
Setup and configure SSH jump server

What is an SSH Jump Server?


An SSH jump server, sometimes called an SSH jump host, SSH bastion host, or SSH gateway, is an intermediate server running the sshd daemon. All users must first log in to it via SSH before they can reach the remote (target) servers behind the gateway. The SSH jump server can sit on a public-facing network while the target servers stay on a private network behind a firewall for better security.




How to install, setup & configure the Ezeelogin SSH Jump server on a Linux box? 

We can guide you through the installation, or install and configure the Ezeelogin SSH Jump server software for you, and give you a demo on how to use it at no extra charge. Contact our 24/6 Support Desk to schedule your free or guided installation. You can also schedule a free introductory session to learn how to use the Ezeelogin Jump server solution effectively and put your questions to our engineers.


Step 1: Log in to the portal and issue a free license for 30 days.

  • Log in to your customer portal and issue the 30-day trial license for the IP of the server where you intend to install the Ezeelogin SSH jump host software.
  • If you are unsure of what your jump server IP is, simply log in to your SSH jump server and run the command:

:~# wget -qO- https://ezeelogin.com/myip

or

:~# curl ifconfig.me

Note: If your ssh jump server is behind a NAT in a private LAN behind a firewall, you can still install Ezeelogin Bastion host software. You just need to find your public IP by running the above command on your SSH gateway server and issuing the license for the public-facing IP.

For PHP version 8.2 and above: https://downloads.ezeelogin.com/ezlogin_7.38.0_php82.bin
For PHP version 8.1.x: https://downloads.ezeelogin.com/ezlogin_7.38.0_php81.bin
For PHP version 7.x (end of life): https://downloads.ezeelogin.com/ezlogin_7.36.0_php71.bin
For PHP version 5.6 to 7.0 (end of life): https://downloads.ezeelogin.com/ezlogin_7.27.6_php56-70.bin
For PHP version 5.3 to 5.5 (end of life): https://downloads.ezeelogin.com/ezlogin_7.10.0_php53-55.bin
NOTE: 7.36.0 is the last version that supports PHP versions 7.x, 7.27.6 is the last version that supports PHP versions from 5.6 to 7.0, and 7.10.0 is the last version that supports PHP versions from 5.3 to 5.5

   

Step 2: Install SSH jump server dependency packages. 

Most Linux OS ( Ubuntu 20,22 / Debian 10,11,12 / RHEL 7,8,9 / SUSE Linux 15 / AlmaLinux 8,9, Rocky Linux 8,9 ) are supported but supporting packages have to be installed manually. 

  •    Refer to the system requirement below:

Hardware Requirements

  • Minimum 2048 MB Ram.
  • Minimum 2 GHz processing power.
  • Virtual Server or Dedicated Server.
  • Minimum 75GB Disk space.

Software Requirements

  • OS Architecture (Ubuntu - 24, 22, 20, 18; Debian - 12, 11, 10; RockyLinux - 9, 8; AlmaLinux - 9, 8; RHEL - 9, 8; SUSE - 15, 14) , [x86_64 and aarch64]
  • Web server (apache, lighttpd, nginx etc.)
  • MySQL server (from version 5.5 to 8.0)/MariaDB ( from version 5.1 to 10.4) (For AWS RDS MySQL 5.6,5.7 & MariaDB 10.2)
  • PHP (version 5.6.x and above, up to PHP 8.2)
  • Ioncube loader version 10 and above for PHP
  • MySQLi extension for PHP
  • JSON extension for PHP
  • Curl extension for PHP
  • Posix extension for PHP
  • LDAP extension for PHP (for LDAP web panel authentication)
  • Nodejs version >=14.x.x
  • OpenSSL
  • Encryption & Hashing Algorithms.
NOTE (PHP support): 7.36.0 is the last version that supports PHP versions 7.1 to 7.4
  • Ensure the following conditions are met on your ssh jump server.

1. The firewall on the jump server should allow outbound connection to license.ezeelogin.com on port 443 to fetch the license and download the software from downloads.ezeelogin.com 

:~# telnet license2.ezeelogin.com 443 

Connected to license2.ezeelogin.com.

Escape character is ’^]’.


:~# telnet license.ezeelogin.com 443 

Connected to license.ezeelogin.com.

Escape character is ’^]’.


:~# telnet downloads.ezeelogin.com 80

Connected to downloads.ezeelogin.com.

Escape character is ’^]’.

2. Ensure SELinux is disabled on the jump server. The sestatus command shows whether it is active. If SELinux is not installed, that is fine. Refer to Disable Selinux to disable it.

:~# sestatus

SELinux status: disabled

3. Ensure time on the jump server is accurate. Use the command #ntpdate pool.ntp.org to sync time.

:~# ntpdate pool.ntp.org

26 Sep 16:32:03 ntpdate[15219]: adjust time server 133.243.238.244 offset -0.124881 sec

4. Ensure that root SSH login and SSH key-based authentication are enabled in sshd on the jump server. The example below enables root access only from the IP 127.0.0.1, and it allows only key-based authorization, which makes it secure. Add the following parameters to the END of the /etc/ssh/sshd_config file. A Match block applies to every line that follows it until the next Match line or the end of the file, which is why these settings go at the end.

Edit the file using the nano or vi command:

:~# nano /etc/ssh/sshd_config

IMPORTANT: The following sshd server configuration is important.

5. Add the following parameters to the "/etc/ssh/sshd_config"  file.

#SSHD Global Settings

AllowTcpForwarding  no

PubkeyAuthentication yes

 

#SSHD localhost settings.

Match Address 127.0.0.1

PermitRootLogin yes

PubkeyAuthentication yes

PasswordAuthentication yes

If you are planning to install the cluster (master-slave), add the below lines in /etc/ssh/sshd_config.

  • Append the below lines in the master node.

Match Address slave_node_ip

PermitRootLogin yes

  • Append the below lines in the slave node.

Match Address master_node_ip

PermitRootLogin yes

6. Check the SSHD configuration and restart the sshd daemon.

:~# sshd -T | grep -i 'AllowTcpForwarding\|PermitRootLogin\|PubkeyAuthentication\|PasswordAuthentication\|pubkeyacceptedalgorithms\|Port'

:~# service sshd restart
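
The check in step 6 prints only the global settings, because sshd -T applies Match rules only when connection parameters are passed with -C. The script below is an added example (not part of the Ezeelogin documentation or software) that compares the effective settings for the global context and for a connection from 127.0.0.1 against the values from step 5. The sample dumps, the function names and the 203.0.113.10 test address are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit effective sshd settings per connection context.
# `sshd -T` alone prints the global settings; Match blocks are evaluated only
# when a connection spec is given with -C (addr, user, host).

# Constructed sample of `sshd -T` output (global context, trimmed).
SAMPLE_GLOBAL='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
allowtcpforwarding no'

# Constructed sample of `sshd -T -C addr=127.0.0.1,user=root,host=localhost`
# with the "Match Address 127.0.0.1" block from step 5 applied (trimmed).
SAMPLE_LOCAL='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
allowtcpforwarding no'

# effective_value KEY: read an sshd -T dump on stdin, print KEY's value.
# sshd -T prints keywords in lower case, so KEY is matched case-insensitively.
effective_value() {
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print $2; exit }'
}

# check_settings DUMP key=value...: return 0 when every pair matches the dump,
# otherwise print one MISMATCH line per difference and return 1.
check_settings() {
    dump=$1; shift
    rc=0
    for pair in "$@"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$dump" | effective_value "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected '$want', effective '${got:-<unset>}'"
            rc=1
        fi
    done
    return "$rc"
}

# audit_live: run the same checks against the real daemon (as root).
# Not called automatically; 203.0.113.10 is a documentation address standing
# in for any non-local client.
audit_live() {
    live_rc=0
    check_settings "$(sshd -T)" \
        allowtcpforwarding=no pubkeyauthentication=yes || live_rc=1
    check_settings "$(sshd -T -C addr=127.0.0.1,user=root,host=localhost)" \
        permitrootlogin=yes pubkeyauthentication=yes \
        passwordauthentication=yes || live_rc=1
    # The localhost Match block must not leak to other source addresses:
    # print what a remote root login attempt would be subject to.
    remote=$(sshd -T -C addr=203.0.113.10,user=root,host=remote.invalid)
    for key in permitrootlogin passwordauthentication; do
        echo "remote $key: $(printf '%s\n' "$remote" | effective_value "$key")"
    done
    return "$live_rc"
}

# Demonstration on the constructed samples.
check_settings "$SAMPLE_GLOBAL" allowtcpforwarding=no pubkeyauthentication=yes \
    && echo "global context: OK"
check_settings "$SAMPLE_LOCAL" permitrootlogin=yes passwordauthentication=yes \
    && echo "127.0.0.1 context: OK"
```

On the jump server, source the script and run audit_live as root after editing /etc/ssh/sshd_config and before restarting sshd.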


Step 2 (A): How to install SSH Jump server in Ubuntu 22? 

Note: Supported from Ezeelogin 7.29.5 version.

  • Enter the following command on your terminal to install the Ezeelogin dependency package on Ubuntu 22

root@jumpserver:~# apt-get install software-properties-common ; sudo add-apt-repository ppa:ondrej/php ; apt update ; apt-get install php8.2 mysql-server apache2 libapache2-mod-php8.2 php8.2-mysql php8.2-curl php8.2-xml php8.2-ldap nodejs npm git -y

  • Add the following to /etc/mysql/mysql.conf.d/mysqld.cnf configuration file under [mysqld] for MySQL 8.0 version and restart MySQL Server

default_authentication_plugin=mysql_native_password

:~# systemctl restart mysql

  • Refer below article to set the MySQL root password from MySQL.

Enable the RSA key type in pubkeyacceptedalgorithms. Open /etc/ssh/sshd_config and append the below line to enable ssh-rsa.

[root@gateway ~]# vim /etc/ssh/sshd_config

PubkeyAcceptedKeyTypes +ssh-rsa

[root@gateway ~]# systemctl restart sshd

Common errors while using Ezeelogin.

1. Checking database connectivity... when installing Ezeelogin.

For installing Ezeelogin, the MySQL root user should use the mysql_native_password plugin.

Refer above step from 2(A) to add mysql_native_password in /etc/mysql/mysql.conf.d/mysqld.cnf

2. Error while adding a user in Ezeelogin GUI "Error: User add failed. Failed to connect to database: Error: Plugin caching_sha2_password could not be loaded: Dynamic loading not supported. An error occurred. Please contact administrator.."

Refer article to change the plugin to mysql_native_password for the Ezeelogin user.

Refer article to Increase script execution time for PHP: Increase script execution time in Ubuntu and CentOS

Step 2 (B): How to install SSH jump server in Ubuntu 20?

Note: Supported from Ezeelogin 7.22.0 version.

  • Enter the following command on your terminal to install the Ezeelogin dependency package on Ubuntu 20

root@jumpserver:~# apt update ; apt-get install php mysql-server apache2 libapache2-mod-php7.4 php-mysql php-curl php-xml php-ldap nodejs npm git -y

  • Add the following to /etc/mysql/mysql.conf.d/mysqld.cnf configuration file under [mysqld] for MySQL 8.0 version and restart MySQL Server

default_authentication_plugin=mysql_native_password

:~# service mysql restart

  • Refer below article to set the MySQL root password from MySQL.
  • Enable the RSA key type in pubkeyacceptedalgorithms. Open /etc/ssh/sshd_config and append the below line to enable ssh-rsa.

[root@gateway ~]# vim /etc/ssh/sshd_config

PubkeyAcceptedKeyTypes +ssh-rsa

[root@gateway ~]# systemctl restart sshd

Common errors while using Ezeelogin.

1. Checking database connectivity... when installing Ezeelogin.

     For installing Ezeelogin, the MySQL root user should use the mysql_native_password plugin. Refer above step to add mysql_native_password in /etc/mysql/mysql.conf.d/mysqld.cnf

2. Error while adding a user in Ezeelogin GUI "Error: User add failed. Failed to connect to database: Error: Plugin caching_sha2_password could not be loaded: Dynamic loading not supported. . An error occurred. Please contact administrator.."

Refer article to change the plugin to mysql_native_password for the Ezeelogin user.

Refer article to Increase script execution time for PHP: Increase script execution time in Ubuntu and CentOS

Step 2 (C): How to install SSH jump server in Ubuntu 18?

We do not recommend using Ubuntu 18, as the vendor (Canonical) no longer supports it with security patches, vulnerability fixes, or bug fixes. Continuing to use Ubuntu 18 could therefore pose a significant security risk.

Step 2 (D): How to install SSH Jump server in Ubuntu 16?

We do not recommend using Ubuntu 16, as the vendor (Canonical) no longer supports it with security patches, vulnerability fixes, or bug fixes. Continuing to use Ubuntu 16 could therefore pose a significant security risk.

Step 2 (E): How to install SSH Jump server in Ubuntu 14?

We do not recommend using Ubuntu 14, as the vendor (Canonical) no longer supports it with security patches, vulnerability fixes, or bug fixes. Continuing to use Ubuntu 14 could therefore pose a significant security risk.

Step 2 (F): How to install SSH Jump server in AlmaLinux 9.x / Rocky Linux 9.x / RHEL 9.x?

Note: Supported from Ezeelogin 7.27.0 version.

  • Enter the following command on your terminal to install the Ezeelogin dependency package on AlmaLinux 9.x / Rocky Linux 9.x / RHEL 9.x

root@jumpserver:~# dnf install epel-release -y ; dnf install http://rpms.remirepo.net/enterprise/remi-release-9.rpm -y ; dnf install dnf-utils -y ; dnf module reset php ; dnf module install php:remi-8.2 -y

root@jumpserver:~# dnf -y install httpd openssl php-mysqlnd php-process php-common php-cli php-json mariadb-server bzip2 mariadb mod_ssl php-ldap nodejs npm git

root@jumpserver:~# service mariadb start

  • Make sure that the web server and SQL server startup on boot.

root@jumpserver:~#  systemctl enable mariadb 

root@jumpserver:~#  systemctl enable httpd

  • Set the root password with the following command.

root@jumpserver:~# mysql_secure_installation

Refer article to Increase script execution time for PHP: Increase script execution time in Ubuntu and CentOS

Step 2 (G): How to install SSH Jump server in AlmaLinux 8.x / Rocky Linux 8.x / RHEL 8.x?

Note: Supported from Ezeelogin 7.27.0 version.

  • Enter the following command on your terminal to install the Ezeelogin dependency package on AlmaLinux 8.x / Rocky Linux 8.x / RHEL 8.x

root@jumpserver:~# dnf install epel-release -y ; dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y ; dnf install dnf-utils -y ; dnf module reset php ; dnf module install php:remi-8.2 -y

root@jumpserver:~# yum -y install httpd openssl php-mysqlnd php-process php-common php-cli php-json mariadb-server bzip2 mariadb mod_ssl php-ldap nodejs npm git

root@jumpserver:~# service mariadb start

  • Make sure that web server and SQL server startup on boot

root@jumpserver:~#  systemctl enable mariadb 

root@jumpserver:~#  systemctl enable httpd

  • Set the root password with following command

root@jumpserver:~#    mysql_secure_installation

Refer article to increase script execution time for PHP: Increase script execution time in Ubuntu and CentOS

Step 2 (H): How to install SSH Jump server in Debian 12/11?

  • Enter the following command on your terminal to install the Ezeelogin dependency package on Debian 12/11

root@jumpserver:~#  apt update ; apt upgrade -y ; apt install curl -y ; curl -sSL https://packages.sury.org/php/README.txt | sudo bash -x;apt install php8.1 libapache2-mod-php8.1 mariadb-client mariadb-server apache2 php8.1-mcrypt php8.1-mysql php8.1-curl php8.1-xml php8.1-ldap nodejs npm git -y

  • Set the root password with the following command

root@jumpserver:~#  mysql_secure_installation

Refer article to Increase script execution time for PHP: Increase script execution time in Ubuntu and CentOS

Step 2 (I): How to install SSH Jump server in Debian 10?

  • Enter the following command on your terminal to install the Ezeelogin dependency package on Debian 10

root@jumpserver:~#  apt update; apt install php mariadb-client mariadb-server apache2 libapache2-mod-php php-mysql php-curl php-ldap nodejs git

  • Set the root password with the following command

root@jumpserver:~#  mysql_secure_installation

Refer article to increase script execution time for PHP: Increase script execution time in Ubuntu and CentOS

Step 2 (J): How to install SSH Jump server in Debian 9?

Enter the following command on your terminal to install the Ezeelogin dependency package on Debian 9

root@jumpserver:~#  apt update; apt install php mariadb-client mariadb-server apache2 php-mcrypt libapache2-mod-php7.0 php7.0-mysql php-curl php7.0-xml php7.0-ldap nodejs git

Set the root password with following command 

root@jumpserver:~#  mysql_secure_installation

Refer article to increase script execution time for PHP: Increase script execution time in Ubuntu and CentOS

Step 2 (K): How to configure SSH Jump server in SUSE Linux 15?

Note: Supported from Ezeelogin 7.24.1 version.

  • Enter the following command on your terminal to install the Ezeelogin dependency package on SUSE Linux 15

root@jumpserver:~#  zypper in apache2 openssl php php-mysql php-posix apache2-mod_php7 php-cli php-json php7-sodium mariadb-server bzip2 mariadb php-ldap nodejs npm git php-posix php7-curl

root@jumpserver:~#   service mariadb start 

Make sure that web server and SQL server startup on boot

root@jumpserver:~#  systemctl enable mariadb 

root@jumpserver:~#  systemctl enable apache2

Set the root password with the following command

root@jumpserver:~#   mysql_secure_installation

 

Step 2 (L): How to install SSH Jump server in CentOS 7?

We do not recommend using CentOS 7, as the Linux community no longer supports it with security patches, vulnerability fixes, or bug fixes. Continuing to use CentOS 7 could therefore pose a significant security risk.

Step 2 (M): How to install SSH Jump server in CentOS 8?

We do not recommend using CentOS 8, as the Linux community no longer supports it with security patches, vulnerability fixes, or bug fixes. Continuing to use CentOS 8 could therefore pose a significant security risk.

Step 2 (N): How to install and configure the SSH Jump server in CentOS 6?

We do not recommend using CentOS 6, as the Linux community no longer supports it with security patches, vulnerability fixes, or bug fixes. Continuing to use CentOS 6 could therefore pose a significant security risk.

Step 3: Download & install Ioncube Loader.

  • Ezeelogin SSH jump server software is encrypted with ioncube loader. You need to download & install ioncube loader to decrypt before jump server installation. Refer to the following article to download & install ioncube loader.

Step 4: Download & Install Ezeelogin SSH jump server software.

If you are using a proxy server in a LAN for an outbound connection, check out  Will Ezeelogin jump server works behind a firewall or NAT or behind a Proxy?

You may download the Ezeelogin jump server package corresponding to the PHP version installed on your server.

Make sure to download the binary package to /root

  • Execute the following command with the latest version available as the root user on your server.

:~# wget https://downloads.ezeelogin.com/ezlogin_7.x.x.bin (Use the correct download link from the customer portal)

        If you are planning to connect to remote MySQL/RDS servers, you should grant access to the database on the remote database server. This is not required if your MySQL server is running on localhost. (Replace root with your admin user.)

        mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION; 

        mysql> flush privileges;

        (For AWS RDS MySQL 5.6,5.7 & MariaDB 10.2)

  • You can install and configure the SSH jump server by simply executing the following installation script.

:~# sh ezlogin_7.x.x.bin

  • Follow the prompts and the installation will be complete without issues.

You need to accept the license agreement by manually typing " I AGREE "  or running the following command to auto-accept the license.
sh ezlogin_7.x.x.bin -- -I_ACCEPT_EULA

Type "I AGREE" and press enter to accept the license:

You may be prompted to enter the missing settings. The default value will be given in bold. Simply pressing the enter key will choose the default value. 

Enter the path where web panel files should be installed.

This path should be accessible via a web browser.

The directory should not exist, but its parent directory should exist.

path to install web panel files ( /var/www/html/ezlogin ):

You need to specify the document root here if it is different from the default; otherwise press Enter to choose the default.

Enter the path where web panel system files should be installed.

This should be preferably outside the DocumentRoot (should not be accessible via web browser) for security reasons.

If safe_mode restriction is enabled, this path should be allowed for include with safe_mode_include_dir

The directory should not exist, but its parent directory should exist.

path to install web panel system files ( /var/www/ezlogin ):

If you need to access the Ezeelogin jump server web panel as www.yourdomain.com, choose "/" and change your document root to {your existing document root}/ezlogin. For example, if your document root is /var/www/html, change it to /var/www/html/ezlogin; otherwise press Enter to choose the default.

For example, if the DocumentRoot of http://www.yourdomain.com/ is /usr/local/apache/htdocs/yourdomain and you specified /usr/local/apache/htdocs/yourdomain/ezlogin as path to install web panel, the web panel would be accessible as http://www.yourdomain.com/ezlogin/. In this case the REQUEST-URI would be ’/ezlogin/’.

If you specified DocumentRoot itself as the path to install web panel files, it would be ’/’

URI path to access the web panel ( /ezlogin/ ):

Using a remote database server for the Ezeelogin database

Enter the hostname/ip address of the remote database server or use localhost, if you are going to run the database server on the current server. 

If the MySQL server is running on this system itself, use ’localhost’

MySQL server ( localhost ):

port or path to unix socket used by the MySQL server.

MySQL port/socket ( 3306 ):

Grant connectivity to Ezeelogin server  hostname/ip on the remote database server. This is not required if your MySQL server is running on localhost.

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION;

mysql> flush privileges;

Enter the username with super user (root) privileges for the database server.

This is usually ’root’, sometimes ’admin’ etc.

MySQL super user ( root ):

Please enter the password for the database super user.

MySQL super user password:

Do NOT enable this if you are not sure. You can always manually enable it after installation as well. This is useful only if you will be setting up a master/slave node for redundancy.

Enable this option to use MySQL SSL connectivity when using a cluster so that mysql communication between the primary and secondary gateways would be encrypted

Do you want to use secure MySQL connection (yes/no) ? ( no ):

Refer the below articles to configure MySQL SSL configuration.

If you are using  SSL for AWS RDS, you can specify  "mysql_ssl_ca   /var/lib/mysql/rds-combined-ca-bundle.pem" in /usr/local/etc/ezlogin/ez.conf

Enter the ezlogin Administrator username (less than 21 chars).

This user should not exist on this system. It will be created.

admin user ( ezadm118 ): 

Enter the password for ezlogin Administrator.

admin password ( }AkJy.%R3TQaX(P ):

Enter the security code for ezlogin Administrator.

security code ( FIyW6x7Lbz ):

Whether web panel should force HTTPS (secure) protocol or not. [yes/no]

Force HTTPS for web panel? ( no ):

Review settings:

Install web panel files in                                  : /var/www/html/ezlogin/

Install web panel system files in                           : /var/www/ezlogin/

URI path to access web panel                                : /ezlogin/

MySQL server                                                : localhost

MySQL port/socket                                           : 3306

MySQL database                                              : ezlogin_jzgzs

MySQL user                                                  : ezlogin_xnyqwd

MySQL password                                              : !T3}3w$czV$6VrWxG)kn{5&3t5

Force HTTPS for web panel?                                  : no

Secure MySQL connection?                                    : no

Admin user                                                  : admin

Admin password                                              : admin

Admin security code                                         : admin

Note these down for future reference. Certain values such as passwords cannot be retrieved after setup.

Accept the above settings? (y/n/x) :

Creating and setting up database... done

Adding ezsh to shells... done

Creating group and users... done

Creating directories... done

Copying files... done

Setting access... done

Setting file modes... done

Setting file owners... done

Setting file groups... done

Setting up config... done

Setting up cron... done

Downloading GeoLiteCity database from www.maxmind.com... done

########################################################

Ezeelogin installed. (Log: /var/log/ezlogin_install.log )

########################################################

###################################################################

 Web panel installed at:

/var/www/html/ezlogin/

( http://yourdomain.com/ezlogin/ ).

###################################################################

Note: Please check the log file to see if any error occurred.

 

TODO NOTES:

Enable web server, MySQL server and cron to startup at boot time.

 

For free assistance, please contact [email protected]

 

Thank you for choosing Ezeelogin.

www.ezeelogin.com

Refer to the following article to configure a secure web panel (https)

To install in one step with the default settings and without being prompted, run the following command. Have the MySQL root password ready if it is not in /root/.my.cnf.

[root@gateway ~]# sh ezlogin_7.21.0._x_x.bin -- -skipgeolite -auto -force -ACCEPT_SETTINGS -I_ACCEPT_EULA

If the SSH daemon on the SSH jump host is running on a non-standard port (other than 22), update the Gateway SSH Port in the web GUI.

  • Access the web GUI as follows:

  • Access the SSH backend (ezsh shell) using SSH clients such as Putty on Windows, Terminal on Mac, or console in Linux.  
Note that password-based authentication has to be enabled, or you need to add the public key of the user who is connecting to /home/{username}/.ssh/authorized_keys manually (or refer to the article to add a public key for the first time), after which you can disable password-based authentication. Set "PasswordAuthentication yes" in /etc/ssh/sshd_config to enable it and "PasswordAuthentication no" to disable it.
 

You can refer to the article to install a secondary node on Ezeelogin.

FREE 24/6 INSTALLATION & DEMO  BY SUPPORT TEAM

We can guide you, install it for you, and give you a demo on how to use it at no extra charge.  Contact our  24/6 Support Desk to schedule your free or guided installation. Also, schedule a free introductory session to get to know how to use the Ezeelogin Jump server solution effectively and ask your questions with our engineers.