Keys are stored as part of the configuration and are visible to logged-in
Artifactory admins via the admin UI that displays the configuration as XML
and to O/S users with read access to the $ARTIFACTORY_HOME/etc folder, where
keys are visible in the artifactory.config.startup.xml file - so you should
protect this folder, letting only the Artifactory system user read from it.
HTH,
On Fri, Dec 4, 2009 at 6:37 AM, bman <[email protected]> wrote:
>
> Thanks Yossi!
>
> Where on the server are the keys stored? What measures are in place to keep
> the keys secure?
>
> Thanks,
> Barry
>
>
>
> Yossi Shaul-3 wrote:
> >
> > The private and public keys are both automatically generated and stored on
> > the server, using the Triple DES algorithm (aka DESede).
> > What you see in the ui and put in the settings.xml is the result of taking
> > the clear text password and encrypting it using the DESede keys.
> >
> > Yossi Shaul
> >
> > On Wed, Nov 25, 2009 at 1:45 AM, bman <[email protected]> wrote:
> >
> >>
> >> Thanks Fred!
> >>
> >> This helps a lot, but I still have some questions. So does this mean that
> >> the private key is stored on the user's machine, and the public key is
> >> stored on the server? What do you mean by "encrypt is clear text password
> >> in the UI?" Is the encryption method Triple DES as mentioned in the Jira
> >> request?
> >>
> >> Thanks,
> >> Barry
> >>
> >>
> >> freddy33 wrote:
> >> >
> >> > Hi,
> >> >
> >> > First, yes this is implemented.
> >> > Second, the SecretKey is actually generated per user when he is using the
> >> > Artifactory Web UI. I mean that the password is used to authenticate the
> >> > user against LDAP, then when going to the user profile page the user can
> >> > "Unlock" his password using his personal private key with the same
> >> > password. Artifactory never stores the LDAP password, just the pair
> >> > private/public key used to decrypt the garbled text used by the user in
> >> > the settings.xml and encrypt is clear text password in the UI.
> >> >
> >> > Is that clear? :)
> >> >
> >> > HTH,
> >> > Fred.
> >> >
> >> > On Sat, Nov 14, 2009 at 12:51 AM, bman <[email protected]> wrote:
> >> >
> >> >>
> >> >> Howdy,
> >> >>
> >> >> According to the original feature request for encrypted passwords
> >> >> (http://issues.jfrog.org/jira/browse/RTFACT-1191), the admin user should
> >> >> be able to set the key value:
> >> >> The basic concept is to allow an admin user the ability (via Web UI) to
> >> >> set a secret key value (javax.crypto.SecretKey) to be used for encrypting
> >> >> users passwords. Once the secret key has been set, the normal user would
> >> >> use the Web UI to input his password and then generate the encrypted
> >> >> (Triple DES?) version of the password. The user would then cut-and-paste
> >> >> the encrypted string into the settings.xml file.
> >> >> Was this part implemented? If so, how does one go about doing this?
> >> >>
> >> >> Otherwise, how is the key set and what security controls are around the
> >> >> key?
> >> >>
> >> >> We are integrating with LDAP, so we just want to be sure our domain
> >> >> credentials are well protected.
> >> >>
> >> >> Thanks,
> >> >> Barry
> >> >> --
> >> >> View this message in context:
> >> >> http://old.nabble.com/Encrypted-Passwords-tp26344800p26344800.html
> >> >> Sent from the Artifactory-Users mailing list archive at Nabble.com.
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> _______________________________________________
> >> >> Artifactory-users mailing list
> >> >> [email protected]
> >> >> https://lists.sourceforge.net/lists/listinfo/artifactory-users
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > Co. Founder and Chief Architect
> >> > JFrog Ltd
> >> > http://www.jfrog.org/
> >> > http://twitter.com/freddy33
> >> >
> >> >
> >> >
> >> >
> >>
> >> --
> >> View this message in context:
> >> http://old.nabble.com/Encrypted-Passwords-tp26344800p26505325.html
> >> Sent from the Artifactory-Users mailing list archive at Nabble.com.
> >>
> >>
> >>
> >>
> >>
> >
> >
> >
> >
>
> --
> View this message in context:
> http://old.nabble.com/Encrypted-Passwords-tp26344800p26635761.html
> Sent from the Artifactory-Users mailing list archive at Nabble.com.
>
>
>
>
--
Yoav Landman
Artifactory Creator
Co-founder and Products Development Lead
JFrog Ltd.
http://www.jfrog.org/
_______________________________________________
Artifactory-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/artifactory-users
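
The advice at the top of this thread (let only the Artifactory system user read $ARTIFACTORY_HOME/etc, where artifactory.config.startup.xml holds the keys) can be checked with a short POSIX shell script. This is an added example, not part of the original thread or any JFrog tooling; the function names and the service account passed as the second argument are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten access to $ARTIFACTORY_HOME/etc.
# Assumption: the caller supplies the account Artifactory runs as
# (a user name or a numeric uid); the thread does not name it.

# audit_etc DIR OWNER
# Lists every file or directory under DIR that is not owned by OWNER
# or that grants any permission bit to group or other.
# Returns 0 when nothing is exposed, 1 otherwise.
audit_etc() {
    audit_dir=$1
    audit_owner=$2
    exposed=$(find "$audit_dir" \( -type f -o -type d \) \
        \( ! -user "$audit_owner" \
           -o -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/EXPOSED: /' >&2
        return 1
    fi
    return 0
}

# harden_etc DIR
# Removes all group/other access below DIR. The owner keeps read/write;
# the capital X keeps search permission on directories only (and on
# files that were already executable).
# Ownership is not changed here: chown needs root and the real account name.
harden_etc() {
    chmod -R u=rwX,go= "$1"
}

# Stand-alone use: ./audit.sh "$ARTIFACTORY_HOME/etc" <service-account>
if [ "$#" -eq 2 ]; then
    audit_etc "$1" "$2"
fi
```

This only covers the O/S side; the admin UI still shows the configuration XML to logged-in Artifactory admins, as the message notes.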