need to reset user passwords (+UI)
Bug #1288750 reported by
William Reade
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| juju-core |
Fix Released
|
Medium
|
Tim Penhey | ||
Bug Description
When a subtly malicious admin creates a new user and gives them a .jenv to identify them, the admin could keep a copy and use it to impersonate that user in future; when a client first logs in it should be required to reset the password and record a fresh one before taking any action.
This will involve factoring out and reusing existing logic currently used by agents.
The reset-password functionality must also be exposed in the UI, so that a user can respond effectively if their password is compromised.
| Changed in juju-core: | |
| status: | New → Triaged |
| importance: | Undecided → High |
| Changed in juju-core: | |
| importance: | High → Medium |
| Changed in juju-core: | |
| status: | Triaged → In Progress |
| status: | In Progress → Triaged |
| Changed in juju-core: | |
| assignee: | nobody → Tim Penhey (thumper) |
| status: | Triaged → In Progress |
| milestone: | none → 1.21-alpha2 |
| tags: | added: security |
| Changed in juju-core: | |
| status: | In Progress → Fix Committed |
| Changed in juju-core: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
