SID-00502: Strange Password Behavior - All accounts unable to log in
| Status: |
Answered |
TWiki version: |
4.3.1 |
Perl version: |
5.8.7 |
| Category: |
CategoryAccessControl |
Server OS: |
Ubuntu 8.10 |
Last update: |
16 years ago |
All,
Some time over the weekend, all the user accounts stopped working on our twiki server - we were all getting wrong password errors. When we tried to reset the passwords, it allowed some of us - the rest it reported that we had no email addresses in our accounts. I found a .htaccess file that listed all those who requested the change - I found my own account in it, without a password, and the accounts in it which had already successfully requested a change, with their passwords.
The path to this .htaccess file was here:
/var/www/twiki/twiki/data/.htaccess
The only users listed here are those who requested a password reset. As each employee requested a password reset, their information would inter into the .htaccess file, but not their email. Once I manually entered their email account I was able to request a password reset on their behalf.
Does anyone have any idea why this may have happened? Does anyone know how I can go in and update the user accounts and add in their email addresses if they are missing?
Thanks!
MIke
--
MichaelCasale - 2009-08-24
Discussion and Answer
Hmm, first time I see a report like this. Possibly caused by a rogue plugin? Or if someone with shell access runs the
passwd command on TWiki's
.htpasswd, this would remove the e-mail addresses.
I suggest to restore the
.htpasswd from backup. You can manually fix entries, make sure each entry is of format:
FirstLastname:encryptedPassword:first.last@example.com
--
PeterThoeny - 2009-08-25
Thanks - the file you mentioned was wiped out, yet some users were able to request a new password, and others were not. Perhaps those users log into different webs than the default? There are other .htpasswd files there, no?
Thanks for your help. When I find what wiped out the file I'll let you know. For now the process is I request a password reset on behalf of the user, twiki populates the file with the username:encryptedPassword yet gives me an error in the
PasswordReset function. I then vi into the .htpasswd file and I add the user's email to the end of the string and request a reset on their behalf again. This works for now.
Mike
--
MichaelCasale - 2009-08-26
Seems the issue with the permission of the .htpasswd file. Please check-it should have write access to the apache server daemon user.
--
SopanShewale - 2009-08-27
All,
Thanks for all your help on this - the problems continue, though. For some reason users passwords appear to be resetting - they can request another reset, though. I can't tell if someone is doing this on their behalf as a prank, or if there is another problem.
Is there some sort of log that is on or that I can set which tracks twiki activity, so I can look for password reset requests for certain users?
Thanks!
Mike
--
MichaelCasale - 2009-09-10
grep the Apache access_log for TWiki/ResetPassword.
Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the
TWiki consultants if you need timely help. We invite you to
get involved with the community, it is more likely you get community support if you support the open source project!
--
PeterThoeny - 2009-11-23
If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.