How to reset Jenkins security settings from the command line

Question

Is there a way to reset all  or just disable the security settings  from the command line without a user password as I have managed to completely lock myself out of Jenkins

User · Answer

We can reset the password while leaving security on.

The config.xml file in /var/lib/Jenkins/users/admin/ acts sort of like the /etc/shadow file Linux or UNIX-like systems or the SAM file in Windows, in the sense that it stores the hash of the account's password.

If you need to reset the password without logging in, you can edit this file and replace the old hash with a new one generated from bcrypt:

$ pip install bcrypt
$ python
>>> import bcrypt
>>> bcrypt.hashpw("yourpassword", bcrypt.gensalt(rounds=10, prefix=b"2a"))
'YOUR_HASH'

This will output your hash, with prefix 2a, the correct prefix for Jenkins hashes.

Now, edit the config.xml file:

...
<passwordHash>#jbcrypt:REPLACE_THIS</passwordHash>
...

Once you insert the new hash, reset Jenkins:

(if you are on a system with systemd):

sudo systemctl restart Jenkins

You can now log in, and you didn't leave your system open for a second.

User · Answer

For one who is using macOS  the new version just can be installed by homebrew  so for resting  this command line must be using   brew services restart jenkins-lts

User · Answer

jenkins secrets initialAdminPassword   Copy the password from the initialAdminPassword file and paste it into the Jenkins

User · Answer

Using bcrypt you can solve this issue  Extending the  Reem answer for someone who is trying to automate the process using bash and python      bin bash  pip install bcrypt yum install -y https   dl fedoraproject org pub epel epel-release-latest-7 noarch rpm yum -y install xmlstarlet  cat  gt   tmp jenkinsHash py  lt  lt EOF import bcrypt import sys  if not sys argv 1     sys exit 10   plaintext pwd sys argv 1  encrypted pwd bcrypt hashpw sys argv 1   bcrypt gensalt rounds 10  prefix b 2a    isCorrect bcrypt checkpw plaintext pwd  encrypted pwd   if not isCorrect     sys exit 20    print      format encrypted pwd  EOF  chmod  x  tmp jenkinsHash py cd  var lib jenkins users admin  pwd while    1     do     echo  Waiting for Jenkins to generate admin user s config file           if    -f    config xml      then         break     fi      sleep 10 done  echo  Admin config file created   admin password   python  tmp jenkinsHash py password 2 gt  amp 1     Repalcing the new passowrd xmlstarlet -q ed --inplace -u   user properties hudson security HudsonPrivateSecurityRealm -Details passwordHash  -v   jbcrypt    admin password  config xml    Restart systemctl restart jenkins sleep 10   I have kept password hardcoded here but it can be a user input depending upon the requirement  Also make sure to add that sleep otherwise any other command revolving around Jenkins will fail

User · Answer

On the offchance you accidentally lock yourself out of Jenkins due to a permission mistake  and you dont have server-side access to switch to the jenkins user or root    You can make a job in Jenkins and add this to the Shell Script   sed -i  s  lt useSecurity gt true  lt useSecurity gt false     config xml   Then click Build Now and restart Jenkins  or the server if you need to

User · Answer

To reset it without disabling security if you re using matrix permissions  probably easily adaptable to other login methods     In config xml  set disableSignup to false  Restart Jenkins  Go to the Jenkins web page and sign up with a new user  In config xml  duplicate one of the  lt permission gt hudson model Hudson Administer username lt  permission gt  lines and replace username with the new user  If it s a private server  set disableSignup back to true in config xml  Restart Jenkins  Go to the Jenkins web page and log in as the new user  Reset the password of the original user  Log in as the original user    Optional cleanup    Delete the new user  Delete the temporary  lt permission gt  line in config xml    No securities were harmed during this answer

User · Answer

In order to remove the by default security for jenkins in Windows OS   You can traverse through the file Config xml created inside  users  UserName   jenkins   Inside this file you can change the code from    lt useSecurity gt true lt  useSecurity gt    To    lt useSecurity gt false lt  useSecurity gt

User · Answer

I had a similar issue  and following reply from ArtB   I found that my user didn t have the proper configurations  so what I did   Note  manually modifying such XML files is risky  Do it at your own risk  Since I was already locked out  I didn t have much to lose  AFAIK Worst case I would have deleted the    jenkins config xml file as prev post mentioned       1  ssh to the jenkins machine        cd    jenkins    I guess that some installations put it under  var lib jenkins config xml  but not in my case     vi config xml  and under authorizationStrategy xml tag  add the below section  just used my username instead of  put-your-username     restart jenkins  in my case as root service tomcat7 stop    service tomcat7 start   Try to login again   worked for me         under      add    lt permission gt hudson model Computer Build put-your-username lt  permission gt   lt permission gt hudson model Computer Configure put-your-username lt  permission gt   lt permission gt hudson model Computer Connect put-your-username lt  permission gt   lt permission gt hudson model Computer Create put-your-username lt  permission gt   lt permission gt hudson model Computer Delete put-your-username lt  permission gt   lt permission gt hudson model Computer Disconnect put-your-username lt  permission gt   lt permission gt hudson model Hudson Administer put-your-username lt  permission gt   lt permission gt hudson model Hudson ConfigureUpdateCenter put-your-username lt  permission gt   lt permission gt hudson model Hudson Read put-your-username lt  permission gt   lt permission gt hudson model Hudson RunScripts put-your-username lt  permission gt   lt permission gt hudson model Hudson UploadPlugins put-your-username lt  permission gt   lt permission gt hudson model Item Build put-your-username lt  permission gt   lt permission gt hudson model Item Cancel put-your-username lt  permission gt   lt permission gt hudson model Item Configure put-your-username lt  permission gt   lt permission gt hudson model Item Create put-your-username lt  permission gt   lt permission gt hudson model Item Delete put-your-username lt  permission gt   lt permission gt hudson model Item Discover put-your-username lt  permission gt   lt permission gt hudson model Item Read put-your-username lt  permission gt   lt permission gt hudson model Item Workspace put-your-username lt  permission gt   lt permission gt hudson model Run Delete put-your-username lt  permission gt   lt permission gt hudson model Run Update put-your-username lt  permission gt   lt permission gt hudson model View Configure put-your-username lt  permission gt   lt permission gt hudson model View Create put-your-username lt  permission gt   lt permission gt hudson model View Delete put-your-username lt  permission gt   lt permission gt hudson model View Read put-your-username lt  permission gt   lt permission gt hudson scm SCM Tag put-your-username lt  permission gt    Now  you can go to different directions  For example I had github oauth integration  so I could have tried to replace the authorizationStrategy with something like below   Note   It worked in my case because I had a specific github oauth plugin that was already configured  So it is more risky than the previous solution      lt authorizationStrategy class  org jenkinsci plugins GithubAuthorizationStrategy  plugin  github-oauth 0 14  gt       lt rootACL gt         lt organizationNameList class  linked-list  gt           lt string gt  lt  string gt         lt  organizationNameList gt         lt adminUserNameList class  linked-list  gt           lt string gt put-your-username lt  string gt           lt string gt username2 lt  string gt           lt string gt username3 lt  string gt           lt string gt username 4 etc put username that will become administrator lt  string gt         lt  adminUserNameList gt         lt authenticatedUserReadPermission gt true lt  authenticatedUserReadPermission gt         lt allowGithubWebHookPermission gt false lt  allowGithubWebHookPermission gt         lt allowCcTrayPermission gt false lt  allowCcTrayPermission gt         lt allowAnonymousReadPermission gt false lt  allowAnonymousReadPermission gt       lt  rootACL gt     lt  authorizationStrategy gt

User · Answer

I found the file in question located in  var lib jenkins called config xml  modifying that fixed the issue

User · Answer

The  lt passwordHash gt  element in users  lt username gt  config xml will accept data of the format  salt sha256  password salt      So  if your salt is bar and your password is foo then you can produce the SHA256 like this   echo -n  foo bar     sha256sum   You should get 7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349 as the result  Take the hash and put it with the salt into  lt passwordHash gt     lt passwordHash gt bar 7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349 lt  passwordHash gt    Restart Jenkins  then try logging in with password foo  Then reset your password to something else   Jenkins uses bcrypt by default  and one round of SHA256 is not a secure way to store passwords  You ll get a bcrypt hash stored when you reset your password

User · Answer

Jenkins over KUBENETES and Docker   In case of Jenkins over a container managed by a Kubernetes POD is a bit more complex since  kubectl exec PODID --namespace jenkins  -it --  bin bash will you allow to access directly to the container running Jenkins  but you will not have root access  sudo  vi and many commands are not available and therefore a workaround is needed   Use kubectl describe pod       to find the node running your Pod and the container ID  docker          SSH into the node run docker exec -ti -u root --  bin bash to access the container with Root privileges apt-get update sudo apt-get install vim   The second difference is that the Jenkins configuration file are placed in a different path that corresponds to the mounting point of the persistent volume  i e   var jenkins home  this location might change in the future  check it running df    Then disable security - change true to false in  var jenkins home jenkins config xml file    lt useSecurity gt false lt  useSecurity gt    Now it is enough to restart the Jenkins  action that will cause the container and the Pod to die  it will created again in some seconds with the configuration updated  and all the chance like vi  update erased  thanks to the persistent volume   The whole solution has been tested on Google Kubernetes Engine  UPDATE Notice that you can as well run ps -aux the password in plain text is shown even without root access   jenkins jenkins-87c47bbb8-g87nw   ps -aux       jenkins      -jar  usr share jenkins jenkins war --argumentsRealm passwd jenkins password --argumentsRealm roles jenkins admin

User · Answer

The answer on modifying was correct  Yet  I think it should be mentioned that  var lib jenkins config xml looks something like this if you have activated  Project-based Matrix Authorization Strategy   Deleting  var lib jenkins config xml and restarting jenkins also does the trick  I also deleted the users in  var lib jenkins users to start from scratch    lt authorizationStrategy class  hudson security ProjectMatrixAuthorizationStrategy  gt       lt permission gt hudson model Computer Configure jenkins-admin lt  permission gt       lt permission gt hudson model Computer Connect jenkins-admin lt  permission gt       lt permission gt hudson model Computer Create jenkins-admin lt  permission gt       lt permission gt hudson model Computer Delete jenkins-admin lt  permission gt       lt permission gt hudson model Computer Disconnect jenkins-admin lt  permission gt       lt  -- if this is missing for your user and it is the only one  bad luck -- gt       lt permission gt hudson model Hudson Administer jenkins-admin lt  permission gt       lt permission gt hudson model Hudson Read jenkins-admin lt  permission gt       lt permission gt hudson model Hudson RunScripts jenkins-admin lt  permission gt       lt permission gt hudson model Item Build jenkins-admin lt  permission gt       lt permission gt hudson model Item Cancel jenkins-admin lt  permission gt       lt permission gt hudson model Item Configure jenkins-admin lt  permission gt       lt permission gt hudson model Item Create jenkins-admin lt  permission gt       lt permission gt hudson model Item Delete jenkins-admin lt  permission gt       lt permission gt hudson model Item Discover jenkins-admin lt  permission gt       lt permission gt hudson model Item Read jenkins-admin lt  permission gt       lt permission gt hudson model Item Workspace jenkins-admin lt  permission gt       lt permission gt hudson model View Configure jenkins-admin lt  permission gt       lt permission gt hudson model View Create jenkins-admin lt  permission gt       lt permission gt hudson model View Delete jenkins-admin lt  permission gt       lt permission gt hudson model View Read jenkins-admin lt  permission gt     lt  authorizationStrategy gt

User · Answer

In El-Capitan config xml can not be found at       var lib jenkins    Its available in         jenkins   then after that as other mentioned open the config xml file and make the following changes   In this replace  lt useSecurity gt true lt  useSecurity gt  with  lt useSecurity gt false lt  useSecurity gt  Remove  lt authorizationStrategy gt  and  lt securityRealm gt  Save it and restart the jenkins sudo service jenkins restart

User · Answer

To very simply disable both security and the startup wizard  use the JAVA property   -Djenkins install runSetupWizard false   The nice thing about this is that you can use it in a Docker image such that your container will always start up immediately with no login screen     Dockerfile FROM jenkins jenkins lts ENV JAVA OPTS -Djenkins install runSetupWizard false   Note that  as mentioned by others  the Jenkins config xml is in  var jenkins home in the image  but using sed to modify it from the Dockerfile fails  because  presumably  the config xml doesn t exist until the server starts

User · Answer

To disable Jenkins security in simple steps in Linux  run these commands   sudo ex  g useSecurity d  g authorizationStrategy d -scwq  var lib jenkins config xml sudo  etc init d jenkins restart   It will remove useSecurity and authorizationStrategy lines from your config xml root config file and restart your Jenkins   See also  Disable security at Jenkins website    After gaining the access to Jenkins  you can re-enable security in your Configure Global Security page by choosing the Access Control Security Realm  After than don t forget to create the admin user

User · Answer

The simplest solution is to completely disable security - change true to false in  var lib jenkins config xml file    lt useSecurity gt true lt  useSecurity gt    Then just restart Jenkins  by  sudo service jenkins restart   And then go to admin panel and set everything once again   If you in case are running your Jenkins inside k8s pod from a docker  which is my case and can not run service command  then you can just restart Jenkins by deleting the pod   kubectl delete pod  lt jenkins-pod-name gt    Once the command was issued  the k8s will terminate the old pod and start a new one

User · Answer

1 first check location if you install war or Linux or windows based on that  for example if war under Linux and for admin user      home  User NAME   jenkins users admin config xml   go  to this tag after  jbcrypt    lt passwordHash gt  jbcrypt  2a 10 3DzCGLQr2oYXtcot4o0rB wYi5kth6e45tcPpRFsuYqzLZfn1pcWK lt  passwordHash gt    change this password using use any website for bcrypt hash generator  https   www dailycred com article bcrypt-calculator   make sure it start with  2a cause this one jenkens uses

User · Answer

A lot of times you wont be having permissions to edit the config xml file    The simplest thing would be to take a back of config xml and delete using sudo command    Restart the jenkins using the command sudo  etc init d jenkins restart  This will disable all the security in the Jenkins and the login option would disappear

User · Answer

Easy way out of this is to use the admin psw to login with your admin user    Change to root user  sudo su - Copy the password  xclip -sel clip  lt   var lib jenkins secrets initialAdminPassword Login with admin and press ctrl   v on password input box    Install xclip if you don t have it      sudo apt-get install xclip

User · Answer

step-1   go to the directory cd  jenkins secrets then you will get a  initialAdminPassword    step-2   nano initialAdminPassword  you will get a password

User · Answer

Edit the file  JENKINS HOME config xml and change de security configuration with this    lt authorizationStrategy class  hudson security AuthorizationStrategy Unsecured   gt    After that restart Jenkins

User · Answer

One other way would be to manually edit the configuration file for your user  e g   var lib jenkins users username config xml  and update the contents of passwordHash    lt passwordHash gt  jbcrypt  2a 10 razd3L1aXndFfBNHO95aj IVrFydsxkcQCcLmujmFQzll3hcUrY7S lt  passwordHash gt    Once you have done this  just restart Jenkins and log in using this password   test

User · Answer

changing the  lt useSecurity gt true lt  useSecurity gt  to  lt useSecurity gt false lt  useSecurity gt  will not be enough  you should remove  lt authorizationStrategy gt  and  lt securityRealm gt  elements too and restart your jenkins server by doing sudo service jenkins restart    remember this  set  lt usesecurity gt  to false only may cause a problem for you  since these instructions are mentioned in thier official documentation here

[linux] How to reset Jenkins security settings from the command line?

Examples related to linux

Examples related to security

Examples related to jenkins

Examples related to command-line