This document offers guidance when a Wikimedia user loses access to their account and can't login.
Wikimedia account password reset
A user can't log in if two conditions are met:
- they have a blank or incorrect email address;
- they have forgotten their password.
In such a case, there is a need to avoid social engineering: it's necessary to ensure that the user making the request has a legitimate claim to the user account in question. A good thing to check is whether the requester's e-mail address can be legitimately linked with the user.
If you are a Wikitech user and:
- you need your password to be reset, or
- you need your two-factor authentication to be disabled
you need to open a new Phabricator task with Trust-and-Safety added as a tag.
Ensure the request is legitimate
Make sure the request is legitimate. This part is covered at Password reset/Confirming identities.
In particular, someone from Trust & Safety should be notified of the password reset. It is also a good idea to hand the request over to them if there are not sufficient elements to confirm the identity.
Technical procedure to follow
- On a maintenance host (such as mwmaint1002), run
mwscript resetUserEmail.php --wiki=<user's home wiki> <username> <new email>
- In your browser, go to Special:PasswordReset on the user's main wiki.
- Type in the user's name, leave the e-mail address blank and click "Reset password".
- Ask the requester to check their inbox to ensure that the password reset email was received.
- Home wiki shouldn't matter much
- MediaWiki usernames can contain UTF-8 characters. If you have difficulties typing them on the terminal, you can use the user ID prefixed with # instead.
Old instructions in case something goes wrong
On CentralAuth wikis, the eval.php script has the effect of updating the globaluser table (gu_email and gu_email_authenticated) and then clearing the relevant memcached key.
Two-factor authentication removal
Before following these steps, if the user has an existing device that has worked with 2FA in the past but has suddenly stopped working, ensure the device's clock is accurate. The clue is in the name of the 2FA method we use - Time-based One-time Password Algorithm - if the clock on the device is too far off it will generate the wrong codes (it has happened with e.g. a 2-minute difference). :)
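To see why a skewed clock breaks TOTP, here is an added example (not code from this page or from the OATHAuth extension) that implements RFC 6238 TOTP in the standard library and checks whether a device whose clock is off by a given number of seconds still produces a code the server accepts. The 30-second step, 6 digits and the one-step validation window are assumptions typical of TOTP deployments; the secret is the RFC 6238 test vector, not a real one.

```python
import base64
import hashlib
import hmac
import struct


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown to the user when enrolling (authenticator-app format)."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a raw secret and 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the code if it matches the current step or any step within +/- window (assumed policy)."""
    counter = server_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def skew_accepted(secret: bytes, device_skew: int, server_time: int, window: int = 1) -> bool:
    """Would a device whose clock is off by device_skew seconds produce an accepted code?"""
    device_code = totp(secret, server_time + device_skew)
    return verify(secret, device_code, server_time, window)


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a fixed "server" time.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = 1111111109
    for skew in (0, 15, 45, 120, -120):
        print(f"device clock off by {skew:5d}s -> accepted: {skew_accepted(secret, skew, now)}")
```

With a one-step window, a device that is a few seconds off still works, but a clock 120 seconds out is four steps away and every code it produces is rejected.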
Wikimedia or wikitech two factor authentication removal
Be careful! This process is highly vulnerable to social-engineering attacks. Don't reset things just because a user asked you on IRC or via email. Before resetting someone's login, be sure to confirm their identity:
- If you recognize them, have a face-to-face conversation or a video chat.
- If someone on WMF staff recognizes them, have a three-way video chat in which the staff member vouches for them.
- Have the user write a request to disable 2FA in their home directory on a CloudVPS/Toolforge bastion.
A maintenance script works both for wikitech 2FA and SUL 2FA:
For wikitech 2FA, run the following on a wikitech host (labweb1001 or labweb1002) or on mwmaint1002:
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=labswiki <username>
For SUL (Wikipedia etc.) 2FA, determine a wiki on which the user exists locally (i.e. has contributions), and then run the script on mwmaint1002 using that wiki:
mwscript extensions/OATHAuth/maintenance/disableOATHAuthForUser.php --wiki=<wiki> <username>
The user can then log in using just their password and re-add two factor authentication.
Phabricator two factor authentication removal
- Requesting a 2FA reset for a Phabricator account: mw:Phabricator/Help/Two-factor Authentication Resets
- Performing a reset as a Phabricator admin with shell access: Phabricator#Removing_Two_Factor_Authentication
Reset user password in LDAP
To reset a user password in LDAP (wikitech wiki user), a root user or a member of the ldap-admins admin group can:
- install the slappasswd utility locally (it's inside the slapd package)
- use slappasswd to hash the new password (SSHA password hash)
- ssh to an mwmaint server (ssh mwmaint1002)
- run sudo modify-ldap-user <username> (replace <username> with the actual user)
- paste the SSHA password hash line and save with :wq
- when logging in on wikitech, make sure the username is spelled exactly as stored: capitalization matters throughout, not just for the first letter