Hello,
At FOSDEM earlier this year there was a discussion about whether release builds of plugins could be pushed from a central security-hardened box in
ci.jenkins.io, and whether this would improve the security posture of plugin releases compared to the status quo (where incrementals builds are pushed from
ci.jenkins.io, but release builds are published from individual plugin maintainers' laptops).
The verdict was that:
- In theory it would be a good idea.
- In practice a central release box would offer such a tempting target to skilled attackers that they would find ways to tamper with it which we could not adequately defend against.
- While a maintainer's laptop is a messier environment (in terms of the Maven cache) and also probably easier to attack than a security-hardened box in AWS, an attack would only compromise that maintainer's plugin(s) rather than all of the plugins.
And therefore, on balance, maintainers continue to release plugins from their laptops.
The fundamental constraints on centralised release boxes are unlikely to change in the short term. I am therefore wondering if we could use multi-factor authentication (MFA) to improve the security of laptop-based plugin releases.
First, could we have MFA in our
jenkins-ci.org SSO accounts?
This would be the obvious starting point. At minimum it would help secure our logins to Jira, Artifactory, as well as the account portal.
Second, could we use MFA in Maven deployments?
This *could* provide a significant security upgrade over the Artifactory API key which we use today: anyone who bears that key has arbitrary upload access for the corresponding plugin(s).
I see two ways we could potentially do this:
- maven-deploy-plugin. This would require some extra work on the LDAP side, and maybe a PR on maven-deploy-plugin itself, which I would be happy to investigate. Once enabled, when a Maven deployment is initiated, the maintainer would be asked to authenticate with their normal username/password plus an MFA token. (I suppose the username/password could be securely cached after first login, and the MFA token is the thing asked for each time.)
- Create a holding area in Artifactory for newly uploaded artifacts, and require an MFA prompt for each release. You would push from maven-deploy-plugin as usual, but rather than the artifacts going straight into the index, they would go to a holding area, and Artifactory would give you an MFA prompt to confirm that it really was you that uploaded them. I suppose advantages of this approach are (a) it keeps the MFA entirely in-browser where WebAuthn support is already mature and (b) it would allow M-of-N control for the release of particularly sensitive plugins.
Let me know your thoughts below.
Regards,
Chris