Posted to issues@maven.apache.org by "Brendan Lawlor (JIRA)" <ji...@codehaus.org> on 2010/04/07 15:34:23 UTC

[jira] Created: (MNG-4626) Avoid cleartext passwords over http

Avoid cleartext passwords over http
-----------------------------------

                 Key: MNG-4626
                 URL: http://jira.codehaus.org/browse/MNG-4626
             Project: Maven 2 & 3
          Issue Type: Improvement
          Components: General
    Affects Versions: 3.0-alpha-7
            Reporter: Brendan Lawlor


The current encryption scheme implemented by Maven avoids the use of cleartext passwords on local files by allowing them to be encrypted locally and decrypted just before the maven client requests from or deploys to a central artifact repository.

I would like to suggest that the Maven team replicate the idea adopted by Artifactory, where passwords are _transmitted_ encrypted, and only decrypted on the server side by the repository. Requests and deployments are made over http and transmitted in the clear. Where the passwords are system passwords integrated to Active Directory or similar using LDAP, this is not an option even within a company's LAN. I like the idea of where Nexus and the Maven development stack in general is going (I listened to Jason's seminar recently and I'm keen on much of where you are going). But passwords in the clear over http is a showstopper and I'm surprised you haven't already borrowed this idea from the competition.

Another irritating side effect of maven's insistence on using cleartext passwords has been mentioned by a colleague of mine in MNG-4611. We currently use Artifactory for EXACTLY this reason (the password encryption) and maven logs loudly about the fact that the passwords are encrypted.



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (MNG-4626) Avoid cleartext passwords over http

Posted by "Brian Fox (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217075#action_217075 ] 

Brian Fox commented on MNG-4626:
--------------------------------

Maven was built assuming no intelligence on the repository side, so it exactly follows the http standards wrt authentication. Simply encrypting the password is a false sense of security; if you really have sensitive data, you should instead be using https to encrypt the whole transfer. The encryption built into Maven 2.1 was intended to provide a way to give some security to your password by obscuring it from the settings.xml. Naturally, to conform to http standards, we needed to reverse the encryption before putting it on the wire.

There may be some consideration done to define a new repository manager protocol and some password encryption around that, but for the moment, this seems to be out of scope for Maven itself.

That said, we have developed this functionality in Nexus Pro, but never shipped it because of some incompatibilities with the sun http provider in some edge cases. It sort of fell off the priority list, but we will be resurrecting and polishing this up soon.


[jira] Commented: (MNG-4626) Avoid cleartext passwords over http

Posted by "Brendan Lawlor (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217143#action_217143 ] 

Brendan Lawlor commented on MNG-4626:
-------------------------------------

Brian: Point taken on using https. It just seems like a lot of encryption for a little password, but as Paul points out, just a statically encrypted password can still be reused (though only in the context of the Artifactory/Nexus server). 

Brett: that sums up things pretty well. I'll look into switching over to https and see if there is a big performance penalty (potentially nasty for our very busy continuous integration engine). In the meantime, it would be very nice if the escaping mechanism did what it says on the box (perhaps a separate JIRA for that one?)

Many thanks for the replies.


[jira] Issue Comment Edited: (MNG-4626) Avoid cleartext passwords over http

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217078#action_217078 ] 

Brett Porter edited comment on MNG-4626 at 4/7/10 6:24 PM:
-----------------------------------------------------------

can I sum up, between the two issues, that you want Maven to not decrypt the password in settings.xml, and that Artifactory is using the same algorithm and master key ? So a suitable escaping mechanism (that works as documented on the page) would be sufficient? That should be fine to do, but I otherwise agree using https for your repository is a better option all around.

      was (Author: brettporter):
    can I some up, between the two issues, that you want Maven to not decrypt the password in settings.xml, and that Artifactory is using the same algorithm and master key ? So a suitable escaping mechanism (that works as documented on the page) would be sufficient? That should be fine to do, but I otherwise agree using https for your repository is a better option all around.

[jira] Commented: (MNG-4626) Avoid cleartext passwords over http

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217078#action_217078 ] 

Brett Porter commented on MNG-4626:
-----------------------------------

can I sum up, between the two issues, that you want Maven to not decrypt the password in settings.xml, and that Artifactory is using the same algorithm and master key? So a suitable escaping mechanism (that works as documented on the page) would be sufficient? That should be fine to do, but I otherwise agree using https for your repository is a better option all around.


[jira] Commented: (MNG-4626) Avoid cleartext passwords over http

Posted by "Paul Benedict (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217077#action_217077 ] 

Paul Benedict commented on MNG-4626:
------------------------------------

Even with an encrypted password sent over HTTP, unless the encryption is time sensitive (nonce?), an intercept could allow its unauthorized reuse.

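The three positions taken in this thread (Brian: Basic auth over plain http exposes the password itself; Paul: a statically "encrypted" password is still replayable; the implied fix: bind the credential to a server nonce) can be shown side by side. The following Python is an added example written for this page; it is not Maven, Nexus or Artifactory code. The user name, password, master key and the two toy repository classes are constructed for the demonstration, and the HMAC-based transform stands in for whatever client-side encryption a repository manager might use.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credentials for the demonstration; not a real account.
USER = "ci-deployer"
PASSWORD = "S3cret!"
MASTER_KEY = b"repository-master-key"   # stand-in for a repository-side master key


def basic_auth_header(user: str, password: str) -> str:
    """The Authorization header a client puts on the wire after decrypting the
    settings.xml value. HTTP Basic is base64 encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def sniff_basic(header: str) -> tuple[str, str]:
    """A passive observer on plain http recovers the credential from one request."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


class StaticTokenRepo:
    """Repository accepting a client-side 'encrypted' password that is identical
    on every request. Whatever the transform, the wire value is a bearer secret:
    a captured copy can be replayed indefinitely."""

    def __init__(self, password: str):
        self.expected = self.transform(password)

    @staticmethod
    def transform(password: str) -> str:
        return hmac.new(MASTER_KEY, password.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, token: str) -> bool:
        return hmac.compare_digest(token, self.expected)


def client_proof(password: str, nonce: str) -> str:
    """Proof bound to one server nonce; changes on every request."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class NonceRepo:
    """Repository that issues a single-use nonce per request and expects a proof
    bound to it, so a captured proof is useless for a second request."""

    def __init__(self, password: str):
        self.password = password
        self.outstanding: set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce: str, proof: str) -> bool:
        if nonce not in self.outstanding:      # unknown, expired or already used
            return False
        self.outstanding.discard(nonce)        # consume it: single use
        return hmac.compare_digest(proof, client_proof(self.password, nonce))


def demo() -> dict:
    # 1. Plain http + Basic: the observer gets the password itself.
    captured_header = basic_auth_header(USER, PASSWORD)
    sniffed_user, sniffed_password = sniff_basic(captured_header)

    # 2. Static client-side encryption: the observer never learns the password,
    #    but replaying the captured token authenticates just as well.
    static_repo = StaticTokenRepo(PASSWORD)
    captured_token = StaticTokenRepo.transform(PASSWORD)
    static_replay = static_repo.authenticate(captured_token)

    # 3. Nonce-bound proof: first use succeeds, the replay is rejected.
    nonce_repo = NonceRepo(PASSWORD)
    nonce = nonce_repo.challenge()
    captured_proof = client_proof(PASSWORD, nonce)
    first_use = nonce_repo.authenticate(nonce, captured_proof)
    replay = nonce_repo.authenticate(nonce, captured_proof)

    return {
        "basic_reveals_password": sniffed_user == USER and sniffed_password == PASSWORD,
        "static_token_replays": static_replay,
        "nonce_first_use": first_use,
        "nonce_replays": replay,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Reading the result: the Basic header gives up the password outright, the static token is a different secret but an equally reusable one, and only the nonce-bound proof fails on replay. HTTP Digest authentication (RFC 2617) is the standardised form of that nonce idea. Neither Digest nor the toy scheme above protects the artifact bytes or the rest of the request, and a captured nonce/proof pair still allows offline guessing of a weak password, which is why the https answer given in the thread holds.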

[jira] Updated: (MNG-4626) Password encryption escaped mechanism doesn't work as advertised

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter updated MNG-4626:
------------------------------

    Summary: Password encryption escaped mechanism doesn't work as advertised  (was: Avoid cleartext passwords over http)

changed the summary accordingly. I haven't had the chance to test it yet.

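Since the issue was retitled around the escape mechanism, here is the contract Brett describes as "works as documented on the page", as an added Python illustration that is not Maven's or plexus-cipher's own code. It assumes the documented grammar (a value wrapped in unescaped curly braces is ciphertext to decrypt; a backslash before a brace makes it a literal character), so a value written as `\{...\}` reaches the repository verbatim instead of being decrypted by Maven. The sample values, the comment text, the token inside the escaped braces and the base64 stand-in for the master-password cipher are all constructed for the example.

```python
import base64
import re
from typing import Callable

# Marker grammar assumed from the Maven password-encryption documentation:
# an encrypted value is wrapped in {...}; a brace preceded by a backslash
# (\{ or \}) is a literal character and neither opens nor closes a value.
# This is an illustrative re-implementation, not plexus-cipher's code.
ENCRYPTED_MARKER = re.compile(r"(?<!\\)\{(.*?)(?<!\\)\}")


def is_encrypted(value: str) -> bool:
    """True when the value carries an unescaped {...} pair."""
    return ENCRYPTED_MARKER.search(value) is not None


def undecorate(value: str) -> str:
    """Return the text between the unescaped braces (text outside them, such as
    a comment, is allowed), or the value unchanged when nothing is decorated."""
    m = ENCRYPTED_MARKER.search(value)
    return m.group(1) if m else value


def unescape(value: str) -> str:
    """Turn \\{ and \\} back into literal braces for a value that is not to be
    decrypted, so the repository receives the characters the user wrote."""
    return value.replace("\\{", "{").replace("\\}", "}")


def resolve_password(value: str, decrypt: Callable[[str], str]) -> str:
    """What the client should send: the decrypted secret for a decorated value,
    otherwise the literal value with escapes removed."""
    if is_encrypted(value):
        return decrypt(undecorate(value))
    return unescape(value)


def stand_in_decrypt(ciphertext: str) -> str:
    """Stand-in for the master-password cipher so the example runs offline.
    Real settings.xml values hold password-based-encryption ciphertext, not base64."""
    return base64.b64decode(ciphertext).decode()


# Constructed settings.xml <password> values (not real credentials).
SAMPLES = {
    "plain": "hunter2",
    "decorated": "{" + base64.b64encode(b"hunter2").decode() + "}",
    "with_comment": "reset on 2010-04-07 {" + base64.b64encode(b"hunter2").decode() + "}",
    # A value that must reach the server verbatim, e.g. a token the repository
    # manager decrypts itself. Escaped braces stop Maven treating it as its own ciphertext.
    "escaped": "\\{AMgaoXhMAAAAAH\\}",
}


def resolve_all() -> dict:
    return {name: resolve_password(v, stand_in_decrypt) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, sent in resolve_all().items():
        print(f"{name:>12}: {SAMPLES[name]!r} -> {sent!r}")
```

The `escaped` case is the one the thread asks for: Maven leaves it alone, strips the escapes, and the repository manager sees `{AMgaoXhMAAAAAH}` and applies its own decryption. The caveat from earlier in the thread still applies: that token is constant across requests, so over plain http it is as replayable as a cleartext password.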