+++ This bug was initially created as a clone of Bug #608355 +++

Description of problem:
When creating a new user, the password is sent to the user's email address in clear text.

Version-Release number of selected component (if applicable):
RHN Satellite 5.3.0 with latest patches and Spacewalk 1.0

How reproducible:
Always

Steps to Reproduce:
1. Create a new user
2. Get a phone call and hear that the Sat admin went insane because the password was sent by unencrypted email

Actual results:

Hello,

A Red Hat login has been created for you by Root Superuser. Your Red Hat login, in combination with an active Red Hat subscription, provides you with access to manage systems on Spacewalk.

Red Hat login: luc
Password: lalala
e-mail: root@localhost

https://spacewalk.example.com/

Important: Please change your password upon logging in.

Thank you for using Spacewalk.

--the Spacewalk Team

Expected results:
Being completely silent; credentials are handed over by phone or in a physical meeting.

Additional info:
Behavior on RHN Satellite is the same as on Spacewalk 1.0 (the upstream of RHN Satellite).
Fix by adding infrastructure to support one-time-use tokens that take the user to a change-your-password page.

* Occurs on "forgot my password" request
* Occurs on new-user creation
* Sends "go here to reset your password, or ignore"
* Sends confirmation email when password successfully changed/set
* Token expires on config setting (default = 48 hours)
* Tokens remain in db (rhnResetPassword) as audit trail

The following spacewalk.github commits enable this workflow:
7e63b252b61de573e00264e15b7ca8f750cc8950
e18542b50a95cf4c4b085a2f158645c46287e6e9
d1ede7633f2f52c07f91fb929755ee2aea86780d
52478842a3bdb09e91628b603cb685d74aa26cc8
4e962d33eb058c7d3143c809d01e1ad8b5548993
d8b8c43b00fddca3d1c3c35ba556ac4232af0537
1a64f52b7fd2003d1c7b1e1979f14308cd67f0a7
5d4fb4e2eb4f4d624b35a9d45e1482e1c345d586
daf10a96914ddb2a102083680e6cdb1d2cae0bc3
6b5c5ec2c777502b6dc40df6e677ec3bca099519
3bd414db18f4645433a8c1fde22cbe7b7f6cedd2
b39c8957c65a7389b841f22b65592b5d583fa0cd
1a0db1551caddbcf093f21b02b8cc49970e6e597

New emails:

** USER-CREATE: **

Subject: Your Spacewalk Account is ready

Hello,

A Red Hat login has been created for you by Admin Nimda. Your Red Hat login, in combination with an active Red Hat subscription, provides you with access to manage systems on Spacewalk.

Red Hat login: tokenuser4
e-mail: root@localhost

Please proceed to https://myspacewalk.example.com/rhn/ResetLink.do?token=0fe245a5e782e6cec82b2029f420568863b5e3a5 to set your password and enable your account.

Thank you for using Spacewalk.

--the Spacewalk Team

** FORGOT PASSWORD: **

Subject: Spacewalk Password Reset

[ This is an automated email sent to root@localhost at your request. ]

A request to reset the Spacewalk password for login admin has been made. To continue the reset process, please proceed to:

https://myspacewalk.example.com/rhn/ResetLink.do?token=d8187c209d21abccca693ef76b060a5a75fe64d6

If you don't want your password reset, you can ignore this email.

If you experience any further difficulties with the reset process, please contact your Spacewalk administrator for further assistance.

Thank you for using Spacewalk.

** ONCE PASSWORD IS SET/CHANGED SUCCESSFULLY: **

Subject: Spacewalk Password Reset Confirmation

[ This is an automated email sent to root@localhost. ]

The Spacewalk password for login admin has been reset in response to a reset request made at myspacewalk.example.com

If you did not initiate this password reset, please IMMEDIATELY contact the Spacewalk administrator at myspacewalk.example.com for further assistance.

Thank you for using Spacewalk.
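The one-time token workflow this comment describes, as an added example that is not Spacewalk's own code: the table name rhnResetPassword, the ResetLink.do URL shape and the 48-hour default come from the bug, while the in-memory store, the hashing of stored tokens and the method names are assumptions of this sketch.

```python
import hashlib
import secrets

# Added illustration of a one-time reset token store; not Spacewalk's code.
# rhnResetPassword and the 48-hour default come from the bug; the rest is assumed.
DEFAULT_LIFETIME_SECONDS = 48 * 3600


def _digest(token: str) -> str:
    # Store only a hash of the token so a dump of the table yields no live links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetPasswordStore:
    """In-memory stand-in for the rhnResetPassword table (assumption)."""

    def __init__(self, lifetime_seconds: int = DEFAULT_LIFETIME_SECONDS):
        self.lifetime_seconds = lifetime_seconds
        self.rows = {}  # token digest -> {"user", "created", "used_at"}

    def issue(self, user: str, now: float) -> str:
        """Create a fresh token for a new-user or forgot-password request."""
        token = secrets.token_hex(20)  # 40 hex chars, like the links in the bug
        self.rows[_digest(token)] = {"user": user, "created": now, "used_at": None}
        return token

    def reset_link(self, base_url: str, token: str) -> str:
        """Build the ResetLink.do URL; the password itself is never mailed."""
        return f"{base_url}/rhn/ResetLink.do?token={token}"

    def redeem(self, token: str, now: float):
        """Return the login if the token is valid, else None.

        Rows are never deleted: spent and expired tokens stay as the audit trail.
        """
        row = self.rows.get(_digest(token))
        if row is None:
            return None  # unknown or forged token
        if row["used_at"] is not None:
            return None  # one-time use: a second visit is rejected
        if now - row["created"] > self.lifetime_seconds:
            return None  # past the configured expiry
        row["used_at"] = now
        return row["user"]

    def audit(self, user: str):
        """All rows ever issued for a login, used or not."""
        return [r for r in self.rows.values() if r["user"] == user]
```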
spacewalk.github additional commits - NOT CURRENTLY IN 2.4:
d63e3302e3041567367b28bdccb509af9c8aba2c
7a47296d12dfd2745eeec884abddab21cc924823
Missed one other spacewalk.github additional commit - NOT CURRENTLY IN 2.4:
30c9ee863cea69c2fc1cd99ef1c60f1e2a81f3ab
Spacewalk 2.4 has been released.
Correction to #c2 and #c3: 2.4 contains both 7a47296d12dfd2745eeec884abddab21cc924823 and 30c9ee863cea69c2fc1cd99ef1c60f1e2a81f3ab.