Automated Password Reset

The automated password reset program allows users to semi-automatically reset passwords. It is a series of three scripts (located in /afs/.ugcs/drop/pwreset/token_db).


 * pwreset_shell.py: This is a shell program for the login account. It prompts the user for which one of their alternate addresses they want to use to reset the password. It needs to be copied to /afs/.ugcs/user/passwordreset/pwreset_shell.py so the account can actually read it.
 * pwreset_remctl.py: This is a remctl command on dionysus. It takes care of picking a token, emailing it, and adding the token to the database.
 * pwreset_cron.py: This is a cron script, run through a wrapper from cron.d on dionysus (every 5 minutes). It checks for new messages with valid tokens, and lets a sysadmin know if there are any.
 * pwreset_doreset.py: This script scans the mail directory of passwordreset for messages with tokens. It then prompts the sysadmin if they want to reset the password, makes a new password, and emails it back to the user.

pwreset.py is a library that contains some common code for the other files.

The tokens are kept in a flat db at /afs/.ugcs/drop/pwreset/token_db. It must be kept secure; otherwise a user could read the token and use it to reset a password. Because of this security need, the passwordreset user must *not* have access to the token_db file, so sysadmin intervention is required.
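The issue-and-check cycle for a flat token db, as an added example (not the UGCS pwreset code). The function names, JSON file format, token lifetime, owner-only mode check and storing only a digest of each token are all assumptions of this sketch, not details from the page.

```python
import hashlib, hmac, json, os, secrets, stat, time

TOKEN_TTL = 24 * 3600  # assumed lifetime; the page does not state one


def _load(db_path):
    """Read the flat token db, refusing a file that group/other can access.
    On AFS the directory ACL governs access, not these mode bits; this
    check applies to a db kept on a local file system (assumption)."""
    if not os.path.exists(db_path):
        return {}
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{db_path} has mode {mode:o}; expected 600")
    with open(db_path) as fh:
        return json.load(fh)


def _save(db_path, db):
    """Write atomically, creating the file with owner-only permissions."""
    tmp = db_path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(db, fh)
    os.replace(tmp, db_path)


def issue_token(db_path, username, now=None):
    """Pick a token, record only its SHA-256 digest, return the token to email."""
    token = secrets.token_urlsafe(24)
    db = _load(db_path)
    db[username] = {"digest": hashlib.sha256(token.encode()).hexdigest(),
                    "expires": (now or time.time()) + TOKEN_TTL}
    _save(db_path, db)
    return token


def redeem_token(db_path, username, token, now=None):
    """True if the token from a reply matches, is unexpired and was unused."""
    db = _load(db_path)
    entry = db.get(username)
    if entry is None:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    ok = (hmac.compare_digest(digest, entry["digest"])
          and (now or time.time()) <= entry["expires"])
    if ok:
        del db[username]  # single use: a replayed reply is rejected
        _save(db_path, db)
    return ok
```

Because only the digest is stored, reading the db does not yield a usable token, which limits the damage if the file's access control is ever misconfigured.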

This service requires the passwordreset full user (for maildir and login shell), as well as the passwordreset_kadmin user for the kadmin and cron commands. passwordreset_kadmin has access to the token db as well as the passwordreset maildir.

Users
Users use this service by logging in to passwordreset@to.ugcs.caltech.edu. The password is ugcs_pwreset. The login shell prompts them for their username and lets them pick from the emails they have on file. The remctl command on dionysus sends them an email. Once they respond, it is then up to a sysadmin to run pwreset_doreset.py.