January 25, 2009

Avoiding Clear Text Passwords in Maven

On Secure LDAP Integration: Avoiding Clear Text Passwords in Maven Settings and Controlling Login Fallback

First, Some Background
One shortcoming of Maven is that it requires you to store your repository passwords in clear text inside the settings.xml file. This stops being a mere annoyance and becomes a real security hole once your repository's authentication is done by integrating with an external security service, such as LDAP. SSL can keep you from transmitting your password in clear text, but storing your LDAP/Active Directory password in clear text is a different story: it gives anyone who grabs your settings file access to every resource you can reach on the organizational network, including email accounts, shared documents, backoffice applications etc. Certainly not a welcome side-effect.

Artifactory includes an out-of-the-box LDAP integration, which can be quite easily set up and tested from the web UI. Soon after introducing LDAP into Artifactory, we received an inspiring feature request from Patrick Crocker that led us to implement the current encrypted password support, which overcomes this security hole in Maven.

BTW, you can of course use encrypted passwords even without LDAP, simply to keep people from seeing what your clear text passwords look like.

How Does It Work?
First, an Artifactory admin has to enable password encryption by going to Admin:Security:General and setting the password encryption policy to either "Supported" or "Required":

This activates secure password generation for each user, based on a secure key stored as part of the user's details.
From now on, any user can go to his profile page (click your login name in the upper-right corner) to get an auto-generated Triple DES secure password for use in his settings.xml file:
just type in your current password and take the value of the Encrypted Password field as your secure password.
Artifactory also gives you a sample server XML element snippet for use in your settings.xml.

Controlling Login Fallback
A common case when integrating with an external authentication system is that you want to force all users to go exclusively through LDAP, except for a couple of special users who need to be able to log in using internal passwords even when the LDAP server is unreachable (e.g., when a change on the LDAP server requires adjusting the connection settings), or when no LDAP authentication details exist for them (as in the case of a CI build server). For users of this kind, just leave the "Disable Internal Password" flag off in the user's details panel.

That's it!


1 comment:

  1. UPDATE: -
    One question we are often asked is - "How is this different from Maven's built-in support for encrypted passwords?"

    It is true that from first glance the features may look similar, but there are substantial differences that make the support for encrypted passwords on the server side much more compelling:

    (1) Control: Artifactory offers a centrally-controlled password policy, so it is not left up to users to decide what level of security they are willing to maintain. If an administrator mandates an encrypted password policy, no user can fall back to storing his domain password in clear text.

    (2) Ease of use: The steps required by a user to set up his encrypted password are minimal - just download a generated settings.xml from Artifactory and copy/paste your encrypted password to it from your profile page. Compare this with creating a master password from the command line, using another command line to encrypt the original password and maintaining the master password on disk. Moreover, from our experience with some very large development shops, putting this into the environment setup process may be a non-trivial requirement for end developers.

    (3) Security: User passwords are never stored - not in encrypted form and certainly not in clear text. Artifactory only stores a secure key per user that is accessible strictly by administrators. This key is used to encrypt the user password using Triple DES:
    A user enters his password in the UI, the password is encrypted and the user copies it to his settings.xml. Then, when a request comes in to Artifactory using an encrypted password, the password is decrypted in memory on the server and passed to LDAP (or compared against a local hashed password if no LDAP is used).
    On the other hand, Maven decrypts the password to clear-text on the client side, and you also must keep the master password in clear-text on the clients' filesystem.

    (4) Maven-agnostic: The way secure passwords are managed in Artifactory is totally independent of Maven capabilities, and can be used with any REST/HTTP client, like Gradle and Ivy/Ant.
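The flow described under "How Does It Work" and in point (3) of the update, together with the fallback rule from "Controlling Login Fallback", as an added Java sketch. This is illustration code written for this page, not Artifactory's implementation. Everything beyond what the post states is an assumption: the token handed to the user is Base64 of an 8-byte IV followed by DESede/CBC ciphertext, the internal password is kept as a SHA-256 digest, the LDAP server is a stub, and the order "try LDAP first, fall back to the internal password only when LDAP is unreachable or has no account for the user" is my reading of the post.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/** Added illustration of the server-side design the post describes; not Artifactory's code. */
public class EncryptedPasswordDemo {

    /** Per-user data kept on the server: the secure key, the fallback flag, the internal password hash. */
    static final class UserRecord {
        final SecretKey key;                 // secure key stored with the user's details (admins only)
        final boolean internalPasswordDisabled;
        final byte[] internalPasswordHash;   // null when the user has no internal password
        UserRecord(SecretKey key, boolean internalPasswordDisabled, byte[] internalPasswordHash) {
            this.key = key;
            this.internalPasswordDisabled = internalPasswordDisabled;
            this.internalPasswordHash = internalPasswordHash;
        }
    }

    /** Stand-in for the LDAP server (assumption: a real one would be contacted over LDAPS). */
    static final class StubLdap {
        private final Map<String, String> accounts;  // user -> domain password, constructed sample data
        StubLdap(Map<String, String> accounts) { this.accounts = accounts; }
        boolean hasAccount(String user) { return accounts.containsKey(user); }
        boolean bind(String user, String password) { return password.equals(accounts.get(user)); }
    }

    private static final String TRANSFORM = "DESede/CBC/PKCS5Padding";
    private static final int IV_LEN = 8;              // DES block size
    private final Map<String, UserRecord> users = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private StubLdap ldap;                            // null models "LDAP server unreachable"

    void addUser(String name, boolean internalPasswordDisabled, String internalPassword) throws GeneralSecurityException {
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();   // one secure key per user
        byte[] hash = internalPassword == null ? null : sha256(internalPassword);
        users.put(name, new UserRecord(key, internalPasswordDisabled, hash));
    }

    /** What the profile page does: encrypt the real password under the user's server-side key. */
    String encryptPassword(String name, String password) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        random.nextBytes(iv);
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, users.get(name).key, new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] token = Arrays.copyOf(iv, IV_LEN + ciphertext.length);     // IV || ciphertext
        System.arraycopy(ciphertext, 0, token, IV_LEN, ciphertext.length);
        return Base64.getEncoder().encodeToString(token);
    }

    /** The sample <server> element the UI hands out for settings.xml. */
    static String settingsServerSnippet(String serverId, String user, String token) {
        return "<server>\n  <id>" + serverId + "</id>\n  <username>" + user
                + "</username>\n  <password>" + token + "</password>\n</server>";
    }

    /** Server side of a request: decrypt in memory, try LDAP, fall back to the internal password only if allowed. */
    boolean authenticate(String name, String token) throws GeneralSecurityException {
        UserRecord record = users.get(name);
        if (record == null) return false;
        byte[] blob = Base64.getDecoder().decode(token);
        if (blob.length <= IV_LEN) return false;
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, record.key, new IvParameterSpec(Arrays.copyOf(blob, IV_LEN)));
        String password;
        try {
            password = new String(cipher.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            return false;                             // token was not produced under this user's key
        }
        if (ldap != null && ldap.hasAccount(name)) {
            return ldap.bind(name, password);         // LDAP users never fall back on a wrong password
        }
        // LDAP unreachable, or the user has no LDAP account (e.g. a CI build server)
        if (record.internalPasswordDisabled || record.internalPasswordHash == null) return false;
        return MessageDigest.isEqual(record.internalPasswordHash, sha256(password));
    }

    private static byte[] sha256(String s) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        EncryptedPasswordDemo server = new EncryptedPasswordDemo();
        // Constructed sample data: a domain user forced through LDAP and a CI account with no LDAP entry
        server.addUser("alice", true, null);
        server.addUser("ci-build", false, "ci-internal-pw");
        server.ldap = new StubLdap(Map.of("alice", "alice-domain-pw"));
        String aliceToken = server.encryptPassword("alice", "alice-domain-pw");
        String ciToken = server.encryptPassword("ci-build", "ci-internal-pw");
        System.out.println(settingsServerSnippet("artifactory", "alice", aliceToken));
        System.out.println("alice, LDAP up:      " + server.authenticate("alice", aliceToken));
        System.out.println("ci-build, LDAP up:   " + server.authenticate("ci-build", ciToken));
        server.ldap = null;                           // LDAP server unreachable
        System.out.println("alice, LDAP down:    " + server.authenticate("alice", aliceToken));
        System.out.println("ci-build, LDAP down: " + server.authenticate("ci-build", ciToken));
        EncryptedPasswordDemo other = new EncryptedPasswordDemo();   // a server that never had alice's key
        other.addUser("alice", true, null);
        System.out.println("alice token elsewhere: " + other.authenticate("alice", aliceToken));
    }
}
```

Run it with `java EncryptedPasswordDemo.java` (Java 11 or later). The four authentication lines show the fallback rule in action: alice, whose internal password is disabled, only gets in while LDAP is reachable, whereas ci-build, which has no LDAP account but keeps its internal password enabled, gets in either way. The last line shows why the stored value in settings.xml is not the user's domain password: a second server with its own freshly generated key cannot decrypt the token, so the clear-text password exists only in memory on the server that issued it. In real deployments the internal password hash should of course be a salted, slow hash rather than the plain SHA-256 used here for brevity.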