| Summary: | merge account with new committer account | | |
|---|---|---|---|
| Product: | Services | Reporter: | Richard Scheffenegger <rscheff> |
| Component: | Bug Tracker | Assignee: | Oleksandr Tymoshenko <gonzo> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | gonzo, rscheff |
| Priority: | --- | | |
| Version: | unspecified | | |
| Hardware: | Any | | |
| OS: | Any | | |

Description
Richard Scheffenegger
2020-04-06 18:12:51 UTC
Just to confirm that the new @freebsd.org account exists.

How is simply resetting the kpasswd via SSH using the right @freebsd user name not an easy route for a denial of service? (E.g. anyone can reset the Kerberos passwords for all committers, who have to recover their passwords tediously thereafter, no?)

(In reply to Richard Scheffenegger from comment #1)

Hi Richard,

Accounts have been merged. Closing PR as fixed.

You can reset the user's password only if you have the user's private SSH key to log in to the kpasswd server. Without it, an attacker can only get this far:

    % ssh rscheff@kpasswd.freebsd.org
    Permission denied (publickey).