Bug
Resolution: Won't Fix
Critical
Hi,
If a user has a very old passwordHash defined in users/foo_xx/config.xml, the new LTS release may lock the user out of Jenkins.
This happened with my admin user (set up around 2012). I spent > 1 day figuring this out and ruling out a security incident and would greatly appreciate it if this was mentioned in the release notes of 2.277. I upgraded from 2.268.
Is duplicated by: JENKINS-64573 Cannot login in after 2.264 (Closed)
Hi Mark, thank you for a thorough and quick follow-up.
I can confirm that the passwordHash did not contain a hash starting with #jbcrypt, something that suggests that the install was even older than I stated. I think it might be as old as from 2010.
Another issue that I had was that there were two admin entries in the users directory, but only one in the users.xml file. I do not know if the other entry was seen by Jenkins at all or if it just existed in the directory without affecting any code at all.
> Did you follow the instructions in the Jenkins 2.277.1 upgrade guide by updating your authentication plugins before the upgrade to 2.277.1?
I have made sure that all plugins have been up to date at all times. It was my understanding reading the guide that that was what was needed.
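
A pre-upgrade check for the two conditions described in this report, added here as an example (it is not part of the original issue or of Jenkins): it flags every users/*/config.xml whose stored passwordHash does not start with #jbcrypt, and every user directory that users.xml does not list. Assumptions: the hash sits in an element named passwordHash, users.xml names directories in `<string>` elements, the function names are hypothetical, and the sample tree is constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

BCRYPT_PREFIX = "#jbcrypt"  # prefix named in the report
DECL = "<?xml version='1.1' encoding='UTF-8'?>\n"  # declaration used in the sample files

def load(path):
    """Parse a Jenkins XML file; return None if it is missing or malformed."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
        # Python's expat-based parser does not accept XML 1.1; drop the declaration.
        return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1))
    except (ET.ParseError, OSError):
        return None

def classify(config_path):
    """Return 'bcrypt', 'legacy', 'no-hash' or 'unreadable' for one user config.xml."""
    root = load(config_path)
    if root is None:
        return "unreadable"
    hashes = [e.text.strip() for e in root.iter("passwordHash") if e.text and e.text.strip()]
    if not hashes:
        return "no-hash"  # no locally stored password in this file
    return "bcrypt" if all(h.startswith(BCRYPT_PREFIX) for h in hashes) else "legacy"

def audit(jenkins_home):
    """Map each users/ directory to (hash status, listed in users.xml)."""
    users = Path(jenkins_home) / "users"
    index = load(users / "users.xml")  # assumption: directory names sit in <string> elements
    listed = {e.text for e in index.iter("string")} if index is not None else set()
    return {c.parent.name: (classify(c), c.parent.name in listed)
            for c in sorted(users.glob("*/config.xml"))}

def build_sample(home):  # constructed data: one bcrypt user, one unlisted legacy user
    def user(dirname, stored):
        p = Path(home) / "users" / dirname
        p.mkdir(parents=True)
        (p / "config.xml").write_text(f"{DECL}<user><passwordHash>{stored}</passwordHash></user>")
    user("admin_111", "#jbcrypt:$2a$10$CONSTRUCTED.SAMPLE.VALUE")
    user("admin_222", "constructedsalt:0123456789abcdef")
    (Path(home) / "users" / "users.xml").write_text(
        f"{DECL}<map><entry><string>admin</string><string>admin_111</string></entry></map>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        print(audit(home))
```

Run `audit()` against a copy of the Jenkins home before upgrading; any directory reported as `legacy`, or as not listed in users.xml, is worth reviewing while the account can still log in.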