Official site: http://www.jumpserver.org/
Authentication
Login authentication: unified login and authentication for resources, LDAP authentication, OpenID support for single sign-on
Multi-factor authentication: MFA (Google Authenticator)
Account management
Centralized account management: admin user management, system user management
Unified password management: asset password vaulting, automatic password generation, automatic password push, password expiry settings
Bulk password change (X-PACK): scheduled bulk password rotation, random password generation
Multi-cloud asset onboarding (X-PACK): unified management of private-cloud and public-cloud assets
Authorization
Asset authorization management: asset tree, flexible authorization of individual assets or asset groups, assets inside a node automatically inherit the node's authorization
RemoteApp (X-PACK): finer-grained, application-level authorization
Organization management (X-PACK): multi-tenant management with permission isolation
Multi-dimensional authorization: grants to users, user groups or system roles
Command restriction: restricts the use of privileged commands, with blacklist/whitelist support
Unified file transfer: SFTP file upload/download
File management: web-based SFTP file management
Security audit
Session management: online session management, historical session management
Recording management: session recording for Linux and for Windows
Command audit: command logging
File transfer audit: upload/download record audit
Official environment requirements:
Hardware: 2 CPU cores, 4G RAM, 50G disk (minimum)
Operating system: a Linux distribution, x86_64
Python = 3.6.x
MySQL Server ≥ 5.6
MariaDB Server ≥ 5.5.56
Redis
Server preparation:
192.168.99.101 jumpserver 2C-4G
192.168.99.102 database/Redis 2C-2G
192.168.99.103 web server A 1C-1G
192.168.99.104 web server B 1C-1G
External database requirements:
MySQL version must be ≥ 5.6
MariaDB version must be ≥ 5.5.6
Database character set must be utf8
Import the MySQL image:
docker load -i mysql-5.6.44.tar.gz
mkdir -p /etc/mysql/mysql.conf.d
vim /etc/mysql/mysql.conf.d/mysqld.cnf
# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# The MySQL Server configuration file.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
[mysqld]
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
datadir = /var/lib/mysql
#log-error = /var/log/mysql/error.log
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
character-set-server=utf8
mkdir -p /etc/mysql/conf.d/
vim /etc/mysql/conf.d/mysql.cnf
[mysql]
default-character-set=utf8
mkdir /data/mysql -p
docker run -it -d -p 3306:3306 \
-v /etc/mysql/mysql.conf.d/mysqld.cnf:/etc/mysql/mysql.conf.d/mysqld.cnf \
-v /etc/mysql/conf.d/mysql.cnf:/etc/mysql/conf.d/mysql.cnf \
-v /data/mysql:/var/lib/mysql \
-e MYSQL_ROOT_PASSWORD="123" \
mysql:5.6.44
apt install mysql-client
mysql -uroot -p123 -h192.168.99.22
mysql> show variables like "%character%";
mysql> show variables like "%collation%";
mysql> create database jumpserver default charset 'utf8';
mysql> grant all on jumpserver.* to 'jumpserver'@'%' identified by 'abc123';
mysql -ujumpserver -pabc123 -h192.168.99.22
docker pull redis:4.0.14
docker run -it -d -p 6379:6379 redis:4.0.14
apt install redis
redis-cli -h 192.168.99.22
docker pull jumpserver/jms_all:1.4.8
# or, if the image archive was already downloaded, load it instead:
docker load -i jumpserver-jms_all_1.4.8.tar.gz
# Generate SECRET_KEY once (50 random alphanumeric characters), persist it, and print it:
if [ "$SECRET_KEY" = "" ]; then \
SECRET_KEY=`cat /dev/urandom | \
tr -dc A-Za-z0-9 | \
head -c 50`; \
echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc; \
echo $SECRET_KEY; \
else echo $SECRET_KEY; \
fi
cZPi5K3utSGiwpK786wbrdZl7UqP0KzfszPBF3NqoATelylqzJ
# Generate BOOTSTRAP_TOKEN once (16 random alphanumeric characters), persist it, and print it:
if [ "$BOOTSTRAP_TOKEN" = "" ]; then \
BOOTSTRAP_TOKEN=`cat /dev/urandom | \
tr -dc A-Za-z0-9 | \
head -c 16`; \
echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc; \
echo $BOOTSTRAP_TOKEN; \
else echo $BOOTSTRAP_TOKEN; \
fi
yaOz6fQzY0R8vIta
docker run --name jms_all \
-v /opt/jumpserver:/opt/jumpserver/data/media \
-p 80:80 \
-p 2222:2222 \
-e SECRET_KEY=cZPi5K3utSGiwpK786wbrdZl7UqP0KzfszPBF3NqoATelylqzJ \
-e BOOTSTRAP_TOKEN=yaOz6fQzY0R8vIta \
-e DB_HOST=192.168.99.22 \
-e DB_PORT=3306 \
-e DB_USER='jumpserver' \
-e DB_PASSWORD="abc123" \
-e DB_NAME=jumpserver \
-e REDIS_HOST=192.168.99.22 \
-e REDIS_PORT=6379 \
-e REDIS_PASSWORD= \
jumpserver/jms_all:1.4.8
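As an added example (not code from the page or from the JumpServer project), the POSIX sh helper below generates SECRET_KEY and BOOTSTRAP_TOKEN with the same /dev/urandom recipe used above, validates their length and alphabet, and stores them in a mode-0600 env file that `docker run --env-file` can read, so the secrets are neither appended to ~/.bashrc nor exposed on the command line in shell history and the process list. The env file path is the caller's choice and is an assumption; existing values in the file are reused rather than rotated.

```shell
#!/bin/sh
# Added example, not from the original page: generate JumpServer's SECRET_KEY and
# BOOTSTRAP_TOKEN once, validate them, and keep them in a mode-0600 env file that
# `docker run --env-file` reads, instead of ~/.bashrc and the command line.

# LEN random characters from /dev/urandom, restricted to [A-Za-z0-9] as on the page.
gen_secret() {
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Succeeds only if $1 is exactly $2 characters long and purely alphanumeric.
check_secret() {
    secret=$1
    want=$2
    [ "${#secret}" -eq "$want" ] || return 1
    case $secret in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Create or refresh the env file at $1 (path assumed by the caller). Existing values
# are reused: rotating SECRET_KEY would make data JumpServer already encrypted with it
# unreadable, and the page's own snippet likewise only generates a key when none is set.
write_env_file() {
    file=$1
    if [ -f "$file" ]; then
        # The file holds only KEY=VALUE lines with alphanumeric values, so sourcing is safe.
        . "$file"
    fi
    : "${SECRET_KEY:=$(gen_secret 50)}"
    : "${BOOTSTRAP_TOKEN:=$(gen_secret 16)}"
    check_secret "$SECRET_KEY" 50 || return 1
    check_secret "$BOOTSTRAP_TOKEN" 16 || return 1
    # Create the file with owner-only permissions, then enforce them if it already existed.
    (umask 077; cat > "$file") <<EOF
SECRET_KEY=$SECRET_KEY
BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN
EOF
    chmod 600 "$file"
}
```

Usage: `write_env_file /opt/jumpserver/jms.env` (assumed path), then start the container with `docker run --env-file /opt/jumpserver/jms.env ...` in place of the `-e SECRET_KEY=...` and `-e BOOTSTRAP_TOKEN=...` arguments.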
Users – User list: users are created and managed here; a user corresponds to one of the company's operations staff.
Sessions – Commands and Session history: here you can see the recordings of sessions that users ran and have since exited.
Log in with an ordinary JumpServer account and test connecting to and using the backend servers.
For other features, refer to the official documentation:
https://jumpserver.readthedocs.io/zh/master/quick_start.html