Jumpserver - The Bastion Host for Multi-Cloud Environment

• 中文版

Security Notice
On 15th January 2021, JumpServer found a critical bug for remote execution vulnerability. Please fix it asap! For more detail Thanks for reactivity of Alibaba Hackerone bug bounty program report use the bug

---

Jumpserver is the world's first open-source Bastion Host and is licensed under the GNU GPL v2.0. It is a 4A-compliant professional operation and maintenance security audit system.

Jumpserver uses Python / Django for development, follows Web 2.0 specifications, and is equipped with an industry-leading Web Terminal solution that provides a beautiful user interface and great user experience

Jumpserver adopts a distributed architecture to support multi-branch deployment across multiple cross-regional areas. The central node provides APIs, and login nodes are deployed in each branch. It can be scaled horizontally without concurrency restrictions.

Change the world by taking every little step

---

Advantages

• Open Source: huge transparency and free to access with quick installation process.
• Distributed: support large-scale concurrent access with ease.
• No Plugin required: all you need is a browser, the ultimate Web Terminal experience.
• Multi-Cloud supported: a unified system to manage assets on different clouds at the same time
• Cloud storage: audit records are stored in the cloud. Data lost no more!
• Multi-Tenant system: multiple subsidiary companies or departments access the same system simultaneously.
• Many applications supported: link to databases, windows remote applications, and Kubernetes cluster, etc.

Features List

Authentication	Login	Unified way to access and authenticate resources
		LDAP/AD Authentication
		RADIUS Authentication
		OpenID Authentication（Single Sign-On）
		CAS Authentication （Single Sign-On）
	MFA (Multi-Factor Authentication)	Use Google Authenticator for MFA
		RADIUS (Remote Authentication Dial In User Service)
	Login Supervision	Any user’s login behavior is supervised and controlled by the administrator🔸
Accounting	Centralized Accounts Management	Admin Users management
		System Users management
	Unified Password Management	Asset password custody (a matrix storing all asset password with dense security)
		Auto-generated passwords
		Automatic password handling (auto login assets)
		Password expiration settings
	Password change Schedular	Support regular batch Linux/Windows assets password changing🔸
		Implement multiple password strategies🔸
	Multi-Cloud Management	Automatically manage private cloud and public cloud assets in a unified platform 🔸
	Users Acquisition	Create regular custom tasks to collect system users in selected assets to identify and track the privileges ownership🔸
	Password Vault	Unified operations to check, update, and test system user password to prevent stealing or unauthorised sharing of passwords🔸
Authorization	Multi-Dimensional	Granting users or user groups to access assets, asset nodes, or applications through system users. Providing precise access control to different roles of users
	Assets	Assets are arranged and displayed in a tree structure
		Assets and Nodes have immense flexibility for authorizing
		Assets in nodes inherit authorization automatically
		child nodes automatically inherit authorization from parent nodes
	Application	Provides granular access control for privileged users on application level to protect from unauthorized access and unintentional errors
		Database applications (MySQL, Oracle, PostgreSQL, MariaDB, etc.) and Remote App🔸
	Actions	Deeper restriction on the control of file upload, download and connection actions of authorized assets. Control the permission of clipboard copy/paste (from outer terminal to current asset)
	Time Bound	Sharply limited the available (accessible) time for account access to the authorized resources to reduce the risk and attack surface drastically
	Privileged Assignment	Assign the denied/allowed command lists to different system users as privilege elevation, with the latter taking the form of allowing particular commands to be run with a higher level of privileges. (Minimize insider threat)
	Command Filtering	Creating list of restriction commands that you would like to assign to different authorized system users for filtering purpose
	File Transfer and Management	Support SFTP file upload/download
	File Management	Provide a Web UI for SFTP file management
	Workflow Management	Manage user login confirmation requests and assets or applications authorization requests for Just-In-Time Privileges functionality🔸
	Group Management	Establishing a multi-tenant ecosystem that able authority isolation to keep malicious actors away from sensitive administrative backends🔸
Auditing	Operations	Auditing user operation behaviors for any access or usage of given privileged accounts
	Session	Support real-time session audit
		Full history of all previous session audits
	Video	Complete session audit and playback recordings on assets operation (Linux, Windows)
		Full recordings of RemoteApp, MySQL, and Kubernetes🔸
		Supports uploading recordings to public clouds
	Command	Command auditing on assets and applications operation. Send warning alerts when executing illegal commands
	File Transfer	Full recordings of file upload and download
Database	How to connect	Command line
		Built-in Web UI🔸
	Supported Database	MySQL
		Oracle 🔸
		MariaDB 🔸
		PostgreSQL 🔸
	Feature Highlights	Syntax highlights
		Prettier SQL formmating
		Support Shortcuts
		Support selected SQL statements
		SQL commands history query
		Support page creation: DB, TABLE
	Session Auditing	Full records of command
		Playback videos

Note: Rows with 🔸 at the end of the sentence means that it is X-PACK features exclusive (Apply for X-PACK Trial)

Start

Quick start Docker Install

Step by Step deployment. Docs

Full documentation Docs

Demo、Video 和 Snapshot

We provide online demo, demo video and screenshots to get you started quickly.

Demo Video Snapshot

SDK

We provide the SDK for your other systems to quickly interact with the Jumpserver API.

• Python Jumpserver other components use this SDK to complete the interaction.
• Java Thanks to 恺珺 for providing his Java SDK vesrion.

JumpServer Component Projects

• Lina JumpServer Web UI
• Luna JumpServer Web Terminal
• KoKo JumpServer Character protocaol Connector, replace original Python Version Coco
• Guacamole JumpServer Graphics protocol Connector，rely on Apache Guacamole

Contribution

If you have any good ideas or helping us to fix bugs, please submit a Pull Request and accept our thanks :)

Thanks to the following contributors for making JumpServer better everyday!

Thanks to

• Apache Guacamole Web page connection RDP, SSH, VNC protocol equipment. JumpServer graphical connection dependent.
• OmniDB Web page connection to databases. JumpServer Web database dependent.

JumpServer Enterprise Version

• Apply for it

Case Study

• JumpServer 堡垒机护航顺丰科技超大规模资产安全运维；
• JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧；
• 携程 JumpServer 堡垒机部署与运营实战；
• 小红书的JumpServer堡垒机大规模资产跨版本迁移之路；
• JumpServer堡垒机助力中手游提升多云环境下安全运维能力；
• 中通快递：JumpServer主机安全运维实践；
• 东方明珠：JumpServer高效管控异构化、分布式云端资产；
• 江苏农信：JumpServer堡垒机助力行业云安全运维。

For safety instructions

JumpServer is a security product. Please refer to Basic Security Recommendations for deployment and installation.

If you find a security problem, please contact us directly：

• ibuler@fit2cloud.com
• support@fit2cloud.com
• 400-052-0755

License & Copyright

Copyright (c) 2014-2019 Beijing Duizhan Tech, Inc., All rights reserved.

Licensed under The GNU General Public License version 2 (GPLv2) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

https://www.gnu.org/licenses/gpl-2.0.html

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.