JENKINS-65107

The new LTS release may lock out old users


      Description

      Hi,

      If a user has a very old password hash defined in users/foo_xx/config.xml, the new LTS release may lock the user out of Jenkins.

      This happened with my admin user (set up around 2012). I spent > 1 day figuring this out and ruling out a security incident, and I would greatly appreciate it if this were mentioned in the release notes of 2.277. I upgraded from 2.268.


            Activity

            Worf added a comment:

            Hi Guys!
            I tried to update to the latest LTS (v2.277.2) yesterday and ran into the same issue as described by the reporter. Our Jenkins instance has been running since 2012 and was continuously updated.

            However, all existing users still use SHA password hashes (there wasn't any migration to jbcrypt), and since commit https://github.com/jenkinsci/jenkins/commit/a9ca5ef3d4c97937636bf3c585f4232514279b14 the CLASSIC password encoder has gone from hudson.security.HudsonPrivateSecurityRealm.
            As a consequence, no user could log in anymore and I had to roll back to v2.263.4, where login still works.

            Mark Waite added a comment:

            Thanks for the details, Worf. The transition from Acegi Security to the Spring Security framework (JEP-227) is intentional in Jenkins 2.277.1. If users in 2.263.4 update their password, does it write a bcrypt-based password or does it continue to write the old-style password?

            I suspect that the removal of the classic password encoder is intentional. Copying Jesse Glick in case he wants to comment on the change.

            Jesse Glick added a comment:

            Removal of the very old password encoder was intentional. It should suffice to update your password while running 2.265 or older.

            Worf added a comment:

            I can confirm that a change of the user's password in 2.263.4 will have its hash written in the new format and thus mitigates the issue.
            Nevertheless, I would expect such a change to be stated in the Change Log (regardless of whether it was made intentionally). This way, administrators who are in the (hopefully) rare situation of maintaining a Jenkins installation whose users have not changed their password since 2012 (horrible security practice) can take measures before users complain that they cannot log in anymore.

            Thanks for your feedback and efforts!

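            A pre-upgrade check an administrator could run against JENKINS_HOME before moving to 2.277.1, added here as an illustration; it is not code from the Jenkins project or from anyone in this thread. It assumes, based on the comments above, that HudsonPrivateSecurityRealm stores bcrypt hashes in the user's config.xml `<passwordHash>` element with a `#jbcrypt:` prefix and that any other value is the old SHA-based format the new release no longer accepts. The sample config.xml contents and hash values are constructed, and the element names and the `--users-dir` handling are this example's own.

```python
"""Pre-upgrade audit: list Jenkins accounts whose stored password hash is still
in the pre-bcrypt ("classic") format, so they can reset it on a pre-2.277
release before the upgrade locks them out.

Added illustration, not Jenkins project code.  Assumption (from the issue
thread, not verified here): the bcrypt encoder writes hashes prefixed with
"#jbcrypt:" into <passwordHash>; anything else is the old SHA-based format.
"""
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

JBCRYPT_PREFIX = "#jbcrypt:"  # assumed marker of the bcrypt format
# Element name under which Jenkins serialises the local-realm user details.
DETAILS_TAG = "hudson.security.HudsonPrivateSecurityRealm_-Details"


def classify_hash(password_hash):
    """Return 'bcrypt', 'classic' or 'none' for one <passwordHash> value."""
    if password_hash is None or not password_hash.strip():
        return "none"
    return "bcrypt" if password_hash.strip().startswith(JBCRYPT_PREFIX) else "classic"


def classify_config(config_xml):
    """Classify one user's config.xml.  Accounts without a local-realm Details
    property (e.g. created by an external realm) have no local password."""
    root = ET.fromstring(config_xml)
    props = root.find("properties")
    if props is None:
        return "none"
    for prop in props:
        if prop.tag == DETAILS_TAG:
            return classify_hash(prop.findtext("passwordHash"))
    return "none"


def audit_configs(configs):
    """Map user id -> classification for a dict {user_id: config_xml_text}."""
    return {uid: classify_config(xml) for uid, xml in configs.items()}


def users_needing_reset(configs):
    """User ids that would be locked out after the upgrade."""
    return sorted(u for u, c in audit_configs(configs).items() if c == "classic")


def audit_users_dir(users_dir):
    """Read every users/<dir>/config.xml below a real JENKINS_HOME/users."""
    configs = {}
    for cfg in sorted(Path(users_dir).glob("*/config.xml")):
        configs[cfg.parent.name] = cfg.read_text(encoding="utf-8")
    return audit_configs(configs)


def _user_xml(properties_xml):
    # Minimal shape of a Jenkins user config.xml (constructed sample).
    return f"<user><fullName>x</fullName><properties>{properties_xml}</properties></user>"


# Constructed sample data; the hash values are placeholders, not real digests.
SAMPLE_CONFIGS = {
    "admin_2012": _user_xml(
        f"<{DETAILS_TAG}><passwordHash>abc123:CONSTRUCTED_CLASSIC_DIGEST</passwordHash></{DETAILS_TAG}>"
    ),
    "alice": _user_xml(
        f"<{DETAILS_TAG}><passwordHash>#jbcrypt:$2a$10$CONSTRUCTED_NOT_A_REAL_HASH</passwordHash></{DETAILS_TAG}>"
    ),
    "ldap_bob": _user_xml("<hudson.model.MyViewsProperty/>"),
}


def audit_sample_via_disk():
    """Write the samples into a temporary users/ layout and audit it from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        for uid, xml in SAMPLE_CONFIGS.items():
            user_dir = Path(tmp, uid)
            user_dir.mkdir()
            (user_dir / "config.xml").write_text(xml, encoding="utf-8")
        return audit_users_dir(tmp)


if __name__ == "__main__":
    # Usage: python audit.py [--users-dir $JENKINS_HOME/users]
    if len(sys.argv) == 3 and sys.argv[1] == "--users-dir":
        result = audit_users_dir(sys.argv[2])
    else:
        result = audit_sample_via_disk()
    for uid, cls in sorted(result.items()):
        print(f"{uid:12s} {cls}")
    locked = [u for u, c in result.items() if c == "classic"]
    print(f"{len(locked)} account(s) would be locked out: {', '.join(locked) or '-'}")
```

            Run without arguments it audits the constructed samples; with `--users-dir $JENKINS_HOME/users` it walks a real installation and prints which accounts still need a password change on the older release before upgrading.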
            Mark Waite added a comment (edited):

            Documented in Jenkins 2.277.1 upgrade guide.


              People

              Assignee: Unassigned
              Reporter: Tarjei
              Votes: 1
              Watchers: 5