JENKINS-2381: Passwords should not be stored in a decodable form


    Details

    • Type: Improvement
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: _unsorted
    • Labels:
      None
    • Environment:
      Platform: Macintosh, OS: All

      Description

      When using Hudson's own user database, passwords are stored in base 64. The problem is that
      someone who has access to the user configuration files would be able to easily decode these
      passwords. This in turn can lead to other security problems, if users aren't smart about using different
      passwords for different services.

      Further, the fact that passwords are currently reversible means that checking Hudson configurations
      into source code control, or otherwise backing them up is potentially dangerous from a security
      perspective.

      A better approach would be to store a non-reversible digest (like SHA256) of the password in the user
      configuration file. To validate a password, the Hudson application would digest the password specified
      by the user at login and compare it to the digest stored. If they are equal, then the user is
      authenticated.

      Apparently Hudson uses Acegi Security to implement password authentication. According to the Acegi
      site, they support digest-based password encoders. Hudson should be changed to use SHA1 at a
      minimum (or a stronger digest, like SHA256, if possible), migrating older clear text passwords to new
      configuration files.

        Attachments

          Activity

          mindless Alan Harder added a comment -

          looking at this

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          trunk/hudson/main/war/resources/WEB-INF/security/HudsonPrivateSecurityRealm.groovy
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=15172
          Log:
          [FIXED JENKINS-2381] Store SHA-256 encrypted passwords instead of reversible base-64 scrambling.
          For compatibility, can still read old style user config.xml files, but whenever a user logs
          in it will resave with the new style.

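The scheme the description proposes (store a digest, re-digest at login and compare) together with the compatibility behaviour the commit message describes (still accept an old reversible record, re-save it in the new form once the user logs in), as an added Python example that is not Hudson's own code. The old-format encoding and the `old:`/`sha256:` record prefixes are constructed assumptions, since the page does not show Hudson's actual on-disk format; the per-user salt goes beyond the page's proposal.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the old "reversible base-64 scrambling": the real
# Hudson encoding is not on the page, so plain base64 is assumed here.
OLD_PREFIX = "old:"
NEW_PREFIX = "sha256:"


def encode_old_style(password: str) -> str:
    """Old reversible form: anyone who can read config.xml recovers the password."""
    return OLD_PREFIX + base64.b64encode(password.encode()).decode()


def decode_old_style(stored: str) -> str:
    return base64.b64decode(stored[len(OLD_PREFIX):]).decode()


def hash_new_style(password: str, salt: str = "") -> str:
    """New non-reversible form: sha256:<salt>:<hex SHA-256(salt + password)>.

    The salt is an addition beyond the page's proposal; it stops one
    precomputed table from covering every user's record.
    """
    salt = salt or secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{NEW_PREFIX}{salt}:{digest}"


def verify(stored: str, candidate: str) -> tuple:
    """Check a login attempt against either record format.

    Returns (ok, record). On a successful login against an old-style record,
    `record` is the re-saved SHA-256 form (the commit's "resave on login");
    otherwise it is the stored record unchanged.
    """
    if stored.startswith(OLD_PREFIX):
        ok = hmac.compare_digest(decode_old_style(stored).encode(), candidate.encode())
        return ok, (hash_new_style(candidate) if ok else stored)
    if stored.startswith(NEW_PREFIX):
        salt, digest = stored[len(NEW_PREFIX):].split(":", 1)
        expected = hashlib.sha256((salt + candidate).encode()).hexdigest()
        return hmac.compare_digest(expected, digest), stored
    return False, stored  # unknown format: reject rather than guess
```

Comparisons use `hmac.compare_digest` so a wrong candidate is rejected in constant time regardless of where it first differs.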
          mindless Alan Harder added a comment -

          .

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          trunk/hudson/main/war/resources/WEB-INF/security/HudsonPrivateSecurityRealm.groovy
          http://fisheye4.cenqua.com/changelog/hudson/?cs=15173
          Log:
          JENKINS-2381
          Allowed the hashed password to live even if the security realm is temporarily made to something else.

          ejono ejono added a comment -

          After upgrading to 1.238, none of my users can log in anymore. It rejects their
          passwords. Fortunately I was still logged in via the "Remember Me" feature, so
          I was able to reset their passwords.

          ejono ejono added a comment -

          CC'ing myself. (Sorry, should've done this on the previous change.)

          mindless Alan Harder added a comment -

          already fixed, see issue #3043


            People

            Assignee:
            mindless Alan Harder
            Reporter:
            acronce acronce
            Votes: 0
            Watchers: 1
