KBEC-00368 - Passwordless credentials

Article ID:360032825952
2 minute readKnowledge base


This document describes how to configure impersonation using passwordless credentials to allow an agent user (for example, ecbuild) on Ubuntu to su to another user without a password.


The following procedures show how to configure passwordless credentials. In this example, the CloudBees CD (CloudBees Flow) agent runs under a user named ecbuild, and the following procedures show how to allow this user to su - testuser without a password.

Configuring the Agent Machine

Perform the following steps on each agent machine:

  1. (Optional) If you do not want to use an existing group, create a group by entering

    `sudo addgroup `

  2. (Optional) If you do not want to use an existing user, create a user by entering

    `sudo adduser `

  3. Make the password empty by entering

    `sudo passwd -d `

  4. Allow the ecbuild user to su - ` by adding the following two lines to the `/etc/pam.d/su file just below the pam_rootok.so line:

        auth       [success=ignore default=1] pam_succeed_if.so user = testuser
        auth       sufficient   pam_succeed_if.so use_uid user = ecbuild

    The first line ensures that the target user is testuser. If it is, the next line takes
    control and authorizes the su if the calling user is ecbuild.

    You can also restrict su to a group. In the following example, the group
    allowedpeople can su without a password:

    auth sufficient pam_succeed_if.so use_uid user ingroup allowedpeople

    Now you can run a procedure with credentials other than the ecbuild user without
    specifying a password for this user.

Adding a New Credential to a Project

  1. Open a project in the Automation Platform and click the Credentials tab.

    For example:

  2. On the right side of the tab, click the Create Credential button.

    The New Credential dialog box appears:

  3. Fill in the fields. For example:


    Note that you do not need to enter a password in this dialog box. The
    credential name (the Name field) can be different than the user name.

  4. Click OK.

Adding a New Credential to a Procedure

For every procedure that you want to run with the new credential:

  1. Click the Use specific credential radio button.

  2. Specify the Credential Name that you specified in the Name field above.

  3. Click OK.

Running the Procedure to Test the Configuration

  1. Click the Run button on the procedure to execute the procedure.

  2. Check the Job Step Details >General tab for the job step that you just ran to ensure that the job was executed with the specified credential.

    For example: