You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Oleg Gusakov (JIRA)" <ji...@codehaus.org> on 2009/02/03 20:25:21 UTC
[jira] Issue Comment Edited: (MNG-553) Secure Storage of Server
Passwords
[ http://jira.codehaus.org/browse/MNG-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162620#action_162620 ]
Oleg Gusakov edited comment on MNG-553 at 2/3/09 1:24 PM:
----------------------------------------------------------
Implemented solution is manual for now, I will add automation plugin later on. I already have the plugin but need to modify it a little.
*Manual process*
To encrypt a password, run the following cli:
java -cp maven-2.1.0-M2-SNAPSHOT-uber.jar org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher [ -m | -p ]
where:
* *-m* means encrypt master password
* *-p* means encrypt a password
To setup encryption for server *my.server*
* encrypt master password - get the output and save in *~/.m2/sec.xml*
{code}
<settingsSecurity>
<master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</settingsSecurity>
{code}
* encrypt the password with cli
* save the password into settings.xml
{code}
<server>
<id>my.server</id>
<username>foo</username>
<password>{COQLCE6DU6GtcS5P=}</password>
</server>
{code}
* that is all. Maven will intercept the password and decrypt it on the fly.
Because password is decrypted and send like that on the wire, you don't get much security from this approach, unless the connection itself is encrypted.
The best layout is like the following:
* have all global settings in in the global settings.xml file - *$M2_HOME/conf/settings.xml*, keep all profiles here
* move *servers* secrion to *~/.m2/settings.xml* - keep all you private passwords encrypted in this file
* keep encrypted master password in *~/.m2/sec.xml*
** if you want to enhance this - move this file to a removable disk and put a reference to that file into *~/.m2/sec.xml*
{code}
<settingsSecurity>
<relocation>/Volumes/mySecureUsb/secret/sec.xml</relocation>
</settingsSecurity>
{code}
then password will be read from */Volumes/mySecureUsb/secret/sec.xml*
was (Author: olle):
Implemented solution is manual for now, I will add automation plugin later on. I already have the plugin but need to modify it a little.
*Manual process*
To encrypt a password, run the following cli:
java -cp maven-2.1.0-M2-SNAPSHOT-uber.jar org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher [ -m | -p ]
where:
* *-m* means encrypt master password
* *-p* means encrypt a password
To setup encryption for server *my.server*
* encrypt master password - get the output and save in *~/.m2/sec.xml*
{code}
<sec>
<master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master>
</sec>
{code}
* encrypt the password with cli
* save the password into settings.xml
{code}
<server>
<id>my.server</id>
<username>foo</username>
<password>{COQLCE6DU6GtcS5P=}</password>
</server>
{code}
* that is all. Maven will intercept the password and decrypt it on the fly.
Because password is decrypted and send like that on the wire, you don't get much security from this approach, unless the connection itself is encrypted.
The best layout is like the following:
* have all global settings in in the global settings.xml file - *$M2_HOME/conf/settings.xml*, keep all profiles here
* move *servers* secrion to *~/.m2/settings.xml* - keep all you private passwords encrypted in this file
* keep encrypted master password in *~/.m2/sec.xml*
** if you want to enhance this - move this file to a removable disk and put a reference to that file into *~/.m2/sec.xml*
{code}
<sec>
<relocation>/Volumes/mySecureUsb/secret/sec.xml</relocation>
</sec>
{code}
then password will be read from */Volumes/mySecureUsb/secret/sec.xml*
> Secure Storage of Server Passwords
> ----------------------------------
>
> Key: MNG-553
> URL: http://jira.codehaus.org/browse/MNG-553
> Project: Maven 2
> Issue Type: Improvement
> Components: Settings
> Affects Versions: 2.0-alpha-3
> Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
> Reporter: J. Michael McGarr
> Assignee: Oleg Gusakov
> Priority: Critical
> Fix For: 2.1.0-M2
>
> Attachments: MNG-553.patch
>
>
> This was a question pose to the Maven User's Group and it was suggested I add it here.
> It would be benefitial to provide a more secure means of storing password's to the servers listed in the .m2/settings.xml. They are currently being stored as plain text and could definately be considered a security breach. Numerous organizations would undoubtedly considered this an unacceptable security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings file (more secure, but not foolproof) or even requiring the password to be manually provided per build (would prevent automation of builds). I am sure that there is a secure solution to this problem and it should be part of the 2.0 release.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira