Securing Repository Credentials with Nexus Pro User Tokens

Written by Tim OBrien | August 08, 2012

Until yesterday I had a Maven Settings file in ~/.m2/settings.xml that contained following XML:

&lt;server&gt;
  &lt;id&gt;central&lt;/id&gt;
  &lt;username&gt;tobrien&lt;/username&gt;
  &lt;password&gt;ch1c@g0r00lz&lt;/password&gt;
&lt;/server&gt;

Silly, right? The only way to authenticate against Nexus was to drop my plaintext username and password in my Settings file, for anyone who gained access to my laptop to see. I've never been too happy with this approach, and even built-in support for encryption in Maven didn't seem like much of an improvement over a plaintext password. The Maven-specific approach to password encryption still has to decrypt the password on the client, and if someone is using password encryption in Maven Settings file all you need to do to intercept the password is fire up Wireshark and read what Maven sends over the wire. (Maven's built-in password encryption isn't security at all, it's security theater.)

Nexus Professional 2.1 takes a different approach, an approach that keeps the password encrypted in transit and which shifts the responsibility to the repository manager.

[iframe width="560" height="315" src="http://www.youtube.com/embed/sVeEesimReQ" frameborder="0" allowfullscreen/] With Nexus Professional 2.1 we've taken one step further toward a more secure approach to distributing credentials - User Tokens. You can think of a User Token as you would an SSH key or sorts. When you configure your Maven Settings, you'll need to supply some credentials (preferably not your plaintext username and password). With Nexus Professional, all you need to do is:

Login into Nexus with your user credentials.
Open up your profile.
Select User Token from the profile settings dropdown.
Press Access User Token

At this point, Nexus Professional will ask you for your username and password again just to make certain that you are who you say you are, and it will present you with a User Token that looks like this:

&lt;server&gt;
  &lt;id&gt;${server}&lt;/id&gt;
  &lt;username&gt;jBVaDogW&lt;/username&gt;
  &lt;password&gt;o3TsgGP+EkF1eEayn/+M2Vk9kwS8ieajAjXwoCLb2HCw&lt;/password&gt;
&lt;/server&gt;

But, wait, how is this more secure? First, an attacker could still grab your user token and deploy to Nexus, but the damage would be limited to deployment and download. User Tokens are more secure because they are limited, you won't use a User Token to login to the UI and make changes to Nexus, and, if your User Tokens happed to be compromised, you can reset them. Lastly, your plaintext password is never transferred over the wire.

What this change is doing is moving Nexus toward an authentication system on par with the security of a system that relies on public SSH keys (a system such as Github). This is just the first step toward making Nexus authentication more secure, and it's a big step. If you find this feature useful, please let us know, and we hopeyou enjoy Nexus Professional 2.1. Download it today.

View full post