
Passwords should not be stored in a decodable form

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Critical
    • Component: _unsorted
    • Platform: Macintosh, OS: All

      When using Hudson's own user database, passwords are stored in base 64. The problem is that
      someone who has access to the user configuration files would be able to easily decode these
      passwords. This in turn can lead to other security problems, if users aren't smart about using different
      passwords for different services.

      Further, the fact that passwords are currently reversible means that checking Hudson configurations
      into source code control, or otherwise backing them up is potentially dangerous from a security
      perspective.

      A better approach would be to store a non-reversible digest (like SHA256) of the password in the user
      configuration file. To validate a password, the Hudson application would digest the password specified
      by the user at login and compare it to the digest stored. If they are equal, then the user is
      authenticated.

      Apparently Hudson uses Acegi Security to implement password authentication. According to the Acegi
      site, they support digest-based password encoders. Hudson should be changed to use SHA1 at a
      minimum (or a stronger digest, like SHA256, if possible), migrating older clear text passwords to new
      configuration files.
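      The scheme proposed above, and the compatibility behaviour of the eventual fix (old base-64 records are still readable, and a record is re-saved in the hashed form whenever its user logs in), as an added illustration in Python. This is not Hudson's or Acegi's code: the record layout, the "sha256:" prefix, the per-user random salt (an addition beyond the issue text, so that equal passwords do not produce equal digests and precomputed digest tables are useless) and the constant-time comparison are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of an old-style user record. The password is merely
# base64 encoded ("reversible base-64 scrambling"), so anyone who can read
# the file recovers it with a single decode.
LEGACY_RECORD = {"user": "alice", "password": base64.b64encode(b"s3cret!").decode()}

NEW_PREFIX = "sha256:"  # marker for the non-reversible record format (assumed layout)


def decode_legacy(stored: str) -> bytes:
    """Recover a legacy password; shown only to make the weakness concrete."""
    return base64.b64decode(stored)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha256:<salt-hex>:<digest-hex>'.

    The salt is not part of the issue's proposal; it is added here so that
    two users with the same password get different stored values.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{NEW_PREFIX}{salt.hex()}:{digest}"


def is_hashed(stored: str) -> bool:
    return stored.startswith(NEW_PREFIX)


def verify_hashed(stored: str, candidate: str) -> bool:
    """Re-digest the candidate with the stored salt and compare digests."""
    _, salt_hex, digest_hex = stored.split(":", 2)
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + candidate.encode()).hexdigest()
    # Constant-time comparison: the result must not leak how many leading
    # characters of the digest matched.
    return hmac.compare_digest(expected, digest_hex)


def authenticate(record: dict, candidate: str) -> bool:
    """Validate a login against a record in either format.

    A successful login against a legacy record rewrites it in the hashed
    format, mirroring the fix's "resave with the new style whenever a user
    logs in". Failed logins never touch the record.
    """
    stored = record["password"]
    if is_hashed(stored):
        return verify_hashed(stored, candidate)
    # Legacy path: undo the scrambling and compare in constant time.
    if not hmac.compare_digest(decode_legacy(stored), candidate.encode()):
        return False
    record["password"] = hash_password(candidate)  # migrate on first good login
    return True


if __name__ == "__main__":
    rec = dict(LEGACY_RECORD)
    print("legacy value decodes to:", decode_legacy(rec["password"]))
    print("login ok:", authenticate(rec, "s3cret!"))
    print("record after login:", rec["password"])
```

      Note that migration on login only reaches users who actually log in; records of dormant accounts keep their reversible form until an administrator resets them or forces a re-save, so backups taken before every user has logged in still contain decodable passwords.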


          Alan Harder added a comment -

          looking at this


          Code changed in hudson
          User: mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          trunk/hudson/main/war/resources/WEB-INF/security/HudsonPrivateSecurityRealm.groovy
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=15172
          Log:
          [FIXED JENKINS-2381] Store SHA-256 encrypted passwords instead of reversible base-64 scrambling.
          For compatibility, can still read old style user config.xml files, but whenever a user logs
          in it will resave with the new style.


          Alan Harder added a comment -

          .


          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          trunk/hudson/main/war/resources/WEB-INF/security/HudsonPrivateSecurityRealm.groovy
          http://fisheye4.cenqua.com/changelog/hudson/?cs=15173
          Log:
          JENKINS-2381
          Allowed the hashed password to live even if the security realm is temporarily made to something else.


          ejono added a comment -

          After upgrading to 1.238, none of my users can log in anymore. It rejects their
          passwords. Fortunately I was still logged in via the "Remember Me" feature, so
          I was able to reset their passwords.


          ejono added a comment -

          CC'ing myself. (Sorry, should've done this on the previous change.)


          Alan Harder added a comment -

          already fixed, see issue #3043


            Assignee: Alan Harder (mindless)
            Reporter: acronce
            Votes: 0
            Watchers: 1
