[Savannah-hackers] Resetting Savannah passwords
From: Loic Dachary
Subject: [Savannah-hackers] Resetting Savannah passwords
Date: Sat, 13 Jul 2002 15:17:27 +0200
Hi,
We need to reset all Savannah passwords.
Discussing with Mathieu Roy and Jaime Villate today (at
http://lsm.abul.org/ ;-) we came up with the following plan.
Please let us know if it is reasonable. It is not perfect (problem
with people who can't be reached by email) but we could not figure out
a better way.
We will start implementing & testing the process. The idea is
to do the actual password reset before Tuesday.
Thanks,
======================================================================
. Add a modified field in the user table
mysql -e "alter table user add modified timestamp" sourceforge
======================================================================
. Modify the account/login.php page
If unix_pw == 'NO_PASSWD'
-> print the following message (will be customized according to
the information we have in the database regarding the user)
The password for account USER_NAME has expired. A mail was
sent to EMAIL and you should receive it shortly. This mail contains a
URL that will allow you to set a new password. When the password is
changed you'll be able to login again and use your Savannah account.
Password expiration is a necessity to prevent compromise.
We apologize for the inconvenience.
If EMAIL is no longer a valid mail to reach you, the mail
will be lost and you'll have to resort to other measures. We strongly
encourage you to make sure the mail address registered on Savannah is
accurate.
Case 1: You are a member of a project and have write access
to the CVS tree.
Assuming your email address is address@hidden, do the
following (USER and PROJECT are placeholders):
cvs -d address@hidden:/cvsroot/PROJECT co CVSROOT
cd CVSROOT
cvs add address@hidden
cvs commit -m 'address@hidden'
send the following mail:
To: address@hidden
Subject: Reset Email user USER : address@hidden
Please check in /cvsroot/PROJECT CVSROOT/address@hidden
Thanks in advance.
Case 2: You are a member of a project.
Ask another member of the project to do the above (Case 1) on
your behalf.
Case 3: You're not a member of any project.
We have no way to figure out who you are and your Savannah
account is lost. You can register using another login name.
Before complaining we beg you to read this mail very carefully. You
have two ways to complain:
Complain method 1:
send a mail based on the following template:
To: address@hidden
Subject: Password for USER
I'm unhappy because ....
My user page is http://savannah.gnu.org/users/USER
Complain method 2:
Fill in a support request at
http://savannah.gnu.org/support/?func=addsupport&group_id=11
-> send e-mail as if lostpw was called.
======================================================================
. Test on yeupou/loic/villate accounts
======================================================================
. Save the user/email/password data
mysql -e "select user_name,email,unix_pw from user" sourceforge > /subversions/sourceforge/dumps/2002-07-13-users.txt
======================================================================
. Set passwd of users [1000,2000[ to NO_PASSWD
mysql -e "update user set unix_pw = 'NO_PASSWD' where user_id >= 1000 and
user_id < 2000" sourceforge
======================================================================
. Monitor password reset with the following:
- See successful password reset
mysql -e "select user_name from user where unix_pw != 'NO_PASSWD' and user_id >=
1000 and user_id < 2000" sourceforge
- See people who did not receive the notification email (or did
not yet click on the link after 12 hours)
mysql -e "select user_name from user where confirm_hash != '' and user_id >= 1000
and user_id < 2000 and modified > date_sub(now(), interval 12 hour)"
sourceforge
======================================================================
. People using pserver on /cvs won't be able to use their CVS
access anymore. If, for some reason, resetting a password on
Savannah is not an option, re-install the old password on a
case by case basis.
======================================================================
. After 4 days, patch the password reset method to integrate new
ideas & criticisms to improve it
======================================================================
. Run the new method on all other users user_id < 1000 or user_id >=
2000
--
Loic Dachary http://www.dachary.org/ address@hidden
12 bd Magenta http://www.senga.org/ address@hidden
75010 Paris T: 33 1 42 45 07 97 address@hidden
GPG Public Key: http://www.dachary.org/loic/gpg.txt
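
Added example, not part of the original message and not Savannah's code: a sketch of the staged expiry described in the plan above, showing the login path testing for the NO_PASSWD marker before any password comparison, a one-time value in confirm_hash, and the cohort monitoring query. Assumptions: sqlite3 stands in for MySQL, the user table is reduced to the columns the plan names, PBKDF2 stands in for the real unix_pw format, and all function names and sample accounts are constructed for illustration.

```python
import hashlib, hmac, secrets, sqlite3

SENTINEL = "NO_PASSWD"  # marker value the plan writes into unix_pw

def hash_pw(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()

def check_pw(stored, password):
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(stored, hash_pw(password, salt))

def make_db():  # constructed sample accounts on a reduced, assumed schema
    db = sqlite3.connect(":memory:")
    db.execute("create table user (user_id integer primary key, user_name text,"
               " unix_pw text, confirm_hash text default '')")
    for uid, name in [(999, "old"), (1000, "alice"), (1500, "bob"), (2000, "carol")]:
        db.execute("insert into user values (?, ?, ?, '')", (uid, name, hash_pw(name + "-pw")))
    return db

def expire_cohort(db, lo, hi):
    # Expire user_id in [lo, hi); returns {user_name: token} for the notification mails.
    names = [r[0] for r in db.execute(
        "select user_name from user where user_id >= ? and user_id < ?", (lo, hi))]
    tokens = {n: secrets.token_urlsafe(32) for n in names}
    for n, t in tokens.items():
        db.execute("update user set unix_pw = ?, confirm_hash = ? where user_name = ?", (SENTINEL, t, n))
    return tokens

def login(db, name, password):
    row = db.execute("select unix_pw from user where user_name = ?", (name,)).fetchone()
    if row is None:
        return "denied"
    if row[0] == SENTINEL:  # checked first: the marker is never treated as a hash
        return "expired"
    return "ok" if check_pw(row[0], password) else "denied"

def redeem(db, name, token, new_password):
    row = db.execute("select confirm_hash from user where user_name = ?", (name,)).fetchone()
    if not row or not row[0] or not hmac.compare_digest(row[0].encode(), token.encode()):
        return False
    db.execute("update user set unix_pw = ?, confirm_hash = '' where user_name = ?",
               (hash_pw(new_password), name))
    return True  # confirm_hash is cleared, so the same link cannot be used twice

def pending(db, lo, hi):  # mirrors the plan's monitoring query, inverted to list unreset accounts
    q = "select user_name from user where unix_pw = ? and user_id >= ? and user_id < ?"
    return [r[0] for r in db.execute(q + " order by user_id", (SENTINEL, lo, hi))]
```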