Password transmitted in plain text

erankur · January 7, 2023, 10:32am

While login through Jenkins, the application layer password encryption is not in place, resulting the vulnerabilities of password disclosure.
Even if, the SSL is in place, SSL will encrypt the password after proxy only, hence allowing users at proxy to intercept communication and disclose password.

Please provide a solution for the same.

MarkEWaite · January 7, 2023, 1:25pm

Maybe this?

halkeye · January 8, 2023, 6:19am

The default user implemention is kinda designed as a reference. You probably want to use something like ldap or oidc or saml or any other implemention

erankur · January 9, 2023, 4:42am

Even if LDAP implementation is there, the username and password entered at user’s browser will transmit in plain text (at least up to proxy).

erankur · January 9, 2023, 4:46am

TLS implementation will encrypt the password once it leaves the proxy/network. A man in the middle (on or before proxy) attacker will be able to see the password.

halkeye · January 9, 2023, 5:34am

Cool, well I recommend you:

use a dedicated system like okta, keycloeak, or authentik that will let you auth with systems designed for security.
If that doesn’t work for you, then your option goes to using TLS
If that doesn’t provide enough for you, then you can submit a pull request with updates required, and/or pay a contractor to implement the feature for you.

Topic		Replies	Views
Encrypted HTML login forms Using Jenkins question	2	344	November 3, 2022
Https behind apache proxy switches to http after login Ask a question	5	493	December 3, 2021
How to manage credential in pipeline [password expired] Using Jenkins	3	931	May 10, 2023
Jenkins is working without credentials even after configuring LDAP authentication Using Jenkins question	5	858	September 20, 2023
Jenkins HTTPS keystore without displaying a password Using Jenkins	2	380	January 21, 2024

Password transmitted in plain text

Related Topics