
Jenkins should be secure out of the box by default

      The default setup of Jenkins should be secure out-of-the-box, and the admin must change it to be insecure if they desire.

      • Things like listening on localhost only (for HTTP/HTTPS/SSH/CLI etc.)
      • Ship with Jenkins' own security realm by default, without allowing users to sign up, and with a single admin user pre-defined.
      • Force password expiry on the local user database (to ensure the password is changed at first login)
      • Local user database should be able to support locking accounts (to prevent brute force attacks)

      See also: Design


          Code changed in jenkins
          User: kzantow
          Path:
          core/src/main/java/hudson/PluginManager.java
          core/src/main/java/hudson/model/UpdateCenter.java
          core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java
          core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
          core/src/main/java/jenkins/install/InstallState.java
          core/src/main/java/jenkins/install/InstallUtil.java
          core/src/main/java/jenkins/install/SetupWizard.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/main/resources/hudson/security/FullControlOnceLoggedInAuthorizationStrategy/config.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signup.jelly
          core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly
          core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
          core/src/main/resources/jenkins/install/SetupWizard/index.jelly
          core/src/main/resources/jenkins/install/SetupWizard/proxy-configuration.jelly
          core/src/main/resources/jenkins/install/pluginSetupWizard.properties
          core/src/main/resources/jenkins/model/Jenkins/login.jelly
          core/src/main/resources/jenkins/model/Jenkins/loginError.jelly
          core/src/main/resources/lib/layout/html.jelly
          core/src/main/resources/lib/layout/layout.jelly
          test/src/test/java/hudson/model/UpdateCenterPluginInstallTest.java
          war/src/main/js/api/securityConfig.js
          war/src/main/js/pluginSetupWizard.js
          war/src/main/js/pluginSetupWizardGui.js
          war/src/main/js/templates/firstUserPanel.hbs
          war/src/main/js/templates/incompleteInstallationPanel.hbs
          war/src/main/js/templates/offlinePanel.hbs
          war/src/main/js/templates/pluginSelectionPanel.hbs
          war/src/main/js/templates/proxyConfigPanel.hbs
          war/src/main/js/templates/setupCompletePanel.hbs
          war/src/main/js/templates/successPanel.hbs
          war/src/main/js/templates/welcomePanel.hbs
          war/src/main/js/util/jenkins.js
          war/src/main/less/pluginSetupWizard.less
          war/src/test/js/pluginSetupWizard-spec.js
          http://jenkins-ci.org/commit/jenkins/5368c96404d415451bb657aea8073834c8bd815b
          Log:
          JENKINS-30749 - make Jenkins secure out of the box:

          • create initial admin user with difficult password (based on UUID)
          • force login with password as security token
          • force initial admin user creation
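The following is an added illustration, not Jenkins code, of the local-user-database behaviour the issue asks for and the commit describes: a pre-defined admin whose initial password is derived from a random UUID and acts as the setup security token, a forced password change at first login, and account locking after repeated failures. The lockout threshold, the PBKDF2 parameters and the `LocalUser` model are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold (not a Jenkins setting)


@dataclass
class LocalUser:
    name: str
    password_hash: bytes          # only a salted hash is stored, never the plaintext
    salt: bytes
    must_change_password: bool = True   # "force password expiry" at first login
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_initial_admin() -> tuple[LocalUser, str]:
    """Create the single pre-defined admin with a UUID-based random password.
    The wizard hands the plaintext to the installer out of band (Jenkins writes it
    to a file on disk); here it is simply returned."""
    password = uuid.uuid4().hex            # 122 random bits, infeasible to guess
    salt = secrets.token_bytes(16)
    return LocalUser("admin", hash_password(password, salt), salt), password


def authenticate(user: LocalUser, password: str) -> str:
    """Returns 'ok', 'change-password', 'denied' or 'locked'."""
    if user.locked:
        return "locked"
    # constant-time comparison so timing does not leak how much of the hash matched
    if hmac.compare_digest(user.password_hash, hash_password(password, user.salt)):
        user.failed_attempts = 0
        return "change-password" if user.must_change_password else "ok"
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.locked = True             # brute-force protection from the issue's last bullet
        return "locked"
    return "denied"


def change_password(user: LocalUser, old: str, new: str) -> bool:
    if authenticate(user, old) not in ("ok", "change-password"):
        return False
    user.salt = secrets.token_bytes(16)
    user.password_hash = hash_password(new, user.salt)
    user.must_change_password = False
    return True
```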


          Daniel Beck added a comment -

          Fixed towards 2.0.


            kzantow Keith Zantow
            teilo James Nord
            Votes: 2
            Watchers: 4