[TYPO3-v4] Enabling saltedpasswords and rsaauth by default

Helmut Hummel helmut.hummel at typo3.org
Sun Jul 17 15:28:45 CEST 2011


Hi Steffen,

On 17.07.11 14:44, Steffen Gebert wrote:
> Hi Helmut,
>
>> I talked to Xavier at the T3CTM and he was fine enabling saltedpasswords
>> and rsaauth by default before feature freeze of 4.6. and implementing
>> checks if both are working properly until the final release.
>
> I think we're all in favor of this :)
>
> I think, the biggest blocker was the limited possibility of pre-install
> checks. So whether the environment allows to use rsaauth or not etc.
> Dunno, if improving this is already covered in the Install Tool
> refactorings.

Right. That's why I cannot make that part until the feature freeze. But 
for sure, it must be implemented until the final release.

>> I'm now wondering what would be the best for enabling the extensions.
>>
>> The easiest would be to just add them to the extlist in localconf.php
>> but this file is not in the repository, is it? Is this part of the
>> packaging script?
> But then, the user might not be able to login, if openssl is not
> available. Maybe saltedpasswords hooks itself (like DBAL) into the 1-2-3
> wizard and (de)activates itself, if prerequisites are (not) met?

We need these checks, for sure.

> localconf.php is part of the distributions repositories, e.g. here:
> http://git.typo3.org/TYPO3v4/Distributions/Blank.git?a=tree;f=Resources/typo3conf;h=d5206169e5bde7a4a5c20f9b73627d16e56675f6;hb=HEAD

Ah, thanks.

>> The alternative would be to install the extensions at some point during
>> the install process using the extension manager API, but this would be a
>> bit more complicated.
> Yes, for sure. Nevertheless, I think that's the way to go, in order to
> avoid too many frustrated users.
>
> For existing sites, we could also add an Upgrade Wizard, which at least
> strongly advises users to install saltedpasswords.

Both things are valid. Nevertheless I would like to do it the easy way 
first (before feature freeze) and then implement the checks (probably in 
the new refactored install) after that.

Agreed?

Kind regards,
Helmut

-- 
Helmut Hummel
TYPO3 Security Team Leader, TYPO3 v4 Core Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
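
Added example (not part of the original message and not TYPO3 code): a stand-alone PHP prerequisite check of the kind the thread asks for, deciding which of the two extensions can be enabled without risking a locked-out login. The function names are hypothetical, and the prerequisites tested (PHP's openssl extension for rsaauth, a working bcrypt `crypt()` for saltedpasswords) are assumptions made for illustration.

```php
<?php
// Added example. Function names are hypothetical; the prerequisites
// checked here are assumptions, not taken from the TYPO3 code base.

/** True if PHP's openssl extension completes a full RSA round trip. */
function canUseRsa() {
    if (!extension_loaded('openssl')) {
        return false;
    }
    // A loaded extension is not enough: key generation can still fail,
    // for example when no usable openssl.cnf is found.
    $key = @openssl_pkey_new(array(
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ));
    if ($key === false) {
        return false;
    }
    $details = openssl_pkey_get_details($key);
    $probe = 'constructed-probe-value';
    if (!openssl_public_encrypt($probe, $cipher, $details['key'])) {
        return false;
    }
    return openssl_private_decrypt($cipher, $plain, $key) && $plain === $probe;
}

/** True if crypt() yields a bcrypt hash that verifies against itself. */
function canUseSaltedHashes() {
    // Fixed constructed salt: this is a capability probe, not a password hash.
    $salt = '$2y$10$' . 'abcdefghijklmnopqrstuu';
    $hash = crypt('constructed-probe-value', $salt);
    // crypt() returns a short failure string ("*0") when bcrypt is unsupported.
    return is_string($hash) && strlen($hash) === 60
        && crypt('constructed-probe-value', $hash) === $hash;
}

/** Extensions whose prerequisites passed; only these are safe to activate. */
function extensionsSafeToEnable() {
    $list = array();
    if (canUseSaltedHashes()) { $list[] = 'saltedpasswords'; }
    if (canUseRsa())          { $list[] = 'rsaauth'; }
    return $list;
}

echo implode(',', extensionsSafeToEnable()), "\n";
```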

