
BasicSSHUserPrivateKey.DirectEntryPrivateKeySource.privateKey stored in plaintext

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: ssh-credentials-plugin
    • Environment: Credentials plugin version 1.18 on Jenkins 1.580.3 on Ubuntu 14.04 LTS

      The credentials.xml file holds a plaintext copy of the credentials stored via Jenkins. On a fresh install of Jenkins, this file has world readable permissions by default:

      ```
      $ ls -l /var/lib/jenkins/credentials.xml
      -rw-r--r-- 1 jenkins jenkins 2863 Feb 12 19:00 /var/lib/jenkins/credentials.xml
      ```

      It should have at least group readable permissions only.


          Daniel Beck added a comment -

          Passwords are encrypted, and the encryption key is in the inaccessible `JENKINS_HOME/secrets` folder.


          William Hutson added a comment - edited

          Here's a snippet of the file. It looks like this may be an issue for SSH Credentials Plugin. Sorry!
          ```xml
          <?xml version='1.0' encoding='UTF-8'?>
          <com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.18">
            <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
              <entry>
                <com.cloudbees.plugins.credentials.domains.Domain>
                  <specifications/>
                </com.cloudbees.plugins.credentials.domains.Domain>
                <java.util.concurrent.CopyOnWriteArrayList>
                  <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="ssh-credentials@1.10">
                    <scope>GLOBAL</scope>
                    <id>[REDACTED]</id>
                    <description>Github SSH Key</description>
                    <username>git</username>
                    <passphrase>[REDACTED]</passphrase>
                    <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
                      <privateKey>[REDACTED]</privateKey>
                    </privateKeySource>
                  </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
                </java.util.concurrent.CopyOnWriteArrayList>
              </entry>
            </domainCredentialsMap>
          </com.cloudbees.plugins.credentials.SystemCredentialsProvider>
          ```

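The snippet above shows the shape of the problem: a `DirectEntryPrivateKeySource` whose `<privateKey>` element holds the pasted PEM text as-is, in a file that the report also found world-readable. The following audit script is an added example, not code from the ssh-credentials plugin or from anyone on this thread. It parses a credentials.xml of the structure posted above and flags any direct-entry credential whose key text still carries PEM armour (`-----BEGIN ... PRIVATE KEY-----`), which is the signature of an unencrypted key; a key that has been stored through the Jenkins `Secret` mechanism is an opaque token with no such header. It also checks the file's mode for the world-read bit the `ls -l` output showed. The sample XML, the credential id, and the encrypted-looking placeholder value are constructed for the example; the real encrypted encoding is not reproduced here.

```python
"""Audit a Jenkins credentials.xml for plaintext SSH private keys and a
world-readable file mode (added example; not plugin code)."""
import os
import re
import stat
import sys
import xml.etree.ElementTree as ET

# Constructed template mirroring the snippet posted in the report; @@KEY@@ is
# swapped for the key text under test. The id and passphrase values are
# placeholders, not real secrets.
SAMPLE_TEMPLATE = """<?xml version='1.0' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1.18">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="ssh-credentials@1.10">
          <scope>GLOBAL</scope>
          <id>example-github-key</id>
          <description>Github SSH Key</description>
          <username>git</username>
          <passphrase>{PLACEHOLDER_ENCRYPTED_PASSPHRASE}</passphrase>
          <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
            <privateKey>@@KEY@@</privateKey>
          </privateKeySource>
        </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

# What the unfixed plugin wrote: the raw PEM the user pasted (placeholder body,
# not real key material).
PLAINTEXT_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "EXAMPLE-KEY-MATERIAL-NOT-A-REAL-KEY\n"
                 "-----END RSA PRIVATE KEY-----")
# Placeholder standing in for an opaque encrypted Secret value: no PEM armour,
# so the heuristic below must not flag it.
ENCRYPTED_KEY = "{PLACEHOLDER_ENCRYPTED_SECRET_VALUE}"

PEM_HEADER = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")
DIRECT_ENTRY = "DirectEntryPrivateKeySource"


def build_sample(private_key_text):
    """Return the constructed credentials.xml with the given <privateKey> text."""
    return SAMPLE_TEMPLATE.replace("@@KEY@@", private_key_text)


def plaintext_private_keys(xml_text):
    """Return the <id> of each credential whose DirectEntryPrivateKeySource
    holds PEM-armoured key text, i.e. a key that was never encrypted."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for cred in root.iter():
        source = cred.find("privateKeySource")
        if source is None or DIRECT_ENTRY not in source.get("class", ""):
            continue
        key_text = source.findtext("privateKey", default="")
        if PEM_HEADER.search(key_text):
            findings.append(cred.findtext("id", default="<no id>"))
    return findings


def world_readable(mode):
    """True when the 'other' read bit is set, as with the 0644 mode reported."""
    return bool(mode & stat.S_IROTH)


def audit_file(path):
    """Run both checks against a credentials.xml on disk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        xml_text = fh.read()
    return {
        "world_readable": world_readable(mode),
        "plaintext_key_ids": plaintext_private_keys(xml_text),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python audit.py /var/lib/jenkins/credentials.xml
        print(audit_file(sys.argv[1]))
    else:
        print("before fix:", plaintext_private_keys(build_sample(PLAINTEXT_KEY)))
        print("after fix: ", plaintext_private_keys(build_sample(ENCRYPTED_KEY)))
```

Run it with no arguments to see the constructed before/after cases, or pass the path of a real credentials.xml. The PEM-header test is deliberately a heuristic: it cannot prove a value is correctly encrypted, only that the key text was stored verbatim, which is exactly the condition this issue describes.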

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Fritz Elfert
          Path:
          src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java
          http://jenkins-ci.org/commit/ssh-credentials-plugin/67d7bb0b0bbae40a808cedbabf558f63988e9127
          Log:
          Fixes JENKINS-26943

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Stephen Connolly
          Path:
          src/main/java/com/cloudbees/jenkins/plugins/sshcredentials/impl/BasicSSHUserPrivateKey.java
          http://jenkins-ci.org/commit/ssh-credentials-plugin/c7cbe9a5c420026f8d118c7371cbaae16da6cade
          Log:
          Merge pull request #16 from felfert/fix

          Fixes JENKINS-26943

          Compare: https://github.com/jenkinsci/ssh-credentials-plugin/compare/3e1dd5c1fabe...c7cbe9a5c420

            stephenconnolly Stephen Connolly
            wilrnh William Hutson