FluxArk Jump Server
Usage
Connecting
The standard way to connect to an SSH server is ssh remote-user@remote-server. When using FluxArk Jump Server this changes to ssh remote-user@remote-server@your-user@fluxark-server.
Or, when using a graphical terminal, just set remote-user@remote-server@your-user as the user.
After you connect using the new format you need to provide your credentials.
Here are the key parts:
- remote-user is the target server's user
- remote-server is the target server's IP address or its name (from the web panel)
- your-user is the FluxArk user you've created
- fluxark-server is the IP address or hostname of the FluxArk installation
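As an added illustration (not FluxArk's own code), the following Python splits the composite login described above into its parts and rebuilds the full ssh command line. It assumes the portable POSIX username rule for the FluxArk user and that OpenSSH splits user@host at the last '@', which is what lets the extra '@'-separated parts reach the jump server unchanged.

```python
import re
from typing import List, NamedTuple

# Constructed example: FluxArk's parsing code is not shown on this page.
# Assumption: the FluxArk user must be a valid local Linux username
# (portable POSIX form: lowercase letters, digits, '_' and '-', not starting
# with '-', at most 32 characters).
UNIX_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class JumpTarget(NamedTuple):
    remote_user: str    # account on the target server
    remote_server: str  # target IP address, hostname, or FluxArk server name
    your_user: str      # the FluxArk user (a local Linux account on the jump host)


def parse_jump_login(login: str) -> JumpTarget:
    """Split 'remote-user@remote-server@your-user' into its three parts.

    OpenSSH itself takes everything before the last '@' as the user name, so
    the jump server receives this whole string and splits it from the right.
    """
    parts = login.rsplit("@", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(
            f"expected remote-user@remote-server@your-user, got {login!r}")
    remote_user, remote_server, your_user = parts
    if not UNIX_USER_RE.match(your_user):
        raise ValueError(f"FluxArk user {your_user!r} is not a valid Unix username")
    return JumpTarget(remote_user, remote_server, your_user)


def build_ssh_command(target: JumpTarget, fluxark_server: str, port: int = 22) -> List[str]:
    """Return argv for 'ssh remote-user@remote-server@your-user@fluxark-server'."""
    login = f"{target.remote_user}@{target.remote_server}@{target.your_user}"
    argv = ["ssh"]
    if port != 22:
        argv += ["-p", str(port)]
    argv.append(f"{login}@{fluxark_server}")
    return argv


if __name__ == "__main__":
    # Constructed sample values, not from the page.
    target = parse_jump_login("deploy@web-01@alice")
    print(target)
    print(" ".join(build_ssh_command(target, "jump.example.internal")))
```

Run it directly to see the parsed tuple and the resulting command; the ValueError branch is what a graphical terminal user hits when the user field is left as a plain `remote-user@remote-server`.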
Authentication
In order to be able to use the Jump Server you must do the following steps:
- Create a user - represents your-user
- Create a server - represents remote-server
- Create a server user - represents remote-user
- Allow the user to connect to the remote server-user pair. See the Access list documentation for more information.
Depending on the user's configuration, one or more of the authentication methods below may be required, alone or in combination.
Here are the supported methods:
- password: the standard password. Note that you must change the user's password only from FluxArk.
- SSH key: the standard SSH key without any modifications, with or without a passphrase. It can be combined with a password: first you will be prompted for your SSH key and afterwards for your password.
- 2FA: TOTP token with an optional PIN code. For example, with the token 123456 and PIN 0000 you must enter 0000123456 as the password. If the selected password type includes a password, then the format is password0000123456.
- LDAP: a query will be performed against your LDAP server and a bind attempted with the user provided. It can be combined with 2FA and an SSH key.
After authentication
- on failure: the attempt will be recorded in the logs and after 5 (configurable) attempts your account will be locked; only an administrator can unlock it.
- on success: a connection to remote-user@remote-server will be established and recorded in FluxArk for auditing purposes. No more actions are required, just do your job as usual.
Setup
After the installation it's good practice to set up one administrative account, which is useful for connecting to the installation server directly: every SSH account is controlled by the FluxArk software, so you won't be able to log in as root, for example. Every user is a local Linux user, so don't change any password or create Linux users manually!
To be able to use the jump server you must create a user and setup some access lists.
Creating a user
- Log in to the web panel using your administrator account - a default one is generated when installing
- Go to the Users -> Users menu, where you can view all existing accounts
- Click on the green Create button to create a new user. 2FA authentication can be set up after user creation.
- Set up the user to your liking. A local Linux user will be created.
User fields
Active
If unchecked you won't be able to use the account.
Server administrating account
Allows direct SSH login to the installation server; the user won't be usable as a Jump user! Useful if you want to SSH to the installation server, even without FluxArk working.
Username*
Required field. Creates a local Linux user, so it must follow the Unix standard for user naming. Later this name will be used as the your-user part when connecting.
Full name*
Required field. Used as a reference in the logs.
Email address*
Required field. Used as a reference in logs, access lists etc.
SSH public key
The standard SSH key used when connecting.
Password*
Required field on user creation. You must set a password, even if you will use only an SSH key as the login method. The password strength is controlled from the Settings -> Users page.
Password expiry date
Read-only field which indicates when the password will expire if password rotation is set up. To activate the rotation go to the Settings -> Users page.
Password type
When you have a password as the Authentication type, the password can be one of the following:
- Password : Use the password as-is
- Password + Token : You need to have a 2FA TOTP token set up and when connecting you must enter the token concatenated after the password.
- Password + Token PIN + TOKEN : Same as above, but you must put the PIN code before the token.
- Token PIN + Token : No password is required, just the PIN and the token concatenated.
- Token : No password, just the token.
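The five Password type formats above, and the 0000123456 / password0000123456 examples in the Authentication section, all hinge on peeling a fixed-width PIN and token off the end of what the user typed. The following is an added Python illustration, not FluxArk's code, of how a verifier can split such a string and check each part; it assumes RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits), a 4-digit PIN and a one-step clock-drift window, and the type names used for the password_type argument are this example's own.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed illustration; assumptions: RFC 6238 TOTP with HMAC-SHA1,
# 30 s step and 6 digits, a 4-digit PIN, and the token always typed last.
TOKEN_DIGITS = 6
PIN_DIGITS = 4
STEP_SECONDS = 30


def totp(secret: bytes, at: int, digits: int = TOKEN_DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(entered: str, password_type: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Split the string typed at the password prompt into (password, pin, token).

    password_type is one of this example's names for the five Password types:
    'password', 'password+token', 'password+pin+token', 'pin+token', 'token'.
    PIN and token have fixed widths, so they are removed from the end and
    whatever remains is the password.
    """
    pin = token = None
    rest = entered
    if password_type.endswith("token"):
        if len(rest) < TOKEN_DIGITS or not rest[-TOKEN_DIGITS:].isdigit():
            raise ValueError("token missing or not numeric")
        token, rest = rest[-TOKEN_DIGITS:], rest[:-TOKEN_DIGITS]
    if "pin" in password_type:
        if len(rest) < PIN_DIGITS or not rest[-PIN_DIGITS:].isdigit():
            raise ValueError("PIN missing or not numeric")
        pin, rest = rest[-PIN_DIGITS:], rest[:-PIN_DIGITS]
    password = rest if "password" in password_type else None
    if password == "":
        raise ValueError("password missing")
    if password is None and rest:
        raise ValueError("unexpected characters before the PIN/token")
    return password, pin, token


def verify(entered: str, password_type: str, *, password: str, pin: str,
           secret: bytes, now: int, window: int = 1) -> bool:
    """Check the typed string against the stored password, PIN and TOTP secret.

    Comparisons use hmac.compare_digest so the result does not leak timing,
    and +/- `window` steps of clock drift are tolerated for the token.
    """
    try:
        got_pw, got_pin, got_token = split_credential(entered, password_type)
    except ValueError:
        return False
    ok = True
    if got_pw is not None:
        ok &= hmac.compare_digest(got_pw.encode(), password.encode())
    if got_pin is not None:
        ok &= hmac.compare_digest(got_pin.encode(), pin.encode())
    if got_token is not None:
        ok &= any(hmac.compare_digest(got_token.encode(),
                                      totp(secret, now + d * STEP_SECONDS).encode())
                  for d in range(-window, window + 1))
    return ok


if __name__ == "__main__":
    # Constructed values: the RFC 6238 test secret and a sample password/PIN.
    secret = b"12345678901234567890"
    token = totp(secret, 59)
    print(split_credential("hunter20000" + token, "password+pin+token"))
    print(verify("hunter20000" + token, "password+pin+token",
                 password="hunter2", pin="0000", secret=secret, now=59))
```

Note that a real verifier must also refuse to accept the same token twice within its step, which this illustration leaves out.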
Authentication type
Here you can enable SSH-key-only login, password-only login or a mix:
- Password : Only uses the password, even if you have an SSH public key set up
- Password + SSH KEY : Requests the SSH key first, before entering the password. See the Password type field above for the different types of password
- SSH KEY : Uses only the SSH key as the authentication method when connecting. It will ignore all password types.
Comment
Just a personal reference for the administrators.
IP Allow list
The user can connect from any IP address when empty! List of IP addresses/networks from which the user can connect to the FluxArk Jump server. Connecting from any other IP address will be blocked, even with the correct credentials. The format is as follows:
- 192.168.0.1 : Allow connection only from this IP
- 192.168.0.1, 192.168.0.2 : Multiple IP addresses
- 192.168.0.1/24 : A network with a 24-bit mask, so the user will be able to connect from the network 192.168.0.1 - 192.168.0.255
- 192.168.0.1/24, 192.168.1.1/24 : Multiple networks
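An added Python illustration of the IP Allow list format just described (not FluxArk's own code): it parses the comma-separated entries with the standard ipaddress module and decides whether a client address is admitted. It assumes that an empty field means any address, and that a host address written with a prefix, like 192.168.0.1/24 above, stands for the whole network it belongs to.

```python
import ipaddress
from typing import List, Union

# Constructed illustration of the 'IP Allow list' field; not FluxArk's code.
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(text: str) -> List[Network]:
    """Turn '192.168.0.1, 192.168.0.1/24' into network objects; empty text -> []."""
    networks = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False accepts a host address with a prefix, as in the page's
        # own example (192.168.0.1/24 is read as 192.168.0.0/24); a bare
        # address becomes a single-host /32 (or /128) network.
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_allowed(client_ip: str, allow_list: str) -> bool:
    """True when the list is empty or the client address lies in any entry."""
    networks = parse_allow_list(allow_list)
    if not networks:
        return True   # empty field: the user may connect from anywhere
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable peer address is denied
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Constructed sample inputs.
    allow = "192.168.0.1/24, 192.168.1.1/24"
    for ip in ("192.168.0.200", "192.168.2.7"):
        print(ip, "->", "allowed" if is_allowed(ip, allow) else "blocked")
```

A malformed entry raises ValueError from ipaddress.ip_network at parse time, which is the right moment to reject it (when the administrator saves the user) rather than at login.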
Groups
User group for ACLs. These groups are used in access lists, which control access to the remote servers. You can create a user group from the web panel's Users -> Groups menu and assign it to the user later.
Creating a server
- Go to the Servers menu and click on Create.
- The name of the server can be used later as remote-server when connecting.
- From here you must pick one or more options as the type of the server, namely Jump, Cron and API.
- Later you must create one or more remote users for this server with their respective credentials.
Server fields
Active
When inactive you won't be able to use the server for any action.
Jump server
The server will act as a destination for the Jump server.
Cron server
You can execute cron commands on this server.
API server
You can execute API commands on this server.
Name*
It can be used when connecting as the remote-server, instead of an IP address or a hostname.
IP/Hostname*
The address of the remote server. Accepts either an IP address or a domain name. When connecting you must enter the provided address as-is, as the system won't do any DNS resolving.
Port
SSH port, default 22.
Groups
The group will be automatically created when entering a new one and adding it. By having a group, the server can be part of a Cron, API or Jump ACL, as Cron and API use only server groups as their destination.
Creating a remote SSH user
Any server needs remote users in order to be able to connect to it. They will be used later when creating any user access list, because you can, for example, allow a user to access only one remote account.
They are also required when operating Cron or API tasks, either through a default account (optional) or when enforcing a remote user from the API or Cron menus.
Later you can modify any already created user.
Here are the steps to create a remote user:
- Go to the Servers menu and choose List
- Click on the USERS link for the chosen server
- Click on the green Create button
- After creating a remote user, you can use it in any ACL
- By clicking on the 'Check online' button in the previous menu, you can test an SSH connection with the credentials
Remote SSH user fields
Active
By deactivating the user any services (like Jump etc.) won't work anymore.
Default user
Any Cron or API task will use the 'Default' user on task execution for this server, except when the user is defined manually in the task.
Username*
The remote username.
Password
It can be used for password authentication or as the SSH key password. Leave empty when using a key without a password.
SSH Port
You can change the SSH port used when connecting with this user, useful for dual SSH server setups.
SSH Private Key
Paste the SSH key here, if any. It won't be used if the auth method is set to password.
Auth method
- password: use it when the authentication requires only a password
- ssh-key: SSH key without a password
- ssh-key with password: SSH key with a password
- no password: for now it's disallowed, as it's not a good idea to have accounts without a password
Access lists
Provides granular control over who can access specific SSH hosts and users.
- Ensures that only authorized users can connect to critical systems.
- Single remote user restriction
- Optional all remote users
- Allow connection to a specific SSH hosts group
- Allow multiple types of access lists to operate at the same time
- The aggregated remote server access is shown in the Users listing menu
There are 3 types of ACLs for the Jump server:
- user - remote server : The user can access only one remote user from a picked server
- user - server group : Gives access to group of servers
- user group - server group : Gives access of a group of users to a group of servers
User to remote server ACL
For every ACL record you can allow access to only one remote user. This way the user can connect only to the specified remote user - remote host pair.
Here is how to achieve this:
- Go to the Users -> Users menu
- Click on the ACL link for the respective user
- Click on the Create button
- There, first pick the desired Server (remote host)
- Pick any of the already created remote users - if left empty, the user will be able to use only his own username as the remote user. Use an asterisk * to allow access to all the server's users.
- Expire time in days - after the given number of days, starting now, the ACL will expire and the user won't be able to connect to this remote user anymore
User to server group ACL
Gives access to a group of remote servers.
Here is how to achieve this:
- Go to the Users -> Users menu
- Click on the ACL link for the respective user
- Click on the Create for server group button
- Pick a server group
- User can have the following options:
  - single remote user - enforces only 1 user as the target remote user for all servers in the group
  - multiple users - comma separated list
  - empty - the user will be allowed to connect to the servers only with his own username
  - asterisk (*) - allow access to all users from this group
- Expire time in days - the ACL won't be valid after X days have passed, starting from today
User group to server group ACL
This controls the access of a group of users to remote server groups. Note that the user group must be created beforehand and associated with the desired users. LDAP imported groups are also valid targets.
- Create a user group if you don't have one or when not imported through LDAP
- Go to the Users -> Groups menu
- Click on the Create button to create one if required
- Click on the Modify ACL button of the desired group
- There you can create/modify the ACLs of the user group
- When creating an ACL you will see the following fields:
  - Server Group - The target server group
  - User - same as when creating a user to server group ACL:
    - single remote user - enforces only 1 user as the target remote user for all servers in the group
    - multiple users - comma separated list
    - empty - the user will be allowed to connect to the servers only with his own username
    - asterisk (*) - allow access to all users from this group
  - Expire time in days - the ACL won't be valid after X days have passed, starting from today
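The three ACL types above share one decision: does some non-expired record tie this FluxArk user to this remote user on this server? The following Python is an added illustration of that evaluation and of the aggregated per-user view mentioned for the Users listing; it is not FluxArk's code, and its data model (the kind names, the Directory class, the rule that an ACL created with N days of expiry stops applying on day N) is assumed for the example. Remote-user specs follow the page: one username, a comma-separated list, empty for the user's own username, or * for all.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed illustration of the Jump ACL types; not FluxArk's data model.


@dataclass(frozen=True)
class Acl:
    kind: str                      # 'user-server', 'user-group' or 'group-group'
    subject: str                   # FluxArk username, or user group for 'group-group'
    target: str                    # server name, or server group name
    remote_users: str = ""         # '', 'deploy', 'deploy,www', or '*'
    expires: Optional[date] = None # first day on which the ACL no longer applies


@dataclass
class Directory:
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)    # group -> users
    server_groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> servers
    acls: List[Acl] = field(default_factory=list)


def make_acl(kind: str, subject: str, target: str, remote_users: str = "",
             expire_days: Optional[int] = None, today: Optional[date] = None) -> Acl:
    """Build an ACL; 'Expire time in days' counts from today (assumed semantics)."""
    today = today or date.today()
    expires = today + timedelta(days=expire_days) if expire_days is not None else None
    return Acl(kind, subject, target, remote_users, expires)


def remote_user_matches(spec: str, fluxark_user: str, remote_user: str) -> bool:
    """Apply the remote-user spec rules from the page to one requested remote user."""
    spec = spec.strip()
    if spec == "*":
        return True
    if spec == "":
        return remote_user == fluxark_user   # empty: only the user's own username
    return remote_user in {s.strip() for s in spec.split(",")}


def _servers_for(d: Directory, acl: Acl, fluxark_user: str) -> Set[str]:
    """Servers this ACL grants to fluxark_user, or an empty set if it does not apply."""
    if acl.kind == "user-server" and acl.subject == fluxark_user:
        return {acl.target}
    if acl.kind == "user-group" and acl.subject == fluxark_user:
        return set(d.server_groups.get(acl.target, ()))
    if acl.kind == "group-group" and fluxark_user in d.user_groups.get(acl.subject, ()):
        return set(d.server_groups.get(acl.target, ()))
    return set()


def _active(d: Directory, today: date):
    return (a for a in d.acls if a.expires is None or today < a.expires)


def may_connect(d: Directory, fluxark_user: str, remote_user: str, server: str,
                today: Optional[date] = None) -> bool:
    """True if any non-expired ACL grants fluxark_user -> remote_user@server."""
    today = today or date.today()
    return any(server in _servers_for(d, acl, fluxark_user)
               and remote_user_matches(acl.remote_users, fluxark_user, remote_user)
               for acl in _active(d, today))


def aggregated_access(d: Directory, fluxark_user: str,
                      today: Optional[date] = None) -> Set[Tuple[str, str]]:
    """(server, remote-user spec) pairs currently granted to a user, as a Users listing would show."""
    today = today or date.today()
    return {(s, acl.remote_users) for acl in _active(d, today)
            for s in _servers_for(d, acl, fluxark_user)}


if __name__ == "__main__":
    # Constructed sample directory.
    today = date(2024, 1, 10)
    d = Directory(user_groups={"devs": {"alice", "bob"}},
                  server_groups={"web": {"web-01", "web-02"}, "db": {"db-01"}})
    d.acls = [make_acl("user-server", "alice", "db-01", "postgres", 30, today),
              make_acl("group-group", "devs", "web", "deploy,www", 1, today)]
    print(sorted(aggregated_access(d, "alice", today)))
    print(may_connect(d, "alice", "root", "db-01", today))
```

Because the check is a disjunction over records, adding a broader ACL never removes access granted by a narrower one; review the aggregated view after every change, exactly as the page recommends.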
After creating any access lists, you can view them aggregated in the Users list menu, which displays all the user-server pairs the user has access to.
The SSH user is then ready to access any of the selected servers using only his credentials, without the need to do anything different from connecting the standard SSH way.
Session recording
Records all SSH sessions for auditing and compliance purposes. Provides a way to review actions taken during sessions, enhancing accountability. Optional encryption.
LDAP integration
Integrates with LDAP for centralized user management. Simplifies the administration of user access and credentials.
Management API
Provides APIs for seamless integration and management of hosts and users.