[TYPO3-core] RFC #13754: Secure Install Tool Login
Bernhard Kraft
kraftb at think-open.at
Sat Mar 6 11:57:20 CET 2010
Hello !
This is a SVN patch request.
Type: Feature
Bugtracker references:
http://bugs.typo3.org/view.php?id=13754
Branches:
Trunk
Problem:
As we have an rsaauth library now and a service for salted passwords it
would make sense to:
1. store the install tool password as salted password instead of md5;
   this makes it harder for people having read access to localconf.php to
   use md5 digest for password cracking
2. use RSA for login and password changes so the password or its md5
   sum never gets transmitted directly over the line
3. add a way to set a new install password without transmitting its md5
   value in any direction over the line (so not even display the md5 sum to
   the admin user going to set the install tool password)
Solution:
See attached patch or bugtracker entry.
The way to set a new install tool password has changed. Just try it
and read the message shown when logging in.
Old md5 passwords get converted to salted passwords, as is common
when using the sysext "saltedpasswords".
greets,
Bernhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: installToolPassword_secure__v0.diff
Type: text/x-patch
Size: 21245 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100306/557a709d/attachment-0001.bin>
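
One way to convert a stored unsalted md5 value to a salted hash is to do it at the next successful login, when the plaintext is available. The sketch below is an added example, not code from the attached patch or from TYPO3: it uses PHP's built-in password_hash API instead of the saltedpasswords sysext, and the function names and sample password are hypothetical.

```php
<?php
// Added example, not TYPO3 code. Function names and the sample value
// are assumptions made for illustration.

/** True if the stored value looks like a legacy unsalted MD5 hex digest. */
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

/**
 * Verify a login attempt against the stored value.
 * Returns [bool $ok, ?string $replacement]; $replacement is a salted hash
 * to write back to the configuration when the stored value needs upgrading.
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacyMd5($stored)) {
        // Constant-time comparison against the legacy digest.
        if (!hash_equals($stored, md5($password))) {
            return [false, null];
        }
        // Correct password: re-hash it with a random per-password salt.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Upgrade again later if the default algorithm or cost changes.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $new];
}

// Constructed sample: legacy stored value for the password "example-only".
$stored = md5('example-only');

// A failed attempt leaves the stored value untouched.
[$ok, $new] = verifyAndUpgrade('wrong-guess', $stored);
var_dump($ok, $new);

// A successful attempt yields a salted replacement to persist.
[$ok, $new] = verifyAndUpgrade('example-only', $stored);
if ($ok && $new !== null) {
    $stored = $new; // a real setup would write this to the config file
}
var_dump(isLegacyMd5($stored));
var_dump(verifyAndUpgrade('example-only', $stored)[0]);
```

Until the first successful login after such a change, the configuration file still holds the unsalted digest, so its read permissions matter just as much as before.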