
Design and Implementation of a Jump Server Using Linux PAM for Secure Access

This article presents a jump server solution that leverages Linux PAM to intercept authentication, outlines its micro‑service architecture, describes login, command, and privilege flows for Linux, Windows, MySQL, Redis and network devices, and discusses permission rules, high‑availability design, and security advantages.

Architecture Digest

The article introduces a jump server (referred to as "jmp") that supports Linux and Windows hosts as well as other terminals such as MySQL, Redis, and network devices. It emphasizes that the jump server stores no Linux account passwords or keys: login and privilege decisions are made on the target host by a PAM module that asks jmp-api whether the user is permitted, so a compromised jump server holds no host credentials to leak.

Background: The article explains the Linux Pluggable Authentication Modules (PAM) framework, its API, and core capabilities, and lists common PAM modules along with their functions (e.g., pam_unix.so for password checks against the local account database, pam_cracklib.so for password‑quality checks, pam_loginuid.so for setting the audit login UID on a session).
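The article does not reproduce a PAM configuration, so the following is an added illustration (not code from the article or from the jmp project) of how a PAM "auth" stack is evaluated: the control flags required, requisite, sufficient and optional decide whether a module's result ends the stack or is merely recorded. The stack, the password table, the jmp-api allow-list and the name "jmp.so" are all assumptions made for the example.

```python
"""Simulated PAM 'auth' stack evaluation (constructed example, not the jmp code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Context = Dict[str, str]            # what the modules see: user, host, password ...
Module = Callable[[Context], bool]  # a PAM module: True = PAM_SUCCESS, False = failure


@dataclass
class Entry:
    control: str  # required | requisite | sufficient | optional
    module: str   # module name, for readability only
    fn: Module


def run_stack(stack: List[Entry], ctx: Context) -> bool:
    """Apply the classic PAM control-flag semantics and return the overall result."""
    required_failed = False
    optional_result: Optional[bool] = None
    for entry in stack:
        ok = entry.fn(ctx)
        if entry.control == "requisite":
            if not ok:
                return False            # fail immediately; later modules never run
        elif entry.control == "required":
            if not ok:
                required_failed = True  # final result is failure, but the stack keeps
                                        # running so the caller cannot tell which module refused
        elif entry.control == "sufficient":
            if ok and not required_failed:
                return True             # success short-circuits the rest of the stack
        elif entry.control == "optional":
            optional_result = ok        # only decisive if it is the sole module
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if len(stack) == 1 and stack[0].control == "optional":
        return bool(optional_result)
    return not required_failed


# --- constructed stand-ins for real modules (assumed data) -----------------
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}          # what pam_unix.so would check
JMP_API_ALLOWED = {("alice", "web-01"), ("bob", "db-01")}  # what jmp-api would answer


def pam_env(ctx: Context) -> bool:
    return True                          # pam_env.so only sets environment variables


def jmp_so(ctx: Context) -> bool:
    """Hypothetical jmp.so: ask jmp-api whether this user may log in to this host."""
    return (ctx["user"], ctx["host"]) in JMP_API_ALLOWED


def pam_unix(ctx: Context) -> bool:
    return PASSWORDS.get(ctx["user"]) == ctx.get("password")


def pam_deny(ctx: Context) -> bool:
    return False


# An assumed sshd 'auth' stack; the article does not show the real jmp stack.
SSHD_AUTH = [
    Entry("required",   "pam_env.so",  pam_env),
    Entry("requisite",  "jmp.so",      jmp_so),    # policy says no -> stop right here
    Entry("sufficient", "pam_unix.so", pam_unix),  # right password -> done
    Entry("required",   "pam_deny.so", pam_deny),  # nothing succeeded -> deny
]


def authenticate(user: str, host: str, password: str) -> bool:
    return run_stack(SSHD_AUTH, {"user": user, "host": host, "password": password})
```

With jmp.so placed as requisite before the password check, a user the central policy does not allow on that host is refused even with the correct local password, and the password module is never consulted for them.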

System Architecture: The jump server is built as a set of five micro‑services plus one agent component: jmp-api (HTTP API, database access), jmp-ssh (SSH proxy), jmp-socket (WebSocket/Socket.io for the web terminal), jmp-rdp (RDP proxy for Windows), jmp-sftp (file transfer via S3), and jmp-agent (deployed on each Linux host to provide a custom PAM module, jmp.so).

Core Design: To log in, the SSH client connects to jmp-ssh, which forwards the user's credentials to jmp-api for verification. Once the user is authenticated, jmp-agent on the target host intercepts SSH and sudo authentication through the PAM module, which consults jmp-api to check whether this user may log in to, or gain root on, this host. During the session, command interaction includes dangerous‑command detection, with per‑command policies to alert, block, or allow. User switching (sudo, su) goes through the same PAM‑based verification, so privilege escalation is authorized by the same rules as login.
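The article names the three policy outcomes (alert, block, allow) but gives no rules, so here is an added example of a dangerous‑command policy engine; it is not code from the article or the jmp project, and the rule set, the rule names and the sample commands are assumptions. It goes slightly beyond the text by splitting a line on shell operators, so that a dangerous command chained after a harmless one (cd /tmp && rm -rf /) is still judged on its own.

```python
"""Dangerous-command policy for a jump-server session (constructed example)."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, ALERT, BLOCK = "allow", "alert", "block"
SEVERITY = {ALLOW: 0, ALERT: 1, BLOCK: 2}


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str  # regex applied to one normalized simple command
    action: str


# Assumed policy; first matching rule wins, so the most specific rules come first.
POLICY: List[Rule] = [
    Rule("rm-root",      r"^rm (?:-\S+ )*(?:/|/\*)$",            BLOCK),  # rm -rf / or /*
    Rule("rm-recursive", r"^rm (?:-\S+ )*-\S*[rR]",               ALERT),  # any recursive rm
    Rule("mkfs",         r"^mkfs(?:\.\w+)?\b",                    BLOCK),
    Rule("dd-to-disk",   r"^dd .*\bof=/dev/(?:sd|nvme|vd)",       BLOCK),
    Rule("shutdown",     r"^(?:shutdown|reboot|halt|poweroff)\b", ALERT),
    Rule("chmod-777",    r"^chmod (?:-\S+ )*(?:777|a\+rwx) ",     ALERT),
]

# A line such as 'cd /tmp && rm -rf /' must be judged per simple command,
# otherwise the dangerous part hides behind a harmless prefix.
SPLIT_RE = re.compile(r"\s*(?:\|\||&&|;|\||\n)\s*")
SUDO_RE = re.compile(r"^sudo\s+")   # 'sudo reboot' is judged as 'reboot'


def split_commands(line: str) -> List[str]:
    return [part for part in SPLIT_RE.split(line.strip()) if part]


def normalize(cmd: str) -> Optional[str]:
    """Re-join shell tokens with single spaces; None if the shell could not parse it."""
    try:
        tokens = shlex.split(cmd)
    except ValueError:               # unbalanced quotes: do not guess what it means
        return None
    return SUDO_RE.sub("", " ".join(tokens))


def evaluate(line: str) -> Tuple[str, List[str]]:
    """Return the strictest action over all simple commands plus the rules that fired."""
    decision, hits = ALLOW, []
    for segment in split_commands(line):
        text = normalize(segment)
        if text is None:
            action, name = ALERT, "unparseable"   # never silently allow what we cannot read
        else:
            action, name = ALLOW, ""
            for rule in POLICY:
                if re.search(rule.pattern, text):
                    action, name = rule.action, rule.name
                    break
        if name:
            hits.append(name)
        if SEVERITY[action] > SEVERITY[decision]:
            decision = action
    return decision, hits
```

The splitter is deliberately simple: an operator inside quotes is split as well, which then surfaces as an "unparseable" alert rather than an allow, so the failure mode is noisy instead of permissive.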

Web Interaction: Users who have authenticated through SSO can open a web terminal via jmp-socket, which obtains a temporary token from jmp-api and proxies the SSH session, prompting for a second factor when policy requires it.
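The article says only that the web terminal uses a temporary token from jmp-api; the shape of that token is not given. As an added example (not the article's or the project's code), the following shows one sound way to build such a token: HMAC‑signed claims that expire quickly, are bound to the target host, and can be redeemed once. The key handling, claim names and clock values are assumptions for the example.

```python
"""Short-lived, host-bound, single-use session token (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

# Assumed: jmp-api holds this key and both issues and verifies tokens. A real
# deployment loads it from a secret store; it is generated here so the demo runs.
API_KEY = secrets.token_bytes(32)
_redeemed: Set[str] = set()   # nonces already used; a token opens one session only


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(API_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(user: str, host: str, ttl: int = 60, now: Optional[float] = None) -> str:
    """Issued after SSO succeeds; binds user, target host, expiry and a fresh nonce."""
    now = time.time() if now is None else now
    claims = {"sub": user, "host": host, "exp": int(now) + ttl, "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, host: str, now: Optional[float] = None) -> Optional[Dict]:
    """Return the claims if the token is genuine, unexpired, for this host and unused."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time MAC check before parsing
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < now:
        return None                                # expired
    if claims["host"] != host:
        return None                                # issued for a different host
    if claims["nonce"] in _redeemed:
        return None                                # replayed
    _redeemed.add(claims["nonce"])
    return claims


def demo(now: float = 1_000.0) -> Dict[str, Optional[Dict]]:
    """Exercise the happy path and each failure mode against a fixed clock."""
    good = issue_token("alice", "web-01", ttl=60, now=now)
    other = issue_token("alice", "web-01", ttl=60, now=now)
    tampered = other[:-1] + ("A" if other[-1] != "A" else "B")   # flip the last MAC char
    return {
        "first_use":  verify_token(good, "web-01", now=now + 10),
        "replay":     verify_token(good, "web-01", now=now + 11),
        "wrong_host": verify_token(other, "db-01", now=now + 10),
        "expired":    verify_token(other, "web-01", now=now + 61),
        "tampered":   verify_token(tampered, "web-01", now=now + 10),
    }
```

The order of checks matters: the MAC is verified before the body is decoded, so untrusted input never reaches the JSON parser, and the nonce is recorded only after every other check passes, so a failed attempt cannot burn a legitimate token.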

Non‑Linux Support: Windows servers are accessed through jmp-rdp, which uses Apache Guacamole to deliver RDP over WebSocket. MySQL and Redis terminals are proxied via Unix sockets on the host, and network devices are managed by retrieving their connection information from jmp-api.

Permission Rules and Approval Workflow : The article details default permissions for service and project owners, the matrix of login and root rights for online/offline hosts, and the approval process for additional access, including organizational bulk approvals.

Advantages : The solution offers convenient multi‑protocol access, a micro‑service design for high availability, clear audit trails thanks to PAM‑based identity capture, and dangerous‑command interception to enhance operational safety.

Conclusion : By combining PAM, micro‑services, and a flexible permission model, the jump server provides a simple, reliable, and secure way to manage large numbers of servers, with extensibility for future needs.

Tags: microservices, high availability, access control, security, jump server, PAM
Written by Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
