Is there a way to reset all (or just disable the security settings) from the command line without a user/password as I have managed to completely lock myself out of Jenkins?

The simplest solution is to completely disable security - change true to false in /var/lib/jenkins/config.xml file.

<useSecurity>true</useSecurity>

Then just restart Jenkins, by

sudo service jenkins restart

And then go to admin panel and set everything once again.

One other way would be to manually edit the configuration file for your user (e.g. /var/lib/jenkins/users/username/config.xml) and update the contents of passwordHash:

<passwordHash>#jbcrypt:$2a$10$razd3L1aXndFfBNHO95aj.IVrFydsxkcQCcLmujmFQzll3hcUrY7S</passwordHash>

Once you have done this, just restart Jenkins and log in using this password:

test

I found the file in question located in /var/lib/jenkins called config.xml, modifying that fixed the issue.

The <passwordHash> element in users/<username>/config.xml will accept data of the format

salt:sha256("password{salt}")

So, if your salt is bar and your password is foo then you can produce the SHA256 like this:

echo -n 'foo{bar}' | sha256sum

You should get 7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349 as the result. Take the hash and put it with the salt into <passwordHash>:

<passwordHash>bar:7f128793bc057556756f4195fb72cdc5bd8c5a74dee655a6bfb59b4a4c4f4349</passwordHash>

Restart Jenkins, then try logging in with password foo. Then reset your password to something else. (Jenkins uses bcrypt by default, and one round of SHA256 is not a secure way to store passwords. You'll get a bcrypt hash stored when you reset your password.)

In El-Capitan config.xml can not be found at

/var/lib/jenkins/

Its available in

~/.jenkins

then after that as other mentioned open the config.xml file and make the following changes

• In this replace <useSecurity>true</useSecurity> with <useSecurity>false</useSecurity>

• Remove <authorizationStrategy> and <securityRealm>

• Save it and restart the jenkins(sudo service jenkins restart)

The answer on modifying was correct. Yet, I think it should be mentioned that /var/lib/jenkins/config.xml looks something like this if you have activated "Project-based Matrix Authorization Strategy". Deleting /var/lib/jenkins/config.xml and restarting jenkins also does the trick. I also deleted the users in /var/lib/jenkins/users to start from scratch.

<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Computer.Configure:jenkins-admin</permission>
    <permission>hudson.model.Computer.Connect:jenkins-admin</permission>
    <permission>hudson.model.Computer.Create:jenkins-admin</permission>
    <permission>hudson.model.Computer.Delete:jenkins-admin</permission>
    <permission>hudson.model.Computer.Disconnect:jenkins-admin</permission>
    <!-- if this is missing for your user and it is the only one, bad luck -->
    <permission>hudson.model.Hudson.Administer:jenkins-admin</permission>
    <permission>hudson.model.Hudson.Read:jenkins-admin</permission>
    <permission>hudson.model.Hudson.RunScripts:jenkins-admin</permission>
    <permission>hudson.model.Item.Build:jenkins-admin</permission>
    <permission>hudson.model.Item.Cancel:jenkins-admin</permission>
    <permission>hudson.model.Item.Configure:jenkins-admin</permission>
    <permission>hudson.model.Item.Create:jenkins-admin</permission>
    <permission>hudson.model.Item.Delete:jenkins-admin</permission>
    <permission>hudson.model.Item.Discover:jenkins-admin</permission>
    <permission>hudson.model.Item.Read:jenkins-admin</permission>
    <permission>hudson.model.Item.Workspace:jenkins-admin</permission>
    <permission>hudson.model.View.Configure:jenkins-admin</permission>
    <permission>hudson.model.View.Create:jenkins-admin</permission>
    <permission>hudson.model.View.Delete:jenkins-admin</permission>
    <permission>hudson.model.View.Read:jenkins-admin</permission>
  </authorizationStrategy>

To reset it without disabling security if you're using matrix permissions (probably easily adaptable to other login methods):

1. In config.xml, set disableSignup to false.
2. Restart Jenkins.
3. Go to the Jenkins web page and sign up with a new user.
4. In config.xml, duplicate one of the <permission>hudson.model.Hudson.Administer:username</permission> lines and replace username with the new user.
5. If it's a private server, set disableSignup back to true in config.xml.
6. Restart Jenkins.
7. Go to the Jenkins web page and log in as the new user.
8. Reset the password of the original user.
9. Log in as the original user.

Optional cleanup:

1. Delete the new user.
2. Delete the temporary <permission> line in config.xml.

No securities were harmed during this answer.

To disable Jenkins security in simple steps in Linux, run these commands:

sudo ex +g/useSecurity/d +g/authorizationStrategy/d -scwq /var/lib/jenkins/config.xml
sudo /etc/init.d/jenkins restart

It will remove useSecurity and authorizationStrategy lines from your config.xml root config file and restart your Jenkins.

See also: Disable security at Jenkins website

After gaining the access to Jenkins, you can re-enable security in your Configure Global Security page by choosing the Access Control/Security Realm. After than don't forget to create the admin user.

On the offchance you accidentally lock yourself out of Jenkins due to a permission mistake, and you dont have server-side access to switch to the jenkins user or root... You can make a job in Jenkins and add this to the Shell Script:

sed -i 's/<useSecurity>true/<useSecurity>false/' ~/config.xml

Then click Build Now and restart Jenkins (or the server if you need to!)

\.jenkins\secrets\initialAdminPassword

Copy the password from the initialAdminPassword file and paste it into the Jenkins.

In order to remove the by default security for jenkins in Windows OS,

You can traverse through the file Config.xml created inside /users/{UserName}/.jenkins.

Inside this file you can change the code from

<useSecurity>true</useSecurity>

To,

<useSecurity>false</useSecurity>

changing the <useSecurity>true</useSecurity> to <useSecurity>false</useSecurity> will not be enough, you should remove <authorizationStrategy> and <securityRealm> elements too and restart your jenkins server by doing sudo service jenkins restart .

remember this, set <usesecurity> to false only may cause a problem for you, since these instructions are mentioned in thier official documentation here.

1 first check location if you install war or Linux or windows based on that

for example if war under Linux and for admin user

/home/"User_NAME"/.jenkins/users/admin/config.xml

go to this tag after #jbcrypt:

<passwordHash>#jbcrypt:$2a$10$3DzCGLQr2oYXtcot4o0rB.wYi5kth6e45tcPpRFsuYqzLZfn1pcWK</passwordHash>

change this password using use any website for bcrypt hash generator

https://www.dailycred.com/article/bcrypt-calculator

make sure it start with $2a cause this one jenkens uses

We can reset the password while leaving security on.

The config.xml file in /var/lib/Jenkins/users/admin/ acts sort of like the /etc/shadow file Linux or UNIX-like systems or the SAM file in Windows, in the sense that it stores the hash of the account's password.

If you need to reset the password without logging in, you can edit this file and replace the old hash with a new one generated from bcrypt:

$ pip install bcrypt
$ python
>>> import bcrypt
>>> bcrypt.hashpw("yourpassword", bcrypt.gensalt(rounds=10, prefix=b"2a"))
'YOUR_HASH'

This will output your hash, with prefix 2a, the correct prefix for Jenkins hashes.

Now, edit the config.xml file:

...
<passwordHash>#jbcrypt:REPLACE_THIS</passwordHash>
...

Once you insert the new hash, reset Jenkins:

(if you are on a system with systemd):

sudo systemctl restart Jenkins

You can now log in, and you didn't leave your system open for a second.

step-1 : go to the directory cd .jenkins/secrets then you will get a 'initialAdminPassword'.

step-2 : nano initialAdminPassword

you will get a password

Easy way out of this is to use the admin psw to login with your admin user:

• Change to root user: sudo su -
• Copy the password: xclip -sel clip < /var/lib/jenkins/secrets/initialAdminPassword
• Login with admin and press ctrl + v on password input box.

Install xclip if you don't have it:

• $ sudo apt-get install xclip

Jenkins over KUBENETES and Docker

In case of Jenkins over a container managed by a Kubernetes POD is a bit more complex since: kubectl exec PODID --namespace=jenkins -it -- /bin/bash will you allow to access directly to the container running Jenkins, but you will not have root access, sudo, vi and many commands are not available and therefore a workaround is needed.

Use kubectl describe pod [...] to find the node running your Pod and the container ID (docker://...)

• SSH into the node
• run docker exec -ti -u root -- /bin/bash to access the container with Root privileges
• apt-get update
• sudo apt-get install vim

The second difference is that the Jenkins configuration file are placed in a different path that corresponds to the mounting point of the persistent volume, i.e. /var/jenkins_home, this location might change in the future, check it running df.

Then disable security - change true to false in /var/jenkins_home/jenkins/config.xml file.

<useSecurity>false</useSecurity>

Now it is enough to restart the Jenkins, action that will cause the container and the Pod to die, it will created again in some seconds with the configuration updated (and all the chance like vi, update erased) thanks to the persistent volume.

The whole solution has been tested on Google Kubernetes Engine. UPDATE Notice that you can as well run ps -aux the password in plain text is shown even without root access.

jenkins@jenkins-87c47bbb8-g87nw:/$ps -aux
[...]
jenkins [..] -jar /usr/share/jenkins/jenkins.war --argumentsRealm.passwd.jenkins=password --argumentsRealm.roles.jenkins=admin
[...]

I had a similar issue, and following reply from ArtB,

I found that my user didn't have the proper configurations. so what I did:

Note: manually modifying such XML files is risky. Do it at your own risk. Since I was already locked out, I didn't have much to lose. AFAIK Worst case I would have deleted the ~/.jenkins/config.xml file as prev post mentioned.

**> 1. ssh to the jenkins machine

1. cd ~/.jenkins (I guess that some installations put it under /var/lib/jenkins/config.xml, but not in my case )
2. vi config.xml, and under authorizationStrategy xml tag, add the below section (just used my username instead of "put-your-username")
3. restart jenkins. in my case as root service tomcat7 stop; ; service tomcat7 start
4. Try to login again. (worked for me)**

under

add:

<permission>hudson.model.Computer.Build:put-your-username</permission>
<permission>hudson.model.Computer.Configure:put-your-username</permission>
<permission>hudson.model.Computer.Connect:put-your-username</permission>
<permission>hudson.model.Computer.Create:put-your-username</permission>
<permission>hudson.model.Computer.Delete:put-your-username</permission>
<permission>hudson.model.Computer.Disconnect:put-your-username</permission>
<permission>hudson.model.Hudson.Administer:put-your-username</permission>
<permission>hudson.model.Hudson.ConfigureUpdateCenter:put-your-username</permission>
<permission>hudson.model.Hudson.Read:put-your-username</permission>
<permission>hudson.model.Hudson.RunScripts:put-your-username</permission>
<permission>hudson.model.Hudson.UploadPlugins:put-your-username</permission>
<permission>hudson.model.Item.Build:put-your-username</permission>
<permission>hudson.model.Item.Cancel:put-your-username</permission>
<permission>hudson.model.Item.Configure:put-your-username</permission>
<permission>hudson.model.Item.Create:put-your-username</permission>
<permission>hudson.model.Item.Delete:put-your-username</permission>
<permission>hudson.model.Item.Discover:put-your-username</permission>
<permission>hudson.model.Item.Read:put-your-username</permission>
<permission>hudson.model.Item.Workspace:put-your-username</permission>
<permission>hudson.model.Run.Delete:put-your-username</permission>
<permission>hudson.model.Run.Update:put-your-username</permission>
<permission>hudson.model.View.Configure:put-your-username</permission>
<permission>hudson.model.View.Create:put-your-username</permission>
<permission>hudson.model.View.Delete:put-your-username</permission>
<permission>hudson.model.View.Read:put-your-username</permission>
<permission>hudson.scm.SCM.Tag:put-your-username</permission>

Now, you can go to different directions. For example I had github oauth integration, so I could have tried to replace the authorizationStrategy with something like below:

Note:, It worked in my case because I had a specific github oauth plugin that was already configured. So it is more risky than the previous solution.

  <authorizationStrategy class="org.jenkinsci.plugins.GithubAuthorizationStrategy" plugin="github-oauth@0.14">
    <rootACL>
      <organizationNameList class="linked-list">
        <string></string>
      </organizationNameList>
      <adminUserNameList class="linked-list">
        <string>put-your-username</string>
        <string>username2</string>
        <string>username3</string>
        <string>username_4_etc_put_username_that_will_become_administrator</string>
      </adminUserNameList>
      <authenticatedUserReadPermission>true</authenticatedUserReadPermission>
      <allowGithubWebHookPermission>false</allowGithubWebHookPermission>
      <allowCcTrayPermission>false</allowCcTrayPermission>
      <allowAnonymousReadPermission>false</allowAnonymousReadPermission>
    </rootACL>
  </authorizationStrategy>

Edit the file $JENKINS_HOME/config.xml and change de security configuration with this:

<authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>

After that restart Jenkins.