Jumpserver (bastion host, "fortress machine") open source version: an illustrated explanation

1. Basic overview of jumpserver

1. What is a springboard machine (jump host)

A springboard machine is a server that has both a public network address and an intranet address. When developers or operation and maintenance staff need to maintain the internal cluster services, they all first log in to the springboard machine, and then log in to the target cluster servers through the springboard machine's intranet.

2. Defects of the springboard machine

The operation behaviour of operation and maintenance staff cannot be controlled or audited. Misoperation still happens while using the springboard machine, and unauthorized operations will lead to failures. Once an operational accident occurs, it is difficult to quickly locate the cause and the responsible person. This is where the fortress machine comes in.

3. What is a fortress machine (bastion host)

A fortress machine builds on the springboard machine: it lets operation and maintenance staff work on the target cluster servers more securely and provides a security guarantee through:

  • 1. Centralized asset management (unified management)
  • 2. Auditing: recording and video playback of operation records
  • 3. Restricting the execution of dangerous commands such as rm and dd
  • 4. Restricting the identity and permissions used to log in to the target server

4. Why use a fortress machine

First, the fortress machine provides the 4A model for operation and maintenance security auditing:
Authentication: identity authentication, preventing identity misuse and reuse
Authorization: authorization control, preventing internal misoperation and abuse of privileges
Accounting: account management, personnel and asset management
Auditing: the basis for security audits, tracing and analyzing accidents
Second, the construction goal of a fortress machine can be summarized as 5W, mainly to reduce operation and maintenance risk:
What (audit): what did you do?
Which (authorization): what can you do?
Where (account): where are you going?
Who (authentication): who are you?
When (source): when did you access?
The fortress machine's functions make operation and maintenance safer and logging in to target assets more convenient.
A fortress machine can also help enterprises quickly build "identity authentication, access control and security audit" capabilities, and helps them meet the new Multi-Level Protection Scheme (等保 2.0) requirements. What is MLPS (等保)?

All enterprises need a fortress machine, because it is an important component for carrying out "asset management, operation and maintenance, and security auditing".

5. What is Jumpserver

JumpServer is the world's first fully open source fortress machine, released under the GNU GPL v2.0 license; it is a professional operation and maintenance audit system that conforms to 4A.
JumpServer is developed in Python / Django, follows the Web 2.0 specification, and ships with an industry-leading Web Terminal solution with a polished interactive interface and a good user experience.
JumpServer adopts a distributed architecture and supports multi-machine-room, cross-regional deployment. The central node provides the API, and each machine room deploys login nodes, which can be scaled horizontally without limits on concurrent access.
JumpServer currently supports managing assets over the SSH, Telnet, RDP and VNC protocols.

Jumpserver main components

Jumpserver: provides the management backend. Administrators perform asset management, user management, asset authorization and other operations through its web pages.
koko: provides the SSH server and the Web terminal server used to log in to assets
Lina, Luna: provide the web front-end pages (Luna will be integrated into Lina in the future)
Guacamole: provides the RDP function; users can log in to Windows assets this way (currently accessible only through the Web Terminal)

Jumpserver features and advantages

  • Open source: zero threshold, quick to obtain and install online;
  • Distributed: easily supports large-scale concurrent access;
  • No plug-ins: only a browser is needed, with the best Web Terminal experience;
  • Multi-cloud support: one system manages assets on different clouds at the same time;
  • Cloud storage: audit recordings are stored in the cloud and are never lost;
  • Multi-tenancy: one system used by multiple subsidiaries and departments at the same time.

Jumpserver infrastructure diagram

Jumpserver functions
1. The product is highly decoupled, which makes later distributed deployment and horizontal scaling convenient
2. Centralized, unified management of servers across the country

2. JumpServer installation and configuration (see the official installation and deployment documents)

2.1 deployment of the core component jumpserver

① Install Python 3.6, MySQL (MariaDB) and Redis

[root@jumpserver ~]# yum install python3 python3-devel mariadb-server mariadb redis -y
[root@jumpserver ~]# systemctl enable mariadb redis
[root@jumpserver ~]# systemctl start mariadb redis

② Set the database password, then create the corresponding jumpserver database

[root@jumpserver ~]# mysqladmin password boy123.com
[root@jumpserver ~]# mysql -uroot -pboy123.com
MariaDB [(none)]> create database jumpserver default charset 'utf8' collate 'utf8_bin';
MariaDB [(none)]>

③ Create a Python virtual environment and activate it

[root@jumpserver ~]# python3.6 -m venv /opt/py3
[root@jumpserver ~]# source /opt/py3/bin/activate
(py3) [root@jumpserver ~]# 

④ Install the jumpserver core package

I upload the software package locally

(py3) [root@jumpserver ~]# cd /opt
(py3) [root@jumpserver opt]# tar xf jumpserver-v2.2.2.tar.gz 
(py3) [root@jumpserver opt]# mv jumpserver-v2.2.2 jumpserver

⑤ Install the jumpserver build environment dependencies

cd /opt/jumpserver/requirements
yum install -y $(cat rpm_requirements.txt)
pip install wheel -i https://mirrors.aliyun.com/pypi/simple/
pip install --upgrade pip setuptools -i https://mirrors.aliyun.com/pypi/simple/
pip install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/

⑥ Modify the configuration file

cd /opt/jumpserver && \
cp config_example.yml config.yml && \
vi config.yml

⑦ In the configuration file you need to fill in the random encryption keys (SECRET_KEY: and BOOTSTRAP_TOKEN:), which we generate with the following commands

if [ ! "$SECRET_KEY" ]; then
  SECRET_KEY=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 50`;
  echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc;
  echo $SECRET_KEY;
else
  echo $SECRET_KEY;
fi
if [ ! "$BOOTSTRAP_TOKEN" ]; then
  BOOTSTRAP_TOKEN=`cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 16`;
  echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc;
  echo $BOOTSTRAP_TOKEN;
else
  echo $BOOTSTRAP_TOKEN;
fi
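The snippet above parks the secrets in ~/.bashrc, where they persist in a world-readable-by-default shell profile. As an added example (not code from the page or the JumpServer project), the following POSIX shell writes the generated values straight into config.yml, only generates when the key is still empty, and copies the same BOOTSTRAP_TOKEN into koko's config.yml, which the koko section later requires to match the core configuration. The paths /opt/jumpserver/config.yml and /opt/koko/config.yml are assumed from this page.

```shell
#!/bin/sh
# Added example, not from the JumpServer project. Generates SECRET_KEY (50 chars) and
# BOOTSTRAP_TOKEN (16 chars) with the same alphabet as the official command, stores them
# in config.yml instead of ~/.bashrc, and syncs the token into koko's config.yml.

# Random string of $1 characters drawn from [A-Za-z0-9].
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Read the value of a top-level "KEY: value" line. $1 = file, $2 = key. Empty if unset.
get_yaml_key() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Replace (or append) a top-level "KEY: value" line. $1 = file, $2 = key, $3 = value.
# Written via a temp file so a failure mid-way never leaves a truncated config.yml.
set_yaml_key() {
    tmp="$1.tmp.$$"
    if grep -q "^$2:" "$1" 2>/dev/null; then
        sed "s|^$2:.*|$2: $3|" "$1" > "$tmp"
    else
        [ -f "$1" ] && cat "$1" > "$tmp"
        printf '%s: %s\n' "$2" "$3" >> "$tmp"
    fi
    mv "$tmp" "$1"
}

# Fill SECRET_KEY and BOOTSTRAP_TOKEN in the core config ($1, e.g. /opt/jumpserver/config.yml).
# Idempotent: an already-set value is kept, so re-running never rotates a live key.
configure_core_secrets() {
    cfg="$1"
    if [ -z "$(get_yaml_key "$cfg" SECRET_KEY)" ]; then
        set_yaml_key "$cfg" SECRET_KEY "$(gen_secret 50)"
    fi
    if [ -z "$(get_yaml_key "$cfg" BOOTSTRAP_TOKEN)" ]; then
        set_yaml_key "$cfg" BOOTSTRAP_TOKEN "$(gen_secret 16)"
    fi
    chmod 600 "$cfg"   # the file now holds the secrets; keep it readable by root only
}

# Copy the core BOOTSTRAP_TOKEN into koko's config ($2, e.g. /opt/koko/config.yml)
# so koko can register against the core. Returns 1 if the core has no token yet.
sync_bootstrap_token() {
    token="$(get_yaml_key "$1" BOOTSTRAP_TOKEN)"
    [ -n "$token" ] || return 1
    set_yaml_key "$2" BOOTSTRAP_TOKEN "$token"
}
```

Once koko has registered, the token can be removed from koko's config.yml again, as the koko template notes.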

View the generated random keys

cat ~/.bashrc

Refer to the official template (remember to edit the start of each line you need, i.e. remove the leading #)

# SECURITY WARNING: keep the secret key used in production secret!
# In the production environment of encryption secret key, please modify it to a random string. Do not disclose it. It can be generated by command
# cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
SECRET_KEY: sa1SzAAij0xGm6q35bWpiG5dwV966cryK2Ui2oeuHGQiYfJQkF

# SECURITY WARNING: keep the bootstrap token used in production secret!
# Pre-shared token used by coco and guacamole to register their service accounts, replacing the original registration acceptance mechanism

# Development env open this, when error occur display the full process track, Production disable it
# When DEBUG mode is enabled, you can see more logs when you encounter errors
DEBUG: false

# DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
# log level

# Session expiration setting, Default 24 hour, Also set expired on on browser close
# The expiration time of browser Session is 24 hours by default. You can also set it to expire when the browser is closed

# Database setting, Support sqlite3, mysql, postgres ....
# Database settings
# See https://docs.djangoproject.com/en/1.10/ref/settings/#databases

# SQLite setting:
# Using single file sqlite database
# DB_ENGINE: sqlite3

# MySQL or postgres setting like:
# Use Mysql as the database
DB_ENGINE: mysql
DB_PORT: 3306
DB_USER: root                 # The database user used here is the database's default root user
DB_PASSWORD: boy123.com       # The password we set for the root user
DB_NAME: jumpserver

# When Django start it will bind this host and port
# ./manage.py runserver
# Runtime binding port

# Use Redis as broker for celery and web socket
# Redis configuration

# Use OpenID authorization
# Use OpenID for authentication settings
# BASE_SITE_URL: http://localhost:8080
# AUTH_OPENID: false  # True or False
# AUTH_OPENID_SERVER_URL: https://openid-auth-server.com/

# Use Radius authorization
# Use Radius to authenticate
# AUTH_RADIUS: false
# RADIUS_SERVER: localhost

# CAS configuration
# AUTH_CAS': False,
# CAS_SERVER_URL': "http://host/cas/",
# CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port',  

# LDAP/AD settings
# Number of LDAP search pages
# Timing synchronization user
# Enable / disable
# Synchronization interval (unit: hour) (priority)
# Crontab expression
# When an LDAP user logs in, only users in the user list are allowed to perform LDAP Server authentication
# During LDAP authentication, if the following information appears in the log, set the parameter to 0 (for details, see: https://www.python-ldap.org/en/latest/faq.html)
# In order to perform this operation a successful bind must be completed on the connection

# OTP settings
# OTP/MFA configuration
# OTP_ISSUER_NAME: Jumpserver

# Perm show single asset to ungrouped node
# Whether to put unauthorized node assets into ungrouped nodes
# Enable scheduled tasks
# Enable secondary composite authentication configuration
# Windows login skip manual password entry

The places we need to modify are framed in red in the figure

⑧ Start the jumpserver core component

First, make sure the py3 virtual environment is loaded

source /opt/py3/bin/activate

Second, run it in the foreground to check for errors

cd /opt/jumpserver
./jms start

Finally, once there are no errors, run it in the background

./jms start -d

2.2 deployment of the core component koko

I upload the software package locally

① Upload the koko archive and initialize the koko component

(py3) [root@jumpserver opt]# tar -xf koko-v2.4.3-linux-amd64.tar.gz   # Extract the archive
(py3) [root@jumpserver opt]# mv koko-v2.4.3-linux-amd64 koko          # Rename the directory
(py3) [root@jumpserver opt]# chown -R root:root koko                  # Set ownership of the koko directory
(py3) [root@jumpserver opt]# cd koko                                  # Switch to the koko directory
(py3) [root@jumpserver koko]# cp config_example.yml config.yml        # Copy the example configuration file under the real name

② Modify the configuration file of koko component

(py3) [root@jumpserver koko]#  vi config.yml

Refer to the official template (remember to edit the start of each line you need, i.e. remove the leading #)

# The project name will be used to register with Jumpserver. It is just identification and cannot be repeated
# NAME: {{ Hostname }}

# The URL of the Jumpserver project, which will be used for API request registration

# Bootstrap Token, a pre-shared secret, is used to register the service account and terminal used by coco
# Keep it consistent with the jumpserver configuration file. It can be deleted after registration

# The ip address bound at startup. The default is

# The SSH port number to listen to. The default is 2222
# SSHD_PORT: 2222

# Default listening port: HTTP/WS 5000
# HTTPD_PORT: 5000

# The ACCESS KEY used by the project will be registered by default and saved to the ACCESS_KEY_FILE;
# if necessary it can be written into the configuration file in the form access_key_id:access_key_secret
# ACCESS_KEY: null

# The address saved by ACCESS KEY will be saved to this file after registration by default
# ACCESS_KEY_FILE: data/keys/.access_key


# SSH connection timeout (default 15 seconds)

# Language [en,zh]
# LANG: zh

# Root directory of SFTP, optional / tmp, Home and other user-defined directories
# SFTP_ROOT: /tmp

# Does SFTP show hidden files

# Whether to reuse established connections to the user's back-end assets (a user never reuses another user's connection)

# The asset loading strategy can be adjusted to the asset scale. The default loads assets asynchronously and searches pages asynchronously; with "all", all assets are loaded and local search is paged

# Maximum amount of zip compression (unit: M)

# zip compressed temporary directory / tmp
# ZIP_TMP_PATH: /tmp

# The time interval (in seconds) between sending heartbeat to SSH Client connection. The default value is 30. 0 means no sending

# The number of retries to send heartbeat packets to assets. The default value is 3

# The type of session sharing is [local, redis]. The default is local

# Redis configuration

The places we need to modify are framed in red in the figure

Start the core component koko

First start it in the foreground and check for errors


Second, run the koko component in the background

./koko -d

Finally, check that the ports are listening: there should be one 5000 port and one 2222 port

netstat -lntp

2.3 front-end component deployment: lina, luna

I upload the software package locally

① Download the Lina component (to /opt)

(py3) [root@jumpserver opt]# tar xf lina-v2.2.2.tar.gz 
(py3) [root@jumpserver opt]# mv lina-v2.2.2 lina
(py3) [root@jumpserver opt]# chown -R nginx.nginx lina

② Download the Luna component (to /opt)

(py3) [root@jumpserver opt]# tar xf luna-v2.2.2.tar.gz 
(py3) [root@jumpserver opt]# mv luna-v2.2.2 luna
(py3) [root@jumpserver opt]# chown -R nginx.nginx luna

③ Configure Nginx to integrate the components

(py3) [root@jumpserver opt]# yum install nginx -y   (do this before uploading the luna and lina components, because those two directories must be owned by the nginx user)

Refer to the official template (I added server_name jumpserver.etian.org; and the domain name resolution)

(py3) [root@jumpserver opt]# vim /etc/nginx/conf.d/jumpserver.etiantian.org.conf
server {
    listen 80;
    client_max_body_size 100m;  # Video and file upload size limit
    server_name jumpserver.etiantian.org;

    location /ui/ {
        try_files $uri / /index.html;
        alias /opt/lina/;
    }

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;  # luna path. If the installation directory is modified, it needs to be modified here
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;  # Video recording location. If the installation directory is modified, it needs to be modified here
    }

    location /static/ {
        root /opt/jumpserver/data/;  # Static resources. If you modify the installation directory, you need to modify it here
    }

    location /koko/ {
        proxy_pass       http://localhost:5000;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /guacamole/ {
        proxy_pass       http://localhost:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }

    location /ws/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8070;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /core/ {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        rewrite ^/(.*)$ /ui/$1 last;
    }
}
(py3) [root@jumpserver opt]# systemctl start nginx
(py3) [root@jumpserver opt]# systemctl enable nginx

2.4 configure a local hosts entry (local DNS override) and log in to JumpServer for management

The default user is admin, with password admin

The password is too simple, so you need to change the admin user's login password

Finally, log in to the management interface

3. JumpServer user management

Ordinary users: the users who log in to the JumpServer web page, i.e. operation and maintenance and development staff
System users: the users JumpServer uses when jumping to log in to assets [pushed automatically by Ansible; switching is not supported]
Management users: the management user is root on the managed server; JumpServer uses this user to push system users and collect asset hardware information [set up passwordless login first]

3.1 creating ordinary users

① Add user group

Create a development group and operation and maintenance group

② Add user

Create an oldboy and an oldgirl ordinary user

③ Usage test of the created ordinary user

Ordinary users are the ones who log in to the JumpServer web page, so when we log in again we find that the interface differs from the administrator's login interface.
Let's log in with the created ordinary user oldboy

We find that the items in the left column differ. On first login you need to fill in your personal information, then select "I agree" to use it.

There are two pages through which ordinary users manage assets
1. Web page

2. Terminal page

ssh oldboy@ 2222

3.2 create a management user

① JumpServer -> managed hosts: set up passwordless (key-based) login, which realizes the springboard function


A key pair consisting of a public key (id_rsa.pub) and a private key (id_rsa) will be generated

Push the public key to the managed hosts to realize passwordless login

ssh-copy-id -i ~/.ssh/id_rsa.pub root@
ssh-copy-id -i ~/.ssh/id_rsa.pub root@
ssh-copy-id -i ~/.ssh/id_rsa.pub root@

② Create the management user

Download the private key: [root@jumpserver ~]# sz ~/.ssh/id_rsa  -> upload the root user's private key on the page

3.3 creating system users

Privilege elevation settings for the system user

4. JumpServer asset management

4.1 planning the asset tree

Divide according to the company's needs
We can divide by region, district and department
By region, we divide computer rooms into the Shanghai computer room and the Beijing computer room
By district, we divide the Beijing computer room into the Changping computer room and the Haidian computer room
Within the Haidian computer room we can also divide by department, such as operation and maintenance, development and so on

4.2 Adding Assets

Add asset web01

Add asset web02

Add asset db01

4.3 authorizing assets

We authorize assets to user groups
Our operation and maintenance group is authorized to manage the assets of the Beijing and Shanghai computer rooms ( / 8 / 51)
Our development group is authorized to manage the assets of the Shanghai computer room (

4.4 verification phase

We log in to the jumpserver page as the ordinary user oldgirl. oldgirl belongs to the operation and maintenance group, so she can manage the assets authorized to the operation and maintenance group (3 nodes)

We can open a web terminal to manage each node (passwordless login)

We log in to the jumpserver page as the ordinary user oldboy. oldboy belongs to the development group, so he can manage the assets authorized to the development group (1 node)

4.5 create a new system user with higher privileges than cry

① This simply means creating another system user, kenneth

② Authorize assets to the newly created kenneth system user

③ Manually push the system user to the assets (the bottom layer uses Ansible to push)

④ When I log in to the asset again, I can choose which system user to log in with

4.6 adding database assets

① First create a dba user group and an ordinary user dba who belongs to it

Password 123456

② Create the database application

③ Create a system user that logs in to the database (using the MySQL protocol)

④ Authorize the database asset

⑤ Log in to the database asset (as the ordinary user dba we created)

⑥ Every operation we perform on the assets is recorded and can be replayed, paused and monitored online

5. Jumpserver command filter (restrict the execution of dangerous commands)

Let's now assume we do not want users to run the rm command. How do we do that?

5.1 create a command filter (give it a name)

5.2 add the operations the command filter does not allow

5.3 bind the filter to a system user to restrict its operations

Test whether the user can still use the rm command after logging in to the asset via the cry system user

6. File management for ordinary users (upload and download)

6.1 upload procedure

① I log in to the asset as the system user cry and select the default location to upload files

② We find that the uploaded file is under /tmp, and the owner and group of the file are our uploader cry

6.2 download procedure

① I created a file named 2.0.txt under /tmp

② We can download files from the web terminal page

6.3 why is the default directory for uploads and downloads /tmp?

Because it is specified in the configuration file of our koko component (SFTP_ROOT), as shown in the figure below

7. Jumpserver multi-factor authentication (strengthen login security)

On top of the username and password login, a second authentication step is performed to improve login security

There are two ways to enable multi-factor authentication

I. When creating ordinary users, select multi-factor authentication to force it on

① Create an ordinary user, that is, a user who logs in to the Jumpserver page

② Login test

We open the login interface and log in as the ordinary user scry we just created. The password here is the one set by the creator, 123456

Next, because we enabled multi-factor authentication, the initialization of multi-factor authentication starts. Enter our ordinary user's login password 123456

Then a redirect occurs that lets you use a third-party authenticator app on your mobile phone to generate a dynamic password

I download the software on my mobile phone

We scan the following QR code with the mobile phone app and it generates a dynamic verification code

After completing the initialization, we can log in by entering the dynamic authentication code from the mobile phone together with the user password

II. Enable multi-factor authentication globally

8. Introducing the JumpServer domain function into a hybrid cloud production environment

8.1 what is a hybrid cloud?

Hybrid cloud integrates public cloud and private cloud, which is the main mode and development direction of cloud computing in recent years. We already know that private cloud is mainly for enterprise users. For security reasons, enterprises prefer to store data in private cloud, but at the same time hope to obtain the computing resources of public cloud. In this case, hybrid cloud is more and more adopted. It mixes and matches public cloud and private cloud to obtain the best effect. This personalized solution achieves the purpose of saving money and security.

8.2 functional schematic diagram of the JumpServer domain deployed in a hybrid cloud production environment

8.3 implementation idea for deploying the JumpServer domain function in a hybrid cloud production environment

1. jumpserver and the domain gateway server log in to each other without a password (key-based)
2. The domain gateway server and the virtual machines log in without a password (key-based)
3. Fill in a domain and add the gateway server
3.1 fill in the public IP address.
3.2 log in to the domain server as the management user root who manages the virtual machines; jumpserver's private key is used for authentication.
4. Add a new management user for the virtual machines, authenticated with the domain server's private key
5. Assign and integrate the virtual machine assets

8.4 practical steps for deploying the JumpServer domain function in a hybrid cloud production environment

① Buy three Alibaba Cloud hosts without public network access

② Purchase a public elastic IP

③ Bind the public IP to one virtual machine (ECS) that acts as our domain server

All three virtual machines are in the same network segment. We bind the public IP to one virtual machine, make it the domain server, and use it to connect to the other two virtual machines

④ Establish a passwordless connection between jumpserver and the domain server

Push jumpserver's public key to the domain server

ssh-copy-id -i ~/.ssh/id_rsa.pub root@ (domain server public network IP)

⑤ Log in to the domain server and establish a passwordless relationship with the two virtual machines

1> Generate a key pair


2> Push the domain server's public key to the two virtual machines

ssh-copy-id -i ~/.ssh/id_rsa.pub root@ (virtual machine intranet IP)
ssh-copy-id -i ~/.ssh/id_rsa.pub root@ (virtual machine intranet IP)

3> Test whether the domain server can log in to the two virtual machines without a password

⑥ Create a domain and configure the gateway (this configures the connection between jumpserver and the domain server)

1> Create the domain: Alibaba Cloud Zhangjiakou node

2> Configure the gateway

jumpserver and the domain server must communicate without a password
We pushed the public key of the key pair generated on jumpserver to the domain server
Therefore jumpserver's private key is used to connect to the domain server with asymmetric (key-based) authentication.

⑦ Add a management user root that manages the virtual machine assets

Our management user root manages the virtual machine assets and connects to the virtual machines in the public cloud through the domain server
The domain server and the virtual machines communicate without a password
We pushed the public key of the key pair generated on the domain server to the two virtual machines
Therefore the key filled in here is the private key generated on the domain server, for asymmetric (key-based) authentication.

1> Get the domain server's private key and download it locally

yum -y install lrzsz
sz ~/.ssh/id_rsa

2> Add the management user root that manages the virtual machines

⑧ Add virtual machine assets

1> Create an asset tree of Alibaba cloud nodes

2> Add two virtual machine node assets under alicloud



⑨ Authorize the virtual machine assets to a user group (the operation and maintenance group)

⑩ Testing

1> We log in to the jumpserver page as oldgirl, who belongs to the operation and maintenance group

2> The Web terminal accesses the Alibaba Cloud host successfully

9. Jumpserver security improvement

9.1 security upgrades

Operating system: upgrade to a new version that meets the requirements whenever possible.
JumpServer: keep using the latest version of JumpServer.
JumpServer dependencies: it is recommended to upgrade the versions of the software JumpServer depends on.

9.2 use of security components

Use the system firewall: port forwarding
Suggestion for disabling password login: user -> VPN -> intranet

9.3 optimizing the system architecture

Traditional architecture: user -> jumpserver -> target assets
New architecture: user -> firewall (rule restrictions) -> jumpserver -> target assets
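The firewall in front of jumpserver only stays the single entry point if the components behind nginx are not reachable directly. As an added example (not code from the page or the JumpServer project), the following POSIX shell audit ties the port check from the koko step (5000 and 2222) to this architecture: it reads saved ss -lntp or netstat -lntp output and flags internal services that are bound to a non-loopback address. The port roles are taken from the nginx configuration above; the listener sample is constructed, and the process names in it are illustrative.

```shell
#!/bin/sh
# Added example, not part of this page or of the JumpServer project.
# With the nginx layout above only nginx (80/443) and koko's SSH (2222) need to listen on all
# interfaces; core (8080), koko HTTP/WS (5000), the websocket service (8070), guacamole (8081),
# MariaDB (3306) and Redis (6379) are reached through nginx or locally and should stay on
# 127.0.0.1, so that the firewall in front of jumpserver remains the single entry point.

PUBLIC_PORTS="80 443 2222"
INTERNAL_PORTS="8080 5000 8070 8081 3306 6379"

# Constructed sample in "ss -lntp" format (not a real capture); 5000 and 3306 are wrongly exposed.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=2110,fd=6))
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*         users:(("koko",pid=2301,fd=7))
LISTEN 0      128    0.0.0.0:5000        0.0.0.0:*         users:(("koko",pid=2301,fd=8))
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("gunicorn",pid=2010,fd=5))
LISTEN 0      128    127.0.0.1:8070      0.0.0.0:*         users:(("daphne",pid=2011,fd=5))
LISTEN 0      80     *:3306              *:*               users:(("mysqld",pid=1800,fd=20))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1790,fd=6))'

# Read listener lines on stdin; print "EXPOSED <port> <addr>" for an internal port bound to a
# non-loopback address and "OK <port> <addr>" for every other known port. Column 4 is the local
# address in both ss and netstat output; the header line carries no LISTEN and is skipped.
classify_listener() {
    awk -v public="$PUBLIC_PORTS" -v internal="$INTERNAL_PORTS" '
    BEGIN {
        n = split(public, p, " ");   for (i = 1; i <= n; i++) pub[p[i]] = 1
        n = split(internal, q, " "); for (i = 1; i <= n; i++) intl[q[i]] = 1
    }
    /LISTEN/ {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)   # "0.0.0.0", "127.0.0.1", "*", "[::]"
        loopback = (host == "127.0.0.1" || host == "[::1]" || host == "::1" || host == "localhost")
        if (port in intl && !loopback)        print "EXPOSED " port " " host
        else if (port in pub || port in intl) print "OK " port " " host
    }'
}

# Number of exposed internal listeners in a saved ss/netstat output file ($1); 0 means clean.
exposed_count() {
    classify_listener < "$1" | awk '/^EXPOSED/ { n++ } END { print n + 0 }'
}

# Typical use on the jumpserver host:  ss -lntp > /tmp/listen.txt; exposed_count /tmp/listen.txt
```

An exposed internal port is fixed by binding the service to 127.0.0.1 in its own configuration (bind-address for MariaDB, bind for Redis, the HTTP bind address in koko's config.yml), not only by a firewall rule.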

9.4 configuring HTTPS mode

Tags: Linux Operation & Maintenance

Posted by rxbanditboy1112 on Sat, 07 May 2022 12:24:46 +0300