External ssh using cli stopped working


eric....@gmail.com

Sep 5, 2025, 9:43:43 AM
to Jenkins Users
Yesterday I had to update AD since we moved to 2.516.1.  Not sure how I had it set up before but I can no longer ssh from an automated job to start a build.  It's giving permission denied.  Looking at the documentation for the CLI, it looks like I had a user set up with their public key under Security/Users.  Well since I have AD selected for security realm, I don't have the option to set up my users.  How do I do both like I did before?  Thanks!

Eric Fetzer

Sep 8, 2025, 10:42:17 AM
to jenkins...@googlegroups.com
Anyone have any clue on this?  Thanks!


Björn Pedersen

Sep 11, 2025, 10:22:09 AM
to Jenkins Users
Use your user profile (the head icon in the top right). Then under security you can add your public keys.

Eric Fetzer

Sep 11, 2025, 11:22:08 AM
to jenkins...@googlegroups.com
Gonna try to respond from my email rather than the forum.  My posts keep being deleted.

The ssh is being initiated using a user in the Jenkins Internal User Database, not my AD user.  The build is done by another automation application that calls it using its ssh key (ssh -p 2222 internalJ...@machineName.domain command...).  That user is set up in the internal user database.  This worked fine until Jenkins 2.516.1.  With this upgrade, we no longer have the checkbox with AD to allow the internal user database to work also.  From my research it appears that this is supposed to now be default but I'm not finding that to be the case.  If I set security realm to internal user database, my ssh succeeds.  If I set it to AD, it does not.  Any help would be greatly appreciated!  Thanks!

eric....@gmail.com

Sep 13, 2025, 5:52:11 AM
to Jenkins Users
OK, well here's what I'm finding.  You were, at least before, able to use AD AND Jenkins' own user database.  Here are instructions I found for using both:

Go to Manage Jenkins > Configure Global Security.
Set Security Realm: Under the Security Realm section, select Active Directory as the authentication method.
Configure Active Directory Settings:
  • Enable "Allow login with Jenkins' own user database": Crucially, to allow local Jenkins users to also authenticate, you need to enable the option "Allow login with Jenkins' own user database" within the Active Directory security realm configuration. This option instructs Jenkins to first attempt authentication against Active Directory, and if that fails, to then try authenticating against its internal user database.
Configure Authorization Strategy (Optional but Recommended).


That said, the option "Allow login with Jenkins' own user database" is no longer available in the latest build of Jenkins.  Was this intentionally removed?  Is there a workaround so that I can still use the CLI from my automation tool?  Any help would be GREATLY appreciated!

Thanks,
Eric

eric....@gmail.com

Sep 13, 2025, 5:52:11 AM
to Jenkins Users
It's not my user that authenticates.  The cli connection is initiated by an external application on a different server over ssh.  It connects via a user in the Jenkins internal user database that is set up with ssh key.  As of 2.516.1, these users are not usable with AD activated, which we have to have for security purposes.  The only 2 ways I can get the ssh to authenticate are 1) turn off security or 2) set the security realm to the internal jenkins user database.  As soon as I turn on AD, it ceases to work.  The research I've done says that with 2.516.1, it is now default that the internal user database will be used if AD fails, but that doesn't seem to be the case from what I'm trying.  Any ideas?  Thanks!

eric....@gmail.com

Sep 13, 2025, 5:52:11 AM
to Jenkins Users
I turned off AD, enabled the local jenkins users database, and created a local user with ssh key.  I can ssh remotely with that user and interact with jenkins.  I can also login with that user directly.  In Jenkins 2.516.1, there is no longer the option to fall back to local user if AD fails.  I don't believe this is working because as soon as I enable AD again, the local user fails on all fronts.  I know it used to work because that's how I had it set up prior to 2.516.1.  Does anyone have any information on this?  Thanks!


eric....@gmail.com

Sep 15, 2025, 1:36:50 PM
to Jenkins Users
I tried using Mixing Security Realm.  I saw an issue in the plugin where AD stopped working in it quite some time ago that never appears to have been addressed so I wasn't confident going in.  I installed it, set the security realm to mixing.  I noticed that none of the options for realms under mixing was "Jenkins own user database" but tried to turn on AD thinking maybe that one came by default.  The AD integration didn't work.  I was able to test the AD connection (succeeded), but once I saved down the changes, it errored restarting jenkins.  After that I tried a logon but neither my AD user nor a local user succeeded.  Disabled security and went back to local jenkins user database.  That seems to be the only way I can continue to have my CLI integration work.  Is there someplace I can open a ticket on this?  Thanks!

eric....@gmail.com

Sep 17, 2025, 1:32:12 PM
to Jenkins Users
Actually, with the local jenkins user database, my CLI connection doesn't really work.  It succeeds to start a build, but my build won't work because my node goes away.  It only seems to have the built-in internal node.  So the only way my jenkins install is now functional is with security completely turned off.  Is there ANYONE able to help me with this?