[TYPO3-core] RFC #13754: Secure Install Tool Login

Bernhard Kraft kraftb at think-open.at
Sat Mar 6 11:57:20 CET 2010


Hello!

This is a SVN patch request.


Type: Feature

Bugtracker references:
http://bugs.typo3.org/view.php?id=13754

Branches:
Trunk

Problem:
As we have an rsaauth library now and a service for salted passwords it 
would make sense to:

1. store the install tool password as salted password instead of md5
this makes it harder for people having read access to localconf.php to 
use md5 digest for password cracking

2. use RSA for login and password changes so the password or its md5 
sum never gets transmitted directly over the line

3. Add a way to set a new install password without transmitting its md5 
value in any direction over the line (so not even display the md5 sum to 
the admin user going to set the install tool password)


Solution:
See attached patch or bugtracker entry.
The way to set a new install tool password has changed. Just try it 
and read the message shown when logging in.
Old md5 passwords get converted to salted passwords like it is common 
when using the sysext "saltedpasswords".


greets,
Bernhard

-------------- next part --------------
A non-text attachment was scrubbed...
Name: installToolPassword_secure__v0.diff
Type: text/x-patch
Size: 21245 bytes
Desc: not available
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20100306/557a709d/attachment-0001.bin>
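
The conversion described in the message (a stored md5 value replaced by a salted hash once the correct password has been supplied), as an added PHP example that is not part of the original message or of the attached patch. The function name `verifyAndUpgrade` and the stored-value formats are assumptions, and PHP's `password_hash()` stands in for the hashing done by the saltedpasswords extension.

```php
<?php
// Added illustration, not TYPO3 code. verifyAndUpgrade() and the stored-value
// formats are assumptions; password_hash() stands in for the salted hashing.

/**
 * Check a login attempt against the stored install tool password.
 * Returns [bool $ok, ?string $newStoredValue]; the second element is non-null
 * when the caller should write an upgraded hash back to the configuration.
 */
function verifyAndUpgrade(string $plain, string $stored): array
{
    // Legacy format: bare 32-character hex MD5 digest, no salt.
    if (preg_match('/^[0-9a-f]{32}$/i', $stored) === 1) {
        // Constant-time comparison of the two digests.
        if (!hash_equals(strtolower($stored), md5($plain))) {
            return [false, null];
        }
        // Correct password: replace the unsalted digest with a salted hash.
        return [true, password_hash($plain, PASSWORD_DEFAULT)];
    }

    // Salted format produced by password_hash().
    if (!password_verify($plain, $stored)) {
        return [false, null];
    }
    // Re-hash if the default algorithm or cost has changed since storage.
    $upgrade = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($plain, PASSWORD_DEFAULT)
        : null;
    return [true, $upgrade];
}

// Constructed sample value: the legacy md5 form of a made-up password.
$legacy = md5('example-install-pw');

// Wrong password against the legacy value: rejected, nothing to store.
[$ok, $new] = verifyAndUpgrade('wrong-guess', $legacy);
var_dump($ok, $new);

// Correct password against the legacy value: accepted, salted value returned.
[$ok, $new] = verifyAndUpgrade('example-install-pw', $legacy);
var_dump($ok, $new !== $legacy);

// The salted value verifies on the next login and needs no further upgrade.
[$ok2, $new2] = verifyAndUpgrade('example-install-pw', $new);
var_dump($ok2, $new2);
```

The caller is responsible for persisting the returned value in place of the old md5 string; until that write succeeds, the unsalted digest is still what an attacker with read access to the configuration file would find.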

