1、Jumpserver简单介绍
Jumpserver 是全球首款完全开源的堡垒机,使用 GNU GPL v2.0 开源协议,是符合 4A 的专业运维审计系统。Jumpserver 使用 Python / Django 进行开发,遵循 Web 2.0 规范,配备了业界领先的 Web Terminal 解决方案,交互界面美观、用户体验好。Jumpserver 采纳分布式架构,支持多机房跨区域部署,中心节点提供 API,各机房部署登录节点,可横向扩展、无并发访问限制。
2、架构图如下
3、组件说明
Jumpserver现指 Jumpserver 管理后台,是核心组件(Core), 使用 Django Class Based View 风格开发,支持 Restful API。
Coco实现了 SSH Server 和 Web Terminal Server 的组件,提供 SSH 和 WebSocket 接口, 使用 Paramiko 和 Flask 开发。
Luna现在是 Web Terminal 前端,计划前端页面都由该项目提供,Jumpserver 只提供 API,不再负责后台渲染html等。
GuacamoleApache 跳板机项目,Jumpserver 使用其组件实现 RDP 功能,Jumpserver 并没有修改其代码而是添加了额外的插件,支持 Jumpserver 调用。
Jumpserver-Python-SDKJumpserver API Python SDK,Coco 目前使用该 SDK 与 Jumpserver API 交互。
参考文章:http://docs.jumpserver.org/zh/latest/admin_instruction.html
4、安装环境准备
系统环境说明
[root@test ~]# cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) [root@test ~]# uname -r3.10.0-693.el7.x86_64[root@test ~]# ip add|grep 192.168.22 inet 192.168.22.175/24 brd 192.168.22.255 scope global ens32关闭防火墙与selinux
[root@test ~]# systemctl stop firewalld[root@test ~]# systemctl disable firewalld[root@test ~]# sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config[root@master ~]# grep "SELINUX=" /etc/selinux/config # SELINUX= can take one of these three values:SELINUX=disabled[root@test ~]# reboot准备 Python3 和 Python 虚拟环境
安装依赖包
[root@test ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git编译安装python
[root@test ~]# wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz[root@test ~]# tar xf Python-3.6.1.tar.xz[root@test ~]# cd Python-3.6.1[root@test Python-3.6.1]# ./configure[root@test Python-3.6.1]# echo $?0[root@test Python-3.6.1]# make && make install-------------------过程部分省略fiCollecting setuptoolsCollecting pipInstalling collected packages: setuptools, pipSuccessfully installed pip-9.0.1 setuptools-28.8.0[root@test Python-3.6.1]# echo $?0建立 Python 虚拟环境
因为 CentOS 6/7 自带的是 Python2,而 Yum 等工具依赖原来的 Python,为了不扰乱原来的环境我们来使用 Python 虚拟环境
[root@test Python-3.6.1]# cd /opt/[root@test opt]# python3 -m venv py3[root@test opt]# source /opt/py3/bin/activate(py3) [root@test opt]## 看到上面的提示符代表成功,以后运行 Jumpserver 都要先运行以上 source 命令,以下所有命令均在该虚拟环境中运行(py3) [root@localhost py3]5、安装jumpserver
(py3) [root@test opt]# pwd/opt(py3) [root@test opt]# git clone --depth=1 https://github.com/jumpserver/jumpserver.gitCloning into 'jumpserver'...remote: Counting objects: 718, done.remote: Compressing objects: 100% (652/652), done.remote: Total 718 (delta 95), reused 380 (delta 22), pack-reused 0Receiving objects: 100% (718/718), 5.31 MiB | 440.00 KiB/s, done.Resolving deltas: 100% (95/95), done.(py3) [root@test opt]# cd jumpserver/(py3) [root@test jumpserver]# git checkout masterAlready on 'master'安装依赖 RPM 包
(py3) [root@test jumpserver]# cd /opt/jumpserver/requirements/(py3) [root@test requirements]# yum -y install $(cat rpm_requirements.txt)#无任何报错即可完成安装 Python 库依赖
(py3) [root@test requirements]# pip install -r requirements.txt这里官方比较坑,说不要指定源,不指定源根本装不了,可根据实际情况指定相关的新pip源进行安装,实在安装不了的,下载源码包手工安装。安装 Redis
Jumpserver 使用 Redis 做 cache 和 celery broke(py3) [root@master opt]# yum -y install redis(py3) [root@master opt]# service redis startRedirecting to /bin/systemctl start redis.service(py3) [root@master opt]# lsof -i :6379COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEredis-ser 22530 redis 4u IPv4 71615 0t0 TCP localhost:6379 (LISTEN)安装 MySQL
这里直接使用二进制安装包安装,具体可参考之前的文章
(py3) [root@master opt]# /etc/init.d/mysqld startStarting MySQL SUCCESS!(py3) [root@master opt]# lsof -i :3306COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEmysqld 23081 mysql 17u IPv6 73467 0t0 TCP *:mysql (LISTEN)创建数据库 Jumpserver 并授权
(py3) [root@master opt]# mysql -uroot -pEnter password: Welcome to the MariaDB monitor. Commands end with ; or \g.Your MySQL connection id is 4Server version: 5.7.17 MySQL Community Server (GPL)Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MySQL [(none)]> create database jumpserver default charset 'utf8';Query OK, 1 row affected (0.00 sec)MySQL [(none)]> grant all on jumpserver.* to 'jumpserver'@'localhost' identified by '123456';Query OK, 0 rows affected, 1 warning (0.00 sec)MySQL [(none)]> flush privileges;Query OK, 0 rows affected (0.00 sec)修改 Jumpserver 配置文件
(py3) [root@master opt]# cd /opt/jumpserver/(py3) [root@master jumpserver]# cp config_example.py config.py(py3) [root@master jumpserver]# vim config.py--------------------# Default using Config settings, you can write if/else for different envclass DevelopmentConfig(Config): DEBUG = True DB_ENGINE = 'mysql' DB_HOST = '127.0.0.1' DB_PORT = 3306 DB_USER = 'jumpserver' DB_PASSWORD = '123456' DB_NAME = 'jumpserver'config = DevelopmentConfig()#增加上面的内容生成数据库表结构和初始化数据
(py3) [root@master jumpserver]# cd /opt/jumpserver/utils/(py3) [root@master utils]# bash make_migrations.sh2018-05-09 13:51:48 [signals_handler DEBUG] Receive django ready signal2018-05-09 13:51:48 [signals_handler DEBUG] - fresh all settingsMigrations for 'assets': /opt/jumpserver/apps/assets/migrations/0002_auto_20180509_1351.py--------------------中间省略Running migrations: Applying assets.0001_initial... OK Applying assets.0002_auto_20180509_1351... OK Applying audits.0001_initial... OK Applying contenttypes.0001_initial... OK Applying contenttypes.0002_remove_content_type_name... OK Applying auth.0001_initial... OK Applying auth.0002_alter_permission_name_max_length... OK Applying auth.0003_alter_user_email_max_length... OK Applying auth.0004_alter_user_username_opts... OK Applying auth.0005_alter_user_last_login_null... OK Applying auth.0006_require_contenttypes_0002... OK Applying auth.0007_alter_validators_add_error_messages... OK Applying auth.0008_alter_user_username_max_length... OK Applying captcha.0001_initial... OK Applying common.0001_initial... OK Applying django_celery_beat.0001_initial... OK Applying django_celery_beat.0002_auto_20161118_0346... OK Applying django_celery_beat.0003_auto_20161209_0049... OK Applying django_celery_beat.0004_auto_20170221_0000... OK Applying django_celery_beat.0005_add_solarschedule_events_choices... OK Applying django_celery_beat.0006_auto_20180210_1226... OK Applying ops.0001_initial... OK Applying ops.0002_celerytask... OK Applying users.0001_initial... OK Applying users.0002_auto_20171225_1157... OK Applying users.0003_auto_20180509_1351... OK Applying perms.0001_initial... OK Applying perms.0002_auto_20180509_1351... OK Applying sessions.0001_initial... OK Applying terminal.0001_initial... OK Applying terminal.0002_auto_20180509_1351... OK运行jumpserver
(py3) [root@master utils]# cd /opt/jumpserver/(py3) [root@master jumpserver]# python run_server.py allWed May 9 13:53:15 2018Jumpserver version 1.3.0, more see https://www.jumpserver.org- Start Gunicorn WSGI HTTP ServerCheck database structure change ...2018-05-09 13:53:17 [signals_handler DEBUG] Receive django ready signal2018-05-09 13:53:17 [signals_handler DEBUG] - fresh all settings---------------Task terminal.tasks.clean_orphan_session[eb960461-07a0-4b42-a5bb-96fdd94fabcd] succeeded in 0.11468194000190124s: None运行之后没有报错信息,就可以使用浏览器访问了http://server_ip:8080
默认用户名/密码:admin/admin此时运行的只是jumpserver的WEB端,如果需要访问访问 Web Terminal 会报错如下
安装 SSH Server 和 WebSocket Server: Coco
新打开一个 SSH终端连接去安装
下载项目文件
[root@master ~]# source /opt/py3/bin/activate(py3) [root@master ~]# cd /opt/(py3) [root@master opt]# git clone https://github.com/jumpserver/coco.gitCloning into 'coco'...remote: Counting objects: 1276, done.remote: Total 1276 (delta 0), reused 0 (delta 0), pack-reused 1276Receiving objects: 100% (1276/1276), 272.18 KiB | 39.00 KiB/s, done.Resolving deltas: 100% (901/901), done.(py3) [root@master opt]# cd coco && git checkout masterAlready on 'master'安装依赖
(py3) [root@master coco]# cd /opt/coco/requirements/(py3) [root@master requirements]# yum -y install $(cat rpm_requirements.txt)(py3) [root@master requirements]# pip install -r requirements.txt(py3) [root@master requirements]# echo $?0(py3) [root@master requirements]# cd /opt/coco/(py3) [root@master coco]# cp conf_example.py conf.py(py3) [root@master coco]# python run_server.pyStart coco process2018-05-09 14:19:44 [service DEBUG] Initial app service2018-05-09 14:19:44 [service DEBUG] Load access key2018-05-09 14:19:44 [service INFO] No access key found, register it2018-05-09 14:19:44 [service INFO] "Terminal was not accepted yet"2018-05-09 14:19:48 [service INFO] "Terminal was not accepted yet"#此时需要去WEB管理后台确认注册信息点击确认之后会出现下面的提示
2018-05-09 14:21:23 [service DEBUG] Set app service auth: 9f13a90b-80e4-47ae-b0ad-d825cff70ff02018-05-09 14:21:23 [service DEBUG] Service http auth: <jms.auth.AccessKeyAuth object at 0x7f5d1b18de10>2018-05-09 14:21:23 [app DEBUG] Loading config from server: {"COMMAND_STORAGE": {"TYPE": "server"}, "REPLAY_STORAGE": {"TYPE": "server"}}Wed May 9 14:21:23 2018Coco version 1.3.0, more see https://www.jumpserver.orgQuit the server with CONTROL-C.Starting ssh server at 0.0.0.0:2222WebSocket transport not available. Install eventlet or gevent and gevent-websocket for improved performance. * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)#出现上面的提示表示成功测试连接
[root@testLinux1 ~]# ssh -p2222 admin@192.168.3.82The authenticity of host '[192.168.3.82]:2222 ([192.168.3.82]:2222)' can't be established.RSA key fingerprint is SHA256:Dw9BcxNFFZtgc1EpavxUeamzKT1VoX6UAPNIyzaEhpw.RSA key fingerprint is MD5:16:d8:05:5e:12:9d:e5:54:ee:96:97:21:ab:33:2c:7e.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '[192.168.3.82]:2222' (RSA) to the list of known hosts.admin@192.168.3.82's password: Administrator, 欢迎使用Jumpserver开源跳板机系统 1) 输入 ID 直接登录 或 输入部分 IP,主机名,备注 进行搜索登录(如果唯一). 2) 输入 / + IP, 主机名 or 备注 搜索. 如: /ip 3) 输入 P/p 显示您有权限的主机. 4) 输入 G/g 显示您有权限的主机组. 5) 输入 G/g + 组ID 显示该组下主机. 如: g1 6) 输入 H/h 帮助. 0) 输入 Q/q 退出.Opt>#能成功登录的表示安装部署成功安装 Web Terminal 前端: Luna
Luna 已改为纯前端,需要 Nginx 来运行访问,访问(https://github.com/jumpserver/luna/releases)下载对应版本的 release 包,直接解压,不需要编译。
(py3) [root@master opt]# docker run --name jms_guacamole -d \-p 8081:8080 -v /opt/guacamole/key:/config/guacamole/key \-e JUMPSERVER_KEY_DIR=/config/guacamole/key \-e JUMPSERVER_SERVER=http://192.168.3.82:8080 \registry.jumpserver.org/public/guacamole:1.0.0Unable to find image 'registry.jumpserver.org/public/guacamole:1.0.0' locallyTrying to pull repository registry.jumpserver.org/public/guacamole ... 1.0.0: Pulling from registry.jumpserver.org/public/guacamole723254a2c089: Pull complete abe15a44e12f: Pull complete 409a28e3cc3d: Pull complete a9511c68044a: Pull complete 9d1b16e30bc8: Pull complete 0fc5a09c9242: Pull complete d34976006493: Pull complete 3b70003f0c10: Pull complete bc7887582e2e: Pull complete d2ab4f165865: Pull complete 3882b23577d6: Pull complete 9f8b758ebfa6: Pull complete ef5d2d838878: Pull complete 310fa32446d6: Pull complete a23204f32cd2: Pull complete f3cba08c8ef8: Pull complete 59073672f2e3: Pull complete 86d50039bf5c: Pull complete 7041bb4312f0: Pull complete ca5c931789c9: Pull complete cef49dddf00f: Pull complete 3535ea408862: Pull complete 2dd70d9a46ce: Pull complete Digest: sha256:ea862bb2e83b648701655c27900bca14b0ab7ab9d4572e716c25a816dc55307bStatus: Downloaded newer image for registry.jumpserver.org/public/guacamole:1.0.038910abc050cea50fa03acc913e4916f17726820de9d6a1274f6e37a9131ba31#然后去后台接受注册信息需要注意的是修改默认IP如下图
配置 Nginx 整合各组件
(py3) [root@master opt]# yum install nginx -y(py3) [root@master opt]# cd /etc/nginx/(py3) [root@master nginx]# cp nginx.conf nginx.conf.bak(py3) [root@master nginx]# vim nginx.confserver { listen 80; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location /luna/ { try_files $uri / /index.html; alias /opt/luna/; } location /media/ { add_header Content-Encoding gzip; root /opt/jumpserver/data/; } location /static/ { root /opt/jumpserver/data/; } location /socket.io/ { proxy_pass http://localhost:5000/socket.io/; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location /guacamole/ { proxy_pass http://localhost:8081/; proxy_buffering off; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; access_log off; } location / { proxy_pass http://localhost:8080; }}}(py3) [root@master nginx]# nginx -tnginx: the configuration file /etc/nginx/nginx.conf syntax is oknginx: configuration file /etc/nginx/nginx.conf test is successful(py3) [root@master nginx]# nginx(py3) [root@master nginx]# lsof -i :80COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEnginx 24269 root 6u IPv4 100705 0t0 TCP *:http (LISTEN)nginx 24270 nginx 6u IPv4 100705 0t0 TCP *:http (LISTEN)最后通过nginx直接访问如下
简单使用配置
系统几个用户的区别
用户:是指你在web上创建的用户,会在跳板机上创建这个用户,作用就是用于登录跳板机,另外用户分为普通用户和超级管理员,后者可以审计查看用户登陆记录、命令历史等
管理用户:是指客户端上的如root等高权限账号(或普通用户拥有NOPASSWD: ALL sudo权限), 作用用于推送系统用户,注意是已经在客户端用户上存在的用户。
系统用户:是指要在客户端上创建这个系统用户,通过推送来实现,作用就是登录客户端。
管理用户和系统用户的关系:
两者都是客户端上的用户,后者涉及到一个推送动作
比如推送test系统用户,也就是在客户端上创建test用户,那么创建用户需要有权限
有没有权限创建就要看你是用客户端的root用户还是普通用户做为管理用户
如果后者做为管理用户就需要添加sudo权限又是NOPASSWD: ALL
添加用户组
添加用户这个用户是用于登录jumpsesrver的用户, 与后面的管理用户、系统用户没有关联
添加完成
创建管理用户这个用户必须具备客户端管理权限, 否则后面会有问题,这里我以管理用户为例创建
添加系统用户系统用户是Jumpserver跳转登录资产时使用的用户, 可以理解为登录资产用户,如 web, sa, dba(ssh web@some-host), 而不是使用某个用户的用户名跳转登录服务器(ssh xiaoming@some-host); 简单来说是 用户使用自己的用户名登录Jumpserver, Jumpserver使用系统用户登录资产。 系统用户创建时,如果选择了自动推送 Jumpserver会使用ansible自动推送系统用户到资产中,如果资产(交换机、windows)不支持ansible,
请手动填写账号密码。 目前还不支持Windows的自动推送.注:这个系统在创建时,是可以配置sudo权限的
创建资产
创建完成后,可以在下面的界面测试连接性 点击更新硬件信息
点击测试可连接性
表示正常连接,返回资产列表如下图
测试登录效果
[root@test ~]# ssh -p2222 jumpserver@192.168.3.82jumpserver@192.168.3.82's password: 登录到jumpserver, 欢迎使用Jumpserver开源跳板机系统 1) 输入 ID 直接登录 或 输入部分 IP,主机名,备注 进行搜索登录(如果唯一). 2) 输入 / + IP, 主机名 or 备注 搜索. 如: /ip 3) 输入 P/p 显示您有权限的主机. 4) 输入 G/g 显示您有权限的主机组. 5) 输入 G/g + 组ID 显示该组下主机. 如: g1 6) 输入 H/h 帮助. 0) 输入 Q/q 退出.Opt> p ID Hostname IP LoginAs Comment 1 3.26 192.168.3.26 [3.16用户] 2 linux 192.168.3.16 [3.16用户] 总共: 2 匹配: 2Opt> 1Connecting to testsysuser@3.26 0.6[testsysuser@linux1 ~]$ pwd/home/testsysuser[testsysuser@linux1 ~]$ ip add |grep 192.168.1.inet 192.168.3.26/24 brd 192.168.3.255 scope global ens160#可以正常用系统用户来登录客户端主机了WEB端也可以看到在线的会话
历史会话
还可以看到具体回放功能,点击回放可查看登录用户的操作过程
命令记录
整体仪表盘
