Skip to Content

setup and configure ssh jump server

2  admin January 20, 2023  Getting Started, Installation

What is an SSH Jump server?

SSH Jump server, sometimes called  SSH Jump host or  SSH Bastion host or SSH gateway is an intermediate server running the sshd daemon where all users would have to login via ssh first to access the remote server or target servers behind the gateway. The ssh jump server can be on a public-facing network while the target servers or the destination servers can be on a private network behind a firewall for better security.  

ssh-jump-server

  

How to install, setup & configure  Ezeelogin SSH Jump server on a Linux box? 

FREE 30 DAY TRIALCONTACT OUR SUPPORT TEAM FOR FREE 24/6 INSTALLATION & DEMO 

We can guide you or install & configure Ezeelogin SSH Jump server software for you and give you a demo on how to use it at no extra charge.  Contact our 24/6 Support Desk to schedule your free or guided installation. Also, schedule a free introductory session to get to know on how to use Ezeelogin Jump server solution effectively and ask your questions with our engineers.

                                                                                              ssh jump server

1. log in to your customer portal and issue the 30-day trial license for the ssh jump server  IP of the server where you intend to install Ezeelogin ssh jump host software.
 

     If you are unsure of what your jump server IP is, simply log in to your ssh jump server and run the command

wget -qO- https://ezeelogin.com/myip

If your ssh jump server is behind a NAT in a private LAN behind a firewall, you can still install Ezeelogin bastion host software. You just need to find your public ip by running the above command on your ssh gateway server and issue the license for the public-facing IP.

 

customer portal      

2. Install SSH jump server dependency packages  

Most Linux OS ( CentOS 7,8 / Ubuntu 16,18,20,22 / Debian 9,10  / RHEL 6,7,8 / SUSE Linux 15, AlmaLinux 8.4)are supported but supporting packages have to be installed manually. 

       Refer to the system requirement below

Hardware Requirements

 

  • Minimum 2048 MB Ram
  • Minimum 2 GHz processing power
  • Virtual Server or Dedicated server.
  • Minimum 75GB Disk space.

 

Software Requirements

 

  • OS Architecture (64 bit Linux[Centos/RHEL/Ubuntu/Debian/SUSE Linux/AlmaLinux]). Server Edition is recommended.
  • Web server (apache, lighttpd, nginx etc.)
  • MySQL server (from version 5.5 to 8.0)/MariaDB ( from version 5.1 to 10.4) (For AWS RDS MySQL 5.6,5.7 & MariaDB 10.2)
  • PHP (from version 5.6.x and above,  upto <= php 8.1)
  • Ioncube loader version 10 and above for PHP
  • MySQLi extension for PHP
  • JSON extension for PHP
  • LDAP extension for PHP (for LDAP webpanel authentication)
  • Nodejs version >=8.x.x
  • OpenSSL
  • Encryption & Hashing Algorithms
PHP SUPPORT

7.27.0 is the last version of Ezeelogin that supports PHP versions from 5.6 to 7.0. 

Ensure the following conditions are met on your ssh  jump server / Jump

    The firewall on the jump server should allow outbound connection to license.ezeelogin.com on port 443 to fetch the license and download the software from downloads.ezeelogin.com 

telnet license2.ezeelogin.com 443 

Connected to license2.ezeelogin.com.

Escape character is ’^]’.  

 

telnet license.ezeelogin.com 443 

Connected to license.ezeelogin.com.

Escape character is ’^]’.  

 

telnet downloads.ezeelogin.com 80  

Connected to downloads.ezeelogin.com.  

Escape character is ’^]’ .

   Ensure SELINUX is disabled on the jump server. The command #sestatus would show if it’s active or not. If it is not installed, then it's fine. Refer  Disable Selinux  to disable it

sestatus

SELinux status:                 disabled

   Ensure time on the jump server is accurate. Use the command #ntpdate pool.ntp.org to sync time.

ntpdate pool.ntp.org

26 Sep 16:32:03 ntpdate[15219]: adjust time server 133.243.238.244 offset -0.124881 sec

   Ensure that Root SSH login on the jump server is enabled and SSH key-based authentication is enabled in SSHD. The below example enables root access only from the ip 127.0.0.1 and it allows only key-based authorization which makes it secure. Add the following parameters to the END of /etc/ssh/sshd_config file.

  Edit the file using nano or vi command

nano /etc/ssh/sshd_config

 
IMPORTANT The following sshd server configuration is important.

     Add the following parameters to the in  "/etc/ssh/sshd_config"  file.

#SSHD Global Settings

AllowTcpForwarding  no

PubkeyAuthentication yes

 

#SSHD localhost settings.

Match Address 127.0.0.1

PermitRootLogin yes

PubkeyAuthentication yes

PasswordAuthentication yes

  Check SSHD  configuration  and restart the sshd daemon

[email protected]#~  sshd -T | grep -i 'AllowTcpForwarding\|PermitRootLogin\|PubkeyAuthentication\|PasswordAuthentication\|pubkeyacceptedalgorithms\|Port'

[email protected]#~ service sshd restart

Recommended settings for hardening the Ezeelogin ssh jump server

Recommended SSHD settings in /etc/ssh/sshd_config OpenSSH server config file.

 

How to install SSH Jump server in Ubuntu 22? 

Supported from Ezeelogin 7.29.5 version

  Enter the following command on your terminal to install Ezeelogin dependency package on Ubuntu 22

[email protected]:~# apt update ; apt-get install php mysql-server apache2 libapache2-mod-php8.1 php-mysql php-curl php-xml php-ldap nodejs npm git -y

Add the following to /etc/mysql/mysql.conf.d/mysqld.cnf configuration file under [mysqld] for MySQL 8.0 version

default_authentication_plugin=mysql_native_password

 Enable the RSA key type in pubkeyacceptedalgorithms.

Open /etc/ssh/sshd_config and append the below line to enable ssh-rsa.

[email protected] ~]# vim /etc/ssh/sshd_config

PubkeyAcceptedKeyTypes +ssh-rsa

[email protected] ~]# systemctl restart sshd

Common errors while using Ezeelogin.

1. Checking database connectivity... when installing Ezeelogin.

     For installing Ezeelogin, the MySQL root user should use the mysql_native_password plugin. Refer above step to add mysql_native_password in /etc/mysql/mysql.conf.d/mysqld.cnf

2. Error while adding user in Ezeelogin GUI "Error: User add failed. Failed to connect to database: Error: Plugin caching_sha2_password could not be loaded: Dynamic loading not supported. . An error occurred. Please contact administrator.. ]0;"

      Refer article to change plugin to mysql_native_password for the Ezeelogin user.

Refer below article to set the MySQL root password from MySQL.

 

How to install SSH Jump server in Ubuntu 20? 

Supported from Ezeelogin 7.22.0 version

  Enter the following command on your terminal to install Ezeelogin dependency package on Ubuntu 20

[email protected]:~# apt update ; apt-get install php mysql-server apache2 libapache2-mod-php7.4 php-mysql php-curl php-xml php-ldap nodejs npm git -y

Add the following to /etc/mysql/mysql.conf.d/mysqld.cnf configuration file under [mysqld] for MySQL 8.0 version

default_authentication_plugin=mysql_native_password

Common errors while using Ezeelogin.

1. Checking database connectivity... when installing Ezeelogin.

     For installing Ezeelogin, the MySQL root user should use the mysql_native_password plugin. Refer above step to add mysql_native_password in /etc/mysql/mysql.conf.d/mysqld.cnf

2. Error while adding user in Ezeelogin GUI "Error: User add failed. Failed to connect to database: Error: Plugin caching_sha2_password could not be loaded: Dynamic loading not supported. . An error occurred. Please contact administrator.. ]0;"

      Refer article to change the plugin to mysql_native_password for the Ezeelogin user.

Refer below article to set the MySQL root password from MySQL.

 

How to install SSH Jump server in Ubuntu 18?

  Enter the following command on your terminal to install ezeelogin dependency package on Ubuntu 18

[email protected]:~# apt update ; apt-get install php mysql-server apache2 libapache2-mod-php7.2 php-mysql php-curl php7.2-xml php7.2-ldap nodejs git

 

If you want to install php-mcrypt ( For older ezeelogin versions [ Below 7.20.0 version ] 

[email protected]:~#  apt install php-dev libmcrypt-dev php-pear ; apt-get -y install gcc make autoconf libc-dev pkg-config

[email protected]:~#  apt-get -y install php7.2-dev ; apt-get -y install libmcrypt-dev

[email protected]:~#  sudo pecl install mcrypt-1.0.3

[email protected]:~#  echo "extension=mcrypt.so" >> /etc/php/7.2/cli/php.ini

Set the root password with following command

[email protected]:~#  mysql_secure_installation

   

  How to install SSH Jump server in Ubuntu 16?

  Enter the following command on your terminal to install ezeelogin dependency package on Ubuntu 16

[email protected]:~# apt update ; apt-get install php mysql-server apache2 php-mcrypt libapache2-mod-php7.0 php-mysql php-curl php7.0-xml php-ldap nodejs git

 

  How to install SSH Jump server in Ubuntu 14?

 We do not recommend using Ubuntu 14 as it is no longer supported by the vendor (canonical) with security patches, vulnerabilities, or bug fixes. Therefore, continuing to use Ubuntu 14 could pose a significant security risk.

 

How to install SSH Jump server in AlmaLinux 8.4 / Rocky Linux?

Supported from Ezeelogin 7.25.0 version

  Enter the following command on your terminal to install Ezeelogin dependency package on Almalinux 8 / Rocky Linux

[email protected]:~#  yum -y install  httpd openssl php php-mysqlnd php-process php-common php-cli php-json mariadb-server bzip2 mariadb mod_ssl php-ldap nodejs npm git

[email protected]:~#   service mariadb start 

 

  Make sure that web server and SQL server startup on boot

[email protected]:~#  systemctl enable mariadb 

[email protected]:~#  systemctl enable httpd

 

  Set the root password with following command

[email protected]:~#    mysql_secure_installation

 

  How to install SSH Jump server in RHEL 8?

  Supported from Ezeelogin 7.27.0 version

  Enter the following command on your terminal to install ezeelogin dependency package on RHEL 8

[email protected]:~#  dnf -y install httpd openssl php php-mysqlnd php-process php-common php-cli php-json mariadb-server bzip2 mariadb mod_ssl php-ldap nodejs npm git

[email protected]:~# service mariadb start

  

  Make sure that web server and SQL server startup on boot

[email protected]:~#  systemctl enable mariadb 

[email protected]:~#  systemctl enable httpd

 

  Set the root password with following command

[email protected]:~#    mysql_secure_installation

 

 How to install SSH Jump server in  Debian 10?

 

Enter the following command on your terminal to install the Ezeelogin dependency package on Debian 10

[email protected]:~# apt update; apt install php mariadb-client mariadb-server apache2 libapache2-mod-php php-mysql php-curl php-ldap nodejs git

Set the root password with the following command

[email protected]:~#  mysql_secure_installation

 

How to install SSH Jump server in  Debian 9?

   Enter the following command on your terminal to install the Ezeelogin dependency package on Debian 9

[email protected]:~# apt update; apt install php mariadb-client mariadb-server apache2 php-mcrypt libapache2-mod-php7.0 php7.0-mysql php-curl php7.0-xml php7-ldap nodejs git

   Set the root password with following command 

[email protected]:~#  mysql_secure_installation

 

How to install SSH Jump server in Centos 7?

  Enter the following command on your terminal to install ezeelogin dependency package on centos 7

[email protected]:~#  yum -y install epel-release httpd openssl php php-mysql php-process php-common php-cli php-mcrypt mariadb-server bzip2 mariadb mod_ssl php-ldap nodejs git; yum -y install php-mcrypt

[email protected]:~#   service mariadb start 

 

  Make sure that the web server and SQL server startup on boot

[email protected]:~#  systemctl enable mariadb 

[email protected]:~#  systemctl enable httpd

 

  Set the root password with the following command

[email protected]:~#    mysql_secure_installation

 

How to install SSH Jump server in Centos 8.x?  

Supported from Ezeelogin 7.22.0 version

  Enter the following command on your terminal to install ezeelogin dependency package on centos 8

[email protected]:~#  yum -y install  httpd openssl php php-mysqlnd php-process php-common php-cli php-json mariadb-server bzip2 mariadb mod_ssl php-ldap nodejs npm git

[email protected]:~#  service mariadb start 

  Make sure that web server and SQL server startup on boot

[email protected]:~#  systemctl enable mariadb 

[email protected]:~#  systemctl enable httpd

  Set the root password with following command

[email protected]:~#   mysql_secure_installation

How to install  SSH Jump server in Centos 6?

 We do not recommend using Centos 6 as it is no longer supported by the Linux community with security patches, vulnerabilities, or bug fixes. Therefore, continuing to use CentOS 6 could pose a significant security risk.

 

 How to install SSH Jump server in  SUSE LINUX 15?

Supported from Ezeelogin 7.24.1 version

  Enter the following command on your terminal to install Ezeelogin dependency package on SUSE Linux 15

[email protected]:~#  zypper in apache2 openssl php php-mysql php-posix  apache2-mod_php7 php-cli php-json mariadb-server bzip2 mariadb php-ldap nodejs npm git

[email protected]:~#   service mariadb start 

 

  Make sure that web server and SQL server startup on boot

[email protected]:~#  systemctl enable mariadb 

[email protected]:~#  systemctl enable apache2

 

  Set the root password with following command

[email protected]:~#    mysql_secure_installation

 

 

3. Download & install Ioncube Loader

 

   Ezeelogin SSH jump server software is encrypted with ioncube loader.You need to download & install ioncube loader to decrypt before jump server installation.Refer the following article to download & install ioncube loader.

 

How do I install ioncube on server?

 

4. Download & Install Ezeelogin ssh jump server software.

 
If you are using a proxy server in a LAN for outbound connection, do check out  Will Ezeelogin jump server work behind a firewall or NAT or behind a Proxy?  

 

You may download the ezeelogin jump server package corresponding to your  PHP version installed on your server 

 Ezeelogin customerportal  

Execute the following command as the root user on your server.

 

[email protected]:~# wget https://downloads.ezeelogin.com/ezlogin_7.x.x.bin (Use correct download link from the customer portal)

  

        If you are planning to connect to remote MySQL/RDS servers, you should grant to access to database on the remote database server. This is not required if your MySQL server is running on localhost.(Replace root with user admin user)

           mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION; 

     mysql> flush privileges;

          (For AWS RDS MySQL 5.6,5.7 & MariaDB 10.2)

 

   You can install ezeelogin jump server by simply executing installation script

[email protected]:~# sh ezlogin_7.x.x.bin

   Follow the prompts and the installation would complete without issues.

   

Note: you need to accept the license agreement by manually typing " I AGREE "  or running the following command to auto accept the license.
sh ezlogin_7.x.x.bin -- -I_ACCEPT_EULA

Type "I AGREE" and press enter to accept the license:

 

you may be prompted to enter the missing settings. The default value will be given in bold. Simply pressing enter key will choose the default value.

 

Enter the path where web panel files should be installed.

This path should be accessible via a web browser.

The directory should not exist, but its parent directory should exist.

 

path to install web panel files ( /var/www/html/ezlogin ):

 

You need to specify the Document root here ,if it is different from default else you press enter to choose default.

 

Enter the path where web panel system files should be installed.

This should be preferably outside the DocumentRoot (should not be accessible via web browser) for security reasons.

If safe_mode restriction is enabled, this path should be allowed for include with safe_mode_include_dir

The directory should not exist, but its parent directory should exist.

 

path to install web panel system files ( /var/www/ezlogin ):

 

If you need to access the ezeelogin jump server webpanel as  www.yourdomain.com   choose   "   /  "  & change your document root to  {your existing document root}/ezlogin. For example ,If your document root is /var/ww/html change to /var/ww/html/ ezlogin , else press enter to choose default

  

For example, if the DocumentRoot of http://www.yourdomain.com/ is /usr/local/apache/htdocs/yourdomain and you specified /usr/local/apache/htdocs/yourdomain/ezlogin as path to install web panel, the web panel would be accessible as http://www.yourdomain.com/ezlogin/. In this case the REQUEST-URI would be ’/ezlogin/’.

If you specified DocumentRoot itself as the path to install web panel files, it would be ’/’

 

URI path to access the web panel ( /ezlogin/ ):

 

Using remote database server for Ezeelogin database

Enter the hostname/ip address of the remote database server or use localhost, if you are going to run the database server on the current server. 

How to configure Ezeelogin on AWS-RDS Remote Database?

If the MySQL server is running on this system itself, use ’localhost’

 

MySQL server ( localhost ):

     

port or path to unix socket used by the MySQL server.

 

MySQL port/socket ( 3306 ):

 

Grant connectivity to Ezeelogin server  hostname/ip on the remote database server. This is not required if your MySQL server is running on localhost.

mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'PASSWORD' WITH GRANT OPTION;

mysql> flush privileges;

 

Enter the username with super user (root) privileges for the database server.

This is usually ’root’, sometimes ’admin’ etc.

MySQL super user ( root ):

 

Please enter the password for the database super user.

MySQL super user password:

  

Do NOT enable this if you are not sure. You can always manually enable after installation as well. This is useful only if you will be setting up master/slave node for redundancy.

Enable this option to use MySQL SSL connectivity when using a cluster so that mysql communication between the primary and secondary gateways would be encrypted

Do you want to use secure MySQL connection (yes/no) ? ( no ):

 

      Refer the below articles to configure MySQL SSL configuration

If you are using  SSL for AWS RDS, you can specify  "mysql_ssl_ca   /var/lib/mysql/rds-combined-ca-bundle.pem" in /usr/local/etc/ezlogin/ez.conf

    
Configure ezeelogin to use MySQL SSL in Ubuntu
Configure ezeelogin to use MySQL SSL in Centos

 

Enter the ezlogin Administrator username (less than 21 chars).

This user should not exist on this system. It will be created.

admin user ( ezadm118 ): 

 

Enter the password for ezlogin Administrator.

admin password ( }AkJy.%R3TQaX(P ):

 

Enter the security code for ezlogin Administrator.

security code ( FIyW6x7Lbz ):

 

Whether web panel should force HTTPS (secure) protocol or not. [yes/no]

Force HTTPS for web panel? ( no ):

 

Refer the following article to configure secure web panel (https)

 
How to install free SSL with Let’s Encrypt?     

Install SSL certs in jump server to secure connection

Review settings:

Install web panel files in                                  : /var/www/html/ezlogin/

Install web panel system files in                           : /var/www/ezlogin/

URI path to access web panel                                : /ezlogin/

MySQL server                                                : localhost

MySQL port/socket                                           : 3306

MySQL database                                              : ezlogin_jzgzs

MySQL user                                                  : ezlogin_xnyqwd

MySQL password                                              : !T3}3w$czV$6VrWxG)kn{5&3t5

Force HTTPS for web panel?                                  : no

Secure MySQL connection?                                    : no

Admin user                                                  : admin

Admin password                                              : admin

Admin security code                                         : admin

Note these down for future reference. Certain values such as passwords cannot be retrieved after setup.

Accept the above settings? ( y /n/x) :

 

Creating and setting up database... done

Adding ezsh to shells... done

Creating group and users... done

Creating directories... done

Copying files... done

Setting access... done

Setting file modes... done

Setting file owners... done

Setting file groups... done

Setting up config... done

Setting up cron... done

Downloading GeoLiteCity database from www.maxmind.com... done

########################################################

Ezeelogin installed. (Log: /var/log/ezlogin_install.log )

########################################################

###################################################################

 Web panel installed at:

  /var/www/html/ezlogin/

  ( http://yourdomain.com/ezlogin/ ).

###################################################################

Note: Please check the log file to see if any error occurred.

 

TODO NOTES:

Enable web server, MySQL server and cron to startup at boot time.

 

For free assistance, please contact [email protected]

 

Thank you for choosing Ezeelogin.

www.ezeelogin.com

 To install in one step with the default settings and without being prompted.  Be ready with MySQL root password if not in /root/.my.cnf

 [[email protected]~]#  sh ezlogin_7.21.0._x_x.bin --  -skipgeolite    -auto -force   -ACCEPT_SETTINGS    -I_ACCEPT_EULA   

 

If  SSH Daemon on ssh jump host is running on a non standard port other than 22, do update Gateway SSH Port in the Webgui.

 
Access the web gui as follows.
 
jump server web interface
 
 
Access the SSH backend using ssh clients such as Putty on Windows, Terminal on Mac, or console in Linux.  
 
Note that password based authentication  has to be enabled or you need to add the public key of the user ssh’ing in /home/{username}/.ssh/authorized_keys manually or refer  article to add public key for the first time after which you can disable password based authentication in /etc/ssh/sshd_config file. Set the variable " PasswordAuthentication yes" sshd_config file to enable it and "PasswordAuthentication no" to disable in /etc/ssh/sshd_config
 
jump server shell
 

You can refer the article to install secondary node on Ezeelogin.

How to take a free trial from ezeelogin ?

How to add a remote Linux device into the ssh jump server?
How to record ssh sessions of ssh jump users?

How to setup WebSSH to login to a remote server using the browser?

FREE 24/6 INSTALLATION & DEMO  BY SUPPORT TEAM

We can guide you, install it for you and give you a demo on how to use it at no extra charge.  Contact our  24/6 Support Desk to schedule your free or guided installation. Also, schedule a free introductory session to get to know how to use the Ezeelogin Jump server solution effectively and ask your questions with our engineers.
Rating: 4.91 (11 Votes)