Multi-factor authentication for jenkins-ci.org accounts, and for Jenkins plugin deployments?

Chris Kilding

Jul 31, 2020, 1:49:21 PM
to jenkin...@googlegroups.com
Hello,

At FOSDEM earlier this year there was a discussion about whether release builds of plugins could be pushed from a central security-hardened box in ci.jenkins.io, and whether this would improve the security posture of plugin releases compared to the status quo (where incrementals builds are pushed from ci.jenkins.io, but release builds are published from individual plugin maintainers' laptops).

The verdict was that:

- In theory it would be a good idea.
- In practice a central release box would offer such a tempting target to skilled attackers that they would find ways to tamper with it which we could not adequately defend against.
- While a maintainer's laptop is a messier environment (in terms of the Maven cache) and also probably easier to attack than a security-hardened box in AWS, an attack would only compromise that maintainer's plugin(s) rather than all of the plugins.

And therefore, on balance, maintainers continue to release plugins from their laptops.

The fundamental constraints on centralised release boxes are unlikely to change in the short term. I am therefore wondering if we could use multi-factor authentication (MFA) to improve the security of laptop-based plugin releases.

First, could we have MFA in our jenkins-ci.org SSO accounts?

This would be the obvious starting point. At minimum it would help secure our logins to Jira, Artifactory, as well as the account portal.

Second, could we use MFA in Maven deployments?

This *could* provide a significant security upgrade over the Artifactory API key which we use today: anyone who bears that key has arbitrary upload access for the corresponding plugin(s).

I see two ways we could potentially do this:

- maven-deploy-plugin. This would require some extra work on the LDAP side, and maybe a PR on maven-deploy-plugin itself, which I would be happy to investigate. Once enabled, when a Maven deployment is initiated, the maintainer would be asked to authenticate with their normal username/password plus an MFA token. (I suppose the username/password could be securely cached after first login, and the MFA token is the thing asked for each time.)
- Create a holding area in Artifactory for newly uploaded artifacts, and require an MFA prompt for each release. You would push from maven-deploy-plugin as usual, but rather than the artifacts going straight into the index, they would go to a holding area, and Artifactory would give you an MFA prompt to confirm that it really was you that uploaded them. I suppose advantages of this approach are (a) it keeps the MFA entirely in-browser where WebAuthn support is already mature and (b) it would allow M-of-N control for the release of particularly sensitive plugins.

Let me know your thoughts below.

Regards,

Chris
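
The holding-area flow from the second option above, as an added sketch that is not part of the original post and is not Jenkins or Artifactory code. The `HoldingArea` class and its method names are hypothetical, and RFC 6238 TOTP is assumed as a stand-in for the in-browser WebAuthn prompt the post has in mind.

```python
import hashlib, hmac, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); assumed stand-in for the MFA prompt."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class HoldingArea:
    """Hypothetical staging gate: an upload is indexed only after M confirmations."""

    def __init__(self, secrets: dict, threshold: int):
        self.secrets = secrets      # maintainer -> enrolled TOTP secret (the N)
        self.threshold = threshold  # M distinct confirmations required
        self.staged = {}            # artifact digest -> set of confirming maintainers
        self.used = set()           # (maintainer, time step) pairs already spent
        self.released = set()

    def upload(self, artifact: bytes) -> str:
        """Stage an artifact; confirmations are bound to its SHA-256 digest."""
        digest = hashlib.sha256(artifact).hexdigest()
        self.staged.setdefault(digest, set())
        return digest

    def approve(self, digest: str, who: str, code: str, now: float) -> str:
        """Return 'rejected', 'pending' or 'released' for one confirmation attempt."""
        if digest not in self.staged or who not in self.secrets:
            return "rejected"
        spent = (who, int(now // 30))
        expected = totp(self.secrets[who], now).encode()
        # No clock-drift window: the code must match the current 30 s step.
        if spent in self.used or not hmac.compare_digest(code.encode(), expected):
            return "rejected"
        self.used.add(spent)            # a captured code cannot be replayed
        self.staged[digest].add(who)    # set semantics: one maintainer counts once
        if len(self.staged[digest]) < self.threshold:
            return "pending"
        del self.staged[digest]
        self.released.add(digest)
        return "released"
```

With this shape, holding the upload credential alone stages an artifact but never releases it, and a confirmation applies only to the exact bytes that were staged.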

Jesse Glick

Jul 31, 2020, 5:18:04 PM
to Jenkins Dev
On Fri, Jul 31, 2020 at 1:49 PM Chris Kilding
<chris+...@chriskilding.com> wrote:
> The verdict was that:
>
> …
>
> And therefore, on balance, maintainers continue to release plugins from their laptops.

FYI: I actually have a different proposal for automated releases, but
I have not had time to finish writing it up. Requires some support
from the infra team, but nowhere near as much as the central server
(the current JEP-221).

Chris Kilding

Aug 2, 2020, 8:16:51 AM
to jenkin...@googlegroups.com
Hi Jesse,

Sounds interesting, I look forward to seeing it when it's written up.

Chris

Gavin Mogan

Aug 2, 2020, 2:38:44 PM
to Jenkins Developers
There's slow progress on moving accounts.jenkins.io to Keycloak, which has MFA support.
I would suspect the hosted Artifactory has MFA as well, but I never looked.
