[TYPO3-project-4-3] Salted Passwords in Combination with RSAauth

Dmitry Dulepov dmitry.dulepov at gmail.com
Sun Jun 14 20:22:42 CEST 2009


Hi!

Steffen Ritter wrote:
> If any service does any transformation on the submitted data, such as
> decrypting the encrypted password, this information is not retrieved
> from the service and therefore not passed to the next...
> So no later service can use the decryption of rsaauth.
> 
> Dmitry found a "workaround" for this, which will only work with
> plain and md5 passwords, not with salted or any other encryption, which
> won't always return the same result (details follow).

I do not think the above is correct. Rsaauth will process any evaluation that is registered with TCEmain. So if saltedpw implements a TCEmain evaluation, RSAAuth should work with it. t3sec_saltedpw did not work because it has checks for the "loginLevel" settings. It expects to see "normal" there and refuses to run if it sees "rsa". That was the problem as I discovered it.

> I did a small fix in checkAuthentification (which really nobody will
> hurt) and therefore this works, and rsaauth can be cleaned up by many
> lines...

-3 and +1 lines in your patch. But I am not sure if this change is correct. I deliberately passed the evaluation of the password to the default service. It allows reusing the existing code. I do not understand the meaning of the added line, and the removed lines are wrong.

If the login level is set to RSA, the RSA service is the only one that can authenticate the user. Salted passwords must be evaluated as TCEmain evaluations, and then they will work with the RSA service.

> So --> the only thing the rsa service has to do: save the decrypted
> password to the parent object and let do the normal authservices their
> job...

I think it is dangerous. It means that the password may become available to any intermediate code. I do not like it :(

> The attached patch for rsaauth is without cleanup of stuff which is not
> needed anymore because I did not want to mix up things... so there is
> just a change in storing the data and handing it around to other services.

Please, do not clean up anything there. There is only necessary code, and each line of it is truly necessary. During the review of this code I got proposals to clean up some lines; I explained why they are there and we all agreed they are necessary. By removing something from there, you risk breaking this module.

-- 
Dmitry Dulepov
LinkedIn: http://www.linkedin.com/in/dmitrydulepov
Twitter: http://twitter.com/dmitryd
Skype: liels_bugs