Centrally Secure Passwords

JFrog Platform Administration Documentation


Some tools use cleartext passwords, which can pose a security risk. The security risk is even greater if you use LDAP or other external authentication, since you expose your SSO password in cleartext and that password is likely to be used for other services.

For example, Maven uses cleartext passwords in the settings.xml file by default.

Using Maven's built-in support for encrypted passwords and generating passwords on the client side does not overcome the security risks for the following reasons:

  1. The login password is decrypted on the client side, ends up as cleartext in memory, and is then transmitted over the wire as cleartext (unless SSL is also enforced).

  2. The master password used for decryption is stored in clear text on the file system.

  3. Password encryption is left to the good will of the end-user and there is no way to centrally mandate it.

Artifactory addresses this by generating encrypted passwords for users from secret keys stored in the system, so users' shared passwords need never be stored or transmitted as cleartext.

WebUI Changes implemented in Artifactory 7.38.x and above

Security is now called Authentication Providers. All the relevant text and images on this page have been updated to reflect this change.

The security Settings previously found under the Security tab have moved to User Management.

You can set a central policy for using or accepting encrypted passwords in the Administration module under User Management | Settings by setting the Password Encryption Policy field.

[Image: the Password Encryption Policy field under User Management | Settings]

The behavior according to the Password Encryption Policy setting is as follows:

Password Encryption Policy Setting | Description
Supported                          | The system can receive requests with encrypted passwords (default).
Required                           | The system requires an encrypted password for every authenticated request.
Unsupported                        | The system rejects requests with encrypted passwords.
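The two settings.xml forms discussed above, side by side, as an added example that is not from the JFrog documentation: the cleartext default that the policy should rule out, and the entry that carries an Artifactory-generated encrypted password instead (the server ids, username and the placeholder encrypted value are assumed).

```xml
<!-- Added example, not from the JFrog documentation. Server ids, username and the
     encrypted value are placeholders. -->
<settings>
  <servers>
    <!-- Weak default described above: the login password sits in cleartext on disk.
         With LDAP/SSO this is the user's SSO password, reused for other services. -->
    <server>
      <id>artifactory-cleartext</id>
      <username>jane.doe</username>
      <password>MyPlainTextSsoPassword</password>
    </server>

    <!-- Hardened form: the same element holds the encrypted password that Artifactory
         generates for the user from its own secret keys. The client sends it as-is, so
         the cleartext password is neither stored here nor sent over the wire. With the
         Password Encryption Policy set to Required, only this form is accepted. -->
    <server>
      <id>artifactory-encrypted</id>
      <username>jane.doe</username>
      <password>ENCRYPTED_PASSWORD_FROM_ARTIFACTORY_USER_PROFILE</password>
    </server>
  </servers>
</settings>
```

Setting the policy to Required is what turns the second form from a per-user choice into a centrally enforced one, which is the gap the Maven-side encryption leaves open.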