7

In setting up our Jenkins/Hudson server recently it became clear that it has to store passwords. It seems that it stores the passwords "ciphered" in config.xml. I can't see how this would be safe, as the chain of secrets has to break somewhere.

  • Can Jenkins' ciphered passwords be considered "safe"?
  • Is this just security through obscurity?

I should specify that we're using Jenkins 1.425.

Catskul
  • In this case Hudson has to pass on the passwords to secondary authentication mechanisms so it has to be able to undo its encryption. Looks like Shane found the answer. – Catskul Aug 09 '11 at 22:59

1 Answer

6

It looks to be AES128 encrypted using a key stored locally. You're exactly right that it's essentially just a layer of obscurity - conceptually, the only options available in a situation like this are to require a password to be entered at the time the service starts as a decryption key, or to store the key somewhere locally; a good analogue is encrypted SSL certificates for a web server.

The comments in the code for the hudson.util.Secret class make clear that they understand the security limitations of this method:

Glorified String that uses encryption in the persisted form, to avoid accidental exposure of a secret. Note that since the cryptography relies on Hudson.getSecretKey(), this is not meant as a protection against code running in the same VM, nor against an attacker who has local file system access.

Shane Madden
  • Are you familiar enough with Hudson to know whether it's possible to force it to require a password on startup? – Catskul Aug 09 '11 at 23:10
  • @Catskul Doesn't seem like it's possible, given the structure of the decryption stuff - it's meant to be invisible to the user. – Shane Madden Aug 10 '11 at 00:27
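
An added example, not part of the original answer and not Jenkins' own code: because the quoted comment says the encryption gives no protection against local file system access, the control that matters is who can read the Jenkins home directory. This Python check lists config.xml files and key files that accounts other than the owner can read or write; the key file name is supplied by the caller because the page does not name it, and `audit_home` and `home_is_private` are hypothetical names.

```python
import os
import stat
import sys

# Permission bits that let accounts other than the owner read or modify a file.
EXPOSED = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def audit_home(home, key_names=()):
    """List secret-bearing files under `home` exposed beyond their owner.

    config.xml files hold the ciphered passwords; `key_names` are the file
    names of the locally stored key (an assumption supplied by the caller).
    Returns (relative_path, role, octal_mode) tuples sorted by path.
    """
    findings = []
    for root, _dirs, files in os.walk(home):
        for name in files:
            if name == "config.xml":
                role = "ciphertext"
            elif name in key_names:
                role = "key"
            else:
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & EXPOSED:
                findings.append((os.path.relpath(path, home), role, oct(mode)))
    return sorted(findings)


def home_is_private(home):
    """True when only the owner can list or enter the home directory."""
    return stat.S_IMODE(os.stat(home).st_mode) & 0o077 == 0


if __name__ == "__main__":
    # Usage: script.py <jenkins home> [key file name ...]
    if len(sys.argv) < 2:
        sys.exit("usage: script.py <jenkins home> [key file name ...]")
    home = sys.argv[1]
    if not home_is_private(home):
        print(f"{home}: directory is accessible to group or other")
    for rel, role, mode in audit_home(home, key_names=tuple(sys.argv[2:])):
        print(f"{rel}: {role} file has mode {mode}")
```

A key file and a config.xml that show up together in the output mean any account with that access can recover the stored passwords.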