After Jenkins installs, I want to set it up to use PAM for authentication. Of course there is a pam-auth plugin - not available in available plugins, because it appears to have been installed by default! Good news. And it is even enabled!
Now, how does one configure Jenkins to use it? Under Manage Jenkins -> Security, in the Security Realm there is no PAM option. Clicking through other items under Manage Jenkins, I can find no other place that appears relevant in specifying to use the pam-auth plugin.
I have not found any documentation on how to configure the pam-auth plugin for use once it is installed and enabled.
Jenkins is 2.426.1. PAM Authentication plugin is 1.10.
EDIT TO ADD:
OS: AlmaLinux release 9.3
There is a "Unix user/group database" security realm option in Jenkins. It is not clear that it results in using pam-auth. On the "Securing Jenkins/Managing Security" page, it says:
Unix user/group database
Delegates the authentication to the underlying Unix OS-level user database on the Jenkins controller. This mode will also allow re-use of Unix groups for authorization. For example, Jenkins can be configured such that "Everyone in the developers group has administrator access." To support this feature, Jenkins relies on PAM which may need to be configured external to the Jenkins environment.
When selecting it and then clicking the Test button, it results in: "Either Jenkins needs to run as root or User ‘jenkins’ needs to belong to group root and ‘chmod g+r /etc/shadow’ needs to be done to enable Jenkins to read /etc/shadow"
The IT administrator says "Ewww", but does it anyways. And it works. However, it seems problematic giving permission to the shadow file if it will end up being bypassed anyway.
Looking at the code on GitHub around line 178, there is an explicit check for "/etc/shadow" which may be causing this. But it is unclear why this plugin even needs to check for "/etc/shadow", since that file should be bypassed when using PAM. Is this a bug, or is there some other configuration that can bypass it?
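An added example, not part of the original post and not code from the plugin: a shell audit of which accounts gain read access to the shadow file once the group-read bit is set as the Test message asks. The function names `shadow_group_readers` and `make_sample`, and the passwd/group contents, are constructed for illustration.

```shell
#!/bin/sh
# shadow_group_readers MODE GROUP PASSWD_FILE GROUP_FILE
# Prints the accounts that can read a file with octal MODE owned by GROUP
# through the group-read bit (space separated, sorted).
shadow_group_readers() {
    mode=$1 group=$2 passwd_file=$3 group_file=$4
    # No group-read bit set: nobody gains access through the group.
    [ $(( 0$mode & 040 )) -ne 0 ] || return 0
    gid=$(awk -F: -v g="$group" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0
    {
        # Supplementary members listed in the group file.
        awk -F: -v g="$group" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$group_file"
        # Accounts whose primary GID is the group.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u | paste -sd ' ' -
}

# Constructed sample data: 'jenkins' added to group root as the message asks,
# plus a constructed 'backup' account whose primary GID is 0.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jenkins:x:985:985:Jenkins:/var/lib/jenkins:/bin/false
backup:x:1001:0:constructed:/home/backup:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:jenkins
jenkins:x:985:
alice:x:1002:
EOF
}

sample_dir=$(mktemp -d)
make_sample "$sample_dir"
# Mode 40 is what 'chmod g+r' produces on a shadow file that was mode 0.
echo "group-readable by: $(shadow_group_readers 40 root "$sample_dir/passwd" "$sample_dir/group")"
rm -rf "$sample_dir"
```

On a live host with GNU coreutils, the same function can be called as `shadow_group_readers "$(stat -c %a /etc/shadow)" "$(stat -c %G /etc/shadow)" /etc/passwd /etc/group`; accounts that come from non-file sources such as LDAP are not covered by this file-based check.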