[toc]
Introduction to JumpServer
JumpServer is the world's first open source bastion host, released under the GNU GPL v2.0 open source license, and is a 4A-compliant operations security audit system.
JumpServer is developed in Python/Django, follows the Web 2.0 specification, and ships with an industry-leading Web Terminal solution with a clean interface and a good user experience.
JumpServer uses a distributed architecture that allows deployment across multiple machine rooms and regions, supports horizontal scaling, and places no limit on the number of assets or concurrent sessions.
**Official website:** www.jumpserver.org/
**Documentation:** docs.jumpserver.org/zh/master/
**GitHub:** github.com/jumpserver/…
1.1. Page Display
1.2. Characteristics and Advantages
- Open source: no entry barrier, quick online access and installation;
- Distributed: easily supports large-scale concurrent access;
- No plug-in: only a browser is needed, the full Web Terminal experience;
- Multi-cloud support: one system manages assets on different clouds at the same time;
- Cloud storage: audit recordings are stored in the cloud and never lost;
- Multi-tenant: one system serves multiple subsidiaries and departments;
- Multi-application support: databases, Windows remote applications, Kubernetes.
1.3. Function List
Category | Feature | Description |
---|---|---|
Authentication | Login authentication | Unified resource login and authentication |
| | LDAP/AD authentication |
| | RADIUS authentication |
| | OpenID authentication (single sign-on) |
| | CAS authentication (single sign-on) |
| MFA authentication | MFA secondary authentication (Google Authenticator) |
| | RADIUS secondary authentication |
| Login review | User login behaviour is reviewed and controlled by the administrator :small_orange_diamond: |
Account management | Centralized accounts | User management |
| | System user management |
| Unified passwords | Asset password custody |
| | Automatic password generation |
| | Automatic password push |
| | Password expiration settings |
| Batch password change | Periodic batch password changes :small_orange_diamond: |
| | Multiple password policies :small_orange_diamond: |
| Multi-cloud onboarding | Automatic unified management of private and public cloud assets :small_orange_diamond: |
| User collection | User-defined tasks periodically collect the users on hosts :small_orange_diamond: |
| Password vault | View, update and test the user passwords of asset hosts in one place :small_orange_diamond: |
Authorization | Multidimensional authorization | Authorize users, user groups, assets, asset nodes, applications and system users |
| Asset authorization | Assets are presented in a tree structure |
| | Both assets and nodes can be authorized flexibly |
| | Assets under a node automatically inherit its authorization |
| | Child nodes automatically inherit authorization from the parent node |
| Application authorization | More granular application-level authorization |
| | MySQL database application, RemoteApp remote application :small_orange_diamond: |
| Action authorization | Control file upload, file download and connection on authorized assets |
| Time authorization | Restrict the period during which authorized resources may be used |
| Privileged commands | Control the use of privileged commands (blacklists and whitelists supported) |
| Command filter | Control the commands that authorized system users may execute |
| File transfer | SFTP file upload/download |
| File management | Web SFTP file management |
| Ticket management | Control of user login requests :small_orange_diamond: |
| Organization management | Multi-tenant management and permission isolation :small_orange_diamond: |
Audit | Operation audit | Audit user operations |
| Session audit | Audit the content of online sessions |
| | Audit the content of historical sessions |
| Video audit | Playback audit of operations performed on Linux and Windows assets |
| | Playback audit of application sessions such as RemoteApp :small_orange_diamond: and MySQL |
| Command audit | Audit commands run on assets and applications |
| File transfer | Audit file upload and download records |
Database audit | Connection method | Command mode |
| | Web UI :small_orange_diamond: |
| Supported databases | MySQL |
| | Oracle :small_orange_diamond: |
| | MariaDB :small_orange_diamond: |
| | PostgreSQL :small_orange_diamond: |
| Function highlights | Syntax highlighting |
| | SQL formatting |
| | Shortcut keys |
| | Execute selected text |
| | SQL history query |
| | Create databases and tables from the page |
| Session audit | Command record |
| | Video playback |
1.4. Architecture Diagram
- The front end is the dynamic page served by Nginx and accessed through the browser.
- Jumpserver is the management back end. Administrators perform asset management, user management and asset authorization through the web page; users log in to assets and manage files through the web page.
- Coco is the SSH server and Web Terminal server. Users use their own accounts to access SSH and Telnet assets through SSH or the Web Terminal.
- Luna is the front-end page of the Web Terminal server, the component users need in order to log in to the Web Terminal.
- Guacamole is the component for RDP and VNC assets. Users connect to RDP and VNC assets through the Web Terminal.
1.5. Port Description
The following ports are involved:
- Jumpserver default port 8080/TCP, the port the browser accesses
- Coco default SSH port 2222/TCP and default Web Terminal port 5000/TCP, used for SSH connections
- Guacamole default port 8081/TCP
- Nginx default port 80/TCP
- Redis default port 6379/TCP
- MySQL/MariaDB default port 3306/TCP
1.6. Product Components
- Jumpserver: the core component. It uses the Django class-based view style and provides RESTful APIs.
- Coco: the SSH Server and Web Terminal Server. Users log in to SSH or the Web Terminal with their own accounts and directly access authorized assets without needing to know the server's account and password. Coco has since been replaced by Koko.
- Luna: the front-end page of the Web Terminal Server, a plug-in required for users to log in to the Web Terminal.
- Guacamole: an open source project that provides a remote desktop solution. JumpServer implements RDP and VNC functionality using its components; JumpServer does not modify its code but adds plug-ins so that JumpServer can call it.
2. Install JumpServer
- Fast installation: docs.jumpserver.org/zh/master/i…
- Full documentation: docs.jumpserver.org
- Demo video: www.bilibili.com/video/BV1ZV…
There are two installation modes: one-click automatic deployment and manual deployment. One-click automatic deployment is recommended.
2.1. One-click automatic deployment
Just two steps to quickly install JumpServer:
- Prepare a 64-bit Linux host with Internet access and at least 2 cores and 4 GB of RAM.
- Run the following command as root to install JumpServer.

One-click setup:

```shell
curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v28.2./quick_start.sh | bash
```

Note: the installation downloads the Docker environment, restarts Docker and pulls many images, which in the end take about 3 GB of disk space. The installation takes about 30 minutes.

```
[root@docker36 jumpserver-installer-v28.2.]# docker images | grep jumpserver
jumpserver/core        v28.2.     f3dd5c1946ec   2 days ago      1.01GB
jumpserver/guacamole   v28.2.     8869e8512eec   2 days ago      824MB
jumpserver/lina        v28.2.     98abb9179db1   2 days ago      27.9MB
jumpserver/luna        v28.2.     d2e17fada2f6   2 days ago      27MB
jumpserver/koko        v28.2.     40cdabc32153   2 days ago      426MB
jumpserver/mysql       5          697daaecf703   3 months ago    448MB
jumpserver/redis       6-alpine   f731cd48185c   3 months ago    31.6MB
jumpserver/nginx       alpine2    b47070d178ad   18 months ago   18.5MB
```

If the downloads fail, add the following name resolution first:

```shell
echo "13.229.188.59 199.232.4.133 raw.githubusercontent.com github.com" >> /etc/hosts
printf 'nameserver 114.114.114.114\nnameserver 8.8.8.8\nnameserver 223.5.5.5\n' > /etc/resolv.conf
```

- Start

```shell
cd /opt/jumpserver-installer-v28.2./
./jmsctl.sh start
```

This starts 9 containers and creates a network called jms_net with subnet 192.168.250.0/24. To follow the core container's log:

```shell
docker logs -f jms_core --tail 200
```

See https://docs.jumpserver.org/zh/master/install/setup_by_fast/

- Web access

http://192.168.66.36:8080
https://192.168.66.36:8443

The default username and password are admin/admin. Containers and their state after startup:
```
[root@docker36 jumpserver-installer-v28.2.]# docker ps
CONTAINER ID   IMAGE                         COMMAND                  CREATED              STATUS                        PORTS                                         NAMES
26b95ecb8900   jumpserver/nginx:alpine2      "sh -c 'crond -b -d…"    57 seconds ago       Up 51 seconds (healthy)       0.0.0.0:8080->80/tcp, 0.0.0.0:8443->443/tcp   jms_nginx
9c25659c23c4   jumpserver/luna:v28.2.        "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   80/tcp                                        jms_luna
c8d74738aaa2   jumpserver/lina:v28.2.        "/docker-entrypoint.…"   About a minute ago   Up About a minute (healthy)   80/tcp                                        jms_lina
bc24581c6d0a   jumpserver/koko:v28.2.        "./entrypoint.sh"        About a minute ago   Up About a minute (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp              jms_koko
cc17285dc6ec   jumpserver/guacamole:v28.2.   "/init"                  About a minute ago   Up About a minute (healthy)   8080/tcp                                      jms_guacamole
edac0a216aa3   jumpserver/core:v28.2.        "./entrypoint.sh sta…"   About a minute ago   Up About a minute (healthy)   8070/tcp, 8080/tcp                            jms_celery
2ca03ab4d62d   jumpserver/core:v28.2.        "./entrypoint.sh sta…"   11 minutes ago       Up 11 minutes (healthy)       8070/tcp, 8080/tcp                            jms_core
69e9bdede65f   jumpserver/redis:6-alpine     "docker-entrypoint.s…"   13 minutes ago       Up 13 minutes (healthy)       6379/tcp                                      jms_redis
c73896dc22ad   jumpserver/mysql:5            "docker-entrypoint.s…"   13 minutes ago       Up 13 minutes (healthy)       3306/tcp, 33060/tcp                           jms_mysql
[root@docker36 jumpserver-installer-v28.2.]#
[root@docker36 jumpserver-installer-v28.2.]# ./jmsctl.sh status
     Name                    Command                   State                              Ports
-----------------------------------------------------------------------------------------------------------
jms_celery       ./entrypoint.sh start task       Up (healthy)   8070/tcp, 8080/tcp
jms_core         ./entrypoint.sh start web        Up (healthy)   8070/tcp, 8080/tcp
jms_guacamole    /init                            Up (healthy)   8080/tcp
jms_koko         ./entrypoint.sh                  Up (healthy)   0.0.0.0:2222->2222/tcp, 5000/tcp
jms_lina         /docker-entrypoint.sh ngin ...   Up (healthy)   80/tcp
jms_luna         /docker-entrypoint.sh ngin ...   Up (healthy)   80/tcp
jms_mysql        docker-entrypoint.sh --cha ...   Up (healthy)   3306/tcp, 33060/tcp
jms_nginx        sh -c crond -b -d 8 && ngi ...   Up (healthy)   0.0.0.0:8443->443/tcp, 0.0.0.0:8080->80/tcp
jms_redis        docker-entrypoint.sh redis ...   Up (healthy)   6379/tcp
```
Execution process:

```
[root@docker36 ~]# curl -sSL https://github.com/jumpserver/jumpserver/releases/download/v28.2./quick_start.sh | bash
download install script to /opt/jumpserver-installer
[JumpServer ASCII-art banner]
Version: v28.2.
Language (cn/en) (default cn):
>>> Install and Configure Docker
1. Install Docker
Starting to download Docker engine ...
complete
Starting to download Docker Compose binary ...
complete
2. Configure Docker
Do you need to specify a custom Docker data directory? The default is /var/lib/docker. (y/n) (default n):
complete
3. Start Docker
Docker version has changed or Docker configuration file has been changed, do you want to restart? (y/n) (default y):
complete
>>> Loading Docker Image
```
```
>>> Install and Configure JumpServer
1. Check Configuration File
Path to Configuration file: /opt/jumpserver/config
/opt/jumpserver/config/config.txt                   [√]
/opt/jumpserver/config/nginx/lb_http_server.conf    [√]
/opt/jumpserver/config/nginx/lb_ssh_server.conf     [√]
/opt/jumpserver/config/core/config.yml              [√]
/opt/jumpserver/config/koko/config.yml              [√]
/opt/jumpserver/config/mysql/my.cnf                 [√]
/opt/jumpserver/config/redis/redis.conf             [√]
complete
2. Configure Nginx
configuration file: /opt/jumpserver/config/nginx/cert
/opt/jumpserver/config/nginx/cert/server.crt        [√]
/opt/jumpserver/config/nginx/cert/server.key        [√]
complete
3. Backup Configuration File
Back up to /opt/jumpserver/config/backup/config.txt.2021-03-26_10-26-53
complete
4. Configure Network
Do you want to support IPv6? (y/n) (default n):
complete
5. Configure Private Key
SECRETE_KEY: ICAgICAgICBUWCBlcnJvcnMgMCAgZHJvcHBlZCAwIG92ZXJyd
BOOTSTRAP_TOKEN: ICAgICAgICBUWCBl
complete
6. Configure Persistent Directory
Do you need custom persistent store, will use the default directory /opt/jumpserver? (y/n) (default n):
complete
7. Configure MySQL
Do you want to use external MySQL? (y/n) (default n):
complete
8. Configure Redis
Do you want to use external Redis? (y/n) (default n):
complete
>>> The Installation is Complete
1. You can use the following command to start, and then visit
./jmsctl.sh start
2. Other management commands
./jmsctl.sh stop
./jmsctl.sh restart
./jmsctl.sh backup
./jmsctl.sh upgrade
For more commands, you can enter ./jmsctl.sh --help to understand
3. Web access
http://172.17.0.3:8080
https://172.17.0.3:8443
Default username: admin  Default password: admin
4. SSH/SFTP access
ssh admin@172.17.0.3 -p2222
sftp -P2222 admin@172.17.0.3
5. More information
Offical Website: https://www.jumpserver.org/
Documentation: https://docs.jumpserver.org/
[root@docker36 ~]# cd /opt/jumpserver-installer-v28.2./
[root@docker36 jumpserver-installer-v28.2.]# ll
total 28
drwxrwxr-x 3 root root 4096 Mar 18 14:41 compose
-rw-rw-r-- 1 root root      Mar 18 14:41 config-example.txt
drwxrwxr-x 7 root root   80 Mar 18 14:41 config_init
-rwxrwxr-x 1 root root 5503 Mar 18 14:41 jmsctl.sh
drwxrwxr-x 4 root root   27 Mar 18 14:41 locale
-rw-rw-r-- 1 root root 2603 Mar 18 14:41 readme.md
drwxrwxr-x 2 root root 4096 Mar 18 14:41 scripts
-rw-rw-r-- 1 root root   46 Mar 26 11:54 static
drwxrwxr-x 2 root root   39 Mar 18 14:41 utils
[root@docker36 jumpserver-installer-v28.2.]# ./jmsctl.sh start
Creating network "jms_net" with driver "bridge"
Creating jms_redis ... done
Creating jms_mysql ... done
Creating jms_core ... done
Creating jms_celery ... done
Creating jms_guacamole ... done
Creating jms_lina ... done
Creating jms_koko ... done
Creating jms_luna ... done
Creating jms_nginx ... done
```
https://192.168.66.36:8443
http://192.168.66.36:8080/
Hint: on first login you are asked to reset the password.
Tip: after resetting the password and logging in again, the JumpServer home page looks like the one below. From here on, the intranet servers are managed from this interface; at this point JumpServer is set up.
2.2. Manual deployment

```shell
cd /opt
yum -y install wget
wget https://github.com/jumpserver/installer/releases/download/v28.2./jumpserver-installer-v28.2..tar.gz
tar -xf jumpserver-installer-v28.2..tar.gz
cd jumpserver-installer-v28.2.
cat config-example.txt
```

```
## If the following settings are empty, the system automatically generates random strings to fill them in
## When migrating, change SECRET_KEY and BOOTSTRAP_TOKEN to the original settings
## Install and configure
DOCKER_IMAGE_PREFIX=swr.cn-south1.myhuaweicloud.com
VOLUME_DIR=/opt/jumpserver
DOCKER_DIR=/var/lib/docker
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR

## Configure external MySQL
USE_EXTERNAL_MYSQL=0
DB_HOST=mysql
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver

## Configure external Redis
USE_EXTERNAL_REDIS=0
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

## Compose project settings
COMPOSE_PROJECT_NAME=jms
COMPOSE_HTTP_TIMEOUT=3600
DOCKER_CLIENT_TIMEOUT=3600
DOCKER_SUBNET=192.168.250.0/24

## IPv6
DOCKER_SUBNET_IPV6=2001:db8:10::/64
USE_IPV6=0

## Nginx configuration; this Nginx routes paths to the different services
HTTP_PORT=80
HTTPS_PORT=443
SSH_PORT=2222

## LB configuration; this Nginx is used for HA and can load-balance to different hosts
USE_LB=0
LB_HTTP_PORT=80
LB_HTTPS_PORT=443
LB_SSH_PORT=2222

## Task
USE_TASK=1

## XPack
USE_XPACK=0

# MySQL
MYSQL_ROOT_PASSWORD=
MYSQL_DATABASE=jumpserver

# Core configuration
# SESSION_COOKIE_AGE=86400
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
### AUTH_OPENID=true
### BASE_SITE_URL=https://jumpserver.company.com/
### AUTH_OPENID_SERVER_URL=https://keycloak.company.com/auth
### AUTH_OPENID_REALM_NAME=cmp
### AUTH_OPENID_CLIENT_ID=jumpserver
### AUTH_OPENID_CLIENT_SECRET=
### AUTH_OPENID_SHARE_SESSION=true
### AUTH_OPENID_IGNORE_SSL_VERIFICATION=true

# Koko configuration
CORE_HOST=http://core:8080

# Guacamole configuration
JUMPSERVER_SERVER=http://core:8080
JUMPSERVER_KEY_DIR=/config/guacamole/data/key/
JUMPSERVER_RECORD_PATH=/config/guacamole/data/record/
JUMPSERVER_DRIVE_PATH=/config/guacamole/data/drive/
JUMPSERVER_ENABLE_DRIVE=true
JUMPSERVER_CLEAR_DRIVE_SESSION=true
JUMPSERVER_CLEAR_DRIVE_SCHEDULE=24
```
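To turn the comments in config-example.txt into a check that runs before `./jmsctl.sh start`, here is an added Python example (not part of the post or of the JumpServer installer). It parses the KEY=VALUE file and applies rules of its own choosing drawn from those comments: SECRET_KEY and BOOTSTRAP_TOKEN may be empty on a fresh install but must be carried over on migration, an external MySQL/Redis must not have an empty password, OpenID should verify TLS, and the subnet and port values should be well-formed. The sample config is constructed, with values deliberately changed so the checks fire.

```python
"""Parse a JumpServer installer config.txt and flag risky settings.

Added example, not JumpServer's own code. The key names come from the
config-example.txt above; the validation rules are this example's own.
"""
import ipaddress
import re

# Constructed sample: config-example.txt trimmed to the keys checked below, with
# external MySQL enabled but no password, and OpenID TLS verification disabled.
SAMPLE_CONFIG = """\
## If the following settings are empty, random strings are generated
SECRET_KEY=
BOOTSTRAP_TOKEN=
LOG_LEVEL=ERROR
## Configure external MySQL
USE_EXTERNAL_MYSQL=1
DB_HOST=10.0.0.5
DB_PORT=3306
DB_USER=root
DB_PASSWORD=
DB_NAME=jumpserver
## Configure external Redis
USE_EXTERNAL_REDIS=0
REDIS_PASSWORD=
DOCKER_SUBNET=192.168.250.0/24
HTTP_PORT=80
HTTPS_PORT=443
SSH_PORT=2222
SESSION_EXPIRE_AT_BROWSER_CLOSE=true
AUTH_OPENID=true
AUTH_OPENID_IGNORE_SSL_VERIFICATION=true
"""

_LINE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")


def parse_config(text):
    """Return {KEY: value} for KEY=VALUE lines; comment and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def _enabled(conf, key):
    """The installer uses 0/1 for switches and true/false for core settings."""
    return conf.get(key, "").lower() in ("1", "true", "yes")


def validate_config(conf, migrating=False):
    """Return a list of (severity, key, message) findings for a parsed config."""
    findings = []
    # Fresh install: the installer generates SECRET_KEY and BOOTSTRAP_TOKEN when
    # empty. On migration they must match the original deployment, otherwise
    # data encrypted under the old SECRET_KEY can no longer be read.
    if migrating:
        for key in ("SECRET_KEY", "BOOTSTRAP_TOKEN"):
            if not conf.get(key):
                findings.append(("error", key, "must be copied from the original deployment when migrating"))
    # An external database or cache is reached over the network: no empty passwords.
    if _enabled(conf, "USE_EXTERNAL_MYSQL") and not conf.get("DB_PASSWORD"):
        findings.append(("error", "DB_PASSWORD", "external MySQL configured without a password"))
    if _enabled(conf, "USE_EXTERNAL_REDIS") and not conf.get("REDIS_PASSWORD"):
        findings.append(("error", "REDIS_PASSWORD", "external Redis configured without a password"))
    # Disabling TLS verification towards the OpenID provider lets an on-path host
    # impersonate the identity provider that gates every JumpServer login.
    if _enabled(conf, "AUTH_OPENID") and _enabled(conf, "AUTH_OPENID_IGNORE_SSL_VERIFICATION"):
        findings.append(("warning", "AUTH_OPENID_IGNORE_SSL_VERIFICATION",
                         "TLS verification to the OpenID provider is disabled"))
    # Network values are handed to docker-compose verbatim; catch typos early.
    for key in ("DOCKER_SUBNET", "DOCKER_SUBNET_IPV6"):
        if key in conf:
            try:
                ipaddress.ip_network(conf[key], strict=True)
            except ValueError:
                findings.append(("error", key, f"not a valid CIDR network: {conf[key]!r}"))
    for key in ("HTTP_PORT", "HTTPS_PORT", "SSH_PORT", "DB_PORT", "REDIS_PORT"):
        value = conf.get(key)
        if value is not None and not (value.isdigit() and 0 < int(value) < 65536):
            findings.append(("error", key, f"invalid TCP port: {value!r}"))
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for severity, key, message in validate_config(parsed, migrating=True):
        print(f"{severity.upper():7} {key}: {message}")
```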
3. Using JumpServer
- Video tutorial, JumpServer from entry to master: www.bilibili.com/video/BV19D…
- Official documentation: jumpserver.readthedocs.io/useful/master/a…
3.1. System Settings
3.1.1. Basic Settings
Name | Example | Note |
---|---|---|
Current site URL | demo.jumpserver.org | If not set, links in emails point to http://localhost |
User wizard URL | | The hyperlink users see when they log in for the first time; does not need to be set |
Forgot password URL | | Used with external authentication systems such as LDAP and OpenID; can be customized |
In the basic settings, the URL of the current JumpServer must be set.
3.1.2 Mail Settings
These settings are required for the mail-related functions.
SSL and TLS cannot both be selected.
Name | Example | Note |
---|---|---|
SMTP host | smtp.qq.com | SMTP server provided by the mail provider |
SMTP port | 25 | Usually 25 |
SMTP account | [email protected] | Usually the full mailbox address |
SMTP password | **************** | Must be re-entered every time you test the connection |
Use SSL | [ ] | Must be selected if port 465 is used |
Use TLS | [ ] | Must be selected if port 587 is used |
Sender | [email protected] | Must be entered to test the connection |
Subject prefix | [JMS] | Prefix of the email subject line; mails sent by JumpServer start with [JMS] |
Test recipient | [email protected] | Required to test the connection |
In System Settings > Mail Settings, fill in the account and mail server information, then test the connection. If the test mail arrives, the mail server information and the mail username and password are correct; finally click submit. The email subject prefix is also set here; the links in users' mails point to the JumpServer URL.
Received mail:
3.1.3 Login user
JumpServer involves three kinds of users:
- Login users: accounts created for developers and other staff to log in to JumpServer;
- Admin users: a username and password added for the managed asset, i.e. the login account on the target machine;
- System users: the accounts JumpServer uses to jump to an asset.
Choose User Management > User List > Create; fill in the user information and click submit at the bottom.
Tip: when a user is created, JumpServer sends an email to the user's address; the user clicks the link in the email to set a password.
3.2 asset management
Prepare two test assets and a database to validate the functionality.
IP | Hostname | Port | System | Admin user | Password |
---|---|---|---|---|---|
172.16.80.11 | test_ssh01 | 22 | CentOS 7 | root | Test2020.L |
172.16.80.21 | test_rdp01 | 3389 | Windows 10 | administrator | Test2020.W |
172.16.80.31 | test_mysql01 | 3306 | MySQL 5 | root | Test2020.M |
For Windows assets, set up SSH on Windows first.
The MySQL application requires that the core and koko components be granted remote access to the database.
3.2.1. Edit the Asset tree
The root node Default cannot be given a duplicate name. Right-click a node to add, delete and rename nodes and to perform asset-related operations.
Click Asset Management > Asset List on the left of the page, then right-click the root node Default to create the nodes SSH Server and RDP Server:
```
Default
├─ SSH Server
└─ RDP Server
```
3.2.2. Create a management user
Click Asset Management > Admin User > Create on the left of the page to create two admin users, using the admin user and password from the table above.
Either a password or a key can be selected. Some assets do not allow password authentication; use private-key authentication for those.
Form field | SSH admin user example | RDP admin user example |
---|---|---|
Name | 172.16.80.11_root | 172.16.80.21_administrator |
Username | root | administrator |
Password | Test2020.L | Test2020.W |
SSH key | | |
Note | SSH asset admin user | RDP asset admin user |
Asset Management > Admin User > Create: enter the administrator account and password of the managed host and click Submit. The admin user is the root user on the asset (the controlled server), or a user with NOPASSWD: ALL sudo permission, which JumpServer uses to push system users, collect asset hardware information, and so on.
3.2.3. Create an asset
Click Asset Management > Asset List > Create Asset on the left of the page to import both assets.
The hostname must be unique.
Form field | SSH asset example | RDP asset example |
---|---|---|
Hostname | test_ssh01 | test_rdp01 |
IP (domain name) | 172.16.80.11 | 172.16.80.21 |
System platform | Linux | Windows |
Public IP | | |
Domain | | |
Protocol group | ssh 22 | rdp 3389 / ssh 22 |
Admin user | 172.16.80.11_root | 172.16.80.21_administrator |
Node | Default / SSH Server | Default / RDP Server |
Note: when creating Windows assets, select both SSH and RDP in the protocol group; otherwise JumpServer cannot obtain the status and hardware information of the Windows asset.
Tip: Asset Management > Asset List > Create, fill in the managed host information, IP address and admin user, then click submit at the bottom.
Tip: once submitted, the host just added appears in the asset list.
3.2.4. Create a database application
Click Application Management > Database Application > Create Database Application to create the MySQL database application.
Form field | MySQL asset example |
---|---|
Name | test_mysql01 |
Type | MySQL |
Host | 172.16.80.31 |
Port | 3306 |
Database | |
Note | MySQL asset |
The database field can be left blank; to restrict a user to one database, enter that database's name.
3.2.5. Create a system user
IP | System | System user | Password | Group | Sudo | SFTP root |
---|---|---|---|---|---|---|
172.16.80.11 | CentOS 7 | testssh01 | random | | ALL | / |
172.16.80.21 | Windows 10 | testrdp01 | random | Users | | |
172.16.80.23 | MySQL 5 | root | Test2020.M | | | |
Click Asset Management > System User > Create to create a system user for each protocol.
Form field | SSH system user |
---|---|
Name | Test_ssh01_Test system user |
Login mode | Automatic login |
Username | testssh01 |
Protocol | ssh |
Automatic push | √ |
Sudo | ALL |
Shell | /bin/bash |
Home directory | |
User groups | |
Automatically generate key | √ |
SFTP root | / |

Form field | RDP system user |
---|---|
Name | Test_rdp01_Test system user |
Login mode | Automatic login |
Username | testrdp01 |
Protocol | rdp |
Automatic push | √ |
Automatically generate key | √ |

Form field | MySQL system user |
---|---|
Name | Test_mysql01_Test system user |
Login mode | Automatic login |
Username | root |
Protocol | mysql |
Password | Test2020.M |
Asset Management > System User > Create: fill in the username, check automatic push and automatic key generation, and click submit at the bottom. The user specified here is the account JumpServer logs in to the corresponding host as. If the managed host does not have this user, JumpServer creates it using the admin user added above.
3.3. Create an authorization rule
Permission Management > Asset Authorization > Create: fill in the name, select the users and user groups, the assets and the system users, then click submit at the bottom. The asset is then authorized to the test user and to the members of the Test group. Note that a node may contain many servers: to authorize a single server to a user, select the asset and leave the node blank; to authorize a whole node, select the node and leave the assets blank; to authorize both a single asset and a node, select both. If the Default node is selected, every host under it is authorized to the user, because the Default node contains all hosts.
3.3.1. Allocate assets to users
IP | System | System user | User |
---|---|---|---|
172.16.80.11 | CentOS 7 | testssh01 | admin |
172.16.80.21 | Windows 10 | testrdp01 | admin |
172.16.80.31 | MySQL 5 | root | admin |
Click Authorization Management > Asset Authorization > Create Authorization Rule on the left of the page to create two authorization rules.
Form field | SSH asset authorization | RDP asset authorization |
---|---|---|
Name | Test_ssh01_Test authorization | Test_rdp01_Test authorization |
User | Administrator(admin) | Administrator(admin) |
User groups | | |
Assets | test_ssh01 (172.16.80.11) | test_rdp01 (172.16.80.21) |
Node | | |
System user | Test_ssh01_Test system user (testssh01) | Test_rdp01_Test system user (testrdp01) |
Permissions | Tick all | Tick all |
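To make the rule semantics of sections 3.3 and 3.3.1 concrete, here is an added Python model (not JumpServer's own code) that resolves which (asset, system user) pairs a user can reach and with which actions: a rule matches by user or user group, names assets and/or nodes, assets under a node and child nodes inherit the node's authorization, and Default covers everything. The Asset and Rule classes, the connect/upload/download action names and the extra Test-group node rule are this example's own simplifications; the asset and rule data are constructed from the tables above.

```python
"""Resolve JumpServer-style asset authorization rules for a user.

Added example, not JumpServer's own code: a small model of the asset
authorization rules described in sections 3.3 and 3.3.1.
"""
from dataclasses import dataclass, field

ALL_ACTIONS = frozenset({"connect", "upload", "download"})  # "Tick all" in the form


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    node: str  # full node path, e.g. "Default/SSH Server"


@dataclass
class Rule:
    name: str
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    assets: set = field(default_factory=set)   # hostnames authorized directly
    nodes: set = field(default_factory=set)    # node paths; everything beneath inherits
    system_users: set = field(default_factory=set)
    actions: frozenset = ALL_ACTIONS


def node_covers(rule_node, asset_node):
    """True if asset_node is rule_node itself or lies anywhere beneath it."""
    return asset_node == rule_node or asset_node.startswith(rule_node + "/")


def rule_matches_user(rule, user, groups):
    return user in rule.users or bool(set(groups) & rule.user_groups)


def rule_matches_asset(rule, asset):
    return asset.hostname in rule.assets or any(node_covers(n, asset.node) for n in rule.nodes)


def resolve(user, groups, assets, rules):
    """Return {(hostname, system_user): set(actions)} the user may use.

    Actions accumulate across rules: a pair granted 'connect' by a node rule
    and 'upload' by a direct asset rule ends up with both.
    """
    grants = {}
    for rule in rules:
        if not rule_matches_user(rule, user, groups):
            continue
        for asset in assets:
            if not rule_matches_asset(rule, asset):
                continue
            for su in rule.system_users:
                grants.setdefault((asset.hostname, su), set()).update(rule.actions)
    return grants


def demo_data():
    """Constructed from the tables in this post, plus one hypothetical node rule."""
    assets = [
        Asset("test_ssh01", "172.16.80.11", "Default/SSH Server"),
        Asset("test_rdp01", "172.16.80.21", "Default/RDP Server"),
    ]
    rules = [
        Rule("Test_ssh01_Test authorization", users={"admin"},
             assets={"test_ssh01"}, system_users={"testssh01"}),
        Rule("Test_rdp01_Test authorization", users={"admin"},
             assets={"test_rdp01"}, system_users={"testrdp01"}),
        # Hypothetical: the Test group may only connect (no file transfer) to
        # every asset under Default as testssh01, through node inheritance.
        Rule("Test group_Default node", user_groups={"Test"}, nodes={"Default"},
             system_users={"testssh01"}, actions=frozenset({"connect"})),
    ]
    return assets, rules


if __name__ == "__main__":
    demo_assets, demo_rules = demo_data()
    for who, member_of in (("admin", set()), ("alice", {"Test"}), ("bob", set())):
        print(who, resolve(who, member_of, demo_assets, demo_rules))
```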
3.3.2. Assign database applications to users
Click Authorization Management – Database Application – Create Authorization Rule to create database authorization
Form field | MySQL asset authorization |
---|---|
Name | Test_mysql01_Test authorization |
User | Administrator(admin) |
User groups | |
Database application | test_mysql01 |
System user | Test_mysql01_Test system user (root) |
3.4 user login
- Log in to JumpServer
Click Session Management > Web Terminal on the left of the page. Users can see only the assets the administrator has authorized; if no assets appear after login, contact the administrator to confirm.
- Connect to an asset
Click the link on the right of My Assets to connect quickly, or click Web Terminal in the left column and then click the asset name. If a connection timeout is displayed, consult the FAQ document.
- Disconnect from an asset
Clicking the Server button at the top of the page opens a menu: the first option disconnects the selected connections, the second disconnects all connections. You can also click the X on the asset tab, and in an SSH session typing exit ends it directly. Closing the page also works, but is not recommended.
- File management
Click File Management and select an asset on the left. Currently SFTP file management is available only for assets that support automatic login over SSH.
3.5. View playback of user operations
Click Session management —-> Session Management —-> Historical session —-> Find the playback of the corresponding session to view the operations performed by the corresponding user in the past session.
About Me
- This article was originally published on my personal WeChat public account (DB treasure).
- QQ group numbers: 223161599, 618766405; WeChat groups by private chat.
- Personal QQ id: 646634621; WeChat account: db_bao; please state the reason when adding.