JENKINS-30749

Jenkins should be secure out of the box by default


      Description

      The default setup of Jenkins should be secure out-of-the-box, and the admin must change it to be insecure if they desire.

      • Things like listening on localhost only (for http/https/ssh/cli etc.)
      • Ship with Jenkins' own security realm by default, without allowing users to sign up, and with a single admin user pre-defined.
      • Force password expiry on the local user database (to ensure the password is changed at first login).
      • The local user database should be able to support locking accounts (to prevent brute-force attacks).

      See also: Design

            Activity

            danielbeck Daniel Beck added a comment -

            Fixed towards 2.0.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: kzantow
            Path:
            core/src/main/java/hudson/PluginManager.java
            core/src/main/java/hudson/model/UpdateCenter.java
            core/src/main/java/hudson/security/FullControlOnceLoggedInAuthorizationStrategy.java
            core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
            core/src/main/java/jenkins/install/InstallState.java
            core/src/main/java/jenkins/install/InstallUtil.java
            core/src/main/java/jenkins/install/SetupWizard.java
            core/src/main/java/jenkins/model/Jenkins.java
            core/src/main/resources/hudson/security/FullControlOnceLoggedInAuthorizationStrategy/config.jelly
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryForm.jelly
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/_entryFormPage.jelly
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/addUser.jelly
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/firstUser.jelly
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/setupWizardFirstUser.jelly
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signup.jelly
            core/src/main/resources/hudson/security/HudsonPrivateSecurityRealm/signupWithFederatedIdentity.jelly
            core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
            core/src/main/resources/jenkins/install/SetupWizard/index.jelly
            core/src/main/resources/jenkins/install/SetupWizard/proxy-configuration.jelly
            core/src/main/resources/jenkins/install/pluginSetupWizard.properties
            core/src/main/resources/jenkins/model/Jenkins/login.jelly
            core/src/main/resources/jenkins/model/Jenkins/loginError.jelly
            core/src/main/resources/lib/layout/html.jelly
            core/src/main/resources/lib/layout/layout.jelly
            test/src/test/java/hudson/model/UpdateCenterPluginInstallTest.java
            war/src/main/js/api/securityConfig.js
            war/src/main/js/pluginSetupWizard.js
            war/src/main/js/pluginSetupWizardGui.js
            war/src/main/js/templates/firstUserPanel.hbs
            war/src/main/js/templates/incompleteInstallationPanel.hbs
            war/src/main/js/templates/offlinePanel.hbs
            war/src/main/js/templates/pluginSelectionPanel.hbs
            war/src/main/js/templates/proxyConfigPanel.hbs
            war/src/main/js/templates/setupCompletePanel.hbs
            war/src/main/js/templates/successPanel.hbs
            war/src/main/js/templates/welcomePanel.hbs
            war/src/main/js/util/jenkins.js
            war/src/main/less/pluginSetupWizard.less
            war/src/test/js/pluginSetupWizard-spec.js
            http://jenkins-ci.org/commit/jenkins/5368c96404d415451bb657aea8073834c8bd815b
            Log:
            JENKINS-30749 - make Jenkins secure out of the box:

            • create initial admin user with difficult password (based on UUID)
            • force login with password as security token
            • force initial admin user creation
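The description above asks for a local user database that forces a password change at first login and can lock accounts against brute force, and the commit log says the initial admin gets a UUID-based password that doubles as the setup security token. The following is an added illustrative model of those three behaviours; it is not Jenkins' own code (the real implementation lives in `HudsonPrivateSecurityRealm` and `SetupWizard`, listed above). The class and method names, the lockout threshold of 5 failed attempts and the PBKDF2 parameters are assumptions made for the example.

```python
"""Model of a hardened local user database in the spirit of JENKINS-30749.

Added example, not Jenkins' implementation. LocalUserDatabase, Account,
MAX_FAILED_ATTEMPTS and the hashing parameters are assumptions.
"""
import hashlib
import hmac
import os
import uuid

MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the stored hash


class AccountLocked(Exception):
    """Raised when an account has been locked after repeated failures."""


class PasswordChangeRequired(Exception):
    """Raised when the credentials are valid but the password has expired."""


def _hash(password, salt):
    """Salted PBKDF2-SHA256 so only a digest, never the secret, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, name, password, must_change):
        self.name = name
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.must_change_password = must_change   # "password expiry" on first login
        self.failed_attempts = 0
        self.locked = False


class LocalUserDatabase:
    def __init__(self):
        self.accounts = {}
        self.allow_signup = False   # secure default: no self-registration

    def bootstrap_admin(self):
        """Create the single predefined admin with a UUID-derived secret.

        The secret is returned once so the operator can use it as the initial
        security token; the database keeps only its salted hash.
        """
        secret = uuid.uuid4().hex
        self.accounts["admin"] = Account("admin", secret, must_change=True)
        return secret

    def signup(self, name, password):
        if not self.allow_signup:
            raise PermissionError("self sign-up is disabled")
        self.accounts[name] = Account(name, password, must_change=False)

    def authenticate(self, name, password):
        acct = self.accounts.get(name)
        if acct is None:
            _hash(password, b"\x00" * 16)   # same cost for unknown users
            return False
        if acct.locked:
            raise AccountLocked(name)
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            if acct.must_change_password:
                raise PasswordChangeRequired(name)
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True   # brute-force protection
        return False

    def change_password(self, name, old, new):
        acct = self.accounts[name]
        if not hmac.compare_digest(_hash(old, acct.salt), acct.digest):
            return False
        acct.salt = os.urandom(16)
        acct.digest = _hash(new, acct.salt)
        acct.must_change_password = False
        return True


def run_demo():
    """Walk through first login, forced change, and lockout; return the events."""
    events = []
    db = LocalUserDatabase()
    token = db.bootstrap_admin()
    try:
        db.authenticate("admin", token)
    except PasswordChangeRequired:
        events.append("change-required")
    events.append("changed" if db.change_password("admin", token, "new-pass") else "not-changed")
    events.append("login-ok" if db.authenticate("admin", "new-pass") else "login-failed")
    for _ in range(MAX_FAILED_ATTEMPTS):
        db.authenticate("admin", "wrong-guess")
    try:
        db.authenticate("admin", "new-pass")
    except AccountLocked:
        events.append("locked")
    return events


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` exercises the whole lifecycle: the UUID token works exactly once and only to set a real password, after which the configured number of wrong guesses locks the account even for the correct password.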

              People

              • Assignee: kzantow Keith Zantow
              • Reporter: teilo James Nord
              • Votes: 2
              • Watchers: 5