Security hardening
After installing P4 Server, take immediate steps to secure the server before allowing users to connect. A default installation is functional but not hardened, and leaving it unchanged can expose your data and infrastructure.
This section describes essential security tasks you should complete as part of your initial deployment.
To learn more, see Important security update: Secure by default.
Use ticket-based authentication
By default, P4 Server can allow password-based logins without enforced expiration. You should enable ticket-based authentication to ensure credentials expire and must be renewed.
We recommend setting the server security level to 4 or higher.
This configuration:
- Requires users to authenticate using tickets.
- Enforces stronger password and authentication rules.
- Is especially important in multi-server and replicated environments.
For complete information about security, see Secure the server, including Configurables for security.
Restrict user creation and password management
Uncontrolled user creation is a common source of security issues in freshly installed servers.
After installation:
- Ensure that only super users can create new users.
- Prevent automatic user creation on first login.
- Require users to reset their password when a super user assigns an initial password.
These settings help:
- Prevent anonymous or accidental account creation.
- Ensure all user accounts start with known, strong credentials.
To set (or reset) a user’s password, either:
- Use p4 passwd username (as a P4 Server superuser), and enter the new password for the user.
- Invoke p4 user -f username (also as a superuser) and enter the new password into the user specification form.
Assign strong passwords to privileged accounts
The security of the entire server depends on the super user account(s).
Immediately after installation:
- Set a strong, unique password for all super users.
- Avoid sharing privileged credentials.
- Use individual named accounts for administrative access.
Before tightening password policies, ensure at least one super user account is fully functional to avoid locking yourself out.
Protect sensitive server information
Several commands display server and user information that may be useful to attackers if left unrestricted.
Enable settings that:
- Hide sensitive details from unauthenticated users.
- Limit the information returned by p4 info.
- Prevent exposure of internal configuration values used by scripts or integrations.
This reduces the amount of server metadata visible without proper authorization.
Configure protections early
The protections table controls what users can do on the server. Before allowing general access:
- Verify that a super user exists and has a strong password.
- Review the default protections table.
- Remove or restrict overly broad permissions.
Do not rely on default protections for production systems. A minimal, explicit protections table is safer and easier to audit over time.
Secure network access
P4 Server listens on a network port and should not be exposed unnecessarily.
Best practices include:
- Running the server behind a firewall.
- Allowing connections only from trusted networks.
- Avoiding direct internet exposure unless absolutely required.
If remote access is necessary, use encrypted connections and strong authentication controls.
Use encrypted connections (SSL/TLS)
If clients connect over untrusted networks, configure SSL/TLS for P4 Server connections.
Encrypted connections:
- Protect credentials and data in transit.
- Prevent session interception.
- Are strongly recommended for all non-local deployments.
This is especially important for cloud-hosted and geographically distributed servers.
Review security configurables regularly
P4 Server provides many configurables that affect authentication, authorization, and information disclosure.
After installation:
- Review the recommended security configurables.
- Verify they match your organization’s security requirements.
- Revisit them periodically as your deployment grows.
For a complete list, see Configurables for security.
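One way to make the periodic review repeatable is to check the output of p4 configure show against a minimum baseline. The script below is an added example, not part of the Perforce documentation or tooling. The mapping of this page's recommendations to configurable names, the minimum values other than security level 4, the assumed "name=value (source)" output format, and the sample lines are assumptions of this example; confirm them against Configurables for security.

```shell
#!/bin/sh
# Added example, not Perforce's own tooling. Usage on a live server:
#   p4 configure show | audit_configurables
# Assumed mapping of this page's recommendations to configurables and minimum
# values; verify each against "Configurables for security" before relying on it.
BASELINE='security=4
dm.user.noautocreate=2
dm.user.resetpassword=1
dm.info.hide=1
run.users.authorize=1
dm.keys.hide=2'

# Reads "name=value (source)" lines on stdin. Prints one FAIL line for every
# baseline configurable that is missing, non-numeric, or below its minimum.
# Returns 0 if the baseline is met, 1 otherwise.
audit_configurables() {
  shown=$(cat)
  rc=0
  while IFS='=' read -r name min; do
    # First matching line wins; drop the trailing " (source)" annotation.
    cur=$(printf '%s\n' "$shown" |
      awk -F= -v n="$name" '$1 == n { sub(/ .*/, "", $2); print $2; exit }')
    if [ -z "$cur" ]; then
      echo "FAIL $name not reported (want >= $min)"; rc=1
    elif ! [ "$cur" -ge "$min" ] 2>/dev/null; then
      echo "FAIL $name=$cur (want >= $min)"; rc=1
    fi
  done <<EOF
$BASELINE
EOF
  return "$rc"
}

# Constructed sample resembling a fresh, unhardened install (not real output).
SAMPLE='P4ROOT=/p4/root (-r)
security=0 (default)
dm.user.noautocreate=2 (configure)
dm.info.hide=1 (configure)'

printf '%s\n' "$SAMPLE" | audit_configurables || echo "baseline not met"
```

A configurable that does not appear in the output is reported as a failure so that it is set explicitly rather than left to a default.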