need to reset user passwords (+UI)

Bug #1288750 reported by William Reade
This bug affects 1 person
Affects: juju-core
Status: Fix Released
Importance: Medium
Assigned to: Tim Penhey

Bug Description

When a subtly malicious admin creates a new user and gives them a .jenv to identify them, the admin could keep a copy and use it to impersonate that user in future; when a client first logs in it should be required to reset the password and record a fresh one before taking any action.

This will involve factoring out and reusing existing logic currently used by agents.

The reset-password functionality must also be exposed in the UI, so that a user can respond effectively if their password is compromised.

Tags: security
William Reade (fwereade)
Changed in juju-core:
status: New → Triaged
importance: Undecided → High
Changed in juju-core:
importance: High → Medium
Changed in juju-core:
status: Triaged → In Progress
status: In Progress → Triaged
Tim Penhey (thumper)
Changed in juju-core:
assignee: nobody → Tim Penhey (thumper)
status: Triaged → In Progress
milestone: none → 1.21-alpha2
Curtis Hovey (sinzui)
tags: added: security
Tim Penhey (thumper)
Changed in juju-core:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released