Bug 245406

Summary: merge account with new committer account
Product: Services
Reporter: Richard Scheffenegger <rscheff>
Component: Bug Tracker
Assignee: Oleksandr Tymoshenko <gonzo>
Status: Closed FIXED
Severity: Affects Only Me
CC: gonzo, rscheff
Priority: ---
Version: unspecified
Hardware: Any
OS: Any

Description Richard Scheffenegger freebsd_committer freebsd_triage 2020-04-06 18:12:51 UTC
Hi,

there should be a new rscheff@freebsd.org account, with which this rscheff@gmx.at account should be merged.

Comment 1 Richard Scheffenegger freebsd_committer freebsd_triage 2020-04-06 18:19:02 UTC
Just to confirm that the new @freebsd.org account exists.

How is simply resetting the kpasswd via SSH using the right @freebsd user name not an easy route for a denial of service? (E.g. anyone can reset the Kerberos passwords for all committers, who have to recover their passwords tediously thereafter, no?)

Comment 2 Oleksandr Tymoshenko freebsd_committer freebsd_triage 2020-04-07 06:09:04 UTC
(In reply to Richard Scheffenegger from comment #1)

Hi Richard,

Accounts have been merged. Closing PR as fixed.

You can reset the user's password only if you have the user's private SSH key to log in to the kpasswd server. Without it, an attacker can only get this far:

% ssh rscheff@kpasswd.freebsd.org
Permission denied (publickey).