
Setting up a JumpServer bastion host (test environment)
1. What a bastion host does
Official website: https://jumpserver.org/
1. Manages the servers on the local network
2. Asset management (information on every server: IP, OS, disk, memory)
3. Asset authorization: permission management for ops, development and test
4. Restricts dangerous commands, e.g. blocks rm from being executed
5. Log auditing, command auditing and session-recording (video) auditing, monitoring everything a user does
6. Login restrictions: username, password, multi-factor authentication (dynamic one-time password)
2. Installing and deploying the JumpServer bastion host
1. Operating system: CentOS, Kylin or Ubuntu
```bash
[root@j01 ~/jumpserver-ce-v4.9.0-x86_64]#cat /etc/os-release
NAME="Kylin Linux Advanced Server"
VERSION="V10 (Lance)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Lance)"
ANSI_COLOR="0;31"
```
2. Get the JumpServer package
https://community.fit2cloud.com/#/products/jumpserver/downloads
3. Once the download has finished, upload the JumpServer tarball
```bash
[root@j01 ~]#ll
total 1202020
-rw-r--r-- 1 root root 1230865983 May 8 18:15 jumpserver-ce-v4.9.0-x86_64.tar.gz
```
4. Install JumpServer
```bash
[root@jumpserver /opt/jumpserver-ce-v4.9.0-x86_64]#./jmsctl.sh install
```
5. After installation, start JumpServer
```bash
[root@j01 ~/jumpserver-ce-v4.9.0-x86_64]#./jmsctl.sh start
[+] Running 8/0
✔ Container jms_lion Running 0.0s
✔ Container jms_chen Running 0.0s
✔ Container jms_web Running 0.0s
✔ Container jms_redis Running 0.0s
✔ Container jms_postgresql Running 0.0s
✔ Container jms_core Running 0.0s
✔ Container jms_celery Running 0.0s
✔ Container jms_koko Running
```
6. Check the listening ports
```bash
[root@j01 ~/jumpserver-ce-v4.9.0-x86_64]#netstat -tnulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1649/docker-proxy
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1097/sshd: /usr/sbi
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 1730/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 1655/docker-proxy
tcp6 0 0 :::22 :::* LISTEN 1097/sshd: /usr/sbi
tcp6 0 0 :::2222 :::* LISTEN 1756/docker-proxy
udp 0 0 127.0.0.1:323 0.0.0.0:* 764/chronyd
udp6 0 0 ::1:323 :::* 764/chronyd
```
7. Open the web UI in a browser; the default username/password is admin/ChangeMe
3. The three kinds of JumpServer users
1. Privileged account:
1. Asset management (can see the details of every backend host, e.g. 172.16.1.7, 1 core, 1 GB RAM, 50 GB disk)
2. Collects the clients' configuration
3. Creates regular accounts (Linux system accounts) in bulk
4. Runs commands in bulk
2. System account:
1. e.g. goudan (a Linux system account)
3. JumpServer login user (supports multi-factor authentication, i.e. login with a dynamic password)
1. Logs in to JumpServer with their own personal name
#1. Under the hood JumpServer calls Ansible, which has a files module that automatically gathers the clients' configuration, so JumpServer needs the privileged account to have passwordless key access to the backend hosts before it can manage them
#2. The system account (goudan) is what is used to log in to the backend servers; for example goudan is granted to ops and gousheng to development
Create a user:
Users list -- Create -- enter name, username, email, user group, set a password
4. Adding assets
1. Add the root privileged account
```bash
# 1. Generate a key pair
[root@j01 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:8Qvm3l3/ltm4EeeThsSqOPxism6ifn23oMwTWtaJfng root@j01
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| . |
| o . |
| o S . o. .|
| = = . .o .+.|
| * +.. .. .o==|
| +oB.Eoo.. .o=+|
|.oo +*O.*+o . .o+|
+----[SHA256]-----+
# 2. Set up passwordless key login to the backend assets
[root@j01 ~]#ssh-copy-id 10.0.0.8
[root@j01 ~]#ssh-copy-id 10.0.0.9
[root@j01 ~]#ssh-copy-id 10.0.0.51
```
3. Add the assets
First add the asset tree.
Assets list -- Create asset -- enter name, IP/host, platform, node -- add from a template
Add template -- Create -- enter name, username, SSH key, private key (shown by [root@j01 ~]#cat .ssh/id_rsa)
2. Add the management account for the Linux backend assets: ops
Account templates -- Create -- name, username (the system account's name), SSH key: generate randomly (passwordless key login is set up so that no password is asked for on remote login), auto push
3. Add the management account for the Linux backend assets: development
5. Asset authorization
Asset authorization -- Create -- name, user group, node, specify account, select from template
1. Authorize user weixiang to log in to all backend assets
Once the template has been added, the related account information appears in the account list
Logging in as weixiang shows the authorized assets
Login test: the connection works; it logs in as the regular user goudan that was created
2. Authorize user zhangjia to log in only to the database assets
Add the user
6. Two ways to manage the backend asset servers
One is remote login through the web page
The other is remote login through Xshell
```bash
[C:\~]$ ssh weixiang@10.0.0.20 2222 # the password is the JumpServer login user's password; JumpServer's remote SSH port is 2222
Connecting to 10.0.0.20:2222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Welcome to JumpServer SSH Server
WARNING! The remote SSH server rejected X11 forwarding request.
维祥, JumpServer
1) Enter part IP, Hostname, Comment to to search login if unique.
2) Enter / + IP, Hostname, Comment to to search, such as: /192.168.
3) Enter p to display the assets you have permission.
4) Enter g to display the node that you have permission.
5) Enter h to display the hosts that you have permission.
6) Enter d to display the databases that you have permission.
7) Enter k to display the kubernetes that you have permission.
8) Enter r to refresh your assets and nodes.
9) Enter s to language switch.
10) Enter ? to print help.
11) Enter q to exit.
Opt> p # p prints the assets this user is allowed to see
ID | NAME | ADDRESS | PLATFORM | ORGANIZATION | COMMENT
-----+-------+-------------+-----------------------------------------------+---------------------------------------------------+-----------------------------------------------
1 | db01 | 172.16.1.51 | Linux | DEFAULT |
2 | web02 | 172.16.1.8 | Linux | DEFAULT |
3 | web03 | 172.16.1.9 | Linux | DEFAULT |
Page: 1, Count: 33, Total Page: 1, Total Count: 3
Enter ID number directly login, multiple search use // + field, such as: //16 Page up: b Page down: n
Search:
[Host]> 1 # enter 1 to go into the db asset
Connecting to goudan(后端资产的系统运维用户)(goudan)@172.16.1.51 0.2
Authorized users only. All activities may be monitored and reported.
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu May 15 16:07:27 2025 from 172.16.1.20
[goudan@db01 ~]#exit
ID | NAME | ADDRESS | PLATFORM | ORGANIZATION | COMMENT
-----+-------+-------------+-----------------------------------------------+---------------------------------------------------+-----------------------------------------------
1 | db01 | 172.16.1.51 | Linux | DEFAULT |
2 | web02 | 172.16.1.8 | Linux | DEFAULT |
3 | web03 | 172.16.1.9 | Linux | DEFAULT |
Page: 1, Count: 33, Total Page: 1, Total Count: 3
Enter ID number directly login, multiple search use // + field, such as: //16 Page up: b Page down: n
Search:
[Host]> web02 # go into the web02 asset
Connecting to goudan(后端资产的系统运维用户)(goudan)@172.16.1.8 0.2
Authorized users only. All activities may be monitored and reported.
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu May 15 16:50:27 2025 from 172.16.1.20
[goudan@web02 ~]#
```
Set up an Xshell login script for db01
Connection:
Name: 登录web01脚本
Protocol: SSH
Host: 10.0.0.20
Port: 2222
User authentication:
Username: weixiang
Password: 654321
Login script:
Expect: Opt>
Send: p
Expect: [Host]
Send: db01
7. Auditing
Switch to the Audit console -- Session records -- Replay session -- Monitor; a user's live session can be watched
Under Session commands you can see every command the user ran
8. User privilege escalation
I. Privilege escalation for goudan, the backend ops system account: su
```bash
# 1. Check the user's current sudo rights
[root@db01 ~]#visudo
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
goudan ALL=(ALL) NOPASSWD: /bin/whoami
gousheng ALL=(ALL) NOPASSWD: /bin/whoami
```
2. Accounts list -- select the account to escalate -- Push -- fill in the details
Note: plan this in advance: Account templates -- Edit -- Account push parameters -- Settings; set the intended permissions there beforehand
3. The goudan user now has /bin/su rights
```bash
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
goudan ALL=(ALL) NOPASSWD: /bin/whoami,/bin/su # now authorized
gousheng ALL=(ALL) NOPASSWD: /bin/whoami
```
4. Switch user: succeeds
```bash
[goudan@db01 ~]#sudo su -
Last login: Thu May 15 17:37:05 CST 2025 from 172.16.1.20 on pts/1
[root@db01 ~]#
```
II. Privilege escalation for gousheng, the backend development system account: cat
```bash
# Check the rights
[root@db01 ~]#visudo
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
goudan ALL=(ALL) NOPASSWD: /bin/whoami,/bin/su
gousheng ALL=(ALL) NOPASSWD: /bin/whoami,/bin/cat # now authorized
# Read a file's contents via sudo
[gousheng@db01 ~]#sudo cat /var/log/messages
```
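The rules pushed above are worth checking with something other than the eye: a NOPASSWD grant for /bin/su is, in effect, unrestricted root for that account. As an added example (not from the original post), here is a small POSIX shell audit that reads a sudoers file and flags NOPASSWD rules that grant a shell or ALL; the sample file is constructed from the visudo lines shown above.

```shell
# Commands that amount to unrestricted root when allowed via sudo without a password.
is_shell_like() {
    case "$1" in
        ALL|/bin/su|/usr/bin/su|/bin/sh|/usr/bin/sh|/bin/bash|/usr/bin/bash) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each NOPASSWD rule in FILE whose command list contains a shell-like entry.
audit_sudoers_file() {
    file="$1"
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;        # blank lines, comments and #includedir
            *NOPASSWD:*) ;;
            *) continue ;;
        esac
        cmds="${line##*NOPASSWD:}"
        # one command per line; "read" trims whitespace and drops any arguments
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r bin rest; do
            if is_shell_like "$bin"; then
                printf 'RISK %s: %s\n' "$file" "$line"
                break
            fi
        done
    done < "$file"
}

# Number of flagged rules (0 means nothing shell-like is granted passwordless).
count_risky_rules() { audit_sudoers_file "$1" | wc -l | tr -d ' '; }

# Constructed sample mirroring the visudo lines in the post (not a real host's file).
make_sample_sudoers() {
    cat > "$1" <<'EOF'
## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
goudan ALL=(ALL) NOPASSWD: /bin/whoami,/bin/su
gousheng ALL=(ALL) NOPASSWD: /bin/whoami,/bin/cat
EOF
}

sample=$(mktemp)
make_sample_sudoers "$sample"
audit_sudoers_file "$sample"   # flags the goudan rule because of /bin/su
rm -f "$sample"
```

On a real host run it as root over /etc/sudoers and each file in /etc/sudoers.d, which is where JumpServer's account push lands its rules.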
9. Database authorization
Assets list -- Create -- enter name, address, platform, node -- add from a template
In the template added above -- name, username, specify the password (lzy123.com), do not select auto push (the user already exists in the database)
Back to Asset authorization -- authorize the development group -- add the database application template just created, specify the account
Log in as zhangjia (development group), open the terminal, and it goes straight into the database shell
10. Blocking dangerous commands
Command filtering -- Command groups -- Create -- name, content
Command filtering -- Create -- name, accounts (all accounts), command group (the restricted one), action (reject)
```bash
# Test: logged in through the bastion host the command is refused; connecting to the .51 server directly with Xshell, rm runs normally
[root@db01 ~]#rm 1.log
Command rm is forbidden
[root@db01 ~]#reboot
Command `reboot` is forbidden
```
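The test above makes the limit of command filtering explicit: it only sees sessions that pass through the bastion host, so a direct SSH login to a backend host is the thing to watch for. As an added example (not code from the post or from JumpServer), here is a POSIX shell check over sshd log lines that reports logins to the managed accounts which arrived from somewhere other than the bastion host's address (172.16.1.20 in the sessions above); the log lines are constructed in /var/log/secure style.

```shell
JUMP_IP="${JUMP_IP:-172.16.1.20}"                      # address backend hosts see for bastion sessions
MANAGED_USERS="${MANAGED_USERS:-root goudan gousheng}" # accounts that should only be used via JumpServer

# Print every sshd "Accepted ..." line for a managed user whose source is not JUMP_IP.
flag_bypass_logins() {
    awk -v jump="$JUMP_IP" -v users="$MANAGED_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) managed[u[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; src = ""
            # layout: ... Accepted <method> for <user> from <ip> port <n> ...
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") src  = $(i + 1)
            }
            if ((user in managed) && src != jump) print "BYPASS " src " -> " user ": " $0
        }' "$1"
}

# Number of flagged logins (0 means every managed-account login came via the bastion).
count_bypass_logins() { flag_bypass_logins "$1" | wc -l | tr -d ' '; }

# Constructed sample: one bastion session, one direct root login from a workstation,
# one unmanaged account, one failed attempt (which must not be counted).
make_sample_log() {
    cat > "$1" <<'EOF'
May 15 16:07:27 db01 sshd[2345]: Accepted publickey for goudan from 172.16.1.20 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
May 15 16:52:03 db01 sshd[2410]: Accepted password for root from 10.0.0.1 port 60123 ssh2
May 15 16:55:41 db01 sshd[2433]: Accepted publickey for backup from 172.16.1.9 port 41000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
May 15 16:58:09 db01 sshd[2450]: Failed password for invalid user admin from 203.0.113.7 port 33000 ssh2
EOF
}

sample=$(mktemp)
make_sample_log "$sample"
flag_bypass_logins "$sample"   # reports the direct root login from 10.0.0.1
rm -f "$sample"
```

Run it against /var/log/secure (or the sshd journal); pairing it with an sshd AllowUsers restriction to the bastion host's address on each backend host blocks the direct path instead of only detecting it.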
11. JumpServer's domain feature
To manage hosts on different local networks, JumpServer needs domains.
To manage cloud servers you need a public IP: from 10.0.0.81 to the Alibaba Cloud host at 11.22.33.44 (passwordless key login to the public IP), and from there on to the Alibaba Cloud backend hosts with another passwordless key.
JumpServer's domain feature mainly solves access to assets in hybrid clouds, network-isolated zones or intranets that cannot be reached directly, by forwarding traffic through a gateway server (JumpServer → domain gateway → target asset).
Buy two IPs on different subnets; region: Hohhot
Buy an Elastic IP and bind it, otherwise there is no way to connect; the Elastic IP's region is Hohhot
Connect with Xshell
Domain list -- Create -- name -- Submit to add the domain
In the domain just created -- Gateway list
```bash
# Set up passwordless key login from JumpServer to the gateway
[root@j01 ~]#ssh-copy-id 39.104.22.137
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '39.104.22.137 (39.104.22.137)' can't be established.
ECDSA key fingerprint is SHA256:j8X8/NusNkgJIUadeBTEXWpmqfL2KhnDGqM5y5FRIjg.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
The authenticity of host '39.104.22.137 (39.104.22.137)' can't be established.
ECDSA key fingerprint is SHA256:j8X8/NusNkgJIUadeBTEXWpmqfL2KhnDGqM5y5FRIjg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@39.104.22.137's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '39.104.22.137'"
and check to make sure that only the key(s) you wanted were added.
# ssh test: works, the hop succeeds
[root@j01 ~]#ssh 39.104.22.137
Last failed login: Thu May 15 20:48:44 CST 2025 from 221.218.208.164 on ssh:notty
There were 15 failed login attempts since the last successful login.
Last login: Thu May 15 20:07:44 2025 from 221.218.208.164
Welcome to Alibaba Cloud Elastic Compute Service !
[root@wy ~]#
```
```bash
# Create the asset
# Adding the asset requires a privileged account for Alibaba Cloud
# The gateway needs its own key pair with passwordless access to the backend assets
[root@wy ~]# ssh-keygen
# Set up passwordless login
[root@wy .ssh]# ssh 172.27.43.118
# Push the gateway's key to the backend host
[root@wy .ssh]# ssh-copy-id 172.27.43.118
```
Add the private key of this passwordless key pair to the Alibaba Cloud gateway entry
Authorize the Alibaba Cloud assets to the ops group
Create a new account template
Add the account template
```bash
# Check the id
[root@ali01 ~]# id ali
uid=1000(ali) gid=1000(ali) groups=1000(ali)
# Command-line test
[C:\~]$ ssh weixiang@10.0.0.20 2222 # password 654321
Connecting to 10.0.0.20:2222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Welcome to JumpServer SSH Server
WARNING! The remote SSH server rejected X11 forwarding request.
维祥, JumpServer
1) Enter part IP, Hostname, Comment to to search login if unique.
2) Enter / + IP, Hostname, Comment to to search, such as: /192.168.
3) Enter p to display the assets you have permission.
4) Enter g to display the node that you have permission.
5) Enter h to display the hosts that you have permission.
6) Enter d to display the databases that you have permission.
7) Enter k to display the kubernetes that you have permission.
8) Enter r to refresh your assets and nodes.
9) Enter s to language switch.
10) Enter ? to print help.
11) Enter q to exit.
Opt> p
ID | NAME | ADDRESS | PLATFORM | ORGANIZATION | COMMENT
-----+------------------+---------------+-------------------------------------------+----------------------------------------------+-------------------------------------------
1 | db01 | 172.16.1.51 | Linux | DEFAULT |
2 | db01-172.16.1.51 | 172.16.1.51 | MariaDB | DEFAULT |
3 | web02 | 172.16.1.8 | Linux | DEFAULT |
4 | web03 | 172.16.1.9 | Linux | DEFAULT |
5 | 阿里云-ali01 | 172.27.43.118 | Linux | DEFAULT |
6 | 阿里云-网关 | 39.104.22.137 | Gateway | DEFAULT |
Page: 1, Count: 33, Total Page: 1, Total Count: 6
Enter ID number directly login, multiple search use // + field, such as: //16 Page up: b Page down: n
Search:
[Host]> 5
Connecting to aili系统账号(ali)@172.27.43.118 0.5
Last login: Thu May 15 21:08:56 2025 from 172.27.43.119
Welcome to Alibaba Cloud Elastic Compute Service !
[ali@ali01 ~]$ id ali
uid=1000(ali) gid=1000(ali) groups=1000(ali)
[ali@ali01 ~]$
```
12. Multi-factor authentication
Enable multi-factor authentication
This is an original article published under the CC BY-NC-ND 4.0 licence; when reposting it in full, please credit 程序员小航.