[TYPO3-core] RFC #13754: Secure Install Tool Login
Bernhard Kraft
kraftb at think-open.at
Sat Mar 6 20:58:31 CET 2010
Oliver Hader wrote:
> Without looking to the patch, transferring a password and storing a
> password are different things. I think it's not good to store the
> install tool password salted. So, let's remove storing data from this
> issue and discuss it separately.
Well. I just make a call to the "userAuth" service - and depending on
whether only rsaauth or additionally saltedpasswords is stored, the
password will get salted.
As the saltedpasswords service has higher priority than rsaauth it will
yield a salted password. So this "could" get separated but why write two
pieces of code if one fits both? ;)
> Using RSA to transfer password data sounds fine to me as long as there
> is a possibility to disable that e.g. with a link "Do you have problems
> with login, use this link instead"...
I guess this problem has been considered by all people reading this
thread. But if rsaauth does not work it will work neither for normal BE
login nor for the install tool. So I guess people will simply uninstall
the rsaauth extension ... which solves the problem.
We could add a message:
If login into the install tool does not work please try uninstalling the
rsaauth extension
But I guess it looks more professional if this is automatically tested
and a message:
rsa encryption not supported
gets shown instead of telling the user "try this and that"
greets,
Bernhard