[JENKINS-30749] Jenkins should be secure out of the box by default - Jenkins Jira

Details

Type: Improvement
Status: Resolved (View Workflow)
Priority: Critical
Resolution: Fixed
Component/s: core
Labels:
- 2.0
- 2.0-planned
- security

Similar Issues:

Show
Epic Link:
2.0: Out of the box experience

Description

The default setup is of jenkins should be secure out-of-the-box and the admin must change it to be insecure if they desire.

Things like listen on localhost only (for http/https/ssh/cli etc)
ship with jenkins own security realm by default without allow users to sign up and a single admin user pre-defined.
Force password expiry on the local user database (to ensure the password is changed at first login)
Local user database should be able to support locking accounts (to prevent brute force attacks)

Attachments

Issue Links

depends on

JENKINS-33595 Disable SSHD by default on new Installations

Resolved

JENKINS-33596 Disable DNSMultiCast & UDPBroadcastThread by default

Resolved

is blocking

JENKINS-33462 Security Token dialogue should link to quality docs about where to find Jenkins logs

Resolved

is related to

JENKINS-12731 Reducing the steps required for initial lockdown of a Jenkins instance (open ports, default permissions, etc.)

Resolved

JENKINS-24513 Zero executors on master not well documented or enforced

Open

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

SCM/JIRA link daemon added a comment - 2016-03-09 20:16

Code changed in jenkins
User: kzantow
Path:
core/src/main/java/hudson/PluginManager.java
core/src/main/java/hudson/model/UpdateCenter.java
core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java
core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
core/src/main/java/jenkins/install/InstallState.java
core/src/main/java/jenkins/install/InstallUtil.java
core/src/main/java/jenkins/install/SetupWizard.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/resources/hudson/security/FullControlOnceLoggedInAuthorizationStrategy/config.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signup.jelly
core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly
core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
core/src/main/resources/jenkins/install/SetupWizard/index.jelly
core/src/main/resources/jenkins/install/SetupWizard/proxy-configuration.jelly
core/src/main/resources/jenkins/install/pluginSetupWizard.properties
core/src/main/resources/jenkins/model/Jenkins/login.jelly
core/src/main/resources/jenkins/model/Jenkins/loginError.jelly
core/src/main/resources/lib/layout/html.jelly
core/src/main/resources/lib/layout/layout.jelly
test/src/test/java/hudson/model/UpdateCenterPluginInstallTest.java
war/src/main/js/api/securityConfig.js
war/src/main/js/pluginSetupWizard.js
war/src/main/js/pluginSetupWizardGui.js
war/src/main/js/templates/firstUserPanel.hbs
war/src/main/js/templates/incompleteInstallationPanel.hbs
war/src/main/js/templates/offlinePanel.hbs
war/src/main/js/templates/pluginSelectionPanel.hbs
war/src/main/js/templates/proxyConfigPanel.hbs
war/src/main/js/templates/setupCompletePanel.hbs
war/src/main/js/templates/successPanel.hbs
war/src/main/js/templates/welcomePanel.hbs
war/src/main/js/util/jenkins.js
war/src/main/less/pluginSetupWizard.less
war/src/test/js/pluginSetupWizard-spec.js
http://jenkins-ci.org/commit/jenkins/5368c96404d415451bb657aea8073834c8bd815b
Log:
~~JENKINS-30749~~ - make Jenkins secure out of the box:

create initial admin user with difficult password (based on UUID)
force login with password as security token
force initial admin user creation

Show

SCM/JIRA link daemon added a comment - 2016-03-09 20:16 Code changed in jenkins User: kzantow Path: core/src/main/java/hudson/PluginManager.java core/src/main/java/hudson/model/UpdateCenter.java core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java core/src/main/java/jenkins/install/InstallState.java core/src/main/java/jenkins/install/InstallUtil.java core/src/main/java/jenkins/install/SetupWizard.java core/src/main/java/jenkins/model/Jenkins.java core/src/main/resources/hudson/security/FullControlOnceLoggedInAuthorizationStrategy/config.jelly core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signup.jelly core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly core/src/main/resources/jenkins/install/SetupWizard/index.jelly core/src/main/resources/jenkins/install/SetupWizard/proxy-configuration.jelly core/src/main/resources/jenkins/install/pluginSetupWizard.properties core/src/main/resources/jenkins/model/Jenkins/login.jelly core/src/main/resources/jenkins/model/Jenkins/loginError.jelly core/src/main/resources/lib/layout/html.jelly core/src/main/resources/lib/layout/layout.jelly test/src/test/java/hudson/model/UpdateCenterPluginInstallTest.java war/src/main/js/api/securityConfig.js war/src/main/js/pluginSetupWizard.js war/src/main/js/pluginSetupWizardGui.js war/src/main/js/templates/firstUserPanel.hbs war/src/main/js/templates/incompleteInstallationPanel.hbs war/src/main/js/templates/offlinePanel.hbs war/src/main/js/templates/pluginSelectionPanel.hbs war/src/main/js/templates/proxyConfigPanel.hbs war/src/main/js/templates/setupCompletePanel.hbs war/src/main/js/templates/successPanel.hbs war/src/main/js/templates/welcomePanel.hbs war/src/main/js/util/jenkins.js war/src/main/less/pluginSetupWizard.less war/src/test/js/pluginSetupWizard-spec.js http://jenkins-ci.org/commit/jenkins/5368c96404d415451bb657aea8073834c8bd815b Log: JENKINS-30749 - make Jenkins secure out of the box: create initial admin user with difficult password (based on UUID) force login with password as security token force initial admin user creation

Hide

Permalink

Daniel Beck added a comment - 2016-03-09 20:30

Fixed towards 2.0.

Show

Daniel Beck added a comment - 2016-03-09 20:30 Fixed towards 2.0.

Jenkins

Jenkins should be secure out of the box by default

Details

Description

Attachments

Issue Links

Activity

People

Dates