Details
- Type: Improvement
- Status: Resolved
- Priority: Critical
- Resolution: Fixed
Description
The default setup of Jenkins should be secure out of the box; an admin who wants a less secure configuration must change it explicitly. In particular:
- Listen on localhost only by default (for HTTP/HTTPS/SSH/CLI, etc.)
- Ship with Jenkins's own security realm by default, with user sign-up disabled and a single pre-defined admin user.
- Force password expiry on the local user database (so the password is changed at first login)
- The local user database should support locking accounts (to prevent brute-force attacks)
See also: Design
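As an added illustration of the last two requirements (it is not Jenkins code and does not use the Jenkins API), the following model of a local user database pre-defines an admin account flagged as "must change password at first login" and locks an account for a fixed window after repeated failed logins. The class and result names, the lockout threshold and the lockout duration are all assumptions chosen for the example; the clock is injectable so the lockout window can be exercised without waiting.

```python
"""Added example, not part of the original issue or of Jenkins: a minimal local
user database with first-login password expiry and brute-force account locking.
All names and policy values below are assumptions for illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from enum import Enum

MAX_FAILED_ATTEMPTS = 5      # assumed policy: failures before the account locks
LOCKOUT_SECONDS = 15 * 60    # assumed policy: how long a locked account stays locked
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly


class LoginResult(Enum):
    OK = "ok"
    MUST_CHANGE_PASSWORD = "must_change_password"  # first-login expiry in effect
    BAD_CREDENTIALS = "bad_credentials"
    LOCKED = "locked"


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    must_change_password: bool = False
    failed_attempts: int = 0
    locked_until: float = 0.0  # clock value at which the lock expires


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored records are not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class LocalUserDatabase:
    def __init__(self, clock=time.monotonic):
        self._users: dict[str, UserRecord] = {}
        self._clock = clock  # injectable for tests; defaults to a monotonic clock

    def add_user(self, username: str, password: str, must_change_password: bool = False) -> None:
        salt = os.urandom(16)
        self._users[username] = UserRecord(salt, _hash_password(password, salt), must_change_password)

    def is_locked(self, username: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and self._clock() < rec.locked_until

    def authenticate(self, username: str, password: str) -> LoginResult:
        rec = self._users.get(username)
        if rec is None:
            # Unknown user: hash anyway so response time does not reveal which names exist.
            _hash_password(password, b"\x00" * 16)
            return LoginResult.BAD_CREDENTIALS
        if self._clock() < rec.locked_until:
            # Locked accounts reject even the correct password until the window expires.
            return LoginResult.LOCKED
        if not hmac.compare_digest(_hash_password(password, rec.salt), rec.pw_hash):
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
                rec.locked_until = self._clock() + LOCKOUT_SECONDS
                rec.failed_attempts = 0
            return LoginResult.BAD_CREDENTIALS
        rec.failed_attempts = 0  # a successful login resets the failure counter
        if rec.must_change_password:
            return LoginResult.MUST_CHANGE_PASSWORD
        return LoginResult.OK

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        # Re-verify the old password; on success the first-login expiry flag is cleared.
        if self.authenticate(username, old_password) not in (
            LoginResult.OK, LoginResult.MUST_CHANGE_PASSWORD
        ):
            return False
        rec = self._users[username]
        rec.salt = os.urandom(16)
        rec.pw_hash = _hash_password(new_password, rec.salt)
        rec.must_change_password = False
        return True


if __name__ == "__main__":
    db = LocalUserDatabase()
    db.add_user("admin", "initial-admin-password", must_change_password=True)  # constructed
    print(db.authenticate("admin", "initial-admin-password"))  # MUST_CHANGE_PASSWORD
```

A login that returns `MUST_CHANGE_PASSWORD` should be routed straight to the change-password page rather than granted a normal session; the lockout returns `LOCKED` for any password, so a caller cannot use the lock state to confirm a guess.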
Issue Links
- depends on
  - JENKINS-33595 Disable SSHD by default on new Installations (Resolved)
  - JENKINS-33596 Disable DNSMultiCast & UDPBroadcastThread by default (Resolved)
- is blocking
  - JENKINS-33462 Security Token dialogue should link to quality docs about where to find Jenkins logs (Resolved)
- is related to
  - JENKINS-12731 Reducing the steps required for initial lockdown of a Jenkins instance (open ports, default permissions, etc.) (Resolved)
  - JENKINS-24513 Zero executors on master not well documented or enforced (Closed)
Code changed in jenkins
User: kzantow
Path:
core/src/main/java/hudson/PluginManager.java
core/src/main/java/hudson/model/UpdateCenter.java
core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java
core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
core/src/main/java/jenkins/install/InstallState.java
core/src/main/java/jenkins/install/InstallUtil.java
core/src/main/java/jenkins/install/SetupWizard.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/resources/hudson/security/FullControlOnceLoggedInAuthorizationStrategy/config.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signup.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly
core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
core/src/main/resources/jenkins/install/SetupWizard/index.jelly
core/src/main/resources/jenkins/install/SetupWizard/proxy-configuration.jelly
core/src/main/resources/jenkins/install/pluginSetupWizard.properties
core/src/main/resources/jenkins/model/Jenkins/login.jelly
core/src/main/resources/jenkins/model/Jenkins/loginError.jelly
core/src/main/resources/lib/layout/html.jelly
core/src/main/resources/lib/layout/layout.jelly
test/src/test/java/hudson/model/UpdateCenterPluginInstallTest.java
war/src/main/js/api/securityConfig.js
war/src/main/js/pluginSetupWizard.js
war/src/main/js/pluginSetupWizardGui.js
war/src/main/js/templates/firstUserPanel.hbs
war/src/main/js/templates/incompleteInstallationPanel.hbs
war/src/main/js/templates/offlinePanel.hbs
war/src/main/js/templates/pluginSelectionPanel.hbs
war/src/main/js/templates/proxyConfigPanel.hbs
war/src/main/js/templates/setupCompletePanel.hbs
war/src/main/js/templates/successPanel.hbs
war/src/main/js/templates/welcomePanel.hbs
war/src/main/js/util/jenkins.js
war/src/main/less/pluginSetupWizard.less
war/src/test/js/pluginSetupWizard-spec.js
http://jenkins-ci.org/commit/jenkins/5368c96404d415451bb657aea8073834c8bd815b
Log:
JENKINS-30749- make Jenkins secure out of the box: