JENKINS-33599

Finding security token from console log can be very hard

Description

The new security setup wizard in alpha-3 requires that the new user provides a security token that's printed to the console to proceed, but knowing where it goes really isn't easy. You see some beginning of it in this Wiki page, but this is still far from complete.

For example, on Windows %JENKINS_HOME% is something the user can override during the setup, which I think defaults to either c:\jenkins or %APPDATA%\jenkins, I can't remember which. The latter location would be different depending on Windows versions. And if you are the kind of guy who just clicks Next, Next, and Next, you probably don't know where it is.

On OS X, we support two ways of installing it, and they put things in different locations. I don't know exactly where, so I couldn't add it to the page.

Then there's a whole can of worms about running Jenkins on a servlet container, which can do any number of things depending on how you installed said servlet container.

I think this is too much hassle, especially given that I cannot think of any other tools that do this much. For example, Atlassian tools show the setup wizard to anyone accessing it.

I suggest we consider alternative ways of authenticating the user:

• Create a random file name under $JENKINS_HOME and ask the user to touch that file by showing the path.
• Instead of printing it out to stdout, create a file under $JENKINS_HOME and ask the user to paste in its content.

Both of these remove any ambiguity and sufficiently authenticate the user.

Daniel raised that this approach reveals the location of $JENKINS_HOME, but I don't consider that a vulnerability by itself. This only happens briefly during the setup anyway.
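The two alternatives proposed above, worked through as an added example. This is illustration code written for this page, not the Jenkins code base and not what PR 2138 or PR 2142 implement; the file locations (`$JENKINS_HOME/secrets/setup_token`, a `setup-proof-<hex>` file directly under `$JENKINS_HOME`) and the function names are assumptions made here. Both variants authenticate the person at the browser by proof of access to `$JENKINS_HOME`, the same privilege the Jenkins process owner has, so they work the same whether Jenkins was started as a Windows service, an OS X package or a WAR inside a servlet container, without anyone having to find stdout.

```python
"""Setup-wizard authentication by proof of filesystem access to JENKINS_HOME.

Illustration of the two proposals in JENKINS-33599 (not Jenkins' own code):
  1. "touch this file": the server names a random file under JENKINS_HOME
     and the operator must create it;
  2. "paste this file's content": the server writes a random token to a file
     under JENKINS_HOME and the operator pastes it into the wizard.
"""
import hmac
import os
import secrets
import stat
import tempfile
from pathlib import Path

TOKEN_BYTES = 16  # 128 bits of entropy; hex-encoded to 32 characters


# ---- variant 2: token file whose content the operator pastes -------------

def create_setup_token(jenkins_home: Path) -> Path:
    """Write a fresh random token to <jenkins_home>/secrets/setup_token (assumed path).

    The file is created owner-read/write only so other local users cannot read
    it. On Windows the mode bits are ignored and the directory ACL has to do it.
    """
    secrets_dir = jenkins_home / "secrets"
    secrets_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    token_path = secrets_dir / "setup_token"
    token = secrets.token_hex(TOKEN_BYTES)  # CSPRNG, not random.random()
    fd = os.open(token_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token + "\n")
    return token_path


def verify_pasted_token(jenkins_home: Path, submitted: str) -> bool:
    """Compare what the operator pasted against the token on disk.

    Constant-time comparison; a missing token file means no setup is pending,
    so any submission is rejected instead of raising.
    """
    token_path = jenkins_home / "secrets" / "setup_token"
    try:
        expected = token_path.read_text().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(expected.encode(), submitted.strip().encode())


def retire_setup_token(jenkins_home: Path) -> None:
    """Delete the token once setup has completed so it cannot be replayed later."""
    (jenkins_home / "secrets" / "setup_token").unlink(missing_ok=True)


# ---- variant 1: random file name the operator must create ----------------

def create_touch_challenge(jenkins_home: Path) -> Path:
    """Pick a random file name under jenkins_home; the server keeps this path.

    Only the path is shown to the operator. The wizard must never accept a
    client-supplied path at verification time, or the check proves nothing.
    """
    return jenkins_home / f"setup-proof-{secrets.token_hex(8)}"


def verify_touch_challenge(jenkins_home: Path, challenge: Path) -> bool:
    """True once a regular (non-symlink) file exists at the server-chosen path."""
    if challenge.parent != jenkins_home:
        return False
    return challenge.is_file() and not challenge.is_symlink()


def run_demo() -> dict:
    """Exercise both variants in a throwaway JENKINS_HOME; returns what was observed."""
    home = Path(tempfile.mkdtemp(prefix="jenkins_home_"))  # constructed sandbox
    results = {}

    token_path = create_setup_token(home)
    token = token_path.read_text().strip()
    results["token_length"] = len(token)
    results["token_mode_0600"] = (
        os.name != "posix" or stat.S_IMODE(token_path.stat().st_mode) == 0o600
    )
    results["accepts_correct"] = verify_pasted_token(home, "  " + token + "\n")
    results["rejects_truncated"] = verify_pasted_token(home, token[:-1])
    retire_setup_token(home)
    results["rejects_after_retire"] = verify_pasted_token(home, token)

    challenge = create_touch_challenge(home)
    results["touch_before"] = verify_touch_challenge(home, challenge)
    challenge.touch()  # what the operator does after reading the path
    results["touch_after"] = verify_touch_challenge(home, challenge)
    results["challenge_under_home"] = challenge.parent == home
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point Daniel raised applies to both variants: the wizard prints a path inside `$JENKINS_HOME`, so its location is disclosed to whoever loads the page during setup. The retire step and the `0600` mode bound that exposure; what neither variant does is prevent someone who already has write access to `$JENKINS_HOME` from completing setup, and that is by design, since such a person already owns the installation.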

Activity

kohsuke Kohsuke Kawaguchi created issue
kohsuke Kohsuke Kawaguchi made changes:
  Project: Jenkins Website [ 10401 ] -> Jenkins [ 10172 ]
  Key: WEBSITE-136 -> JENKINS-33599
  Workflow: WEBSITE: Software Development Workflow [ 169555 ] -> JNJira [ 169555 ]
  Status: To Do [ 10003 ] -> Open [ 1 ]
  Component/s: core [ 15593 ]
  Component/s: core [ 21434 ]
kzantow Keith Zantow made changes:
  Assignee: Keith Zantow [ kzantow ]
kzantow Keith Zantow made changes:
  Status: Open [ 1 ] -> In Progress [ 3 ]
kzantow Keith Zantow made changes:
  Remote Link: This issue links to "PR 2138 (Web Link)" [ 14086 ]
kohsuke Kohsuke Kawaguchi made changes:
  Labels: 2.0 -> 2.0 2.0-planned
kohsuke Kohsuke Kawaguchi made changes:
  Assignee: Keith Zantow [ kzantow ] -> Kohsuke Kawaguchi [ kohsuke ]
kohsuke Kohsuke Kawaguchi made changes:
  Remote Link: This issue links to "PR 2142 (Web Link)" [ 14093 ]
kohsuke Kohsuke Kawaguchi made changes:
  Status: In Progress [ 3 ] -> Resolved [ 5 ]
  Resolution: Fixed [ 1 ]
rtyler R. Tyler Croy made changes:
  Workflow: JNJira [ 169556 ] -> JNJira + In-Review [ 198633 ]

People

Assignee: Kohsuke Kawaguchi (kohsuke)
Reporter: Kohsuke Kawaguchi (kohsuke)
Votes: 0
Watchers: 5