and fail if we can't. */
if (tcgetattr (fileno (stream), &old) != 0)
  return -1;
new = old;
new.c_lflag &= ~ECHO;
if (tcsetattr (fileno (stream), TCSAFLUSH, &new) != 0)
  return -1;

/* Read the password. */
nread = getline (lineptr, n, stream);
Obviously, the buffer passed to the function should be locked first.
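The following program is an added example, written for this page rather than taken from it or from glibc's getpass, that puts the pieces above together: a page-aligned buffer pinned with mlock (touching every page, as advised), a non-echoing read in the style of the getpass excerpt, and a wipe before the memory is unlocked and released. Two deliberate departures from the excerpt: it reads with fgets instead of getline, because getline may realloc the buffer and thereby move the password out of locked memory; and it skips the termios changes when the stream is not a terminal, so that piped input (and the test below) still works. PW_CAP, wipe, alloc_locked, free_locked and read_password are names chosen here, not an API of any library.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>

/* Constructed capacity for this example; real code chooses its own limit. */
#define PW_CAP 256

/* Overwrite a buffer through a volatile pointer so the compiler cannot
 * optimise the clearing away as a "dead store". */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Allocate a page-aligned buffer and pin it with mlock() so the kernel never
 * writes it to swap.  Returns NULL (with nothing left pinned) if locking
 * fails, so the caller never silently holds a password in swappable memory. */
static char *alloc_locked(size_t size)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = NULL;
    size_t off;

    if (page <= 0 || posix_memalign(&p, (size_t)page, size) != 0)
        return NULL;
    if (mlock(p, size) != 0) {
        free(p);
        return NULL;
    }
    /* Write one byte into every page, as the article advises, so each page
     * is resident before the lock is relied upon. */
    for (off = 0; off < size; off += (size_t)page)
        ((volatile char *)p)[off] = 0;
    return p;
}

/* Wipe, unpin and release a buffer obtained from alloc_locked(). */
static void free_locked(char *p, size_t size)
{
    if (p == NULL)
        return;
    wipe(p, size);
    munlock(p, size);
    free(p);
}

/* Read one line from stream into buf without echoing it, in the manner of
 * getpass(3).  Returns the password length, or -1 on error or when the line
 * does not fit in cap-1 bytes (buf is wiped in that case, so a truncated
 * password is never accepted).  Non-terminal streams are read unchanged. */
static ssize_t read_password(FILE *stream, char *buf, size_t cap)
{
    struct termios old, noecho;
    int fd = fileno(stream);
    int is_tty = isatty(fd);
    ssize_t len = -1;

    if (is_tty) {
        /* Turn echoing off and fail if we can't. */
        if (tcgetattr(fd, &old) != 0)
            return -1;
        noecho = old;
        noecho.c_lflag &= ~ECHO;
        if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0)
            return -1;
    }

    if (fgets(buf, (int)cap, stream) != NULL) {
        size_t n = strlen(buf);
        if (n > 0 && buf[n - 1] == '\n')
            len = (ssize_t)(n - 1);      /* complete line: drop the newline */
        else if (feof(stream))
            len = (ssize_t)n;            /* last line of input, no newline */
        /* otherwise the line was longer than cap-1: len stays -1 */
    }

    if (is_tty) {
        tcsetattr(fd, TCSAFLUSH, &old);  /* restore echo before anything else */
        fputc('\n', stderr);             /* the user's Enter was not echoed */
    }
    if (len < 0)
        wipe(buf, cap);
    else
        buf[len] = '\0';
    return len;
}

int main(void)
{
    char *pw = alloc_locked(PW_CAP);
    ssize_t len;

    if (pw == NULL) {
        perror("alloc_locked");
        return 1;
    }
    fputs("Password: ", stderr);
    len = read_password(stdin, pw, PW_CAP);
    if (len < 0)
        fputs("could not read password\n", stderr);
    else
        fprintf(stderr, "read %zd characters (hash it now, never store it)\n", len);
    /* Hash or verify the password here, then destroy it. */
    free_locked(pw, PW_CAP);
    return len < 0;
}
```

Build with `cc -o readpw readpw.c` and run it from a terminal. Note that mlock counts against RLIMIT_MEMLOCK, so alloc_locked can fail for an unprivileged process that already pins a lot of memory; the program refuses to continue rather than fall back to an unlocked buffer.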
Pluggable Authentication Modules (PAM)
PAM is a modular system that abstracts authentication, password management, session management, and account management. Applications written to work with PAM can use any of the available modules, and those modules can be removed or replaced by others without rewriting the applications.
PAM lets you do everything discussed in this article in a secure way instead of starting from scratch each time you write a new application for a different system. Unless you have a specific reason not to, we recommend using PAM; you will find it a better choice than porting an older scheme or writing your own.