24 Jan
2010
24 Jan
'10
1:42 p.m.
Hello,
The most common support request is to reset BitFolk account
password. I have therefore implemented a password reset feature to
the web panel at https://panle.bitfolk.com/.
It works as you would expect:
- Someone follows the "reset password" link on the login screen.
- They are invited to put in an account name. If the account exists
and reset is enabled for that account, then an email is generated
with an authorisation key in it. The email is sent to the email
address on record for that account.
The email also contains the IP address of the client that
requested the reset, together with their browser's user agent and
the time stamp.
- Following the link in the email within 12 hours will randomly
generate a new password. Nothing will happen if the link is not
followed.
When this was last discussed, there were a few people who didn't
like the idea of their passwords being able to be reset by email and
potentially being exposed to an attacker who already has control of
their email account. Therefore I have also added the option to
disable the feature.
I will put the feature live on Wednesday 27th January, so if you
don't like the idea of the above being possible please go to
https://panel.bitfolk.com/account/security/ and disable it.
In the near future I shall also add a third option for PGP encrypted
emails, which should allay most people's concerns about that
feature, but I am keen to get a basic version of this deployed
before the weekend of 6th February as I'll be at FOSDEM and support
will be emergencies only.
Clearly forms to change other personal details such as email
and postal addresses are also required, and also will be coming
soon.
On the security link above you will also find a password change
form for those who prefer a web page vs. logging in to the Xen Shell
and typing "passwd".
As always I'm keen to hear what people's priorities are for other
features to be added to the panel. I'm also open to ideas about
software for managing such feature requests, as RT probably isn't
best suited to it.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"Whoever is responsible for this stunning design failure deserves continuous
cockpunches." -- jwz
24 Jan
24 Jan
1:44 p.m.
On Sun, Jan 24, 2010 at 01:42:00PM +0000, Andy Smith wrote:
I have therefore implemented a password reset feature
to the web
panel at https://panle.bitfolk.com/.
https://panel.bitfolk.com/ clearly!
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"I remember the first time I made love. Perhaps it was not love exactly but I
made it and it still works." -- The League Against Tedium
1:51 p.m.
New subject: Feature tracking
As always I'm keen to hear what people's
priorities are for other
features to be added to the panel. I'm also open to ideas about
software for managing such feature requests, as RT probably isn't
best suited to it.
One of the projects I use uses uservoice.com. I use Fogbugz (it also does
my project management, but can just as easily handle support stuff). It's
not O/S but they do a free version for <=2 active users.
--
Dee
2:16 p.m.
New subject: Feature tracking
On Sun, Jan 24, 2010 at 01:51:23PM -0000, dee(a)earlsoft.co.uk wrote:
> As always I'm keen to hear what people's
priorities are for other
> features to be added to the panel. I'm also open to ideas about
> software for managing such feature requests, as RT probably isn't
> best suited to it.
I've found trac to be sufficient for my needs on the Tycho
project[1], once I added the dependencies plugin to it. Most of the
tickets on there are for further development, rather than active bugs
(although we have a few of those, too).
Hugo.
[1] https://acet.rdg.ac.uk/trac/tycho/
--
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- I hate housework. You make the beds, you wash the dishes, and ---
six months later you have to start all over again.
27 Jan
27 Jan
8:57 p.m.
Hello,
On Sun, Jan 24, 2010 at 01:42:00PM +0000, Andy Smith wrote:
The most common support request is to reset BitFolk
account
password. I have therefore implemented a password reset feature to
the web panel at https://panle.bitfolk.com/.
[...]
I will put the feature live on Wednesday 27th January,
so if you
don't like the idea of the above being possible please go to
https://panel.bitfolk.com/account/security/ and disable it.
It's live now.
So, from this point on we will have to be a lot more thorough for
the edge cases where people still need to ask support for a password reset, and this will
introduce delays.
I would imagine the most common scenario will be:
+ VPS dead
+ owner away from home or otherwise without access to their password
store
+ No SSH keys configured, or not at a machine with the configured
keys available
+ Account password forgotten
+ Email address hosted solely on VPS that is dead, so password reset
not an option
Strictly speaking the above set of failures are going to be mostly
in customer hands so there is an argument that I need do nothing
more, however, two workarounds spring to mind.
One is allowing people to configure multiple email addresses
(perhaps multiple roles, each with one or more addresses). Another
is to implement management of console SSH keys into the console and
web panel, so that people have an easier time getting in.
Which would you prefer I tackled first?
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"Whoever is responsible for this stunning design failure deserves continuous
cockpunches." -- jwz
9:24 p.m.
On 2010-01-27, Andy Smith wrote:
Strictly speaking the above set of failures are going
to be mostly
in customer hands so there is an argument that I need do nothing
more, however, two workarounds spring to mind.
One is allowing people to configure multiple email addresses
(perhaps multiple roles, each with one or more addresses). Another
is to implement management of console SSH keys into the console and
web panel, so that people have an easier time getting in.
Which would you prefer I tackled first?
Personally I would prefer the latter as it has utility beyond simply
rescuing inaccessible accounts.
Robert
28 Jan
28 Jan
7:04 a.m.
Although it is my opinion that 2 is probably the technically more
clever and useful option - you will probably find allowing an
alternative email (i.e. if there mail is hosted on bitfolk) to save
more agro.
On 27 January 2010 21:24, Robert Leverington <robert(a)rhl.me.uk> wrote:
On 2010-01-27, Andy Smith wrote:
Strictly speaking the above set of failures are
going to be mostly
in customer hands so there is an argument that I need do nothing
more, however, two workarounds spring to mind.
One is allowing people to configure multiple email addresses
(perhaps multiple roles, each with one or more addresses). Another
is to implement management of console SSH keys into the console and
web panel, so that people have an easier time getting in.
Which would you prefer I tackled first?
Personally I would prefer the latter as it has utility beyond simply
rescuing inaccessible accounts.
Robert
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQIcBAEBAgAGBQJLYK8ZAAoJEKps/C0U95hcvO8QAJzlbXYvq5pnhInW0IlIUZ/i
X4T1/EKPm95IvM7Gpgdp2uQIWiOUJjovMtyHKxTrrI7BEaiidbzEME8EGceq6JXo
trxcTl2b5/NCj/9qxZHFotfxjjsCZHnI/PZT+qVdBFdQuWe/+Ujq764eTsIhgbqH
CA1GqKlnTZjpC/gXUt+8CPUHFWDUL3gwxqaAYrkJOLe5rW3bgRhdjOIk1LbDrf1C
H3p1W3KbGZbF4YpbICv7XsqNwySJ5NW/BbogKlREFpqS1yRxe1sd7WqLmRbC7Gav
NGOITckCcPeGbg/UqfuBvc4EcqGDdPKRxwe+zbV9742qMYuds23dnRF6xCzcFdp0
f8XZh5fpj9iR0rpmgeIa0OrewrrMz/5Sq13jmioLO5gypZM+/OEYr7oHIRE/Emx3
zFvjNZ/wXiWRuPH/pvN0ZqJJRpcv6qfHATuc1MaSH+fsuMtZxzGh3OVWGIA8P67i
ckX0h1SvvTITaGin0sYNPYlU+ilr39iG2KyhPXEQmpE45be8c5ut0p2K0GJp3IB5
7jZkJVVhmQAKYTaUd5QDyh7GLFqkMKo5z+LIhiW1PIacuHl8vpJmcgVQljVGq4le
LgiGTZ9HFCdFq1J/Z6PshnHhvCeOx7RwhzQZrjL7kZUPlcYVF5N0Tt3TUV+TwlBy
cjtulDIyabDBn4CzEQdT
=BKUk
-----END PGP SIGNATURE-----
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
2:34 p.m.
Hi Simon,
On Thu, Jan 28, 2010 at 07:04:00AM +0000, Simon Watson wrote:
Although it is my opinion that 2 is probably the
technically more
clever and useful option - you will probably find allowing an
alternative email (i.e. if there mail is hosted on bitfolk) to save
more agro.
It was pointed out that I probably should start with advising people
of possible issues if the only place they can read their email is on
their VPS. So that's for the details change page.
Sounds obvious perhaps, but as pointed out, so was the "don't just
leave your passwords in /root/PASSWORDS" thing yet people still do
it all the time.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
30 Jan
30 Jan
12:23 a.m.
On 27/01/2010 20:57, Andy Smith wrote:
One is allowing people to configure multiple email
addresses
(perhaps multiple roles, each with one or more addresses). Another
is to implement management of console SSH keys into the console and
web panel, so that people have an easier time getting in.
I vote for the ssh keys
--
Dee Earley (dee(a)earlsoft.co.uk)
irc: irc://irc.blitzed.org/
web: http://www.earlsoft.co.uk
phone: +44 (0)780 8369596
5439
days inactive
5445
days old
8 comments
6 participants
participants (6)
-
Andy Smith -
Dee Earley -
dee@earlsoft.co.uk
-
Hugo Mills -
Robert Leverington -
Simon Watson