Mask Passwords Plugin

This plugin allows masking passwords that may appear in the console

Plugin Information

Plugin ID: mask-passwords
Latest Release: 2.7.2
Latest Release Date: Dec 07, 2011
Required Core: 1.409
Dependencies: none listed
Source Code: Subversion
Issue Tracking: Open Issues
Maintainer(s): Romain Seguy (id: rseguy)

Usage (installations per month):
2013-Jun 1927
2013-Jul 2118
2013-Aug 2147
2013-Sep 2231
2013-Oct 2403
2013-Nov 2402
2013-Dec 2398
2014-Jan 2591
2014-Feb 2770
2014-Mar 2904
2014-Apr 3057
2014-May 3200

About this plugin

This plugin allows masking passwords that may appear in the console, including the ones defined as build parameters. This often happens, for example, when you use build steps which can't handle passwords properly. Take a look at the following example.

Before

Consider you're using an Invoke Ant build step to run an Ant target. This target requires a password to achieve its goal. You would end up having a job configuration like this:

Of course, you could have created a variable to store the password and used this variable in the build step configuration so that it doesn't appear as plain text. But you would still end up with a console output like this:

After

When the Mask passwords option is activated in a job, the builds' Password Parameters (or any other type of build parameters selected for masking in Manage Hudson > Configure System) are automatically masked from the console. Furthermore, you can also safely define a list of static passwords to be masked (you can also define a list of static passwords shared by all jobs in Jenkins' main configuration screen). As such, the passwords no longer appear as plain text in the job configuration (and they are ciphered in the job configuration file):

Once done, new builds will have the passwords masked from the console output:

User guide

First, go to Jenkins' main configuration screen (Manage Hudson > Configure System) and select, in the Mask Passwords - Configuration section, which kind of build parameters have to be automatically masked from the console output:

Notice that, as of version 2.7, you can also define global passwords (defined as pairs of name/password) that can be accessed across all jobs.

Then, for a specific job, activate the Mask passwords option in the Build Environment section to mask passwords from the console:

  1. All the password parameters defined for the job will be automatically hidden.
  2. For each other kind of password (that is, static ones) that may appear in the console output, add an entry (by clicking on the Add button) and set the Password field.
    You may additionally set the Name field. If you do so, the password will then be available as a standard variable. It is then possible to refer to this password using this variable rather than keying it in a field which is not ciphered. Take a look at the screenshots above for an example.

Version history

Version 2.7.3 (not yet released)

  • Fixed issue #12161: Env-inject vars might not be masked because of the plugin loading order

Version 2.7.2 (12/07/2011)

  • Fixed issue #11934: Once a job config was submitted, new/updated global passwords were not masked
  • Implemented issue #11924: Improved global passwords-related labels

Version 2.7.1 (10/27/2011)

  • Fixed issue #11514: When migrating from an older version of the plugin, NullPointerExceptions were preventing the jobs using Mask Passwords from loading
  • Fixed issue #11515: Mask Passwords global config was not actually saved when no global passwords were defined

Version 2.7 (10/20/2011)

  • Implemented issue #11399: It is now possible to define name/password pairs in Jenkins' main configuration screen (Manage Hudson > Configure System)

Version 2.6.1 (05/26/2011)

  • Fixed a bug which was emptying the console output if there was no password to actually mask

Version 2.6 (04/29/2011)

  • Added a new type of build parameter: Non-Stored Password Parameter
  • Blank passwords are no longer masked, which avoids overcrowding the console with stars

Version 2.5 (03/11/2011)

  • New configuration screen (in Manage Hudson > Configure System) for selecting which build parameters have to be masked (Password Parameters are selected by default)
  • Fixed a bug which prevented the masking of passwords containing regular expressions' meta-characters or escape sequences

Version 2.0 (02/23/2011)

  • Builds' Password Parameters are now automatically masked.

Version 1.0 (09/01/2010)

  • Initial release
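
The masking behaviour described in the version history above (regex meta-characters in 2.5, blank passwords in 2.6, nothing to mask in 2.6.1) can be reproduced with a small console filter. This is an added example, not the plugin's source code; the function names, the `naive_masker` contrast case and the sample secrets and console lines are constructed for illustration.

```python
import re

MASK = "********"  # fixed width, so the mask does not reveal the secret's length


def naive_masker(secrets):
    """Flawed variant (assumed for illustration): secrets used as raw regex text."""
    pattern = re.compile("|".join(secrets))
    return lambda line: pattern.sub(MASK, line)


def build_masker(secrets):
    """Return a function that masks every literal occurrence of the secrets."""
    # Blank entries are dropped: an empty pattern matches at every position
    # and would fill the console with stars.
    # Longest first, so a secret that contains another one is masked whole.
    literals = sorted({s for s in secrets if s}, key=len, reverse=True)
    if not literals:
        return lambda line: line  # nothing to mask: leave the output untouched
    # re.escape turns each secret into a literal, so "$", "(", "*" are not
    # interpreted as anchors, groups or quantifiers.
    pattern = re.compile("|".join(re.escape(s) for s in literals))
    return lambda line: pattern.sub(MASK, line)


def mask_console(lines, secrets):
    """Apply the hardened masker to a list of console lines."""
    mask = build_masker(secrets)
    return [mask(line) for line in lines]


# Constructed sample data, not taken from a real build.
SECRETS = ["abcd$$", "p(ss*word", ""]
CONSOLE = [
    "[workspace] $ mvn -B -Dgpg.passphrase=abcd$$ install gpg:sign",
    "deploy --user ci --password p(ss*word",
    "BUILD SUCCESSFUL",
]

if __name__ == "__main__":
    for line in mask_console(CONSOLE, SECRETS):
        print(line)
    # The naive variant reads "abcd$$" as "abcd at end of line" and leaks it.
    print(naive_masker(["abcd$$"])(CONSOLE[0]))
```

A secret with an unbalanced `(` makes the naive variant fail at compile time, and a blank entry makes it insert the mask between every character; the escaped, filtered variant avoids both.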

  1. Sep 01, 2010

    cringe - says:

    When will this plugin be available from the Update Center? I removed one buildstep from my current build because I had to provide my personalized user account/password for it... so I'll be happy if the plugin will be at my hands soon.

    1. Sep 02, 2010

      Romain Seguy says:

      It should already be there, if not it'll be there in the hours to come (I've released it yesterday). You need Hudson 1.374 at least.

  2. Sep 02, 2010

    Patrick Renaud says:

    Very nice initiative Romain. This is a function that we had in Build Forge for a long time and that we were badly missing in Hudson.

    Tx for adding it

  3. Mar 11, 2011

    Ossa Huang says:

    Hello world! 

    Thanks Romain. It is a great plug-in. BTW, I noticed that if the password contains $, the entire password is not masked off from the log file.  Not sure about any other special characters.

    1. Mar 12, 2011

      Romain Seguy says:

      Thanks for pointing this. I've fixed it and rolled out release 2.5.

  4. Mar 21, 2011

    Sébastien Grellier says:

    I have tried using this plugin with a maven build but could not get it to do the job.

    I want to provide a login/password with system properties like -Dmy.username=$MY_SECRET_LOGIN -Dmy.password=$MY_SECRET_PASSWORD. I do set those in the MAVEN_OPTS variable in the job configuration and define the masked login and password with the plugin.

    Has anyone tried to use it in a similar situation?

    1. Mar 22, 2011

      Romain Seguy says:

      Hi,

      I've checked and yes there is an issue with Maven jobs which don't seem able to use vars defined using the Mask Passwords plugin. I suggest to inspect the Hudson/Maven code to see how it handles env vars.

      Anyway, the following works: Define your password as a build parameter.

      1. Mar 24, 2011

        Sébastien Grellier says:

        Thanks for confirming the problem.

        If I define my password as a build parameter, I lose the ability to trigger my job automatically.

        1. Mar 24, 2011

          Romain Seguy says:

          You won't lose the ability to trigger the job automatically as long as you define a default value.

          1. Sep 06, 2013

            dma_k - says:

            Indeed the solution to define password as "Build parameters" worked fine. However it adds some inflexibilities:

            • I need to define the password twice: one time for Mask Passwords Plugin and another time for Maven.
            • One-click-build is not possible anymore, as there is one extra page shown where one can redefine default parameters.
            • The person, who can run a build, may steal the values of the password (from page HTML source).

            I wonder if a better solution is possible. Maybe changing the type of job from Maven2 to Free-style will work better?

          2. Sep 09, 2013

            dma_k - says:

            I think I got the working solution. Indeed, Free-Style job worked well for me: variables are substituted without extra build parametrization. There is only one minor unimportant side effect: all variables are also passed to maven via -D. For example if the build option is:

            -Dgpg.passphrase=${PGP_PASSWORD} install gpg:sign
            

            actual command line becomes

            mvn -DPGP_PASSWORD=******** -B -Dgpg.passphrase=******** install gpg:sign
            
  5. Apr 20, 2011

    Prakash Achuthan says:

    Hi,

    I am trying to use this plugin (ver 2.5) with Hudson 1.398.  I get the following error in "hudson.err.log" every time I click on Manage Hudson > Configure System.

    Apr 20, 2011 2:42:36 PM com.michelin.cio.hudson.plugins.maskpasswords.MaskPasswordsConfig load

    WARNING: No configuration found for Mask Passwords plugin

    Also, I don't get the check boxes under "Mask Passwords Configuration" section

    Please let me know if this plug-in is compatible with both Hudson and Jenkins. 

    1. Apr 20, 2011

      Romain Seguy says:

      Hi,

      The plugin is compatible with both Jenkins and Hudson (it is built for Hudson 1.375).
      I guess the issue you face is because of Hudson's new plugin mechanism which breaks compatibility with some plugins. Try to use the hudson.PluginStrategy=hudson.ClassicPluginStrategy parameter (cf. Hudson's mailing for more details).

      1. Jun 29, 2011

        yugi oussi says:

        Hi,

        I have the same issue "Mask Passwords configuration section is not visible" but the plugin is running correctly.

        Where I can find "hudson.PluginStrategy=hudson.ClassicPluginStrategy parameter"

        1. Jun 30, 2011

          Romain Seguy says:

          Take a look at this document: Features controlled by system properties.

          1. Jul 04, 2011

            yugi oussi says:

            Thanks for your help,

            I start hudson like that : sudo /etc/init.d/hudson start, I don't know how to pass the parameter in the startup of hudson, can you help me please.

  6. Oct 13, 2011

    P Y says:

    hi Romain,

    first, thanks for the useful plugin.

    second, my use case is more complicated, i have to run several jobs with the same password. of course I can add for each job the masked password but I would like to better have it centrally defined once.

    for me this would be  Manage -> Configure System -> Global properties

    there I would like to define the password, masked, and use it through all jobs.

    is this somehow possible?

    1. Oct 13, 2011

      Romain Seguy says:

      This can be done. Please create an issue in JIRA.

      1. Nov 16, 2011

        Kevin Chow says:

        Hi Romain,

        I'd like to follow up on this feature request thread. Was it implemented in Version 2.7 (issue #11399)?

        If it is the case, do I set the variable name/value at Manage->Configure System->Global properties->Environment variables?

        At Configure System->Mask Passwords Configuration, which options should I select?

        "Password Parameter" only?

        Thanks!

        Kevin

        1. Nov 16, 2011

          Romain Seguy says:

          It's in 2.7 (2.7.1 actually, there was a bug in 2.7). It's in Manage -> Configure System, after that I don't remember the section, but it's a dedicated one, maybe named "Mask Passwords - Global Passwords", or something similar.

          1. Nov 17, 2011

            Kevin Chow says:

            Hi Romain,

            It works. The field is "Mask Passwords - Global name/password pairs".

            Thanks!

            KC

  7. Feb 02, 2012

    s s says:

    Am using 2.7.1 version of the plugin. It does not mask password when the password contains certain special characters like " or ' . I doubt that it is also adding single quotes to start and end of password when it has special character like * or ( or )

    1. Feb 03, 2012

      Romain Seguy says:

      I can't reproduce, it's masked on my side.

      1. Feb 09, 2012

        s s says:

        Am using firefox 7.0.1 on Windows 7. If it was anything else, I can take a screen shot and send.... my password had alphanumeric and one quote .. e.g Jenkin"is3

        1. Feb 10, 2012

          Romain Seguy says:

          Still can't reproduce...

  8. Feb 02, 2012

    s s says:

    The password is masked only in the output console. When jenkins runs a shell script which takes this password parameter as the command line parameter and if you do a ps on the system on which this process runs, the password is not masked.
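
An added illustration of the point raised in the comment above, not part of the original thread: console masking only rewrites the log, while the argument vector of a running process stays readable on the build machine. It assumes a Linux host with /proc; the function names, the APP_PASSWORD variable and the sleeping child process are constructed stand-ins for a real build step.

```python
import os
import subprocess
import sys

# Stand-in for the real build tool: a child process that just stays alive.
SLEEPER = "import time; time.sleep(30)"


def visible_argv(pid):
    """Return the argument vector that process listings show for a PID (Linux)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [arg.decode() for arg in fh.read().split(b"\0") if arg]


def run_with_secret_in_argv(secret):
    """Pass the secret as a command-line argument (what the comment describes)."""
    return subprocess.Popen([sys.executable, "-c", SLEEPER, "--password", secret])


def run_with_secret_in_env(secret):
    """Pass the secret through the child's environment instead of argv."""
    env = dict(os.environ, APP_PASSWORD=secret)  # APP_PASSWORD is a made-up name
    return subprocess.Popen([sys.executable, "-c", SLEEPER], env=env)


def secret_exposed(spawn, secret):
    """Start the child, check whether the secret appears in its argv, clean up."""
    proc = spawn(secret)
    try:
        return any(secret in arg for arg in visible_argv(proc.pid))
    finally:
        proc.kill()
        proc.wait()


if __name__ == "__main__":
    sample = "constructed-secret-123"  # constructed value, not a real credential
    print("argv:", secret_exposed(run_with_secret_in_argv, sample))
    print("env: ", secret_exposed(run_with_secret_in_env, sample))
```

On Linux `/proc/<pid>/cmdline` is readable by every local user by default, while `/proc/<pid>/environ` is restricted to the process owner and root, so handing the secret over through the environment (or stdin) narrows the exposure that console masking cannot address.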

  9. Apr 25, 2012

    Frank Merrow says:

    I've been using this plugin with good effect for some time now, but was told to stop . . . the claim is that when I type the password into the web page and press save, the resulting get/post commands via unsecure http could be sniffed and would have the password in the clear . . . 

    Is this true, or is that allowed for in some way?

    Frank

    1. Apr 25, 2012

      Romain Seguy says:

      It's true, but it has nothing to see with the plugin, it has to see with Jenkins itself. If you want passwords to not appear as plain text in HTTP requests, then you need to switch to full HTTPS. Enabling or disabling the plugin will do nothing for that.

      1. Apr 25, 2012

        Frank Merrow says:

        Is that currently possible . . . some plugin I missed or some obscure check box I missed?

        I'd be happy to turn that on in a heartbeat if it is possible, but AFAIK it's not.

        Frank

        1. Apr 25, 2012

          Romain Seguy says:

          It's possible by properly configuring your application server so that everything goes through HTTPS. Personally I do it by using an Apache HTTP server in front of Tomcat.

  10. May 16, 2012

    David Raymond says:

    I might be doing something wrong, but I'm trying to use this plugin together with the mercurial plugin.  I set the password to MERCURIAL_PWD in the global settings, enabled the mask passwords option in the job, and set the mercurial plugin to clone from http://jenkins:${MERCURIAL_PWD}@hg.example.com/repo, and it seems to not be substituting the password for the variable.  Any ideas?  Thanks.

    1. May 17, 2012

      Romain Seguy says:

      If I'm right, the mercurial plugin contributes an entry to the SCM part of jobs, which is actually not covered by build wrappers (mask-passwords is a build wrapper – build wrappers wrap only build steps). That's why the plugin has no effect. IMO, the mercurial plugin has to be modified to natively provide a way to externalize and secure the password.

      1. May 17, 2012

        David Raymond says:

        You are correct, the mercurial plugin is part of the SCM portion of the job. I did not realize that the mask password extension only wrapped the build portion. It actually works fine for the masking part, it is just the variable expansion that doesn't work. The only way I could get the variable-like behavior was to add a password parameter with a default value of the correct password. It is too bad that Jenkins doesn't have any way to add global variables. Anyway, thanks for the response.

  11. Sep 17, 2012

    Alex Vesely says:

    The plugin is TOO VISIBLE (takes up too much interface space) both on the global config and on the job config screens.

    On the global config, the "Mask Passwords - Parameters to automatically mask" block is 11 (eleven!) lines that are arranged sparsely. On the job config, enabling the checkbox leads to a pretty large persistent ORANGE-colored block.

    Great plugin, but I'd like to see a bit less of it. :)

  12. Dec 18, 2012

    Ryan _ says:

    Is there a way to allow dollar sign characters ($) in the password value? They do not work as expected.

    If I have a password of abcd$$ the following appears in the log "abcd$".

    If I have a password of $abcd$$" the following appears in the log "$"

    I've tried escaping the character with a backslash (\) and also tried repeating the character, to no avail.

    We can not expect people to not have $'s in their password as it is an allowed character.

  13. Apr 19, 2013

    Alexander Artemov says:

    Looks like a good plugin, but... I was really surprised today to find my password in a plain way on the Environment Variables page of a build. Now I can see that this plugin is senseless.

    1. May 07, 2013

      Stefan Thurnherr says:

      Alexander: Read this plugin's page, and have a look at the different "Mask passwords" option both at the global jenkins configuration page and at the job-specific configuration page.

      1. May 07, 2013

        Stefan Thurnherr says:

        If by "Environment Variables" page you mean the page appearing when clicking on the "Parameters" link of a job run, the masking works for me.

        1. Jun 04, 2013

          Alexander Artemov says:

          No, I meant exactly "Environment Variables" link. Anyway, thank you, I tried "Inject passwords to the build as environment variables" and now my passwords are encrypted in both the "Environment Variables" page and Pipeline View. Though, I don't understand why "Mask passwords (and enable global passwords)" is made in such a way that it doesn't encrypt passwords.

          1. Jun 04, 2013

            Alexander Artemov says:

            No, I was wrong, in Pipeline View password is shown plainly, unencrypted. So, there's another challenge.

            1. Jun 04, 2013

              Romain Seguy says:

              Had you fully read this page, you would have seen that (1) there's a version 2.7.3 of the plugin which has not been released yet but which fixes an issue with the EnvInject plugin and that (2) the JIRA issue for this bug even provides an HPI which contains the bugfix.

              Anyway, EnvInject is a good workaround for your use (also, you might want to know that the EnvInject password masking mechanism is fully based on the source code of the Mask Passwords plugin).

              1. Jun 04, 2013

                Alexander Artemov says:

                Sorry, didn't read information about releases and 2.7.3 (everything else read). It's a good news that it's fixed!

          2. Nov 21, 2013

            tommy l says:

            I'm running into the same issue. All of the "Mask Passwords - Global name/password pairs" configured in the Jenkins Configuration are shown in plain text in the Jenkins>job>build#>Environment Variables if I enable "Mask passwords (and enable global passwords)" for that job.

            Is there a way to fix this? Did I configure something incorrectly? Will the 2.7.3 version fix this issue? If this version will fix the issue, when will it be released?

  14. May 07, 2013

    Stefan Thurnherr says:

    Great plugin, Romain! Could you somewhere explain what the difference between "Password parameter" and "Non-stored password parameter" is? Can't find any documentation, the '?' help text for these two parameter types is very generic.

    1. Jun 04, 2013

      Romain Seguy says:

      When you run a job, the parameters used as an input to this job are stored by Jenkins. So, if you use a "Password Parameter", the password will be kept along with the build. Whereas, if you use a "Non-stored password parameter", this password will not be kept. I recommend using the second choice.

  15. May 16, 2013

    Sven Delmas says:

    This looks like it's exactly what I need (already using it actually). My only question (not being a security expert) is how securely the passwords are stored within jenkins (or wherever). Who can access them, and how, and how much effort would that take? Sorry if this is a FAQ, I tried to look, but didn't see it.

    1. Jun 04, 2013

      Romain Seguy says:

      The passwords are encrypted using Jenkins' encryption mechanism, whose entry point is the Secret class (cf. http://javadoc.jenkins-ci.org/hudson/util/Secret.html). These two lines in the class description bring the answer you need:

      Glorified String that uses encryption in the persisted form, to avoid accidental exposure of a secret.
      This is not meant as a protection against code running in the same VM, nor against an attacker who has local file system access on Jenkins master.

  16. May 16, 2013

    Sven Delmas says:

    This looks like it's exactly what I need (already using it actually). My only question (not being a security expert) is how securely the passwords are stored within jenkins (or wherever). Who can access them, and how, and how much effort would that take? Sorry if this is a FAQ, I tried to look, but didn't see it.

  17. Sep 17, 2013

    Dmitriy Korobskiy says:

    I've been using Mask Passwords for a while. It's a great plug-in!

    It worked fine for me with Ant and Gradle, however I just tried it with a job that is running via Execute Windows batch command and it did not seem to work.

    It's configured like this, using Mask Passwords' global pair variable:

    Command = featureTest.cmd userFoo ${AppPassword}
    

    The variable does not get expanded. I had to switch to parameterized build just to get around this.

    Any chance to add it to the to-do list?

    1. Sep 18, 2013

      Oleg Nenashev says:

      I suppose you should use %AppPassword% ...

      1. Sep 18, 2013

        Dmitriy Korobskiy says:

        That's what I ended up doing with parameterized build (AppUser and AppPassword are build parameters):

        Command = featureTest.cmd "%AppUser%" "%AppPassword%"
        

        It works, but parameterized builds have drawbacks:

        1. Extra click for all manual builds
        2. Can't share the same Mask Password variable between multiple jobs
        3. ?

        1. Nov 14, 2013

          Ian Macdonald says:

          I tried creating a new project and creating a "Execute Windows Command" with parameterized build, but I am not seeing the masking in the console log for "%PASS%".

          What type of parameter did you use? String or something else?

          1. Nov 25, 2013

            Dmitriy Korobskiy says:

            For the password I'm using "Password Parameter"

  18. Nov 14, 2013

    Ian Macdonald says:

    I am running jenkins on windows and I have the promoted builds plugin installed.

    As part of a manual promotion I am kicking off an "Execute Windows command" that executes a psexec command.

    I have defined a password parameter called PASS that contains the password.

    I am running something like PsExec.exe
    HOST -u localhost\administrator -p "%PASS%" c:\stop.bat

    The password still shows up in the console log for the promotion.

    I have tried defining a password variable in the system configuration page, but that doesn't get substituted.

    Any suggestions?