[TYPO3-50-general] permission system plans
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Thu Apr 5 14:47:32 CEST 2007
werner mueller schrieb:
>
> well this will be true. never made any investigations.
>
> what i had in mind was authenticate mail, ftp, other things with typo3
> accounts. postfix uses crypt, pureftpd supports md5, courier again
> crypt, hopefully the same as postfix and mysql.
There are several authentications that are based on md5. But they use it
differently. Anyway for HTTP, SMTP, IMAP, POP and FTP they are described in
various RFCs. Though in the docs the external mechanism is described not
the internal storage. The point is: simply thrwoing a user supplied (plain
text) password against a value found in a db is naive.
> at the end of the day the only common method seemed to be cleartext. not
> the perfect solution. no question. requires encryption of all
> connections all over... the created password hashes in the logged
> queries where different all over. and sync typo3 with an ldap structure
> aint that funny too.
>
> the cheapest way of living keeping configs at a reasonable level are
> plain passwords. well: my opinion. (not happy with it)
Not so bad if you send it only over encrypted channels. All mentioned
protcols (excepct FTP: use SFTP or SCP!!!) may be run over a SSL connection
or support even connection upgrading ("start TLS" command).
Masi
More information about the TYPO3-project-5_0-general
mailing list