Feature #20382
closedImplement RSA authentication for BE and FE
0%
Description
Problem: currently Backend and Frontend login procedures are not secure enough. The Backend sends a md5-hashed password and the Frontend sends a plain text password. Both ways allows to capture and reuse password by an attacker.
Solution: RSA authentication uses private/public key method to encode the password using public key on the client side (browser) and decode the password on the server using private key. The proposed patch adds this authentication method to TYPO3 through a specially developed authentication service. The service will create a pair of keys for each login attempt. Thus brute forcing does not make sense. Private key is stored in two places (separated in two parts), which makes it hard for the attacker to get the key. Also keys expires in 30 minutes, so the login is not possible using old keys. The service requires either openssl PHP extension, or the openssl binary. It does not "hack" TYPO3 in any way, it uses fully official way to integrate into the TYPO3 authentication chain.
Notes:
- the core had "superchallenged" method hard–coded. The first patch removes this code and places it to the "sv" extension, where it logically belongs
- the first patch makes it possible to implement any additional login method (for example, using certificates)
- the first patch also patches "felogin" to use RSA authentication automatically if enabled in the Install tool
- ajax login box does not work with RSA. I will re–factor it later, before the release of 4.3. It will use the same hooks thus making any authentication method possible
- to test the authentication you must do the following in sequence:
- apply the first patch to the core
- apply the second patch to add the "rsaauth" extension –OR– instal the extension using a supplied T3X file
- go to the Install tool and set [BE][loginSecurityLevel] to "rsa" (without quotes). This must be the very last step you do!
- the code was mostly reviewed by Ingmar (v4) and Andi (v5, security stuff). Only the core patch was changed after the review
- if you want to try FE authentication with RSA, set [FE][loginSecurityLevel] to "rsa"
- !!!***!!! if you want to stop using RSA authentication, the very first step must be removing "rsa" from the "loginSecurityLevel"! If you forget it and uninstall the extension before touching the Install tool, you will not be able to login to BE/FE anymore until you fix the Install tool settings!
(issue imported from #M11016)
Files