sonatype / nexus-ruby-support

Improvement - Enhance security of credential storage #44

Closed eddiewebb closed 10 years ago

eddiewebb commented 11 years ago

We run a central CI server for many teams, and saving passwords in ~/.gem/nexus is a large risk for us as anyone who can push builds to the server can get the password.

I would like a similar approach as the Maven Encryption that uses a secret key to encrypt passwords (rather than base64). The tools should provide no external way to decrypt passwords, but allow it to occur via gem nexus operations.

http://maven.apache.org/guides/mini/guide-encryption.html

eehret commented 11 years ago

I second this... would love to see this enhancement.

mkristian commented 11 years ago

For uploading gems via the gem nexus .... command that is doable since all the code comes from the nexus gem. When downloading via gem install ... or gem update ... or via bundler, the only way right now is to add the credential into the URL of the server. I guess for that a feature request to rubygems and bundler could help since that is the place to implement it.

definitely I will look into the nexus command !!!!

eddiewebb commented 11 years ago

Awesome, thanks @mkristian.

downloading artifacts is less important for us as we only restrict publishing, and leave reads/downloads wide open.

mkristian commented 10 years ago

forgot to mention that in case the implementation does need some modification to fit your needs - please let me know since I am not the main user of that feature ;)

eddiewebb commented 10 years ago

Thanks for the change.

Can you provide info around how the new process works?

mkristian commented 10 years ago

Whoops. I guess I missed the whole cipher part. I will read the maven docu again. Will look into it tomorrow.

The only thing it does is to store the credentials in an external file which can be configured.

mkristian commented 10 years ago

well, another shot ;) just pushed nexus-1.2.0.gem

please see https://github.com/sonatype/nexus-ruby-support/wiki/Gem-Nexus-Command

or just

$ gem nexus --encrypt

if you want the credentials stored somewhere else use

$ gem nexus --secrets /path/to/file

anything can be reverted anytime ! but encryption always prompts for the master password (unlike the setup of maven settings)

so please give also feedback if you find something done oddly or not working as stated or . . .
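The difference between the base64 storage the issue complains about and encryption under a prompted master password, as an added example (not code from the nexus gem or from anyone in this thread). The KDF, cipher, blob layout, iteration count and all function names are assumptions chosen for illustration.

```ruby
require "openssl"

# Assumed parameters for this sketch, not taken from the nexus gem.
ITERATIONS = 200_000
SALT_LEN, IV_LEN, TAG_LEN = 16, 12, 16

# Base64 is an encoding: anyone who can read the file recovers the secret.
def base64_store(secret)
  [secret].pack("m0")
end

def base64_recover(stored)
  stored.unpack1("m0")
end

# Stretch the master password into a 256-bit key with a per-file salt.
def derive_key(master, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(master, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

# Hypothetical stored layout: base64(salt | iv | GCM tag | ciphertext).
def encrypt_credential(secret, master)
  salt = OpenSSL::Random.random_bytes(SALT_LEN)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(master, salt)
  iv = cipher.random_iv
  ct = cipher.update(secret) + cipher.final
  [salt + iv + cipher.auth_tag + ct].pack("m0")
end

# Returns the credential, or nil when the master password is wrong
# or the stored blob was modified (GCM tag check fails).
def decrypt_credential(stored, master)
  raw = stored.unpack1("m0")
  salt = raw[0, SALT_LEN]
  iv = raw[SALT_LEN, IV_LEN]
  tag = raw[SALT_LEN + IV_LEN, TAG_LEN]
  ct = raw[(SALT_LEN + IV_LEN + TAG_LEN)..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(master, salt)
  cipher.iv = iv
  cipher.auth_tag = tag
  (cipher.update(ct) + cipher.final).force_encoding(Encoding::UTF_8)
rescue OpenSSL::Cipher::CipherError
  nil
end

SAMPLE = "deployer:s3cret" # constructed sample credential
```

On a shared CI host this only helps if the master password is supplied at use time and never written next to the encrypted file.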

mkristian commented 10 years ago

time to close - just reopen it if there are problems