The new security setup wizard in alpha-3 requies that the new user provides a security token that's printed to console to proceed, but knowing where it goes really isn't easy. You see some beginning of it in this Wiki page, but this is still far from complete.
For example, on Windows %JENKINS_HOME% is something the user can override during the setup, which I think defaults to either c:\jenkins or %APPDATA%\jenkins that I can't remember. The latter location would be different depending on Windows versions. And if you are a kind of guy who just clicks Next, Next, and Next, you probably don't know where it is.
On OS X, we support two ways of installing it, and they put things to different locations. I don't know exactly where so I couldn't add it to the page.
Then there's a whole can of worm about running Jenkins on a servlet container, which can do any number of things depending on how you installed the said servlet container.
I think this is too much hassle, especially given that I cannot think of any other tools that do this much. For example, Atlassian tools show the setup wizard to anyone accessing it.
I suggest we consider alternative ways of authenticating the user:
- Create a random file name under $JENKINS_HOME and ask the user to touch that file by showing the path.
- Instead of printing it out to stdout, create a file under $JENKINS_HOME and ask the user to paste in its content.
Both of these remove any ambiguity and sufficiently authenticate the user.
Daniel raised that this approach reveals the location of $JENKINS_HOME but I don't consider that a vulnerability by itself. This only happens briefly during the setup anyway.