[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

New db.debian.org address

Hi All,

I've just put up chpasswd@db.debian.org which is an automated daemon for
re-creating lost passwords. You must send a PGP signed message with the
phrase 'Please change my debian password' (case sensitive). It will email
you back a PGP/GPG encrypted message containing your new password.

Right now it does not actually effect a change of password, it only goes
through the motions of generating and encrypting.

I use this incantation for testing:
echo "Please change my Debian password" | gpg --clearsign | mail chpasswd@db.debian.org

Now, like the ping address this one also has replay protection, signature
expiration and all that other good stuff. It also requires that the
message start with the phrase I have given above, this should be ample to
protect against forgeries. Final version will also CC: the @debian.org
address of the account.

One thing to note is that the Daemon senses if the message was
signed with PGP2 or 'something else'. If PGP2 is detected it enters a
special PGP2 compatibility mode. Otherwise is encrypts using the OpenPGP
spec (GPG and PGP5). Encryption in this mode does not use IDEA or the
PGP2.x packet format.

Please send a few messages to it and see if you can read the results, let
me know of any problems!


Reply to: