Jenkins user conflicts with another LDAP jenkins user

Hello Community,

I have an LDAP-enabled Rocky 8.8 system. I installed Jenkins on that server. But it seems that there already exists an LDAP user called jenkins with its home directory at /home/jenkins. The following is the result of id jenkins.

[root@devops ~]$ id jenkins
uid=151(jenkins) gid=1500(masked) groups=1500(masked)

I am a new user of Jenkins. Will there be any issue now or in the future considering this fact?

I can see that when I connect an agent to my jenkins controller, the log shows that it is taking the known_hosts file from /home/jenkins instead of /var/lib/jenkins which is described in jenkins.service file. How do I make it search for known_hosts in /var/lib/jenkins/.ssh?

Warning: no key algorithms provided; JENKINS-42959 disabled
SSHLauncher{host='10.XXX.XXX.XXX', port=22, credentialsId='SAN_ca', jvmOptions='', javaPath='/usr/bin/java', prefixStartSlaveCmd='', suffixStartSlaveCmd='', launchTimeoutSeconds=60, maxNumRetries=10, retryWaitTime=15, sshHostKeyVerificationStrategy=hudson.plugins.sshslaves.verifiers.KnownHostsFileKeyVerificationStrategy, tcpNoDelay=true, trackCredentials=true}
[06/14/24 14:55:12] [SSH] Opening SSH connection to 10.XXX.XXX.XXX:22.
Searching for 10.XXX.XXX.XXX in /home/jenkins/.ssh/known_hosts
Searching for 10.XXX.XXX.XXX:22 in /home/jenkins/.ssh/known_hosts
[06/14/24 14:55:12] [SSH] SSH host key matches key in Known Hosts file. Connection will be allowed.

An excerpt from my jenkins.service file is as follows:

[Unit]
Description=Jenkins Continuous Integration Server
Requires=network.target
After=network.target

[Service]
Type=notify
NotifyAccess=main
ExecStart=/usr/bin/jenkins
Restart=on-failure
SuccessExitStatus=143

# Unix account that runs the Jenkins daemon
# Be careful when you change this, as you need to update the permissions of
# $JENKINS_HOME, $JENKINS_LOG, and (if you have already run Jenkins)
# $JENKINS_WEBROOT.
User=jenkins
Group=jenkins

# Directory where Jenkins stores its configuration and workspaces
Environment="JENKINS_HOME=/var/lib/jenkins"
WorkingDirectory=/var/lib/jenkins

# Location of the Jenkins WAR
#Environment="JENKINS_WAR=/usr/share/java/jenkins.war"

# Location of the exploded WAR
Environment="JENKINS_WEBROOT=%C/jenkins/war"

# Arguments for the Jenkins JVM
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Djava.io.tmpdir=/var/cache/jenkins/tmp/ -Dorg.apache.commons.jelly.tags.fmt.timeZone=Europe/Helsinki -Duser.timezone=Europe/Helsinki"

Thank you for your time.


Jenkins setup:

Jenkins: 2.452.2
OS: Linux - 6.1.53-1.x86_64
Java: 21.0.3 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)


When you configure agents with SSH, you have the choice of how to verify the host key. By default it will use the known_hosts file from the user's HOME directory, which in your case is /home/jenkins.
For now I don’t expect any issues with that. The only concern might be that the user is in LDAP and you’re not controlling the user. So if the one that added the user to LDAP decides that it should be removed you might have a problem that suddenly the user is not found anymore when the service starts.

@mawinter69 Thank you for your reply.

Why is it that the home directory does not get picked up from JENKINS_HOME variable?

Can you suggest any alternate ways to configure Jenkins to go around this issue? How about running Jenkins with a different user name like myjenkins?

I plan to do

systemctl stop jenkins.service

systemctl --full edit jenkins.service

modify
User=myjenkins
Group=myjenkins

systemctl start jenkins.service

What do you think about this?

Thank you very much for your time.

The HOME directory is tied to the user at OS level and has nothing to do with Jenkins.
You can run Jenkins as a different user, but I'm not sure how this behaves when you update Jenkins with a package manager. A while ago I noticed that the update was resetting ownership of /var/lib/jenkins and some other folders.

You can also avoid the known_hosts file being used by changing the configuration of your SSH agents to either manually provide the host key (a bit cumbersome when you have many agents), accept the host key on first use, or manually approve it.
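An added check and configuration sketch in POSIX shell (not code from the thread or from Jenkins): it derives the known_hosts path from a passwd entry the way the OS does, tells a local account apart from a directory-sourced one, and emits a systemd drop-in for the myjenkins plan discussed above. It assumes the ssh-slaves known_hosts verifier builds its path from Java's user.home, and the passwd lines are constructed samples.

```shell
#!/bin/sh
# Constructed samples standing in for `getent passwd jenkins` and /etc/passwd.
SAMPLE_GETENT='jenkins:*:151:1500:Jenkins (LDAP):/home/jenkins:/bin/bash'
SAMPLE_LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
myjenkins:x:990:990:Jenkins CI:/var/lib/jenkins:/sbin/nologin'

# On Linux, Java's user.home comes from the account's passwd entry (field 6),
# not from $HOME or JENKINS_HOME; the plugin appends .ssh/known_hosts to it.
passwd_home() { printf '%s\n' "$1" | cut -d: -f6; }
known_hosts_path() { printf '%s/.ssh/known_hosts\n' "$(passwd_home "$1")"; }

# "local" if the name is in the local passwd content, otherwise it was supplied
# by NSS (LDAP/SSSD) and can be changed or removed outside this host.
account_source() {  # $1=user $2=passwd file content
  if printf '%s\n' "$2" | grep -q "^$1:"; then echo local; else echo directory; fi
}

# Drop-in (systemctl edit jenkins.service) that runs Jenkins as a local account
# and pins user.home so the known_hosts lookup follows JENKINS_HOME.
# Keys are case-sensitive (User=, not user=). Re-assigning JAVA_OPTS replaces the
# unit's value, so copy the other flags from the unit into this line. Afterwards
# chown JENKINS_HOME, the log and cache directories to the new account.
drop_in_for() {  # $1=user $2=group $3=JENKINS_HOME
  printf '[Service]\nUser=%s\nGroup=%s\n' "$1" "$2"
  printf 'Environment="JAVA_OPTS=-Djava.awt.headless=true -Duser.home=%s"\n' "$3"
}

# Live report for a real account (needs getent; not exercised by the sample data).
live_report() {
  entry=$(getent passwd "$1") || { echo "no such user: $1"; return 1; }
  printf '%s: source=%s known_hosts=%s\n' "$1" \
    "$(account_source "$1" "$(cat /etc/passwd)")" "$(known_hosts_path "$entry")"
}
```

Run live_report jenkins on the controller to confirm which account and which known_hosts path the service will actually use before editing the unit.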