Jenkins issue JENKINS-65107

The new LTS release may lock out old users


Details

    Description

      Hi,

      If a user has a very old password hash defined in users/foo_xx/config.xml, the new LTS release may lock the user out of Jenkins.

      This happened with my admin user (set up around 2012). I spent > 1 day figuring this out and ruling out a security incident and would greatly appreciate that this was mentioned in the release notes of 2.277. I upgraded from 2.268.

          Activity

            markewaite Mark Waite added a comment - edited

            Documented in Jenkins 2.277.1 upgrade guide.

            worf_lt Worf added a comment -

            I can confirm that a change of the user's password in 2.263.4 will have its hash written in the new format and thus mitigates the issue.
            Nevertheless, I would suspect such a change to be stated in the Change Log (regardless of whether it was intentionally made). This way, administrators who are in the (hopefully) rare situation of maintaining a Jenkins installation whose users did not change their password since 2012 (horrible security practice) can take measures before users complain that they cannot log in anymore.

            Thanks for your feedback and efforts!

            jglick Jesse Glick added a comment -

            Removal of the very old password encoder was intentional. Should suffice to update your password while running 2.265 or older.

            markewaite Mark Waite added a comment -

            Thanks for the details worf_lt. The transition from Acegi Security to the Spring Security framework (JEP-227) is intentional in Jenkins 2.277.1. If users in 2.263.4 update their password, does it write a bcrypt-based password or does it continue to write the old-style password?

            I suspect that the removal of the classic password encoder is intentional. Copying jglick in case he wants to comment on the change.

            worf_lt Worf added a comment -

            Hi Guys!
            I've tried to update to the latest LTS (v2.277.2) yesterday and ran into the same issue as described by the reporter. Our Jenkins instance has been running since 2012 and was continuously updated.

            However, all existing users still use SHA password hashes (there wasn't any migration to jbcrypt), and since commit https://github.com/jenkinsci/jenkins/commit/a9ca5ef3d4c97937636bf3c585f4232514279b14 the CLASSIC password encoder has gone from hudson.security.HudsonPrivateSecurityRealm.
            As a consequence, no user could log in anymore and I had to roll back to v2.263.4, where login still works.

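As an added example (not code from the Jenkins project or from anyone in this thread), the following Python script performs the pre-upgrade check that the reporter's description and Worf's last comment call for: it walks JENKINS_HOME/users/*/config.xml and lists the accounts whose passwordHash is not in the `#jbcrypt:` form written by the bcrypt encoder, so an administrator can have those users reset their password on the older release before moving to 2.277.x. It assumes the users/<id>/config.xml layout and the passwordHash element name as Jenkins writes them; the sample documents and hash values embedded in it are constructed placeholders.

```python
"""Pre-upgrade scan: report Jenkins local accounts whose stored password hash
is still in the pre-bcrypt ("classic") salt:sha format and would therefore
stop working once the classic password encoder is removed.

Added example; not part of the Jenkins project. Assumes the
JENKINS_HOME/users/<id>/config.xml layout and the <passwordHash> element."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Prefix that HudsonPrivateSecurityRealm writes in front of bcrypt hashes.
BCRYPT_PREFIX = "#jbcrypt:"


def hash_format(password_hash):
    """Classify one stored passwordHash value: 'bcrypt', 'classic' or 'none'."""
    if not password_hash:
        return "none"        # no local password stored (e.g. account created via SSO)
    if password_hash.startswith(BCRYPT_PREFIX):
        return "bcrypt"
    return "classic"         # anything else is an old salt:sha-style value


def user_hash_format(config_xml):
    """Return the hash format recorded in one user config.xml document.

    Only the passwordHash element is inspected and the value itself is never
    echoed, so the resulting report can be shared without leaking hashes."""
    root = ET.fromstring(config_xml)
    value = None
    for elem in root.iter("passwordHash"):
        value = (elem.text or "").strip()
    return hash_format(value)


def find_at_risk_users(configs):
    """configs maps a user id (the users/<dir> name) to its config.xml text.
    Returns the sorted ids whose password hash is still in the classic format."""
    return sorted(uid for uid, xml in configs.items()
                  if user_hash_format(xml) == "classic")


def scan_jenkins_home(jenkins_home):
    """Read every users/*/config.xml below JENKINS_HOME and report at-risk ids."""
    configs = {}
    for cfg in Path(jenkins_home).joinpath("users").glob("*/config.xml"):
        configs[cfg.parent.name] = cfg.read_text(encoding="utf-8")
    return find_at_risk_users(configs)


# Constructed sample documents; the hash values are made-up placeholders.
SAMPLE_CONFIGS = {
    "old_admin": """<user>
  <fullName>Old Admin</fullName>
  <properties>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>deadbeef:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
  </properties>
</user>""",
    "new_user": """<user>
  <fullName>New User</fullName>
  <properties>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
  </properties>
</user>""",
    "sso_only": """<user>
  <fullName>SSO Only</fullName>
  <properties/>
</user>""",
}

if __name__ == "__main__":
    # Usage: python check_hashes.py /var/lib/jenkins   (falls back to the samples)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    at_risk = scan_jenkins_home(target) if target else find_at_risk_users(SAMPLE_CONFIGS)
    for uid in at_risk:
        print(f"classic password hash, will not work after the encoder removal: {uid}")
    print(f"{len(at_risk)} account(s) need a password reset before upgrading")
```

Run it against JENKINS_HOME while still on 2.265 or older (the version Jesse Glick names above), then have each listed user change their password there; the rewritten hash will carry the `#jbcrypt:` prefix and the script will stop reporting that account.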

            People

              Assignee: Unassigned
              Reporter: tarjei_asku Tarjei