Project practice 15.2: Enterprise-level bastion host Jumpserver quick start

Prerequisites

  • Hardware requirements
① An available host (the bastion host) with the Jumpserver system installed
② One or more available Linux or Windows asset devices (the managed assets)
  • Service requirements

(1) coco service

① Because status detection on the web page can lag, you can also run the following command directly on the Jumpserver host to check whether Coco is alive. The Coco service listens on port 2222 by default:

[root@centos7-1 ~]# ss -nutlp |grep 2222

The effect is as follows:

② If Coco is not online or the service is abnormal, you can try restarting Coco:

$ cd /opt/coco

$ ./cocod restart # Make sure jumpserver is running normally.

(2) guacamole service

If Guacamole is not online or the service is abnormal, you can try restarting its Docker container:

① $ docker ps # Query the running container, record the container's <CONTAINER ID>, you can add the -a parameter to query all containers

② $ docker restart 6b15fcf0e5f3 # 6b15fcf0e5f3 is queried through docker ps, please do not copy it directly.

# docker usage: docker start|stop|restart|rm|rmi <CONTAINER ID>

 

1. System settings

1.1 Basic Settings

You can set the user guide URL. If it is not set, the links generated by Jumpserver default to www.localhost.com.

1.2 Configure the outgoing mail server

Click "Mail Settings" on the top of the page to enter the mail settings page:

Note:

① To configure the SMTP service of QQ mailbox, please refer to ( http://blog.csdn.net/Aaron133/article/details/78363844 ), you only need to read the second part to use it.

② The SMTP password is the password Tencent sends you when you enable SMTP for your QQ mailbox.

③ After configuring the mail service, click the "Test Connection" button on the page. If the configuration is correct, Jumpserver will send a test mail to your SMTP account mailbox:

2. Create a user

2.1 Create Jumpserver user

① Click "User List" under the "User List" menu on the left side of the page to enter the user list page.

② Click the "Create User" button in the upper left corner of the page to enter the create user page, and fill in the account, role, security, personal and other information.

Among them, the user name is the Jumpserver login account. User groups are used for asset authorization. When an asset is authorized to a user group, all users under the user group can use the asset. Roles are used to distinguish whether a user is an administrator or a regular user.

③ After the user information is submitted successfully, Jumpserver sends an email with a "set user password" link to the email address you entered.

④ Click the set password link in the email. After setting the password, you can log in to Jumpserver with the username and password.

2.2 Login Jumpserver user

(1) Web page login

① When the user logs in to Jumpserver for the first time, he will be required to complete the user information.

② Generate ssh public key

For Linux/Unix generation of SSH keys, please refer to ( https://www.cnblogs.com/horanly/p/6604104.html )

For generating SSH keys on Windows, refer to ( https://www.cnblogs.com/horanly/p/6604104.html )

View public key information

[root@centos7-1 ~]# cat ~/.ssh/id_rsa.pub

③ Copy the SSH public key and add it to Jumpserver.

 

(2) In addition to using a browser to log in to Jumpserver, you can also use the command line to log in:

① Make sure the Coco service is normal

 ② Log in to Jumpserver from the command line and use the following command:

$ ssh -p 2222 username@<Jumpserver IP address>

After successful login, the interface is as follows:

 

3. Create assets

3.1 Creating Linux Assets

(1) Edit the asset tree

Nodes cannot have the same name. Right-click a node to add, delete, and rename nodes, as well as perform asset-related operations.

(2) Create an administrative user

  The administrative user is root on the server, or a user with NOPASSWD: ALL sudo privileges; Jumpserver uses it to push system users, collect asset hardware information, and so on.

  Note: Everything in asset management relates to assets, including all users created there. The root password of the Jumpserver host is only used by the Jumpserver administrator to log in to the server where Jumpserver is installed; it is not used anywhere else, so don't confuse the two (I did).

  If you use an SSH private key, you need to set it up on the asset first. Here is an example for reference (it uses root to log in to the asset):

① Generate the public key and private key of the root account on the asset

[root@centos7-1 ~]# ssh-keygen -t rsa # By default the public and private key files are written to the ~/.ssh directory

② Output the public key to the authorized_keys file and modify the permissions

[root@centos7-1 ~]# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

[root@centos7-1 ~]# chmod 400 ~/.ssh/authorized_keys

③ Enable the public key authentication settings

[root@centos7-1 ~]# vim /etc/ssh/sshd_config

  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile     .ssh/authorized_keys

④ Restart the ssh service

[root@centos7-1 ~]# systemctl restart sshd

⑤ Upload the id_rsa private key from the ~/.ssh directory to the administrative user in Jumpserver
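The five steps above as a script, added here as an example that is not from the original article; it assumes you pass the administrative user's home directory and public key file as arguments, and it checks that sshd_config is valid before the restart in step ④:

```shell
#!/bin/sh
# Added example, not from the original article: set up key-based login for the
# administrative user on an asset and verify sshd_config before restarting sshd.
# Assumption: the caller passes the user's home directory (the article uses root's ~).

# Append a public key to <home>/.ssh/authorized_keys with the permissions sshd
# expects (700 on .ssh, 400 on the file as in the article); safe to run twice.
# Usage: install_authorized_key <home_dir> <pubkey_file>
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"      # writable while appending
    if ! grep -qxF "$(cat "$pubkey")" "$home_dir/.ssh/authorized_keys"; then
        cat "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    fi
    chmod 400 "$home_dir/.ssh/authorized_keys"
}

# Return 0 when an sshd_config permits public-key login via .ssh/authorized_keys.
# Only PubkeyAuthentication and AuthorizedKeysFile are checked: RSAAuthentication
# from the article is a protocol-1 option that OpenSSH 7.4 and later ignore.
# Usage: sshd_config_allows_pubkey <sshd_config_path>
sshd_config_allows_pubkey() {
    cfg=$1
    # The last uncommented directive wins, so keep the final match of each.
    pubkey=$(grep -iE '^[[:space:]]*PubkeyAuthentication[[:space:]]' "$cfg" \
             | tail -n 1 | awk '{print tolower($2)}')
    keyfile=$(grep -iE '^[[:space:]]*AuthorizedKeysFile[[:space:]]' "$cfg" \
              | tail -n 1 | awk '{print $2}')
    [ -n "$pubkey" ] || pubkey=yes                    # OpenSSH defaults when absent
    [ -n "$keyfile" ] || keyfile=.ssh/authorized_keys
    if [ "$pubkey" = yes ] && [ "$keyfile" = .ssh/authorized_keys ]; then
        return 0
    fi
    return 1
}

# Run instead of a bare restart in step ④: a syntax error in sshd_config must
# not take sshd down and lock the Jumpserver host out of the asset.
restart_sshd_if_valid() {
    if sshd -t; then
        systemctl restart sshd
    else
        echo "sshd_config has errors, not restarting sshd" >&2
        return 1
    fi
}
```

On the asset, source the file and run `install_authorized_key /root /root/.ssh/id_rsa.pub`, then `sshd_config_allows_pubkey /etc/ssh/sshd_config && restart_sshd_if_valid`.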

 

(3) In this way, the ssh private key can be used to manage the server.

The name can follow the asset tree naming. The username is root. Password and SSH private key are required.

 

(4) Create system users

① The system user is the user Jumpserver uses to log in to the asset; think of it as the login account on the asset, such as web, sa or dba (ssh web@some-host), rather than each person's own username (ssh xiaoming@some-host). In short, users log in to Jumpserver with their own usernames, and Jumpserver logs in to assets with system users.

② In the sudo column of the system user, fill in the program paths that the current system user may execute with sudo without entering a password, for example the default /sbin/ifconfig. This means the system user can run ifconfig directly or as sudo ifconfig without entering their password, while other commands still require a password, which is how permissions are controlled.

③ Here are a few simple examples:

sudo /bin/su # The current system user can run sudo su without the sudo password (that is, switch directly to root, which is not recommended in production)
sudo /usr/bin/git,/usr/bin/php,/bin/cat,/bin/more,/bin/less,/usr/bin/head,/usr/bin/tail # The current system user can run git, php, cat, more, less, head and tail with sudo without a password
# The permissions here should be tailored to each user's needs; in principle, grant the least privilege possible.
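An added example, not from the original article, that checks a sudo column value before the system user is pushed: it rejects non-absolute paths and programs that hand out an interactive root shell, and prints an illustrative NOPASSWD rule for the remaining entries (the exact rule Jumpserver writes is not shown on this page, and SYSTEM_USER is an assumed variable):

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the comma-separated
# list typed into Jumpserver's "sudo" column before the system user is pushed.
# Assumption: Jumpserver turns that list into a NOPASSWD sudoers rule for the
# system user; the page does not show the exact line, so the format printed here
# is illustrative only. SYSTEM_USER defaults to "web", one of the page's examples.

# Programs that should never be passwordless: they hand over a root shell
# directly (su and shells) or let the caller start one from inside (pagers, editors).
RISKY_BASENAMES="su sh bash dash zsh less more vi vim"

# Usage: check_sudo_column "<entries>"   e.g. "/bin/cat,/usr/bin/head"
# Prints the resulting sudoers rule on stdout; returns 1 if any entry is rejected.
check_sudo_column() {
    rc=0
    list=""
    # Split on commas only, so a stray space inside an entry survives to be trimmed.
    old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d ' ')   # "/usr/bin/ tail" -> "/usr/bin/tail"
        [ -n "$entry" ] || continue
        case $entry in
            /*) ;;
            *)  echo "rejected: $entry is not an absolute path" >&2; rc=1; continue ;;
        esac
        case " $RISKY_BASENAMES " in
            *" ${entry##*/} "*)
                echo "rejected: $entry can give an interactive root shell" >&2
                rc=1; continue ;;
        esac
        list="${list:+$list,}$entry"
    done
    if [ -n "$list" ]; then
        printf '%s ALL=(ALL) NOPASSWD: %s\n' "${SYSTEM_USER:-web}" "$list"
    fi
    return $rc
}

# Stand-alone run: the page's own two examples, plus a non-absolute entry.
check_sudo_column "/bin/su" || echo "exit status $?"
check_sudo_column "/usr/bin/git,/usr/bin/php,/bin/cat,/bin/more,/bin/less,/usr/bin/head,/usr/bin/ tail" || echo "exit status $?"
check_sudo_column "/sbin/ifconfig,ifconfig" || echo "exit status $?"
```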

④ When the system user is created, if the automatic push Jumpserver is selected, Ansible will be used to automatically push the system user to the asset. If the asset (switch, Windows) does not support Ansible, please fill in the account password manually.

The Linux system protocol item must select ssh. If the user already exists in the system, please remove the automatic key generation and automatic push check boxes.

 

(5) Create assets

① Click the "Asset List" button under the "Asset Management" menu on the left side of the page to view all current asset lists.

Click the "Create Asset" button in the upper left corner of the page to enter the asset creation page and fill in the asset information.

Make sure that the IP address and administrative user are correct, and that the username and password of the selected administrative user can "reliably" log on to the specified IP host. The system platform of the asset must also be filled in correctly. The public IP information is only used for display and can be left blank. Jumpserver uses IP information to connect assets.

② After filling in the asset creation information and saving it, you can test whether the asset can be connected correctly:

③ If the test succeeds, the asset is ready. If the asset cannot be connected, check whether the username and key of the administrative user are correct and whether that user can log in to the asset host over SSH from the Jumpserver host.

 

(6) Domain list (if necessary)

The domain function is a newly added function to solve the problem that some environments cannot be directly connected. The principle is to log in through the gateway server.

Click the "Domain List" button on the left side of the page to see a list of all domains.

① Click the "Create Domain" button in the upper left corner of the page to enter the domain creation page, and select the gateway server used as the domain in the asset.

② Click the domain name to enter the domain details list.

Click the "Gateway" button on the page, select the "Create Gateway" button in the gateway list, enter the gateway creation page, and fill in the gateway information.

The IP is normally the IP of the domain asset by default (if the asset used as the domain has several network cards and IP addresses, any IP that can reach Jumpserver can be chosen). The username and password can be created on the asset, or you can use Jumpserver's push function (the password must be entered manually); confirm that the user has permission to run the ssh command.

③ After saving the information, click Test Connection. After confirming that the settings are correct, add the assets that need to be logged in with the gateway to the asset list.

 

3.2 Create Windows assets (it's easy to make mistakes, so pay extra attention)

(1) Create a Windows system management user

Like the management user of the Linux system, the name can be named according to the asset tree, the user name is the administrator's username, and the password is the administrator's password.

(2) Create a Windows system system user

Currently, Windows does not support automatic push. Users must exist in the system and have permission to use remote connections. Please remove the automatic key generation and automatic push check boxes; please confirm that the rdp firewall of Windows assets has been opened.

Windows Asset Protocol must select rdp.

(3) Create Windows assets

Same as creating a Linux asset.

When creating Windows assets, select the correct Windows version for the system platform, set the port number to 3389, select the correct IP and administrative user, and ensure that the administrative user can log in to the host at that IP.

 

4. Asset Node Management

4.1 Assign assets to asset tree nodes

On the asset list page, select the node to which you want to add an asset, right-click, and select Add Asset to Node.

Select the assets to be added and click "Confirm".

4.2 Delete node assets

Select the node to be deleted, select "Delete from Node", and click "Submit".

 

5. Create authorization rules

① Nodes, corresponding to assets, represent all assets under the node.

② User group, corresponding to the user, represents all users under the user group.

③ System users and users under the selected user group can use the assets under the selected node through this system user.

④ Nodes, user groups, and system users have a one-to-one relationship, so when you have different types of Linux and Windows assets, you should create authorization rules for Linux assets and Windows assets respectively.

The created authorization rule node must be the same as the node where the asset is located.

6. User use of assets

6.1 Log in to Jumpserver

When creating an authorization rule, a user group is selected, so users under the selected user group need to be logged in to see the corresponding assets.

The page after the user logs in correctly:

 

6.2 Using Assets

(1) Connecting assets

① Click the web terminal on the left side of the page:

② Open the node where the asset is located:

③ Double-click the asset name to connect the asset:

If it says the connection timed out, check that the system user's username and key assigned to the asset are correct, that for Windows the OS is selected correctly with protocol rdp and port 3389, that for Linux the OS is selected correctly with protocol ssh and port 22, and that the asset's firewall policy is configured correctly. After that, you can operate on the asset.

④ Test

Create a test file in the terminal.

On the server, the test file indeed exists.

(2) Connect to Windows resources

 

(3) Disconnecting assets

Clicking the Server button at the top of the page will bring up an option, the first to disconnect the selected connection, the second to disconnect all connections.

The above is a simple introduction to Jumpserver. If you encounter any problems during use, you can discuss with me.

 
