[TYPO3-core] RFC #13754: Secure Install Tool Login
Steffen Ritter
info at rs-websystems.de
Sat Mar 6 12:18:35 CET 2010
Bernhard Kraft wrote:
> Hello !
>
> This is a SVN patch request.
>
>
> Type: Feature
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=13754
>
> Branches:
> Trunk
>
> Problem:
> As we have an rsaauth library now and a service for salted passwords it
> would make sense to:
>
> 1. store the install tool password as salted password instead of md5
> this makes it harder for people having read access to localconf.php to
> use md5 digest for password cracking
>
> 2. use RSA for login and password changes so the password or its md5
> sum never gets transmitted directly over the line
>
> 3. Add a way to set a new install password without transmitting its md5
> value in any direction over the line (so not even display the md5 sum to
> the admin user going to set the install tool password)
>
>
> Solution:
> See attached patch or bugtracker entry.
> The way how to set a new install tool password has changed. Just try it
> and read the message shown when logging in.
> Old md5 passwords get converted to salted passwords like it is common
> when using the sysext "saltedpasswords".
>
>
> greets,
> Bernhard
>
-1 because install tool should not depend on any extensions
-1 because rsaauth is not supported
-1 because if you are experimenting with those extensions you probably
need the install tool as fallback to deactivate it and recreate a new
adminuser