I don't know that this is a bug or a feature, but I've noticed, that one cannot authenticate with a valid account through cli without giving Overall read permission for the Anonymous account.
I'm using LDAP security, and if I remove that right from Anonymous, I get the

build:~# java -jar jenkins-cli.jar -s http://localhost:8080/ help --username tyrael --password-file pwd
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:61)
at hudson.cli.CLI.<init>(CLI.java:91)
at hudson.cli.CLI.<init>(CLI.java:63)
at hudson.cli.CLI.main(CLI.java:176)

the same command works if I set the above mentioned right to the Anonymous account.