[otrs] How can I reset passwords for all customers?


Bogdan Iosif

Mar 4, 2013, 6:38:02 AM
to OTRS User Mailing List
Hi,

I need to perform a mass reset of all customer passwords, for security reasons (hundreds of accounts).

Is there a shell script I can call to reset the password for each customer account? Can it be done directly from the database, without using Perl / OTRS framework?

Thanks,
Bogdan

P.S.: I thought this was the purpose of the otrs.SetPassword.pl script, but it seems it only works for agent accounts.

Michiel Beijen

Mar 4, 2013, 8:44:52 AM
to User questions and discussions about OTRS.
Hi Bogdan,

There is currently no such script in the framework. But I wrote this script a while ago, feel free to use it:


It works very similarly to the current script for agents. The only difference is if you do not provide a password on the command line, it will generate one for you.

In your case you'd need to get a list of customers out of the system and execute this script for every customer, using bash.

HTH,

Mike
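
The loop described in the message above (one call of the script per customer), as an added example that is not part of the original thread and is not the script Michiel refers to. SET_PW_CMD is a placeholder for that script and its "<login> <password>" argument order is an assumption; the function names and the file of logins (one per line, exported separately) are also made up for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the script from the thread. SET_PW_CMD stands in for the
# customer password script; its "<login> <password>" arguments are assumed.
: "${SET_PW_CMD:=/path/to/customer-password-script}"   # placeholder path

# gen_password: 15 bytes from the kernel CSPRNG, hex-encoded (30 chars, 120 bits).
gen_password() {
    head -c 15 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# reset_all LOGIN_FILE OUT_FILE
# LOGIN_FILE holds one customer login per line (blank lines and # comments are
# skipped). Each login gets its own random password; successful resets are
# recorded as "login<TAB>password" in OUT_FILE, readable by the owner only.
reset_all() {
    local login_file="$1" out_file="$2" login pw failed=0
    : > "$out_file" && chmod 600 "$out_file" || return 2
    while IFS= read -r login || [ -n "$login" ]; do
        case $login in ''|'#'*) continue ;; esac
        pw=$(gen_password)
        # stdin is redirected so the command cannot swallow the login list.
        # Note: a password passed as an argument is visible in `ps` while the
        # command runs, so run this on a host without untrusted local users.
        if "$SET_PW_CMD" "$login" "$pw" </dev/null >/dev/null; then
            printf '%s\t%s\n' "$login" "$pw" >> "$out_file"
        else
            echo "password NOT changed for: $login" >&2
            failed=$((failed + 1))
        fi
    done < "$login_file"
    [ "$failed" -eq 0 ]   # non-zero exit status if any account was skipped
}

# Usage: script.sh logins.txt new-passwords.tsv
if [ "$#" -eq 2 ]; then
    reset_all "$1" "$2"
fi
```

The output file is the plaintext list of new passwords, so it should be deleted once the values have been handed over.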



Gerald Young

Mar 4, 2013, 8:49:26 AM
to User questions and discussions about OTRS.
UPDATE customer_user SET pw="Ra@ndomString!"

Brute force, but definitely would work.


Bogdan Iosif

Mar 4, 2013, 8:50:03 AM
to User questions and discussions about OTRS.
I was just about to write back that I managed to get my problem solved by slightly modifying the existing otrs.SetPassword.pl.

Your version is cleaner than mine though so I won't post my version.

Thanks!

Bogdan Iosif

Mar 4, 2013, 8:55:15 AM
to User questions and discussions about OTRS.
I don't think this would work for me because I need to reset passwords to values that are later communicated to customers. It can't easily be done just at the db level because the pw hash is salted with their usernames.

Gerald Young

Mar 4, 2013, 9:02:25 AM
to User questions and discussions about OTRS.
"I need to reset passwords to values that are later communicated to customers"
I don't see how this is good security, especially since the passwords aren't forced to reset and you've now generated a list of passwords for all your users in plain text after a potential security breach. 

I realize you have to do what you have to do, but having the users reset their own password is (IMO) a safer tactic.

Bogdan Iosif

Mar 4, 2013, 9:39:14 AM
to User questions and discussions about OTRS.
You're right, leaving the reset to the customers would've been better. Unfortunately, we've already committed to having those passwords on hand because some of our customer accounts have invalid emails (they don't want to provide an email address to be 100% sure they don't get any notifications) and some accounts share the same email address (support email address from customer's company).


David Boyes

Mar 4, 2013, 11:48:40 AM
to User questions and discussions about OTRS.

A password expiration date would be a useful addition to OTRS (or the option to defer authentication to PAM, where we can already do that). If the password is expired, OTRS could force the password change on expiration; setting the field to zero would be “never expire”.

I like the PAM idea a lot better, though – that would permit this to work with any authentication method, and be a much more general solution to the problem.

Gerald Young

Mar 4, 2013, 12:12:37 PM
to User questions and discussions about OTRS.
PAM should already work via external authentication, but is impractical in Bogdan's situation where there is zero email or multiple users for one email address and there is no way to notify nor provide an individual customer user how to change her password securely and easily.

Since it appears contact needs to be made manually anyway, it seems practical to change the passwords over the phone on demand.

