Thursday, June 23, 2011

Public Key Authentication in Jenkins CLI

In Jenkins, the security mechanism is completely pluggable (see my earlier webinar for more details). While this is a good thing, it does make my life difficult in several places. One of them is authenticating users in the Jenkins CLI.

For those of you who haven't heard of Jenkins CLI, it is yet another mechanism to non-interactively access Jenkins from a remote machine and perform a bunch of useful operations, such as creating a job or starting a build.

Jenkins is primarily a web app, so some of its authentication mechanisms revolve around web protocols that are just plain impossible to use for authenticating CLI clients (think OpenID and OAuth). So up until now, support for authentication in Jenkins CLI was limited to those security realms that use a username and password.

This is where one of the fruits of the JAX San Jose Jenkins hackathon comes into play.

Starting with 1.419 (which will be out July 4th), Jenkins CLI supports authentication based on an SSH key pair. Just like CloudBees DEV@cloud (or GitHub, or other similar sites), you log in interactively from the web UI, then associate your public keys with your user account. The CLI then silently authenticates itself using your ~/.ssh/id_rsa, ~/.ssh/id_dsa, or ~/.ssh/identity.

Aside from the fact that this is completely independent of the authentication mechanism currently employed on your Jenkins, what I really like about this is that in many places you already use SSH public keys to access Git or Subversion, or to do deployments. So it nicely takes advantage of your existing investment, and "it just works."

See the Wiki page about Jenkins CLI for more details, and I hope you like this.

Kohsuke Kawaguchi

2 comments:

  1. Using ssh public keys for API authentication is brilliant! Hopefully this becomes a trend in authentication for developer end-users. Probably not great for non-developers but for developers - perfecto!

  2. The seminar is missing on - http://blog.cloudbees.com/2011/04/tgif-gift-video-recording-slides-of.html .

    I have my Jenkins and my GIT on the same server.
    All my members are using key-based ssh login to GIT.
    How can I let a user in 'Jenkins' Checkout my code from git with a key-based-login?

    Regards, i
