Security is a never-ending battle to guard against malicious software. An unauthorized upload of an artifact could infect every downstream application that consumes it. This talk will discuss our implementation using an SSH Certificate Authority to restrict artifact uploads.
Our solution blocks uploads to Artifactory via the REST API, forcing jobs to use the Artifactory SSHD Proxy. Using OpenSSH 6.6, we enforce authentication against a supplied SSH-CA and perform authorization through the SSHD “ForceCommand” sshd_config directive. The program it invokes uses Artifactory “properties” to activate this authentication mechanism and to validate that the initiating user’s principal has access to the target artifact.
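The authorization step sketched above, as an added example that is not the talk's own code: a ForceCommand-style gate that parses the command the client actually requested (sshd hands it over in SSH_ORIGINAL_COMMAND), looks up a repository property holding the principals allowed to upload, and defaults to deny. Everything outside the abstract is an assumption: the certificate principal is passed to the script as its first argument (e.g. via a per-principal `command=` option or a Match block), the client sends `put <repo>/<path>`, the property is named `ssh.upload-principals`, and the property table is constructed inline in place of the Artifactory Properties API.

```python
"""ForceCommand-style upload gate for an SSH-CA fronted Artifactory.

Example code, not the project's own. Assumptions (not on the page):
the principal arrives as argv[1], the client requests `put <repo>/<path>`,
and a repository property "ssh.upload-principals" (comma-separated list)
names the principals allowed to upload there.
"""
import os
import posixpath
import shlex
import sys

ALLOW_PROPERTY = "ssh.upload-principals"  # assumed property name

# Constructed stand-in for Artifactory repository properties; the real
# values would be fetched from the Properties REST API.
REPO_PROPERTIES = {
    "libs-release-local": {ALLOW_PROPERTY: "release-bot,team-payments"},
    "libs-snapshot-local": {ALLOW_PROPERTY: "ci-builder"},
    "generic-public": {},  # no property: SSH upload not activated here
}


def parse_upload_command(original_command):
    """Return (repo, path) for a well-formed `put <repo>/<path>`, else None.

    ForceCommand runs whatever the client asked for, so the gate has to parse
    the request itself and reject anything that is not the one upload verb.
    """
    if not original_command:
        return None
    try:
        argv = shlex.split(original_command)
    except ValueError:  # unbalanced quotes
        return None
    if len(argv) != 2 or argv[0] != "put":
        return None
    target = posixpath.normpath(argv[1]).lstrip("/")
    if ".." in target.split("/"):  # traversal out of the repo tree
        return None
    repo, _, path = target.partition("/")
    if not repo or not path:
        return None
    return repo, path


def allowed_principals(repo, properties):
    """Set of principals the repo property authorizes; empty if unset."""
    value = properties.get(repo, {}).get(ALLOW_PROPERTY, "")
    return {p.strip() for p in value.split(",") if p.strip()}


def authorize(principal, original_command, properties=REPO_PROPERTIES):
    """Decide (allowed, reason) for one upload request; deny by default."""
    parsed = parse_upload_command(original_command)
    if parsed is None:
        return False, "not a recognised upload command"
    repo, path = parsed
    allowed = allowed_principals(repo, properties)
    if not allowed:
        return False, "%s has no %s property; SSH upload not activated" % (
            repo, ALLOW_PROPERTY)
    if principal not in allowed:
        return False, "principal %s not authorised for %s" % (principal, repo)
    return True, "%s may upload %s/%s" % (principal, repo, path)


def main():
    principal = sys.argv[1] if len(sys.argv) > 1 else ""
    ok, reason = authorize(principal, os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    # The reason goes to stderr so it reaches the client and the sshd log.
    print(reason, file=sys.stderr)
    if not ok:
        sys.exit(1)
    # A real handler would now stream stdin into the artifact; omitted here.


if __name__ == "__main__":
    main()
```

Because the decision is a pure function of principal, requested command and repository properties, it can be unit-tested offline, and the same default-deny path covers a missing property, an unknown principal, a malformed command and path traversal.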