[TYPO3-v4] Request for comments: Separating password transmission from password comparison
Helmut Hummel
helmut.hummel at typo3.org
Fri Dec 23 12:52:38 CET 2011
Hi Dmitry,
Dmitry Dulepov wrote:
> Blocked by me because this change breaks the compatibility. We do not do
> that without prior notice.
How does it break compatibility such that you think it cannot go into 4.7?
There are only minor things that change for external auth-services, and what
changes are improvements or things that an auth-service should not rely on.
To explain it a bit more in detail:
How it is now:
$this->login['uident']
Contains the value transmitted in the password field if
$TYPO3_CONF_VARS['BE']['loginSecurityLevel'] is "superchallenged" or "rsa"
If the $TYPO3_CONF_VARS['BE']['loginSecurityLevel'] is "normal"
then the value transmitted in the password field (clear text password)
will be stored in $this->login['uident_text'] and $this->login['uident']
will be set to a calculated "superchallenged" value.
How it will be after my change:
Exactly the same, except that $this->login['uident'] will never be
overwritten with any calculated value, but will always contain what has
been transmitted in the password field.
So the only thing that changes is that other services will not find the
superchallenged value any more in $this->login['uident'] but only in
$this->login['uident_superchallenged'] if
$TYPO3_CONF_VARS['BE']['loginSecurityLevel'] is set to "normal".
So this change adds consistency to the data that is accessible by other
services and also makes it possible to transparently benefit from rsa
encryption, which is currently not possible for e.g. ldap auth services.
I will happily update any documentation on that if there is any on that
topic, and of course we need to mention it in the release notes. But I
do not understand why this improvement cannot go into a new TYPO3
version while other breaking changes can.
So what is your suggestion?
Kind regards,
Helmut
--
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
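The before/after population of $this->login described in the mail, as an added illustration that is not TYPO3 core code. The superchallenged formula (md5 of user:md5(password):challenge) and the sample username, password and challenge are assumptions for the demonstration.

```php
<?php
// Added illustration, not code from TYPO3 core or from the mail.
// Assumption: superchallenged = md5(user . ':' . md5(pass) . ':' . challenge).
function superchallenged(string $user, string $pass, string $challenge): string
{
    return md5($user . ':' . md5($pass) . ':' . $challenge);
}

// Build the $login array for a given loginSecurityLevel, either with the
// old behaviour ($afterChange = false) or the behaviour proposed in the mail.
function fillLogin(string $level, string $user, string $transmitted,
                   string $challenge, bool $afterChange): array
{
    // In every case 'uident' starts as the raw value from the password field.
    $login = ['uname' => $user, 'uident' => $transmitted];

    if ($level === 'normal') {
        // "normal": the field carried the clear-text password.
        $login['uident_text'] = $transmitted;
        $derived = superchallenged($user, $transmitted, $challenge);
        if ($afterChange) {
            // New: the derived value gets its own key, 'uident' is left untouched.
            $login['uident_superchallenged'] = $derived;
        } else {
            // Old: the transmitted value is overwritten by the derived one.
            $login['uident'] = $derived;
        }
    }
    // "superchallenged" and "rsa": 'uident' holds the transmitted value in
    // both versions, so an auth-service sees no difference there.
    return $login;
}

// Constructed sample values, used only to print the comparison.
$challenge = 'constructed-challenge';
foreach (['normal', 'superchallenged', 'rsa'] as $level) {
    foreach ([false, true] as $after) {
        $login = fillLogin($level, 'admin', 'secret', $challenge, $after);
        printf("%-16s %-6s uident=%s keys=%s\n", $level,
               $after ? 'after' : 'before', $login['uident'],
               implode(',', array_keys($login)));
    }
}
```

The comparison shows that only the "normal" level changes: an auth-service that wants the derived value must read 'uident_superchallenged', while 'uident' consistently carries what the form transmitted.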