[Savannah-hackers] Resetting Savannah passwords


From: Loic Dachary
Subject: [Savannah-hackers] Resetting Savannah passwords
Date: Sat, 13 Jul 2002 15:17:27 +0200

        Hi,

        We need to reset all Savannah passwords.

        Discussing with Mathieu Roy and Jaime Villate today (at
http://lsm.abul.org/ ;-) we came up with the following plan.

        Please let us know if it is reasonable. It is not perfect (problem
with people who can't be reached by email) but we could not figure out
a better way.

        We will start implementing & testing the process. The idea is
to do the actual password reset before Tuesday.

        Thanks,

======================================================================
. Add a modified field in the user table

 mysql -e "alter table user add modified timestamp" sourceforge

======================================================================
. Modify the account/login.php page
  If unix_pw == 'NO_PASSWD'
  -> print the following message (will be customized according to
     the information we have in the database regarding the user)

        The password for account USER_NAME was expired. A mail was
sent to EMAIL and you should receive it shortly. This mail contains a
URL that will allow you to set a new password. When the password is
changed you'll be able to login again and use your Savannah account.

        Password expiration is a necessity to prevent compromise.
We apologize for the inconvenience.

        If EMAIL is no longer a valid mail to reach you, the mail
will be lost and you'll have to resort to other measures. We strongly
encourage you to make sure the mail address registered on Savannah is
accurate. 

Case 1: You are a member of a project and have write access
        to the CVS tree. 

        Assuming your email address is address@hidden, do the
        following (USER and PROJECT are placeholders) :

        cvs -d address@hidden:/cvsroot/PROJECT co CVSROOT
        cd CVSROOT
        cvs add address@hidden
        cvs commit -m 'address@hidden'

        send the following mail:

        To: address@hidden
        Subject: Reset Email user USER : address@hidden

        Please check in /cvsroot/PROJECT CVSROOT/address@hidden

        Thanks in advance.


Case 2: You are a member of a project.

        Ask another member of the project to do the above (Case 1) on
        your behalf. 

Case 3: You're not a member of any project.

        We have no way to figure out who you are and your Savannah
        account is lost. You can register using another login name.

Before complaining we beg you to read this mail very carefully. You
have two ways to complain:

Complain method 1:

        send a mail based on the following template:

        To: address@hidden
        Subject: Password for USER

        I'm unhappy because ....

        My user page is http://savannah.gnu.org/users/USER

Complain method 2:

        Fill a support request at

        http://savannah.gnu.org/support/?func=addsupport&group_id=11

   -> send e-mail as if lostpw was called.

======================================================================
. Test on yeupou/loic/villate accounts

======================================================================
. Save the user/email/password data 

  mysql -e "select user_name,email,unix_pw from user" sourceforge > /subversions/sourceforge/dumps/2002-07-13-users.txt

======================================================================
. Set passwd of users [1000,2000[ to NO_PASSWD

  mysql -e "update user set unix_pw = 'NO_PASSWD' where user_id >= 1000 and user_id < 2000" sourceforge

======================================================================
. Monitor password reset with the following:

  - See successful password reset

        mysql -e "select user_name from user where unix_pw != 'NO_PASSWD' and user_id >= 1000 and user_id < 2000" sourceforge

  - See people who did not receive the notification email (or did
    not yet click on the link after 12 hours)

        mysql -e "select user_name from user where confirm_hash != '' and user_id >= 1000 and user_id < 2000 and modified < date_sub(now(), interval 12 hour)" sourceforge

======================================================================
. People using pserver on /cvs won't be able to use their CVS 
  access anymore. If, for some reason, resetting a password on 
  Savannah is not an option, re-install the old password on a 
  case by case basis. 

======================================================================
. After 4 days, patch the password reset method to integrate new
  ideas & criticisms to improve it

======================================================================
. Run the new method on all other users user_id < 1000 or user_id >=
  2000

-- 
Loic   Dachary         http://www.dachary.org/  address@hidden
12 bd  Magenta         http://www.senga.org/      address@hidden
75010    Paris         T: 33 1 42 45 07 97          address@hidden
        GPG Public Key: http://www.dachary.org/loic/gpg.txt
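
Added example, not part of the original message and not Savannah's code: a Python/SQLite simulation of the staged expiry and the two monitoring queries in the plan above, run over constructed users, tokens and timestamps. The helper names and the in-memory schema are assumptions; the stale query selects tokens that have been pending for more than 12 hours, following the plan's description.

```python
import sqlite3
from datetime import datetime, timedelta

SENTINEL = "NO_PASSWD"                 # marker value from the plan's UPDATE step
NOW = datetime(2002, 7, 16, 12, 0, 0)  # constructed "current time"
ts = lambda d: d.isoformat(" ")        # sortable 'YYYY-MM-DD HH:MM:SS' text

def build_db():
    """In-memory stand-in for the user table, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table user (user_id integer, user_name text, email text,"
               " unix_pw text, confirm_hash text default '', modified text)")
    for uid, name in [(999, "early"), (1000, "alice"), (1500, "bob"), (1999, "carol"), (2000, "late")]:
        db.execute("insert into user values (?,?,?,?,'',?)",
                   (uid, name, name + "@example.org", "oldhash", ts(NOW - timedelta(days=30))))
    return db

def expire_batch(db, lo, hi, when):
    """Expire passwords for lo <= user_id < hi only (the plan's first batch)."""
    db.execute("update user set unix_pw=?, modified=? where user_id>=? and user_id<?",
               (SENTINEL, ts(when), lo, hi))

def request_reset(db, name, token, when):
    """Login on an expired account: record a pending token, as lostpw would."""
    db.execute("update user set confirm_hash=?, modified=? "
               "where user_name=? and unix_pw=?", (token, ts(when), name, SENTINEL))

def complete_reset(db, name, token, new_pw, when):
    """Mailed URL followed: set the new password and clear the token."""
    db.execute("update user set unix_pw=?, confirm_hash='', modified=? where user_name=? "
               "and confirm_hash=? and confirm_hash!=''", (new_pw, ts(when), name, token))

def reset_done(db, lo, hi):
    q = ("select user_name from user where unix_pw!=? and user_id>=? "
         "and user_id<? order by user_id")
    return [r[0] for r in db.execute(q, (SENTINEL, lo, hi))]

def stale_pending(db, lo, hi, now, hours=12):
    q = ("select user_name from user where confirm_hash!='' and user_id>=? "
         "and user_id<? and modified<? order by user_id")
    return [r[0] for r in db.execute(q, (lo, hi, ts(now - timedelta(hours=hours))))]

def scenario():
    db, t0 = build_db(), NOW - timedelta(hours=20)
    expire_batch(db, 1000, 2000, t0)
    request_reset(db, "alice", "tok-a", t0 + timedelta(hours=1))
    complete_reset(db, "alice", "tok-a", "newhash", t0 + timedelta(hours=2))
    request_reset(db, "bob", "tok-b", t0 + timedelta(hours=1))     # mailed 19h ago
    request_reset(db, "carol", "tok-c", t0 + timedelta(hours=18))  # mailed 2h ago
    return db, reset_done(db, 1000, 2000), stale_pending(db, 1000, 2000, NOW)
```

The half-open range leaves user_id 999 and 2000 untouched, and an account whose login check compares against any string other than the one written by the UPDATE never reaches the reset path.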