
Jenkins should be secure out of the box by default

      The default setup of Jenkins should be secure out of the box, and the admin must change it to be insecure if they desire.

      • Things like listening on localhost only (for HTTP/HTTPS/SSH/CLI etc.)
      • Ship with Jenkins' own security realm by default, without allowing users to sign up, and with a single admin user pre-defined.
      • Force password expiry on the local user database (to ensure the password is changed at first login).
      • The local user database should be able to support locking accounts (to prevent brute-force attacks).

      See also: Design
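      The points above can be applied to an existing instance with an init script. The following is an added example written for this page, not code from the ticket or from the Jenkins project: a script for $JENKINS_HOME/init.groovy.d/ that uses the Jenkins core API to switch on the local security realm without self-registration, pre-define a single admin, deny anonymous access and close the inbound agent port. It assumes the admin password is supplied in an ADMIN_PASSWORD environment variable (an assumed convention, chosen so no password is hard-coded) and that the process is started with --httpListenAddress=127.0.0.1 so HTTP is bound to loopback. Password expiry and account lock-out, the last two bullets, are not provided by the built-in realm, which is what the ticket asks to change, so the script cannot configure them.

```groovy
// Added example (not from JENKINS-30749 or Jenkins itself): a secure-by-default
// baseline applied at startup from $JENKINS_HOME/init.groovy.d/.
// Assumed environment:
//   - ADMIN_PASSWORD holds the initial admin password (assumed convention).
//   - Jenkins is launched with: java -jar jenkins.war --httpListenAddress=127.0.0.1
//     so the web UI/CLI over HTTP is reachable only from the host itself.
import jenkins.model.Jenkins
import hudson.model.User
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy

def jenkins = Jenkins.getInstance()

// 1. Jenkins' own user database, with the "allow users to sign up" box unticked.
def realm = new HudsonPrivateSecurityRealm(false)
jenkins.setSecurityRealm(realm)

// 2. Exactly one pre-defined admin. Refuse to start rather than create an
//    account with an empty or guessable password.
def password = System.getenv('ADMIN_PASSWORD')
if (!password) {
    throw new IllegalStateException(
        'ADMIN_PASSWORD is not set; refusing to create an admin with a default password')
}
if (User.get('admin', false) == null) {
    realm.createAccount('admin', password)
}

// 3. Nothing is readable without logging in; any logged-in user is an admin,
//    which is acceptable only because the realm holds a single account.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.setAllowAnonymousRead(false)
jenkins.setAuthorizationStrategy(strategy)

// 4. Do not listen for inbound (JNLP) agents until an admin enables it.
jenkins.setSlaveAgentPort(-1)

jenkins.save()
```

      The script is idempotent across restarts because it only creates the admin account when none exists, so a changed password is not silently reset. Brute-force protection still has to come from outside Jenkins (a reverse proxy with rate limiting, or the loopback binding above), since the built-in realm has no lock-out.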

          Change history:

          James Nord created the issue.
          James Nord: Component/s New: security [ 15508 ]
          Jesse Glick: Labels New: security
          Jesse Glick: Component/s Original: security [ 15508 ]; Component/s Original: packaging [ 20120 ]
          Jesse Glick: Assignee Original: Kohsuke Kawaguchi [ kohsuke ]
          Jesse Glick: Labels Original: security New: 2.0 security
          Jesse Glick: Link New: This issue is related to JENKINS-24513 [ JENKINS-24513 ]
          Kohsuke Kawaguchi: Epic Link New: JENKINS-31157 [ 165813 ]
          Daniel Beck: Link New: This issue is related to JENKINS-12731 [ JENKINS-12731 ]
          Daniel Beck: Labels Original: 2.0 security New: 2.0-planned security

            Assignee: Keith Zantow (kzantow)
            Reporter: James Nord (teilo)
            Votes: 2
            Watchers: 4
