[TYPO3-project-4-3] saltedpasswords for v4.3

Oliver Hader oliver at typo3.org
Tue Aug 11 11:06:25 CEST 2009


Hi everybody,

just FYI: I've added Sascha Kettler from AOE media to the Forge project.
He already was a member of the project some months ago and then got
removed for some reason...

Sascha is maintainer of the PECL package "crack" [1]. He will do a
review of saltedpasswords and contribute changes to SVN if necessary.

[1] http://pecl.php.net/package/crack

olly


Steffen Ritter wrote:
> Hi folks,
> 
> we finished "saltedpasswords" rewrite as sysext for TYPO3 4.3...
> We need you to test it on other systems.
> You'll find it at
>     https://svn.typo3.org/TYPO3v4/Extensions/t3sec_saltedpw/trunk
> attached is current T3X for easy testing...
> 
> Some facts:
> - on first login "oldformat" passwords are converted to salted if
> "updatePasswd" is set (standard).
> - Extension works on security levels "normal" and "rsa" in fe, for be
> you have to use "rsa" for security reasons...
> - You can choose between using blowfish and md5 to crypt your hash.
> Currently this might be risky since there is no real portability since
> blowfish is not available on every server... Since php 5.3 an own blowfish
> built-in library will be shipped which every time will be used as
> fallback if no syslib is installed.
> - We changed Hash-Format from a lib PHPasswd to a "generalized" and
> really "portable" format, which will allow you to use TYPO3 user db for
> other services (f.e.: smtp/pop3/imap-server, linux-login, samba shares
> (even in windows over ldap), nfs/printerservices). The PHPasswd format
> MAY be recognized if the old extension is available in ext-folder (not
> installed) and "handleOldFormat" is set
> 
> 
> Following things we are currently awaiting (you cannot test yet):
>  - user creation in admin panel does hardcoded md5, so be sure not to
> enable "forceSalted", which would only allow salted formats... I will
> provide a patch within the next days, as soon as we have this ext in.
>  - the user setup Module has currently md5 hardcoded, Steffen Kamper
> provided a patch, which allows to register your eval functions via Hook,
> I attached this too...
>  - for felogin "send new password" we are awaiting the patches in core
> list to use the hook which is introduced there...
-- 
Oliver Hader
TYPO3 Release Manager 4.3
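
Added example, not part of the original message and not code from saltedpasswords: a PHP sketch of the convert-on-first-login behaviour described in the quoted announcement. The function names are hypothetical, `$updatePasswd` and `$forceSalted` mirror the option names from the post, and the old format is assumed to be a bare unsalted MD5 hex digest.

```php
<?php
// Added illustration; function names are hypothetical, not the extension's API.
// $updatePasswd / $forceSalted mirror the option names mentioned in the post.

// Assumption: "old format" = bare 32-hex-digit unsalted MD5, no "$id$" prefix.
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) === 1;
}

// Returns ['ok' => bool, 'newHash' => ?string]; the caller persists newHash.
function verifyAndUpgrade(string $password, string $stored,
                          bool $updatePasswd, bool $forceSalted): array
{
    if (isLegacyMd5($stored)) {
        // forceSalted rejects legacy rows outright, even with the right password.
        if ($forceSalted || !hash_equals(strtolower($stored), md5($password))) {
            return ['ok' => false, 'newHash' => null];
        }
        // A successful login is the only time the plaintext is available,
        // so re-hash now into the salted crypt(3) format ($2y$ = Blowfish).
        $new = $updatePasswd ? password_hash($password, PASSWORD_BCRYPT) : null;
        return ['ok' => true, 'newHash' => $new];
    }
    // Salted modular-crypt hashes ($1$, $2a$, $2y$): password_verify() reads
    // the algorithm and salt from $stored and compares in constant time.
    return ['ok' => password_verify($password, $stored), 'newHash' => null];
}

// Constructed sample data, not real accounts.
$legacy = md5('s3cret');

// First login with a legacy row: accepted, and a salted replacement is issued.
$first = verifyAndUpgrade('s3cret', $legacy, true, false);
var_dump($first['ok'], isLegacyMd5($first['newHash']));

// Next login verifies against the salted hash; no further conversion happens.
$second = verifyAndUpgrade('s3cret', $first['newHash'], true, false);
var_dump($second['ok'], $second['newHash']);

// forceSalted set: the same legacy row is refused despite a correct password.
var_dump(verifyAndUpgrade('s3cret', $legacy, true, true)['ok']);
```

Accounts that never log in again keep their unsalted hash under this scheme, which is why enabling a salted-only mode before all creation paths emit salted hashes locks those users out.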

