JENKINS-33599

Finding security token from console log can be very hard

Description

The new security setup wizard in alpha-3 requires that the new user provides a security token that's printed to console to proceed, but knowing where it goes really isn't easy. You see some beginning of it in this Wiki page, but this is still far from complete.

For example, on Windows %JENKINS_HOME% is something the user can override during the setup, which I think defaults to either c:\jenkins or %APPDATA%\jenkins that I can't remember. The latter location would be different depending on Windows versions. And if you are a kind of guy who just clicks Next, Next, and Next, you probably don't know where it is.

On OS X, we support two ways of installing it, and they put things in different locations. I don't know exactly where so I couldn't add it to the page.

Then there's a whole can of worms about running Jenkins on a servlet container, which can do any number of things depending on how you installed the said servlet container.

I think this is too much hassle, especially given that I cannot think of any other tools that do this much. For example, Atlassian tools show the setup wizard to anyone accessing it.

I suggest we consider alternative ways of authenticating the user:

• Create a random file name under $JENKINS_HOME and ask the user to touch that file by showing the path.
• Instead of printing it out to stdout, create a file under $JENKINS_HOME and ask the user to paste in its content.

Both of these remove any ambiguity and sufficiently authenticate the user.

Daniel raised that this approach reveals the location of $JENKINS_HOME, but I don't consider that a vulnerability by itself. This only happens briefly during the setup anyway.
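Added example (not code from this issue, the linked commits, or Jenkins itself): a Python sketch of the two proposals above, an unguessable file the user must touch and a token file whose content the user must paste back. The file name initialAdminPassword and the temporary directory standing in for $JENKINS_HOME are assumptions.

```python
import hmac
import os
import secrets
import tempfile
from pathlib import Path

TOKEN_FILE = "initialAdminPassword"  # assumed name; the page gives no file name

def write_setup_token(home: Path) -> Path:
    """Proposal 2: write a random token to a 0600 file under the home directory.
    Being able to read that file is what authenticates the first user."""
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
    path = home / TOKEN_FILE
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    return path

def verify_setup_token(home: Path, supplied: str) -> bool:
    """Compare the pasted value with the file contents in constant time."""
    try:
        expected = (home / TOKEN_FILE).read_text().strip()
    except FileNotFoundError:
        return False  # no token on disk: never accept anything
    return hmac.compare_digest(expected.encode(), supplied.strip().encode())

def proof_file_path(home: Path) -> Path:
    """Proposal 1: pick an unguessable name and ask the user to touch it."""
    return home / f"setup-proof-{secrets.token_hex(8)}"

def verify_touched(path: Path) -> bool:
    return path.is_file()  # the user authenticates by creating exactly that file

def run_demo() -> dict:
    """Exercise both flows in a throwaway directory standing in for $JENKINS_HOME."""
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        token_path = write_setup_token(home)
        token = token_path.read_text().strip()
        proof = proof_file_path(home)
        before = verify_touched(proof)
        proof.touch()  # what the user would do by hand on the server
        return {
            "accepts_pasted": verify_setup_token(home, f"  {token}\n"),
            "rejects_wrong": verify_setup_token(home, "0" * 32),
            "rejects_missing": verify_setup_token(home / "nope", token),
            "mode_is_0600": os.name != "posix" or (token_path.stat().st_mode & 0o777) == 0o600,
            "touch_before": before,
            "touch_after": verify_touched(proof),
        }
```

Either check proves the same thing: that the person at the browser can read or write the service account's home directory, which is why the wizard need not care where the console log went.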

Activity

rtyler R. Tyler Croy added a comment -

I can't tell what the request for the website project is here: is it for better documentation, or is this mis-filed into the wrong project?
danielbeck Daniel Beck added a comment -

Discussion on the users list: https://groups.google.com/d/msg/jenkinsci-users/3GpzesBrQRY/WoG3b5e6JwAJ
kohsuke Kohsuke Kawaguchi added a comment -

I'm taking this over to free up time of Keith Zantow so that he can work on other stuff for 2.0 that only he can do, like scrollspy.
scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: kzantow
Path:
core/src/main/java/jenkins/install/SetupWizard.java
core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.properties
http://jenkins-ci.org/commit/jenkins/f0d6e9204045a20cdf6ce494e01989b249631cad
Log:
JENKINS-33599 - write initial admin password to a file in the Jenkins home directory
scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: kzantow
Path:
cli/pom.xml
core/pom.xml
pom.xml
test/pom.xml
war/pom.xml
http://jenkins-ci.org/commit/jenkins/30839053b6301e8d3ffaaf7dce9be6688039a3d6
Log:
Merge remote-tracking branch 'primary/2.0' into JENKINS-33599-write-file-for-security-token
kohsuke Kohsuke Kawaguchi added a comment -

Ready for review & final merge
scm_issue_link SCM/JIRA link daemon added a comment -

Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
core/src/main/java/jenkins/install/SetupWizard.java
core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.jelly
core/src/main/resources/jenkins/install/SetupWizard/authenticate-security-token.properties
http://jenkins-ci.org/commit/jenkins/c4fb608390c55398193ba300c4a0c07676e6c000
Log:
Merge pull request #2142 from jenkinsci/PR-2138

[FIXED JENKINS-33599] write file with admin password for installer

Compare: https://github.com/jenkinsci/jenkins/compare/904d9b170fbe...c4fb608390c5

People

• Assignee: kohsuke Kohsuke Kawaguchi
• Reporter: kohsuke Kohsuke Kawaguchi