Securing Repository Credentials with Nexus Pro User Tokens
By Tim OBrien
Until yesterday I had a Maven Settings file in ~/.m2/settings.xml that contained the following XML:
<server>
  <id>central</id>
  <username>tobrien</username>
  <password>ch1c@g0r00lz</password>
</server>
Silly, right? The only way to authenticate against Nexus was to drop my plaintext username and password into my Settings file, for anyone who gained access to my laptop to see. I've never been happy with this approach, and even Maven's built-in support for password encryption didn't seem like much of an improvement over a plaintext password. The Maven-specific approach to password encryption still has to decrypt the password on the client, so if someone is using password encryption in their Maven Settings file, all it takes to intercept the password is to fire up Wireshark and read what Maven sends over the wire. (Maven's built-in password encryption isn't security at all; it's security theater.)
Nexus Professional 2.1 takes a different approach, one that keeps the password encrypted in transit and shifts the responsibility to the repository manager.
- Log in to Nexus with your user credentials.
- Open up your profile.
- Select User Token from the profile settings dropdown.
- Press Access User Token.
At this point, Nexus Professional will ask you for your username and password again, just to make certain that you are who you say you are, and it will present you with a User Token that looks like this:
<server>
  <id>${server}</id>
  <username>jBVaDogW</username>
  <password>o3TsgGP+EkF1eEayn/+M2Vk9kwS8ieajAjXwoCLb2HCw</password>
</server>
But wait, how is this more secure? First, an attacker could still grab your user token and deploy to Nexus, but the damage would be limited to deployment and download. User Tokens are more secure because they are limited: a User Token cannot be used to log in to the UI and make changes to Nexus, and if your User Tokens happen to be compromised, you can reset them. Lastly, your plaintext password is never transferred over the wire.
This change moves Nexus toward an authentication system on par with the security of a system that relies on public SSH keys (a system such as GitHub). This is just the first step toward making Nexus authentication more secure, and it's a big step. If you find this feature useful, please let us know, and we hope you enjoy Nexus Professional 2.1. Download it today.
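As an added example (not code from this post or from Sonatype), the script below audits a settings.xml like the ones shown above and reports which <server> entries still carry a human login with a plaintext password, which use Maven's {...} password encryption, and which have the shape of a user token. The settings.xml content is constructed, and the token shape (8-character alphanumeric username, longer base64-like password) is an assumption drawn from the sample token above, not a documented Nexus format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample settings.xml: a legacy plaintext entry, a user-token
# entry, and an entry using Maven's own {...} password encryption.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>central</id><username>tobrien</username><password>ch1c@g0r00lz</password></server>
    <server><id>releases</id><username>jBVaDogW</username><password>o3TsgGP+EkF1eEayn/+M2Vk9kwS8ieajAjXwoCLb2HCw</password></server>
    <server><id>snapshots</id><username>tobrien</username><password>{COQLCE6DU6GtcS5P=}</password></server>
  </servers>
</settings>"""

# Token shape is an assumption drawn from the sample in the post (8-char
# alphanumeric username, longer base64-like password), not a documented format.
TOKEN_USER = re.compile(r"^[A-Za-z0-9]{8}$")
TOKEN_PASS = re.compile(r"^[A-Za-z0-9+/]{32,}=*$")

def _local(tag):
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def classify(username, password):
    """Return 'encrypted', 'token' or 'plaintext' for one <server> credential pair."""
    if password.startswith("{") and password.endswith("}"):
        return "encrypted"  # Maven settings-security; still decrypted client-side
    if TOKEN_USER.match(username) and TOKEN_PASS.match(password):
        return "token"      # shape matches a Nexus user token (assumption)
    return "plaintext"      # real login plus real password: the case to eliminate

def audit_settings(xml_text):
    """Map each <server> id in a settings.xml document to its credential class."""
    report = {}
    for server in ET.fromstring(xml_text).iter():
        if _local(server.tag) != "server":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in server}
        if "password" in fields:
            report[fields.get("id", "?")] = classify(fields.get("username", ""), fields["password"])
    return report

if __name__ == "__main__":
    for server_id, kind in audit_settings(SAMPLE_SETTINGS).items():
        print(f"{server_id}: {kind}")
```

Point it at your own ~/.m2/settings.xml and any entry reported as "plaintext" is one to replace with a user token.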
Tim is a Software Architect with experience in all aspects of software development, from project inception to developing scalable production architectures for large-scale systems during critical, high-risk events such as Black Friday. He has helped many organizations, ranging from small startups to Fortune 100 companies, take a more strategic approach to adopting and evaluating technology and managing the risks associated with change.