For legacy reasons the MD5 and plaintext plugins are included in the list of authenticators. If a company has been using CloudStack for a while, they may want to move all their users to a stronger plugin such as SHA256SALTED (which is now the default).
Is there a mechanism to do that? It doesn't appear that there is, so I propose modifying the API as follows:

1) Include a result in the response to the login API which indicates whether a user must change his password.

2) If a user is in this state, have him call a new API called changeMyPassword. That API would require his old password and a new password. If the call succeeds, then the user can retry the login API with his new password.

3) Add a new parameter named forceUserToChangePassword to the UpdateUser API. An admin would set that parameter value to indicate that a user is required to change his password.

Thoughts?
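The three-step proposal above, worked through as an added Python example (not CloudStack code and not the poster's own). It assumes an in-memory user table that records which authenticator scheme produced each stored hash, a login response field called mustChangePassword (name assumed; the post does not name it), and that a login whose credentials verify but whose account is flagged returns no session key until changeMyPassword has succeeded. The SHA256SALTED construction (sha256 over salt + password) and all sample users are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Scheme names mirror the authenticator plugins mentioned in the post.
SHA256SALTED = "SHA256SALTED"
MD5 = "MD5"
PLAINTEXT = "PLAINTEXT"
LEGACY_SCHEMES = {MD5, PLAINTEXT}  # any of these triggers a forced change on login


def sha256salted(password: str, salt: str) -> str:
    # Assumed layout for the example: hex(sha256(salt || password)).
    return hashlib.sha256((salt + password).encode()).hexdigest()


def md5_plain(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def new_sha256salted_record(password: str) -> dict:
    # Every password written by changeMyPassword lands here: fresh random salt,
    # current default scheme, flag cleared.
    salt = secrets.token_hex(16)
    return {"scheme": SHA256SALTED, "salt": salt,
            "hash": sha256salted(password, salt), "must_change_password": False}


def verify(record: dict, password: str) -> bool:
    # Dispatch on the scheme stored with the record so legacy hashes still verify,
    # and compare in constant time regardless of scheme.
    scheme = record["scheme"]
    if scheme == SHA256SALTED:
        candidate = sha256salted(password, record["salt"])
    elif scheme == MD5:
        candidate = md5_plain(password)
    elif scheme == PLAINTEXT:
        candidate = password
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


# Constructed user table: two legacy entries and one already on the default scheme.
USERS = {
    "alice": {"scheme": MD5, "salt": None, "hash": md5_plain("alice-old"), "must_change_password": False},
    "bob": {"scheme": PLAINTEXT, "salt": None, "hash": "bob-old", "must_change_password": False},
    "carol": new_sha256salted_record("carol-pw"),
}


def login(username: str, password: str) -> dict:
    # Step 1: the response carries mustChangePassword. A user flagged by an admin
    # or still on a legacy scheme gets no session key until the password is rotated.
    record = USERS.get(username)
    if record is None or not verify(record, password):
        return {"success": False, "mustChangePassword": False, "sessionkey": None}
    must_change = record["must_change_password"] or record["scheme"] in LEGACY_SCHEMES
    sessionkey = None if must_change else secrets.token_urlsafe(24)
    return {"success": True, "mustChangePassword": must_change, "sessionkey": sessionkey}


def change_my_password(username: str, old_password: str, new_password: str) -> bool:
    # Step 2: requires the old password because the caller has no session yet.
    # This path checks credentials unauthenticated, so it needs the same
    # rate limiting and audit logging as login.
    record = USERS.get(username)
    if record is None or not verify(record, old_password):
        return False
    USERS[username] = new_sha256salted_record(new_password)
    return True


def update_user(username: str, force_user_to_change_password: bool) -> bool:
    # Step 3: admin sets forceUserToChangePassword on the UpdateUser API.
    record = USERS.get(username)
    if record is None:
        return False
    record["must_change_password"] = bool(force_user_to_change_password)
    return True
```

Because changeMyPassword always rewrites the record with the default scheme, the MD5 and plaintext entries disappear from the table one successful rotation at a time, and the login check on `scheme in LEGACY_SCHEMES` is what drives every remaining legacy user through that path.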