Securing Repository Credentials With Nexus Professional User Tokens

Until yesterday, I had a Maven Settings file in ~/.m2/settings.xml that contained the following XML:

<server>
  <id>central</id>
  <username>tobrien</username>
  <password>ch1c@g0r00lz</password>
</server>

Silly, right? The only way to authenticate against Nexus was to drop my plaintext username and password into my Settings file, for anyone who gained access to my laptop to see. I've never been too happy with this approach, and even Maven's built-in password encryption didn't seem like much of an improvement over a plaintext password. The Maven-specific approach to password encryption still has to decrypt the password on the client before sending it, so if someone uses password encryption in their Maven Settings file, all you need to do to intercept the password is fire up Wireshark and read what Maven sends over the wire. (Maven's built-in password encryption isn't security at all, it's security theater.)

Nexus Professional (now known as Sonatype Nexus Repository) 2.1 takes a different approach, an approach that keeps the password encrypted in transit, and shifts the responsibility to the repository manager.

With Nexus Professional 2.1, we've taken one step further toward a more secure approach to distributing credentials: User Tokens. You can think of a User Token as an SSH key of sorts. When you configure your Maven Settings, you'll need to supply some credentials (preferably not your plaintext username and password).

With Nexus Professional, all you need to do is:

  1. Log in to Nexus with your user credentials.

  2. Open up your profile.

  3. Select User Token from the profile settings dropdown.

  4. Press Access User Token.

At this point, Nexus Professional will ask you for your username and password again, just to make sure you are who you say you are, and it will present you with a User Token that looks like this:

<server>
  <id>${server}</id>
  <username>jBVaDogW</username>
  <password>o3TsgGP+EkF1eEayn/+M2Vk9kwS8ieajAjXwoCLb2HCw</password>
</server>

But, wait, how is this more secure? First, an attacker could still grab your user token and deploy to Nexus, but the damage would be limited to deployment and download. User Tokens are more secure because they are limited. You won't use a User Token to login to the UI and make changes to Nexus. If your User Tokens happen to be compromised, you can reset them. Lastly, your plaintext password is never transferred over the wire.
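To make the "how is this more secure?" argument concrete, here is an added Python model of a token service; it is example code, not Nexus's implementation. A token is issued only after re-authentication with the real password, it authorizes only download and deploy, and resetting it leaves the password untouched. The name code and pass code shapes are constructed for the example and the scope names are assumptions.

```python
import base64, hashlib, hmac, secrets

TOKEN_SCOPES = frozenset({"download", "deploy"})  # what a User Token may do
LOGIN_SCOPES = TOKEN_SCOPES | {"admin"}           # what the real login may do

def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def basic_header(user, secret):
    """The HTTP Basic header Maven derives from a <server> entry."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

class TokenService:
    def __init__(self):
        self.accounts = {}  # username -> (salt, pbkdf2 of real password)
        self.tokens = {}    # name_code -> (username, sha256 of pass_code)

    def create_account(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = (salt, _hash(password, salt))

    def _password_ok(self, username, password):
        rec = self.accounts.get(username)
        return rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])

    def access_user_token(self, username, password):
        """'Access User Token': re-authenticate with the real password, then issue a
        fresh name/pass code pair, replacing any earlier token for this user."""
        if not self._password_ok(username, password):
            raise PermissionError("re-authentication failed")
        self.reset_user_token(username)
        name_code = secrets.token_urlsafe(8)[:8]  # constructed shape, not Nexus's algorithm
        pass_code = base64.b64encode(secrets.token_bytes(32)).decode()
        self.tokens[name_code] = (username, hashlib.sha256(pass_code.encode()).digest())
        return name_code, pass_code

    def reset_user_token(self, username):
        """Revoke the user's token: a leaked settings.xml stops working, the password does not change."""
        for code, (owner, _) in list(self.tokens.items()):
            if owner == username:
                del self.tokens[code]

    def authorize(self, header, action):
        """Return the acting username if the Basic credential permits `action`, else None."""
        user, _, secret = base64.b64decode(header.split()[1]).decode().partition(":")
        if self._password_ok(user, secret):          # real login: full rights
            return user if action in LOGIN_SCOPES else None
        rec = self.tokens.get(user)                  # token: download/deploy only
        if rec and hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), rec[1]):
            return rec[0] if action in TOKEN_SCOPES else None
        return None
```

Note that the real password only ever reaches `_password_ok` during token issuance; once settings.xml carries the token, the wire never sees it.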

This change moves Nexus toward an authentication system on the same level as one that relies on public SSH keys (a system such as GitHub). This is the first step toward making Nexus authentication more secure, and it's a big step. If you find this feature useful, please let us know, and we hope you enjoy Nexus Professional 2.1.

Written by Tim OBrien

Tim is a Software Architect with experience in all aspects of software development, from project inception to developing scalable production architectures for large-scale systems during critical, high-risk events such as Black Friday. He has helped many organizations ranging from small startups to ...