[TYPO3-project-4-3] saltedpasswords for v4.3

Steffen Ritter info at rs-websystems.de
Thu Jun 18 10:19:48 CEST 2009


Hi folks,

we finished "saltedpasswords" rewrite as sysext for TYPO3 4.3...
We need you to test it on other systems.
You'll find it at
	https://svn.typo3.org/TYPO3v4/Extensions/t3sec_saltedpw/trunk
attached is current T3X for easy testing...

Some facts:
- on first login "oldformat" passwords are converted to salted if 
"updatePasswd" is set (standard).
- Extension works on security levels "normal" and "rsa" in fe, for be 
you have to use "rsa" for security reasons...
- You can choose between using blowfish and md5 to crypt your hash. 
Currently this might be risky since there is no real portability, since 
blowfish is not available on every server... Since PHP 5.3 its own 
built-in blowfish library will be shipped, which will always be used as 
fallback if no syslib is installed.
- We changed Hash-Format from a lib PHPasswd to a "generalized" and 
really "portable" format, which will allow you to use TYPO3 user db for 
other services (f.e.: smtp/pop3/imap-server, linux-login, samba shares 
(even in windows over ldap), nfs/printerservices). The PHPasswd format 
MAY be recognized if the old extension is available in ext-folder (not 
installed) and "handleOldFormat" is set


Following things we are currently awaiting (you cannot test yet):
  - user creation in admin panel does hardcoded md5, so be sure not to 
enable "forceSalted", which would only allow salted formats... I will 
provide a patch within the next days, as soon as we have this ext in.
  - the user setup Module has currently md5 hardcoded, Steffen Kamper 
provided a patch, which allows to register your eval functions via Hook, 
I attached this too...
  - for felogin "send new password" we are awaiting the patches in core 
list to use the hook which is introduced there...


regards

Steffen
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: setup_beuserpw_eval.diff
Url: http://lists.netfielders.de/pipermail/typo3-project-4-3/attachments/20090618/0ef14bfc/attachment.txt 
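
The convert-on-first-login behaviour described in the mail, as an added example that is not part of the original message and not code from t3sec_saltedpw. It assumes PHP 7 or later; the function names are hypothetical, and only the option names "updatePasswd" and "forceSalted" come from the mail.

```php
<?php
// Added illustration; not code from t3sec_saltedpw. Function names are hypothetical.

/** Build a crypt() salt: Blowfish where available, MD5-crypt otherwise. */
function makeSalt(): string
{
    // crypt()'s salt alphabet is ./0-9A-Za-z, so map base64's '+' to '.'.
    $rand = strtr(base64_encode(random_bytes(18)), '+', '.');
    if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1) {
        return '$2y$10$' . substr($rand, 0, 22);  // 22-char salt, cost 10
    }
    return '$1$' . substr($rand, 0, 8) . '$';     // MD5-crypt, 8-char salt
}

/** Salted hashes use the crypt(3) modular format: $id$salt$hash. */
function isSalted(string $stored): bool
{
    return strncmp($stored, '$', 1) === 0;
}

/**
 * Check a login and return [ok, hashToStore].
 * $conf keys mirror the options named in the mail: updatePasswd, forceSalted.
 */
function checkLogin(string $plain, string $stored, array $conf): array
{
    if (isSalted($stored)) {
        // crypt() re-reads algorithm and salt from the stored hash itself.
        return [hash_equals($stored, crypt($plain, $stored)), $stored];
    }
    // Old format: unsalted md5 hex, as the admin panel still writes it.
    if (!empty($conf['forceSalted'])) {
        return [false, $stored];  // only salted formats are accepted
    }
    $ok = hash_equals(strtolower($stored), md5($plain));
    if ($ok && !empty($conf['updatePasswd'])) {
        $new = crypt($plain, makeSalt());
        if (isSalted($new)) {     // crypt() failure tokens do not start with '$'
            $stored = $new;       // convert on first successful login
        }
    }
    return [$ok, $stored];
}

// Constructed sample record: legacy md5 of a made-up password.
$record = md5('joh316');
[$ok, $record] = checkLogin('joh316', $record, ['updatePasswd' => true]);
echo 'first login: ', var_export($ok, true), ', salted now: ', var_export(isSalted($record), true), "\n";
[$ok2] = checkLogin('joh316', $record, ['forceSalted' => true]);
echo 'second login against salted hash: ', var_export($ok2, true), "\n";
```

The caller is expected to write the returned hash back to the user record whenever it differs from the stored one.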

