[TYPO3-project-4-3] saltedpasswords for v4.3
Sebastian Fischer
sebastian at fischer.im
Sat Jun 20 12:20:53 CEST 2009
Hi Steffen,
Steffen Ritter wrote:
> Hi folks,
>
> we finished "saltedpasswords" rewrite as sysext for TYPO3 4.3...
> We need you to test it on other systems.
> You'll find it at
> https://svn.typo3.org/TYPO3v4/Extensions/t3sec_saltedpw/trunk
> attached is current T3X for easy testing...
>
> Some facts:
> - on first login "oldformat" passwords are converted to salted if
> "updatePasswd" is set (standard).
What happens if a password is already md5 crypted in the db?
> - Extension works on security levels "normal" and "rsa" in fe, for be
> you have to use "rsa" for security reasons...
> - You can choose between using blowfish and md5 to crypt your hash.
> Currently this might be risky since there is no real portability since
> blowfish not avaliable on every server... Since php 5.3 a own blowfish
> build in library will be shipped which everytime will be used at
> fallback if no syslib is installed.
> - We changed Hash-Format from a lib PHPasswd to a "generalized" and
> really "portable" format, which will allow you to use TYPO3 user db for
> other services (f.e.: smtp/pop3/imap-server, linux-login, samba shares
> (even in windows over ldap), nfs/printerservices). The PHPasswd format
> MAY be recognized if the old extension is available in ext-folder (not
> installed) and "handleOldFormat" is set
>
>
> Following things we are currently awaiting (you cannot test yet):
> - user creation in admin panel does hardcoded md5, so be shure not to
> enable "forceSalted", which would only allow salted formats... I will
> provide a patch within the next days, as soon as we have this ext in.
This would be crucial for using.
> - the user setup Module has currently md5 hardcoded, Steffen Kamper
> provided a patch, which allows to register your eval functions via Hook,
> I attached this too...
Well agian ;) crucial
> - for felogin "send new password" we are awaiting the patches in core
> list to use the hook which is introduced there...
>
>
> regards
>
> Steffen
>
After reading i ask myself why didn't we have a feature like this until now.
Definitly a must have.
Greetings
Sebastian
More information about the TYPO3-project-4-3
mailing list