[TYPO3-project-4-3] Making RSA Auth default login method?

Ingmar Schlecht ingmar at typo3.org
Mon May 4 19:53:44 CEST 2009


Hi Steffen,

Steffen Kamper wrote:
> I'd like to point to 2 issues:
> 1) If you upgrade you already have be_users which have to be converted

RSA Auth doesn't necessarily need to convert the passwords in the
database. Although of course salted MD5s would be better, they are not a
requirement for RSA Auth.

The main advantages of RSA Auth are that:
  - an attacker can't login any more if he only knows the MD5 of
    the password but not the password itself
  - the server gets to know the clear text password the user entered
  - the connection is still secured because it's RSA encrypted

So this is not about how we store the password in the database.
Theoretically it could still be MD5 or even clear text (although clear
text wouldn't really make sense because you could just as well use
superchallenged then).

> 2) we don't have an intelligent install script. imho such a setting
> belongs to an installer which can check requirements to make the right
> proposal. Setting the default to something dependent on an extension is
> dangerous. I also think of newbies installing TYPO3 for the first time. If they
> are not able to login they will delete the installed package and look
> for the next CMS

We could circumvent the problem with the extension not being installed
by making it required. Of course this will slightly slow down, but
everything will work (whether you have chosen rsa or superchallenged
authentication) because it will still look for the install tool value to
be set.

One more thing:
Even if we don't make RSA authentication the default for upgrading
installations, I would very much like to at least have it default for
new installations. That could be achieved by having that setting in the
dummy package...

cheers
Ingmar
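As an added illustration (not code from this thread or from the TYPO3 extension), the point about the stored MD5 being "password-equivalent" under a hash-based challenge/response but not under the RSA scheme, modelled in Python. The superchallenged response format (md5 of username, stored md5 and challenge), the textbook RSA key with Mersenne primes and the sample credentials are all assumptions made for the demonstration.

```python
import hashlib
import secrets

# Constructed sample account: credential stored as an unsalted MD5 digest,
# as be_users held it at the time (assumption for this demo).
PASSWORD = "correct horse"
STORED_MD5 = hashlib.md5(PASSWORD.encode()).hexdigest()


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# --- superchallenged-style flow (simplified model, assumed format) ---
# The client proves knowledge of md5(password) by hashing it together with
# the username and a server nonce; the server recomputes from its stored digest.
def sc_response(username: str, pw_md5: str, challenge: str) -> str:
    return md5hex(f"{username}:{pw_md5}:{challenge}")


def sc_server_verify(username: str, challenge: str, response: str) -> bool:
    return response == sc_response(username, STORED_MD5, challenge)


# --- RSA-style flow (textbook RSA, no padding; demonstration only) ---
P, Q = 2**127 - 1, 2**521 - 1          # Mersenne primes, modulus ~648 bits
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def rsa_encrypt(plaintext: str) -> int:
    m = int.from_bytes(plaintext.encode(), "big")
    assert m < N, "demo modulus too small for this plaintext"
    return pow(m, E, N)


def rsa_server_verify(ciphertext: int) -> bool:
    # The server decrypts, sees what the user actually typed, and compares
    # its digest with the stored one. Nothing hash-shaped is accepted as-is.
    m = pow(ciphertext, D, N)
    plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big").decode(errors="replace")
    return md5hex(plaintext) == STORED_MD5


def compare(username: str = "admin") -> dict:
    challenge = secrets.token_hex(16)
    return {
        "legit_sc": sc_server_verify(username, challenge, sc_response(username, md5hex(PASSWORD), challenge)),
        # Holding only the stored digest (e.g. a leaked dump) still yields a valid
        # response here, which is why that digest must be guarded like the password.
        "hash_only_sc": sc_server_verify(username, challenge, sc_response(username, STORED_MD5, challenge)),
        "legit_rsa": rsa_server_verify(rsa_encrypt(PASSWORD)),
        # Encrypting the digest instead of the password fails: the server re-hashes it.
        "hash_only_rsa": rsa_server_verify(rsa_encrypt(STORED_MD5)),
    }
```

The storage format is identical in both flows, which is the thread's point: the gain comes from what the server receives, not from how the database row looks.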

