Auto-Generate Jenkins Password Hash

Jenkins Password | Why Auto Generate?

A Jenkins instance for every developer is DevOps best practice. Auto-generated passwords for every internal service instance (e.g. Jenkins, MongoDB, Tomcat, EC2 servers) are not only more secure, they are simpler: only external services should require long-lived passwords.

If you’ve forgotten your Jenkins password, the below steps will help you set another one and log in.

Jenkins SHA-256 Password Hash

We will auto-generate both the password and the salt later on, but for now let’s keep it simple and use

  • the password string p455w0rd
  • the salt string s4lt

Jenkins will expect the SHA-256 sum of the combined string p455w0rd{s4lt}, with the curly braces included.

What is a salt? Without salts, two users with the same password have the same hash, which lets a single brute-force enumeration derive the password for all of them at once.

SHA-256 Sum | Bash and Ruby

Bash, Ruby and Python are the most popular languages for writing DevOps IaaS provisioning software. Using Bash and Ruby, how do you derive the Jenkins password hash?

Bash | The SHA256 Sum

Run this command in a Linux (bash) shell or within a script.

echo -n 'p455w0rd{s4lt}' | sha256sum

The result looks like this; strip out the trailing spaces and hyphen before using it.

96d444b3eb7de866099c46e1ab72d5471f1c7f551a6e81e22876fe19b88fcb75  -

The -n flag suppresses the newline character that echo would otherwise append. Without it the password hash will be wrong, because the hashed input will include that unwanted newline.

Ruby | The SHA256 Sum

We use Ruby to drive our DevOps provisioning software. Ruby easily generates the Jenkins password hash via the SHA256 algorithm. You need

  • require 'digest' # loads the Digest library from Ruby's standard library
  • jenkinsPasswordHash = Digest::SHA256.hexdigest("p455w0rd{s4lt}")
  • puts "Jenkins SHA256 is #{jenkinsPasswordHash}"

When Ruby executes the above – in particular the core call Digest::SHA256.hexdigest("p455w0rd{s4lt}") – the line below is printed.

  • Jenkins SHA256 is 96d444b3eb7de866099c46e1ab72d5471f1c7f551a6e81e22876fe19b88fcb75

It’s time to configure Jenkins with our password hash.

How to Configure Jenkins Password Hash

Both Ruby and Bash (after stripping) have given us the same password hash. How do we communicate this to Jenkins? We start at JENKINS_HOME, which is /var/jenkins_home if you use the Jenkins Docker image or /var/lib/jenkins if you installed Jenkins with apt-get or yum.

As my username is apollo, the config file will sit at users/apollo/config.xml under the Jenkins home.

    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>s4lt:96d444b3eb7de866099c46e1ab72d5471f1c7f551a6e81e22876fe19b88fcb75</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>

Why doesn’t it start with #jbcrypt? Because Jenkins can handle several password hash formats, and SHA-256 is amongst the most secure and the simplest to auto-generate.

Test Jenkins Auto Generated Password Hash

After you have changed the appropriate config.xml under users, we can smoke test our Jenkins password hash. Just restart Jenkins and click on Log In.

  • Username : apollo
  • Password : p455w0rd

It works! For some it’s lights out and away you go! If you forgot your Jenkins password and wanted to reset it then you’re done.
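To see what Jenkins does with that salt:hash value when you log in, here is the check written out in Ruby. It is an added example, not code from the article or from Jenkins itself: it recomputes SHA-256 over "password{salt}" from the stored value, compares the digests in constant time, and rejects malformed values as well as #jbcrypt: values (which Jenkins verifies with bcrypt, not covered here). The function names and the constant-time helper are my own.

```ruby
require 'digest'

# Jenkins' salt:hash password format: SHA-256 over "<password>{<salt>}",
# stored as "<salt>:<hex digest>" in users/<name>/config.xml.
def jenkins_password_hash(password, salt)
  Digest::SHA256.hexdigest("#{password}{#{salt}}")
end

# The full value that goes into the <passwordHash> element.
def jenkins_stored_hash(password, salt)
  "#{salt}:#{jenkins_password_hash(password, salt)}"
end

# Constant-time comparison so a mismatch does not reveal, through timing,
# how many leading characters matched. Both inputs are lower-case hex here,
# so comparing byte sizes first is safe.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Re-implements the login check for the salt:hash format (hypothetical helper,
# not Jenkins' own code). Returns false for "#jbcrypt:" values, which are
# bcrypt and need a different verifier, and for anything malformed.
def jenkins_password_valid?(stored, candidate)
  return false if stored.start_with?('#jbcrypt:')
  salt, hex = stored.split(':', 2)
  return false if salt.nil? || hex.nil? || salt.empty? || hex !~ /\A\h{64}\z/
  secure_equal?(jenkins_password_hash(candidate, salt), hex.downcase)
end

if $PROGRAM_NAME == __FILE__
  # The article's worked values: password p455w0rd, salt s4lt.
  stored = jenkins_stored_hash('p455w0rd', 's4lt')
  puts "passwordHash => #{stored}"
  puts "login with p455w0rd: #{jenkins_password_valid?(stored, 'p455w0rd')}"
  puts "login with password: #{jenkins_password_valid?(stored, 'password')}"
end
```

Note that the Jenkins user interface itself writes #jbcrypt: values, which use bcrypt and are deliberately slow to compute; the salt:hash form used on this page is the older format that Jenkins still accepts, which is one more reason to treat these auto-generated passwords as disposable per-instance credentials, as the article recommends.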

For serious DevOps engineers who wish to auto-install Jenkins – there is more.

Auto Generating the Jenkins Password Hash

DevOps best practice is to auto-generate the password, configure it into Jenkins and let the user(s) know the password to use for the Jenkins instance in question.

Mathematics tells us that roughly equivalent character counts for the password and its salt give the best results. Here we use the SecureRandom Ruby class to give us random character sequences, ideally between 16 and 20 characters long.

require 'securerandom'
require 'digest'

# 16 random bytes each, rendered as URL-safe base64 without padding
j_pass_word = SecureRandom.urlsafe_base64(16)
salt_string = SecureRandom.urlsafe_base64(16)

# Jenkins expects SHA-256 over "<password>{<salt>}"
j_pass_hash = Digest::SHA256.hexdigest("#{j_pass_word}{#{salt_string}}")

puts "Pass Hash => #{salt_string}:#{j_pass_hash}"
puts "Pass Word => #{j_pass_word}"

Put the Pass Hash into the Jenkins config file and provide the Pass Word should the user need to log in to Jenkins.

Pass Hash => B5C3T_Ny3o0Zqr2jrV23CQ:1b163b005f56aa8037d390ae781233bb225b15d7f8273872328f71f149eb907e
Pass Word => ZOwISjiDVx4vq0xIM16Etw
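Putting the generation and configuration steps together, here is an added Ruby example (my own code, not the article's) that creates the password and salt, builds the salt:hash value and rewrites the <passwordHash> element of a user's config.xml in place, using REXML from Ruby's standard library rather than editing the file by hand. The sample config.xml is constructed for the example (a trimmed shape, not a real Jenkins file) and is written to a temporary directory; the function names are assumptions.

```ruby
require 'securerandom'
require 'digest'
require 'rexml/document'
require 'tmpdir'

JENKINS_DETAILS_ELEMENT = 'hudson.security.HudsonPrivateSecurityRealm_-Details'

# Constructed sample of a users/<name>/config.xml (XML declaration omitted,
# only the elements relevant to the password hash are kept).
SAMPLE_CONFIG = <<~XML
  <user>
    <fullName>apollo</fullName>
    <properties>
      <hudson.security.HudsonPrivateSecurityRealm_-Details>
        <passwordHash>s4lt:96d444b3eb7de866099c46e1ab72d5471f1c7f551a6e81e22876fe19b88fcb75</passwordHash>
      </hudson.security.HudsonPrivateSecurityRealm_-Details>
    </properties>
  </user>
XML

# 16 random bytes each -> 22 URL-safe base64 characters, as in the article's
# output; returns the password to hand to the user and the value for Jenkins.
def generate_jenkins_credentials
  password = SecureRandom.urlsafe_base64(16)
  salt     = SecureRandom.urlsafe_base64(16)
  hash     = Digest::SHA256.hexdigest("#{password}{#{salt}}")
  { password: password, salt: salt, stored: "#{salt}:#{hash}" }
end

# Locates the <passwordHash> element that sits under the security-realm
# details element, ignoring any other element of the same name.
def find_password_hash(doc)
  REXML::XPath.match(doc, '//passwordHash').find do |e|
    e.parent.name == JENKINS_DETAILS_ELEMENT
  end
end

# Rewrites the stored hash in place, leaving the rest of the document intact.
# Raises if the element is missing rather than silently keeping the old password.
def set_jenkins_password_hash(config_path, stored)
  doc = REXML::Document.new(File.read(config_path))
  node = find_password_hash(doc)
  raise "no passwordHash element in #{config_path}" if node.nil?
  node.text = stored
  File.open(config_path, 'w') { |f| doc.write(f) }
  stored
end

def read_jenkins_password_hash(config_path)
  node = find_password_hash(REXML::Document.new(File.read(config_path)))
  node && node.text
end

# The whole provisioning step: generate, store, and return what to tell the user.
def provision_user_password(config_path)
  creds = generate_jenkins_credentials
  set_jenkins_password_hash(config_path, creds[:stored])
  creds
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'config.xml')
    File.write(path, SAMPLE_CONFIG)
    creds = provision_user_password(path)
    puts "Pass Hash => #{creds[:stored]}"
    puts "Pass Word => #{creds[:password]}"
    puts File.read(path)
  end
end
```

Run it against the real users/<name>/config.xml path with Jenkins stopped, then restart Jenkins so it re-reads the file, exactly as in the manual procedure above.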
