
Security

Passwords

Artemis uses configuration files that contain default passwords and secrets. These must be overridden in your own configuration or via environment variables. The Spring Relaxed Binding documentation shows how to translate YAML keys into the corresponding environment variable names.

```yaml
artemis:
  user-management:
    internal-admin:
      username: "artemis-admin"
      password: "artemis-admin"
  version-control:
    build-agent-git-username: "buildagent_user"
    build-agent-git-password: "buildagent_password"
jhipster:
  security:
    authentication:
      jwt:
        base64-secret: ""
  registry:
    password: "change-me"
```
⚠️ Always replace the default credentials before deploying. The shipped values are publicly documented, so an instance that still uses them can be taken over by anyone who can reach it: the internal admin password grants full administrative access, the build agent Git credentials are what build agents use to check out exercise repositories, and the JWT secret is what every session token is signed with.

ℹ️ Restrict read access to the configuration files to the minimum set of users, usually only the system user that runs the Artemis service (for example, mode 0600 and owned by that user).
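The following added example (not Artemis code) shows the two checks an operator wants here: the Spring relaxed-binding rule that turns a YAML key into its environment variable name, and an audit that walks a loaded configuration and reports every key on this page that still carries its shipped default and is not overridden by an environment variable. The configuration tree and environment below are constructed stand-ins for a real application-artemis.yml and process environment.

```python
"""Map Spring Boot property keys to environment-variable names (relaxed binding)
and audit a configuration tree for values that still equal the shipped defaults.
Added example; not Artemis code. EXAMPLE_CONFIG / EXAMPLE_ENV are constructed."""

# Keys and default values quoted on this page. The empty JWT secret counts as unset.
SHIPPED_DEFAULTS = {
    "artemis.user-management.internal-admin.username": "artemis-admin",
    "artemis.user-management.internal-admin.password": "artemis-admin",
    "artemis.version-control.build-agent-git-username": "buildagent_user",
    "artemis.version-control.build-agent-git-password": "buildagent_password",
    "jhipster.security.authentication.jwt.base64-secret": "",
    "jhipster.registry.password": "change-me",
}


def to_env_name(key: str) -> str:
    """Spring relaxed binding for environment variables: dots and '[' become '_',
    ']' and dashes are dropped, result is upper-cased.
    my.service[0].other -> MY_SERVICE_0_OTHER"""
    return key.replace(".", "_").replace("[", "_").replace("]", "").replace("-", "").upper()


def flatten(tree: dict, prefix: str = "") -> dict:
    """Flatten a nested mapping (as loaded from YAML) into dotted property keys."""
    out = {}
    for k, v in tree.items():
        path = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, path))
        else:
            out[path] = v
    return out


def find_default_secrets(config: dict, env: dict) -> list:
    """Return (property_key, env_var_name) for every shipped default that is
    neither overridden in the config tree nor by a non-default environment variable."""
    flat = flatten(config)
    findings = []
    for key, default in SHIPPED_DEFAULTS.items():
        env_name = to_env_name(key)
        if env_name in env and env[env_name] not in ("", default):
            continue  # environment variable overrides the file
        value = flat.get(key, default)
        if value in ("", default):
            findings.append((key, env_name))
    return findings


# Constructed config: admin password and JWT secret changed, everything else untouched.
EXAMPLE_CONFIG = {
    "artemis": {
        "user-management": {
            "internal-admin": {"username": "artemis-admin", "password": "ops-only-Xk9!pQ"},
        },
        "version-control": {
            "build-agent-git-username": "buildagent_user",
            "build-agent-git-password": "buildagent_password",
        },
    },
    "jhipster": {
        "security": {"authentication": {"jwt": {"base64-secret": "bXktbG9uZy1yYW5kb20tc2VjcmV0"}}},
        "registry": {"password": "change-me"},
    },
}
# Constructed environment: the registry password is rotated via its env var only.
EXAMPLE_ENV = {"JHIPSTER_REGISTRY_PASSWORD": "rotated-registry-pw"}

if __name__ == "__main__":
    for key, env_name in find_default_secrets(EXAMPLE_CONFIG, EXAMPLE_ENV):
        print(f"still default: {key}  (override with {env_name})")
```

Run against a real deployment, load application-artemis.yml with a YAML parser into `config` and pass `os.environ` as `env`; any line printed is a credential that an outsider already knows.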

LDAP Authentication

Artemis supports authenticating users against an external LDAP (Lightweight Directory Access Protocol) server. When enabled, users can log in using their institutional credentials, and Artemis will automatically retrieve user information such as name, email, and registration number from the LDAP directory.

How It Works

When a user attempts to log in with LDAP authentication enabled:

  1. Artemis queries the LDAP server to find the user by their login or email
  2. The user's password is verified against the LDAP server
  3. If authentication succeeds, Artemis creates or updates the local user record with information from LDAP
  4. The user is granted access to Artemis

Configuration

To enable LDAP authentication, activate the ldap Spring profile and configure the LDAP connection settings in your application-artemis.yml:

Enable the ldap Spring profile

```text
--spring.profiles.active=dev,localci,localvc,artemis,scheduling,buildagent,core,local,ldap
```

Configure LDAP Connection

```yaml
artemis:
  user-management:
    ldap:
      url: ldaps://ldap.example.com:636
      user-dn: cn=artemis-service,ou=services,dc=example,dc=com
      password: <ldap-service-password>
      base: ou=users,dc=example,dc=com
      allowed-username-pattern: '^([a-z]{2}\d{2}[a-z]{3})$'
```

Configuration Options:

  • artemis.user-management.ldap.url: The URL of your LDAP server. Use ldaps:// so that the service bind password and the users' passwords are not sent over the network in clear text
  • artemis.user-management.ldap.user-dn: The distinguished name (DN) of the service account used to bind to the LDAP server for user lookups
  • artemis.user-management.ldap.password: The password for that service account
  • artemis.user-management.ldap.base: The base DN under which user searches are performed
  • artemis.user-management.ldap.allowed-username-pattern: A regular expression that usernames must match (optional)
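The following added example (not Artemis code) checks an LDAP fragment for the mistakes that usually surface only after the profile is activated: a plain ldap:// URL, a missing field, the documentation placeholder left in place of the password, and a username pattern that does not compile or is not anchored. It assumes that allowed-username-pattern is matched against the complete login (modelled here with `re.fullmatch`); the page's own fragment and one constructed bad variant are used as input.

```python
"""Sanity-check an artemis.user-management.ldap fragment before enabling the ldap profile.
Added example, not Artemis code. Assumes the username pattern applies to the whole login."""
import re
from urllib.parse import urlsplit


def check_ldap_config(ldap: dict) -> list:
    """Return a list of human-readable problems; an empty list means the fragment looks sane."""
    problems = []
    url = urlsplit(str(ldap.get("url", "")))
    if url.scheme != "ldaps":
        problems.append(f"url: scheme {url.scheme!r} is not ldaps; the service bind password and "
                        "every user's password would cross the network unencrypted")
    for field in ("user-dn", "password", "base"):
        if not ldap.get(field):
            problems.append(f"{field}: missing or empty")
    password = str(ldap.get("password", ""))
    if password.startswith("<") and password.endswith(">"):
        problems.append("password: documentation placeholder was not replaced with the real secret")
    pattern = ldap.get("allowed-username-pattern")
    if pattern is not None:
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append(f"allowed-username-pattern: does not compile ({exc})")
        else:
            if not (pattern.startswith("^") and pattern.endswith("$")):
                problems.append("allowed-username-pattern: anchor it with ^ and $ so the intent does "
                                "not depend on whether the matcher is full-match or find")
    return problems


def is_login_allowed(pattern: str, login: str) -> bool:
    """True if the whole login satisfies the configured pattern (assumed full-match semantics)."""
    return re.fullmatch(pattern, login) is not None


# The fragment from this page, verbatim, including its placeholder password.
PAGE_FRAGMENT = {
    "url": "ldaps://ldap.example.com:636",
    "user-dn": "cn=artemis-service,ou=services,dc=example,dc=com",
    "password": "<ldap-service-password>",
    "base": "ou=users,dc=example,dc=com",
    "allowed-username-pattern": r"^([a-z]{2}\d{2}[a-z]{3})$",
}

# Constructed bad variant: plain ldap://, empty base DN, unanchored pattern.
BAD_FRAGMENT = {**PAGE_FRAGMENT, "url": "ldap://ldap.example.com:389",
                "base": "", "allowed-username-pattern": r"[a-z]{2}\d{2}[a-z]{3}"}

if __name__ == "__main__":
    for name, fragment in (("page", PAGE_FRAGMENT), ("bad", BAD_FRAGMENT)):
        print(name, check_ldap_config(fragment) or "OK")
    for login in ("ab12cde", "AB12CDE", "xab12cdex"):
        print(login, is_login_allowed(PAGE_FRAGMENT["allowed-username-pattern"], login))
```

Feed the `ldap` sub-tree of your parsed application-artemis.yml to `check_ldap_config` before restarting with the ldap profile; the placeholder check alone catches the most common copy-and-paste deployment.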
⚠️

Store LDAP credentials securely. Never commit them to version control. Use environment variables or a secrets manager in production.

ℹ️

LDAP authentication can be used alongside SAML2 authentication. See the SAML2 documentation for configuring single sign-on.

Passkey Authentication

Artemis supports passkey-based authentication as a more secure authentication method than passwords. Passkeys provide phishing-resistant authentication based on the WebAuthn/FIDO2 standards.

Passkey Approval

When passkeys are activated and passkey enforcement is enabled for administrator feature access, an additional security layer is implemented:

  • Super Admins: Can approve passkey registrations for administrators
  • Admins: Require passkey approval from a Super Admin before accessing admin features

This limits the privilege of approving new passkeys to a very small number of Super Admin users, which minimizes the attack surface of the critical passkey-registration operation. Even if an administrator account is compromised, the attacker cannot bypass passkey enforcement by registering a passkey of their own, because that passkey would not be approved by a Super Admin.

Configuration

To enable passkeys and enforce them for administrator features, add the following to your configuration:

```yaml
artemis:
  user-management:
    passkey:
      enabled: true
      require-for-administrator-features: true
```

Configuration Options:

  • artemis.user-management.passkey.enabled: Enables passkey authentication functionality (default: false)
  • artemis.user-management.passkey.require-for-administrator-features: When enabled, administrators must have an approved passkey to access admin features (default: false)
⚠️

When require-for-administrator-features is enabled, the internal system admin configured under artemis.user-management.internal-admin is automatically granted the Super Admin role. A super admin's passkeys are approved automatically on registration, or on the first login with a not-yet-approved passkey.

ℹ️

Passkey enforcement only applies to administrator-level features. Regular users and course roles (instructors, TAs, students) are not affected by this setting.

SSH Access

To allow users to clone their programming exercises via SSH in the integrated code lifecycle setup, SSH must be configured correctly on the server.

The following steps show how to create and manage SSH key pairs, distribute them across multiple nodes via Ansible, configure the system to use these keys, and adapt Nginx to route SSH connections.

Generate Key Pairs

```shell
ssh-keygen -t rsa -b 4096 -f ~/artemis_ssh/id_rsa
ssh-keygen -t ed25519 -f ~/artemis_ssh/id_ed25519
```

Make sure the keys keep the standard file name for their key type, e.g. id_rsa for RSA and id_ed25519 for Ed25519.

Distribute Keys via Ansible

You can use the example Ansible playbook below to distribute the keys to the Artemis hosts. In a multi-node setup, all nodes must use the same SSH keys; otherwise clients that have pinned the host key of one node will reject connections that the proxy routes to another node.

```yaml
- name: Distribute SSH keys
  hosts: all
  vars:
    key_dir: "/path/to/keys"
  tasks:
    - name: Ensure the .ssh directory exists with restrictive permissions
      file:
        path: "~/.ssh"
        state: directory
        mode: '0700'
    - name: Copy private keys (never logged)
      copy:
        src: "{{ key_dir }}/{{ item }}"
        dest: "~/.ssh/{{ item }}"
        mode: '0600'
      loop: [id_rsa, id_ed25519]
      no_log: true   # keep private key material out of the Ansible output
    - name: Copy public keys
      copy:
        src: "{{ key_dir }}/{{ item }}"
        dest: "~/.ssh/{{ item }}"
        mode: '0644'
      loop: [id_rsa.pub, id_ed25519.pub]
```
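To verify after the playbook ran that every node really presents the same host key, the following added example (not Artemis code) computes OpenSSH-style SHA256 fingerprints from `ssh-keyscan`-style lines and reports any node whose fingerprint deviates from the majority. The key material below is constructed for the example; in practice you would pass the lines from `ssh-keyscan -p 7921 node1 node2 node3` (port 7921 being the SSH port used in the Nginx configuration on this page).

```python
"""Check that all Artemis nodes present the same SSH host key.
Added example, not Artemis code. The ed25519 blobs below are constructed test data."""
import base64
import hashlib
import struct
from collections import Counter


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64 (padding stripped) of SHA-256 over the raw key blob.
    Matches the output of `ssh-keygen -lf` for the same public key."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_ed25519_pubkey(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from 32 arbitrary bytes (test data only)."""
    assert len(seed) == 32
    blob = ssh_string(b"ssh-ed25519") + ssh_string(seed)
    return base64.b64encode(blob).decode()


def check_nodes(keyscan_lines: list) -> dict:
    """Parse 'host keytype base64' lines (ssh-keyscan format, comments skipped) and return
    {keytype: [(host, fingerprint, matches_majority), ...]}."""
    per_type = {}
    for line in keyscan_lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, keytype, blob = line.split()[:3]
        per_type.setdefault(keytype, []).append((host, fingerprint(blob)))
    report = {}
    for keytype, entries in per_type.items():
        majority = Counter(fp for _, fp in entries).most_common(1)[0][0]
        report[keytype] = [(host, fp, fp == majority) for host, fp in entries]
    return report


def mismatching_hosts(report: dict) -> list:
    """Hosts whose key of some type differs from what the majority of nodes present."""
    return sorted(host for entries in report.values() for host, _, ok in entries if not ok)


# Constructed scan: node1 and node2 share a key, node3 was provisioned with a different one.
KEY_A = make_ed25519_pubkey(b"\x01" * 32)
KEY_B = make_ed25519_pubkey(b"\x02" * 32)
CONSTRUCTED_SCAN = [
    "# ssh-keyscan -p 7921 node1 node2 node3   (constructed output)",
    f"[node1]:7921 ssh-ed25519 {KEY_A}",
    f"[node2]:7921 ssh-ed25519 {KEY_A}",
    f"[node3]:7921 ssh-ed25519 {KEY_B}",
]

if __name__ == "__main__":
    report = check_nodes(CONSTRUCTED_SCAN)
    for keytype, entries in report.items():
        for host, fp, ok in entries:
            print(f"{keytype:12} {host:16} {fp}  {'ok' if ok else 'MISMATCH'}")
    print("mismatching:", mismatching_hosts(report))
```

Because the fingerprint is computed exactly as OpenSSH does, the values printed can be compared directly with `ssh-keygen -lf ~/artemis_ssh/id_ed25519.pub` on the host where the keys were generated.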

Enable SSH Routing via Nginx

In a multi-node setup you can configure the Nginx stream module to distribute incoming SSH connections across the Artemis nodes. The node addresses below are placeholders; replace them with the SSH endpoints of your instances.

```nginx
stream {
    upstream artemis_ssh {
        # Placeholder addresses: the SSH port of each Artemis node.
        # All nodes must present the same host keys (see above).
        server artemis-node1.internal:7921;
        server artemis-node2.internal:7921;
    }
    server {
        listen 7921;
        proxy_pass artemis_ssh;
    }
}
```