JumpServer bastion host v3.4.0 released: supports recording and auditing uploaded/downloaded file content and controlling the way users connect to assets


On June 19, 2023, the JumpServer open source bastion host officially released version v3.4.0. In this version, JumpServer supports multiple resource selection strategies for user login, command filtering, asset login and connection methods, and it supports recording and auditing uploaded/downloaded file content, further improving system security. It also supports controlling file deletion through asset authorization rules and adding all users to user groups with one click.

For asset login, the new version supports controlling the user login IP and login time, and a single user can open and connect to multiple web assets at the same time. For remote applications, the address bar information can be hidden when connecting to assets through the Chrome remote application, and the DBeaver remote application can connect to database assets through gateways. In addition, the operation center supports configuring a command blacklist, which effectively prevents dangerous and wrong commands from being entered.

In the X-Pack enhanced package, the new version of JumpServer supports controlling the way users connect to assets and supports custom SMS authentication services, so users can connect their own SMS platforms.

New features

1. Support multiple resource selection strategies (user login, command filtering, asset login and connection methods)

In JumpServer v3.4.0, for scenarios that require matching, such as user login, command filtering, asset login and connection method, we upgraded the plain input box into a composite selection input box that supports multiple resource selection strategies.

▲Figure 1 JumpServer supports multiple resource selection strategies

2. Support recording and auditing uploaded/downloaded file content

In JumpServer v3.4.0, the file audit function for file upload/download is newly added.

Auditors can view the specific uploaded/downloaded file content on the "File Transfer" page under the "Session Audit" menu. The system default backup file size threshold is 100MB. Auditors can modify the parameter FTP_FILE_MAX_STORE in the config.txt configuration file to change the threshold. The configuration unit is MB (megabytes). When the value of this configuration item is less than or equal to 0, no file backup will be performed.
▲Figure 2 Supports recording and auditing uploaded/downloaded file content
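
As an added example (not JumpServer code), the following Python reads FTP_FILE_MAX_STORE from config.txt content and lists the transfers that would leave no file content for auditors. It assumes config.txt uses KEY=VALUE lines, that a file larger than the threshold is not backed up, and that 1 MB is 1024*1024 bytes; the function names and sample data are constructed for illustration.

```python
DEFAULT_MAX_STORE_MB = 100  # default threshold stated in the release notes

# Constructed sample config.txt content; the KEY=VALUE layout is an assumption.
SAMPLE_CONFIG = """\
# constructed sample, not a real deployment
FTP_FILE_MAX_STORE = 50
"""

# Constructed sample transfers: (file name, size in bytes).
SAMPLE_TRANSFERS = [
    ("deploy.sh", 4 * 1024),
    ("db_dump.sql.gz", 80 * 1024 * 1024),
]

def parse_config(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg

def max_store_mb(cfg):
    """Return the configured threshold in MB, or the default when unset."""
    raw = cfg.get("FTP_FILE_MAX_STORE", "")
    if raw == "":
        return DEFAULT_MAX_STORE_MB
    return int(raw)  # raises ValueError on a non-integer value

def audit_gaps(limit_mb, transfers):
    """Return names of transfers whose content would not be kept for audit.

    Assumption: a file larger than the threshold is not backed up.
    """
    if limit_mb <= 0:  # per the release notes: no file backup at all
        return [name for name, _ in transfers]
    limit_bytes = limit_mb * 1024 * 1024  # MB taken as 1024*1024 bytes (assumption)
    return [name for name, size in transfers if size > limit_bytes]

if __name__ == "__main__":
    limit = max_store_mb(parse_config(SAMPLE_CONFIG))
    print("threshold (MB):", limit)
    print("not retained:", audit_gaps(limit, SAMPLE_TRANSFERS))
```
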

3. Support to control the deletion of files through asset authorization rules

In JumpServer v3.4.0, the actions of an authorization rule now include control over the "delete" action, so administrators can handle user permission control more flexibly. Note: this delete action is only supported for SFTP and Web SFTP; the delete action on Windows is not currently supported.

▲Figure 3 Support to control the deletion of files through asset authorization rules

4. Support adding all users to user groups with one click

In JumpServer v3.4.0, administrators can add all users to specified user groups with one click, thereby further improving work efficiency.

▲Figure 4 supports adding all users to user groups with one click

5. In terms of asset login, it supports the control of user login IP and login time

In JumpServer v3.4.0, asset login control is now consistent with the "user login" control strategy: access can be restricted to a specific IP address or group of IP addresses and to a login time period, which strengthens the administrator's security protection for specific assets.

▲Figure 5 supports the control of login IP and login time

6. Support single user to open and connect multiple web assets at the same time

In JumpServer v3.4.0, a single user can open and connect to multiple web assets at the same time, improving the efficiency of connecting assets.

7. When connecting assets through the Chrome remote application, it supports hiding the information in the address bar

In the JumpServer v3.4.0 version, the administrator can hide the address bar information displayed when the user connects to the Chrome remote application, preventing the user from jumping to other pages for operation through a single session.

The prerequisites are: enable the "Existing RDS license" option in the application publishing machine settings, disable the "RDS single-user single-session" option, and redeploy the publishing machine at the same time.

▲Figure 6 When connecting assets through the Chrome remote application, the address bar information is supported to be hidden

8. The operation center supports configuring a command blacklist

In JumpServer v3.4.0, a command blacklist is added to the function center. After the administrator adds commands to the blacklist, those commands are filtered out when tasks are executed, which effectively prevents dangerous commands, wrong commands and the like from being entered.

▲Figure 7 The operation center supports configuring a command blacklist

9. Support DBeaver remote application to connect to database assets through the gateway

In JumpServer v3.4.0, when connecting to assets through the DBeaver remote application, it supports using domains to connect to specified assets.

10. Supports controlling the way users connect to assets (inside the X-Pack enhancement package)

There are various ways for JumpServer to connect to assets, including connecting through command line, graphical interface, and client.

JumpServer v3.4.0 supports controlling asset connection methods: administrators can configure which connection components users may use to connect to assets.

▲Figure 8 Supports controlling the way users connect to assets (inside the X-Pack enhancement package)

11. Support custom SMS authentication service (in X-Pack enhanced package)

In JumpServer v3.4.0, we support a custom SMS authentication service: users can connect their own SMS platform in the configuration interface and send SMS messages over the HTTP/HTTPS protocol.

▲Figure 9 supports custom SMS authentication service (in X-Pack enhanced package)

Function optimization

■ Optimized the PC terminal to successfully log in to JumpServer without scanning the QR code when logging in to the enterprise WeChat client (thanks to community developer X-Mars for its contribution);

■ Optimize the display problem of the Select2 resource selection component (more than 10 will display the number);

■ The option of connection parameters is added in the asset connection pop-up window of the Web Terminal page;

■ The "session sharing" link can only be used once by the same user;

■ Account push supports setting the Home directory;

■ Asset list search supports remark fuzzy search;

■ Optimize the prompt information when deleting all users;

■ The remote application publishing machine platform supports the WinRM protocol;

■ Optimize the help information of the Host field of the service endpoint, and prohibit modification of the Host field of the default service endpoint;

■ The LDAP test connectivity is called asynchronously. After clicking the "Test" button, the task will be executed in the background without affecting the operation of the foreground page;

■ Optimize the action field description in asset authorization rules;

■ Optimized the display of field names in system settings (including time units);

■ Optimize the connectivity of timing detection commands and video storage, and send message notifications;

■ Optimize the deletion of remote applications: the custom asset platform created synchronously is deleted automatically;

■ Optimize the script filling function of Web assets, and increase the Sleep waiting command;

■ Asset platform details add asset list page (only assets under the current organization are displayed);

■ After the KoKo component opens VSCode mode, it supports using SCP to transfer files;

■ When the KoKo component is connected to the Ubuntu system, it supports switching with sudo;

■ LDAP synchronization setting supports synchronizing users to multiple organizations (in X-Pack enhanced package);

■ When a user with super work order permission applies for a work order, he can specify the applicant (in the X-Pack enhancement package);

■ In the SMS service configuration, the test mobile phone number supports the selection of area codes (inside the X-Pack enhancement package).

Bug fixes

■ Fix the problem of asset account import error reporting;

■ Fix the problem that the backend service reports an error when the terminal endpoint uses the asset tag matching mechanism;

■ Fixed the problem that the automatically created custom platform did not set the automation field when importing remote applications;

■ Fixed the problem that the specific error information was not recorded when the user entered an error using MFA login authentication;

■ Fixed the problem that, after a platform's account switching function is disabled, previously created switching accounts can still switch normally;

■ Fix the problem that the password input box does not display the password rules;

■ Fix the problem that the front-end page does not display parameters in JSON format;

■ Fix the problem that after creating an asset and specifying the "template addition" option, there is no automatic association and switching from the account;

■ Fix the problem of occasional error reporting when performing tasks in the job center;

■ Fix the problem that system administrators cannot update each other;

■ Fix the problem that the Playbook file tree in the operation center cannot be right-clicked;

■ Fixed the problem that some assets had no nodes when upgrading from JumpServer v2 to v3;

■ Fix the problem that the account password change prompt failed, but actually succeeded (in the X-Pack enhancement package);

■ Fix the error reported when viewing account details under the global organization (in the X-Pack enhancement package);

■ Fix the problem that the authentication information cannot be added when creating a cloud account (in the X-Pack enhanced package);

■ Fix the problem that the IP address is 0.0.0.0 when synchronizing Alibaba Cloud assets (in the case of delayed binding of the elastic public IP) (inside the X-Pack enhancement package).

Origin blog.csdn.net/FIT2CLOUD/article/details/131296954