Hello,
I did a quick search and didn't pull up anything similar to my request, if I missed it feel free to close this :)
If you elect to use the hashed password storage option in Virtualmin, the "Forgot Password?: link on the login page is not present. I believe that the forgot password, at least from minimal research, works by sending the password to the users email address. Which it can't do if Virtualmin is unable to know the real password. My request is that the password is reset to something randomly generated and sent to the users email. This would allow for those who use the password hashing storage to still offer a password reset directly inside VIrtualmin rather then writing their own password reset/recovery that uses the remote/command line api (as I do currently)
As it stands now a user must contact, usually me unless it is a user created by a domain owner, the administrator who then has to validate that the user is who they say (usually by matching their email address used to request the reset) to an account and then reset and email them the new password. This adds administration overhead for me and could reduce productivity for my clients as they need to wait for me to read, verify and reset their password.
Summary: Have the "Forgot your Virtualmin password?" link available no matter which password storage method is used and generate a random password to be sent to the user. You could either make random be what always happens when a password reset is requested or only when the hashed password storage is in use. Although I would like to see an option that controls this behavior.
Bonus points: Add an option that requires the user to choose a new password when they login using that randomly generated password.
One last thing: Why is the password storage method under server templates anyways? I don't understand why one would use one storage method for one template and one for another. I feel it should be moved to "Virtualmin Configuration" page perhaps?
Thanks for reading my wall of text :) -Dustin
Comments
Submitted by JamieCameron on Fri, 11/21/2014 - 17:55 Comment #1
Are you interested in password resets for domain owners, or mailbox users? For mailboxes this is tricky because the only address Virtualmin has on file for them is the one that is protected by the lost password!
Submitted by ReArmedHalo on Fri, 11/21/2014 - 18:30 Comment #2
Hi,
Domain owners would be good enough I believe. Although I am confused about what you are saying about the mailbox users password being in a file protected by said password? Are you saying the lost password is the domain owners password or said mailbox user? Because I can reset a mailbox user password via the interface so I don't understand why that couldn't be reset (if an alternative email was stored perhaps it could be sent there?)
But really I am only thinking about the domain owner to login to Virtualmin. (And if possible any other user that can login to Virtualmin (extra admins))
-Dustin
Submitted by JamieCameron on Sun, 11/23/2014 - 00:28 Comment #3
Ok, I will look into adding this feature.
For mail users, the problem is where to send the temporary password. Sending it to the mailbox on the Virtualmin system won't do much good, as presumably the user doesn't have access to it!
Submitted by ReArmedHalo on Sun, 11/23/2014 - 10:15 Comment #4
Hi,
Hmm... Good point... Perhaps have a field for a secondary email address to be added with the email account? I think that would be more difficult because you should then really require verification of said secondary address... I would be fine if email accounts were not able to have their password reset. If the domain owner/master admin wanted to then they should/cloud implement their own system for email account resets perhaps.
-Dustin
Submitted by JamieCameron on Sat, 02/14/2015 - 19:39 Comment #5
FYI, this has been implemented for inclusion in the next Usermin / Virtualmin releases.
Submitted by Issues on Sat, 02/28/2015 - 19:40 Comment #6
Automatically closed -- issue fixed for 2 weeks with no activity.