[TYPO3-project-4-3] Making RSA Auth default login method?

Steffen Kamper info at sk-typo3.de
Mon May 4 18:51:02 CEST 2009


Hi,

Ingmar Schlecht wrote:
> Hi all,
> 
> as you might have noticed, Dmitry today committed the RSA Auth
> extension, so a fully encrypted login procedure will be possible even
> without HTTPS with TYPO3 4.3.
> 
> However, it is not configured to be the default at the moment, but needs
> to be enabled by setting TYPO3_CONF_VARS[BE][loginSecurityLevel] (or FE
> respectively) to the value "rsa" in order to get active.
> 
> Now, the question is whether we should enable it by default instead.
> 
> Pros:
>  + secure by default (it's not possible any longer to log in with just
>    the MD5 of the password & the password is transmitted to the server
>    RSA encrypted (i.e. public/private key encryption))
> 
> Cons:
>  - People who don't have the openssl PHP extension installed might not
>    be able to log in at all and need to set their login security level
>    back to superchallenged (or something different) from the install
>    tool
> 
> Personally, I would tend to enable rsa by default (my feeling is that
> most servers have the openssl PHP extension installed). What would be
> ideal I think would be a fallback to superchallenged if openssl is not
> found...
> 
> What do you think?
> 

I'd like to point to two issues:
1) If you upgrade you already have be_users which have to be converted.
2) We don't have an intelligent install script. IMHO such a setting 
belongs in an installer which can check requirements to make the right 
proposal. Setting a default to something dependent on an extension is 
dangerous. I also think of newbies installing TYPO3 for the first time. If they 
are not able to log in they will delete the installed package and look 
for the next CMS.

Best regards, Steffen
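The two mechanisms discussed in this thread, the "fall back to superchallenged if openssl is not found" check and the RSA round trip behind a "rsa" login (server publishes a public key, the browser encrypts the password with it, the server decrypts with the private key), as an added illustration in PHP. This is example code written for this page, not code from ext:rsaauth or TYPO3 core; the function names, the OAEP padding choice and the sample password are assumptions, and the real extension's wire format (what the browser actually posts) is not reproduced here.

```php
<?php
// Added example, not TYPO3/ext:rsaauth code. Demonstrates (a) honouring a
// configured loginSecurityLevel of 'rsa' only when PHP can actually decrypt,
// and (b) the public-key encrypt / private-key decrypt round trip.
declare(strict_types=1);

/**
 * Pick the effective login security level (hypothetical helper). A configured
 * 'rsa' is only honoured when the openssl extension is loaded; otherwise fall
 * back to 'superchallenged' so that an upgrade or fresh install cannot lock
 * every user out.
 */
function effectiveLoginSecurityLevel(string $configured, bool $opensslLoaded): string
{
    if ($configured === 'rsa' && !$opensslLoaded) {
        return 'superchallenged';
    }
    return $configured;
}

/** Server side: create an RSA key pair; the public PEM goes to the browser. */
function generateKeyPair(int $bits = 2048): array
{
    $res = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($res === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    if (!openssl_pkey_export($res, $privatePem)) {
        throw new RuntimeException('private key export failed');
    }
    $publicPem = openssl_pkey_get_details($res)['key'];
    return [$publicPem, $privatePem];
}

/** Client side (JavaScript in the real login form): encrypt the password. */
function encryptPassword(string $password, string $publicPem): string
{
    // OAEP padding is this example's choice, not necessarily what ext:rsaauth used.
    if (!openssl_public_encrypt($password, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return base64_encode($cipher);
}

/** Server side: decrypt the posted value with the private key. */
function decryptPassword(string $b64, string $privatePem): string
{
    $cipher = base64_decode($b64, true);
    if ($cipher === false
        || !openssl_private_decrypt($cipher, $plain, $privatePem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed: ' . openssl_error_string());
    }
    return $plain;
}

// --- demo: what a login request would go through ---
$opensslLoaded = extension_loaded('openssl');
$level = effectiveLoginSecurityLevel('rsa', $opensslLoaded);
echo "configured=rsa openssl=" . ($opensslLoaded ? 'yes' : 'no') . " effective={$level}\n";

if ($level === 'rsa') {
    [$publicPem, $privatePem] = generateKeyPair();
    $sample = 'correct horse battery staple';          // constructed sample password
    $posted = encryptPassword($sample, $publicPem);     // what the browser would submit
    $recovered = decryptPassword($posted, $privatePem);
    echo $recovered === $sample ? "round trip ok\n" : "round trip FAILED\n";
}
```

Two caveats a practitioner should keep in mind. First, generating a key pair per request is expensive; a real implementation would cache the pair and only hand out the public half. Second, without HTTPS the public key itself is served unauthenticated, so this scheme stops a passive observer from reading the password but not an active attacker who can swap in their own key on the way to the browser.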

