How to Install and Configure JumpServer 3.0 for Secure SSH Access
This guide walks you through installing JumpServer 3.0 on CentOS, configuring its dependencies, setting up users, assets, and permissions, and accessing the bastion host via web and SSH, providing a complete, step‑by‑step tutorial for a secure jump‑server deployment.
What is JumpServer?
JumpServer is an open‑source bastion (jump) host written in Python that manages servers over SSH without requiring any client‑side agents.
Key features: GPL‑licensed, easy to extend, authentication/authorization/auditing, Ansible integration, batch commands, WebTerminal UI, hardware info collection, session recording, command search, real‑time monitoring, bulk upload/download.
JumpServer 3.0 Installation
Version 3.0 replaces LDAP auth with SSH push, offers a refined UI and more complete functionality, making installation simpler than 2.0.
Environment: CentOS 6.5 x86_64. Disable iptables and SELinux on the JumpServer host (192.168.1.200); the client host is 192.168.1.210.
1. Install dependency packages
yum -y install epel-release && yum clean all && yum makecache
yum -y update
yum -y install git python-pip MySQL-devel gcc automake autoconf python-devel vim sshpass lrzsz readline-devel
2. Download JumpServer
cd /opt
git clone https://github.com/jumpserver/jumpserver.git
If the clone fails, download the zip package from GitHub and unzip it.
3. Run the quick‑install script
cd /opt/jumpserver/install
pip install -r requirement.txt
Check installed packages:
pip freeze
Run the installer:
python install.py
Enter the JumpServer address (default 192.168.1.200) and confirm MySQL installation (choose "y").
During MySQL setup you will be prompted for mail server credentials; for 163.com mail, enter the mailbox's authorization password, not the account login password.
If you encounter a pycrypto error, reinstall the module:
pip uninstall pycrypto
easy_install pycrypto
After the initial installation, run the installer again to set the web admin username and password.
4. Configure periodic tasks
cd /opt/jumpserver
python manage.py crontab add
5. Web login
Open http://192.168.1.200 in a browser and log in with the admin credentials created above.
Note: To push system users to client servers, the client must have Python and sudo installed; if SELinux is enabled, install libselinux-python.
6. Update code
cd /opt/jumpserver
git pull
User Management
1. Add a user: User Management → View Users → Add User. Fill in username, name, role, email, and save.
2. Add a user group: User Management → View User Groups → Add Group (e.g., "Operations Group").
Asset Management
1. Add an asset group: Asset Management → View Asset Groups → Add Host Group. Provide a name and description.
2. Add an asset: Asset Management → View Assets → Add Asset. Enter hostname, IP, admin username (must exist on the host, e.g., root), port, and associate with an asset group.
3. Add a data center (room): Asset Management → View Rooms → Add Room, then save.
Permission Management
1. Sudo alias: Permission Management → Sudo → Add Alias. Provide alias, command, and remarks.
2. System user: Authorization Management → System Users → Add System User. Fill in username, password, sudo rights, and remarks, then save.
3. Push system user to assets: select the system user and asset group, then save to push credentials.
4. Authorization rule: Authorization Management → Authorization Rules → Add Rule. Specify rule name, user/group, asset/group, system user, and remarks.
Login and Access
Web login shows user ID, name, role, key, last login, groups, authorized hosts, and host details. Click "View Host" → "Connect" to open a session.
SSH login: download the key from the email, import it via the "User Key Manager" tool, then connect to JumpServer (192.168.1.200) with the key password. After successful login, you can jump to the target server (192.168.1.210).
Optional Nginx Reverse Proxy
# $request_body is omitted from the log format so that POSTed login credentials are not written to the access log.
log_format jumpserver '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$request_time" '
                      '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
                      '$scheme $http_host';

server {
    listen 8080 ssl;
    listen 80;
    # deny all with no allow directive above it rejects every request with 403;
    # list the permitted client networks in allow directives before this line.
    deny all;
    server_name jumpserver.example.com;
    index index.html index.htm index.php;

    ssl_certificate ssl/example.com.crt;
    ssl_certificate_key ssl/example.com.key;
    # TLS 1.0 and 1.1 are deprecated; offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Redirect plain HTTP to the TLS listener on port 8080 (8090 is the plain-HTTP backend).
    if ($scheme = http) {
        return 301 https://$host:8080$request_uri;
    }

    location / {
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_pass http://10.43.12.31:8090;
    }

    # WebSocket upgrade for /ws/
    location ^~ /ws/ {
        proxy_pass http://10.43.12.31:8090/ws/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    access_log /data0/logs/jumpserver.log jumpserver;
    # debug level is very verbose; warn is used for normal operation.
    error_log /data0/logs/jumpserver_error.log warn;
}
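A check for settings a bastion's reverse proxy should not carry (legacy TLS versions, request bodies in the access log, debug error logging, deny all with no allow list), as an added example that is not part of the original article or of JumpServer. The sample configs are constructed, 192.0.2.0/24 is a placeholder network, and the finding ids and function names are hypothetical.

```python
import re

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample, abridged from the settings in the article's server block.
WEAK = """
log_format jumpserver '$remote_addr [$time_local] "$request" $status $request_body';
server {
    deny all;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    error_log /data0/logs/jumpserver_error.log debug;
}
"""

# Constructed counterpart; 192.0.2.0/24 is a placeholder admin network.
HARDENED = """
log_format jumpserver '$remote_addr [$time_local] "$request" $status';
server {
    allow 192.0.2.0/24;  # only this network may reach the bastion UI
    deny all;
    ssl_protocols TLSv1.2;
    error_log /data0/logs/jumpserver_error.log warn;
}
"""

def directives(conf):
    """Yield (name, args); assumes quoted strings hold no ';', '{', '}' or '#'."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return sorted finding ids for weak reverse-proxy settings."""
    seen = list(directives(conf))
    findings = set()
    for name, args in seen:
        if name == "ssl_protocols" and LEGACY_TLS & set(args):
            findings.add("legacy-tls")           # SSL or TLS 1.0/1.1 offered
        if name == "log_format" and any("$request_body" in a for a in args):
            findings.add("request-body-logged")  # POSTed passwords reach the log
        if name == "error_log" and args[-1:] == ["debug"]:
            findings.add("debug-error-log")      # verbose level left enabled
    if ("deny", ["all"]) in seen and not any(n == "allow" for n, _ in seen):
        findings.add("deny-all-without-allow")   # every request gets 403
    return sorted(findings)

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

To audit a deployed file, pass its contents to audit(); files pulled in through include directives are not followed.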
After completing the above steps, JumpServer is ready for secure, centralized SSH access and management.
MaGe Linux Operations
