lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Jenkins

Jenkins projectCI/CD6 credentials

Credentials6 documented
01

Initial Admin Password

jenkins / initial-admin-password

New Jenkins controllers generate an administrator unlock password during first startup. The setup wizard requires this password before plugin installation and first-user creation can continue.

generated on installsecretpassword

Looks like

example
example

automatically generated alphanumeric setup password; the value is printed in the console log and stored in initialAdminPassword

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Location

config file
/var/lib/jenkins/secrets/initialAdminPassword

default Linux package location documented by Jenkins

config file
/var/jenkins_home/secrets/initialAdminPassword

official jenkins/jenkins Docker image home directory

logs

Jenkins startup console log, between separator lines

public interface

Unlock Jenkins setup wizard administrator password field

Notes

This is not a reusable default login. It is a per-controller bootstrap secret used only to unlock the initial setup wizard, but leaked images, console logs, and copied JENKINS_HOME directories can preserve it long enough to matter during new deployments.

02

Local User / Administrator Password

jenkins / local-user-admin-password

Jenkins' own user database is the default security realm on modern Jenkins installations. Users, including the first administrator created during setup, authenticate with username/password credentials stored in per-user configuration under JENKINS_HOME.

user definedsecretusername/password

Looks like

pattern
pattern

Jenkins private security realm password hash in a user config.xml; the hash has no useful product-specific specimen beyond the XML key name

<passwordHash>[^<]+</passwordHash>
pattern

raw Basic-auth username:password form before Base64 encoding; request context identifies Jenkins

[^\s:@]+:[^\s:]+

Location

config file
$JENKINS_HOME/users/*/config.xml

per-user configuration for Jenkins' own user database

public interface
/login

Jenkins web login for local users and administrators

public interface
/job/*/build, /script, /computer/*

HTTP Basic authentication in older scripted-client flows

source code

legacy scripts and integrations that embed real Jenkins passwords

Notes

There is no universal shipped Jenkins administrator login. The initial-admin-password is a generated setup unlock secret, then the first administrator account is created by the setup flow or by an operator. Modern scripted clients should use API tokens instead of real passwords, but real password Basic auth is still supported for password-based security realms.

03

System Credentials Store

jenkins / system-credentials-store

Jenkins stores global credentials such as secret text, usernames and passwords, secret files, and SSH private keys in the system credentials provider. The credentials file is encrypted with Jenkins controller secrets that also live under JENKINS_HOME.

user definedsecretsecret value

Looks like

pattern
pattern

encrypted credential value in Jenkins XML; key names identify the credential, and the opaque value is only useful with the controller secret material

<(secret|password|privateKey)>\\{?[A-Za-z0-9+/=]+\\}?</(secret|password|privateKey)>

Location

config file
$JENKINS_HOME/credentials.xml

system credentials provider configuration file

config file
$JENKINS_HOME/secrets/master.key

unencrypted master key used to protect Jenkins encryption keys

config file
$JENKINS_HOME/secrets/hudson.util.Secret

common Jenkins secret key id used for generic secrets

build artifact

controller backups, copied JENKINS_HOME directories, images

Notes

credentials.xml by itself usually contains encrypted values. The security boundary is the controller filesystem: if an attacker obtains credentials.xml together with secrets/master.key and the relevant files under $JENKINS_HOME/secrets, Jenkins' own APIs can decrypt stored credentials offline or inside a copied controller home.

04

User API Token

jenkins / user-api-token

Jenkins users can create API tokens and use them with HTTP Basic authentication for scripted clients. The token is supplied in place of the user's password for operations that require authorization.

user definedsecrettoken

Looks like

pattern
pattern

no stable vendor prefix; identify Jenkins API tokens by context, such as curl, wget, or library code using a Jenkins username with an API token as the Basic-auth password

[A-Za-z0-9]{20,}

Location

source code

scripts, Jenkins client configuration, curl/wget commands

environment
JENKINS_USER, JENKINS_TOKEN, JENKINS_API_TOKEN
config file

CI/CD tool configs and local credential helpers that call Jenkins

Notes

Jenkins documentation explicitly recommends API tokens over real user passwords for scripted clients. A leaked token has the permissions of the user that created it, so administrator-owned automation tokens are equivalent to administrative Jenkins access.

05

Inbound Agent Secret

jenkins / inbound-agent-secret

Jenkins inbound agents authenticate to the controller with a generated secret shown in the agent launch command. The secret is passed to agent.jar with the -secret argument together with the controller URL and agent name.

generated on installsecretsecret value

Looks like

pattern
pattern

agent.jar launch command argument; the exact secret is generated per agent and should be identified by the surrounding Jenkins agent command context

-secret\s+[A-Fa-f0-9]{32,}|-secret\s+[^\s]+

Location

public interface
/computer/<agent-name>/

agent page showing the inbound launch command to authorized users

config file

service wrappers, scheduled tasks, systemd units, and launch scripts on agents

source code

infrastructure-as-code or bootstrap scripts that start Jenkins agents

logs

process listings and command logs that capture the agent.jar invocation

Notes

A leaked inbound-agent secret lets an attacker connect a process as that Jenkins agent if the controller accepts inbound connections for the node. The blast radius is the jobs and workspaces scheduled onto that agent, including secrets exposed to builds running there.

06

SSH Private Key Credential

jenkins / ssh-private-key-credential

Jenkins credential stores commonly hold SSH private keys for Git, deployment, agent launch, and infrastructure automation. The private key can be stored directly in Jenkins credentials or loaded from a file on the controller or agent.

user definedsecretkey pair

Looks like

pattern
pattern

identified by the PEM/OpenSSH header line; a full private-key specimen would be multi-line and not useful as a compact example

-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----

Location

config file
$JENKINS_HOME/credentials.xml

encrypted private key material in the Jenkins credentials store

config file
~/.ssh/id_*

controller or agent filesystem keys referenced by jobs

secret store

Jenkins credential bindings and pipeline credentials

source code

Jenkinsfiles and shared libraries that bind SSH credentials

Notes

Scope is defined outside Jenkins by the systems that trust the key: Git hosting, SSH targets, deployment bastions, or agent launchers. The Jenkins credential record may look like an ordinary encrypted XML value, but the decrypted private key often grants access beyond the Jenkins controller itself.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.