With growing firewall constraints, accessing a server over ssh is not always a pleasant journey; I read a Korben post on GateOne, an HTML5 server-side ssh client, and I just got an opportunity to deploy it for a test. This post details how to install it and secure it a little bit.
This is a CentOS 6 based procedure.
Some prerequisites
- install git, gcc, python-devel, httpd
yum install git
yum install gcc
yum install python-devel
yum install httpd
- install nginx
echo "[nginx]" > /etc/yum.repos.d/nginx.repo
echo "name=nginx repo" >> /etc/yum.repos.d/nginx.repo
# single quotes keep $releasever and $basearch literal for yum instead of letting the shell expand them to empty strings
echo 'baseurl=http://nginx.org/packages/centos/$releasever/$basearch/' >> /etc/yum.repos.d/nginx.repo
# gpgcheck=0 skips package signature verification for this repository
echo "gpgcheck=0" >> /etc/yum.repos.d/nginx.repo
echo "enabled=1" >> /etc/yum.repos.d/nginx.repo
yum install nginx
- configure nginx
chkconfig --levels 235 nginx on
service nginx start
- install python pip
# --no-check-certificate disables TLS verification of the downloaded installer; drop it if the system CA bundle is current
wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py
python get-pip.py
- install tornado
pip install tornado
Get and install GateOne
- Download
git clone https://github.com/liftoff/GateOne.git
- install
GateOne #> python ./setup.py install
GateOne #> gateone
Once you have run gateone, just kill it with CTRL+C; the objective is only to generate the configuration tree.
- configure
By default, the gateone server listens on port 443 on all interfaces and accepts anonymous connections. Since any ssh server can be reached from this client, an open instance puts you at high risk of becoming a source of criminal activity, so you really have to restrict access to this tool.
I have spent a lot of time trying to configure the PAM auth method, with no success. The documentation is obsolete, as far as I have seen.
The following lines of /etc/gateone/conf.d/10server.conf are modified (the others are unchanged); this limits access to connections coming from nginx rather than directly from the web.
"address": "127.0.0.1",
"origins": ["localhost", "127.0.0.1"],
"disable_ssl": true,
"https_redirect": false,
"port": 8888,
"url_prefix": "/gateone/",
- configure nginx
Create an SSL key pair; during the second call to openssl, enter as the Common Name the domain name you want the certificate for.
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
# -des3 protects the key with a passphrase that nginx will ask for at every start;
# 1024-bit RSA is below the accepted minimum, 2048 is the usual floor
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Create the nginx listener and proxy by creating a /etc/nginx/conf.d/gateone.conf file containing
# HTTPS server
server {
    listen [::]:443;
    listen 443;
    server_name mysslhost;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken protocols; in practice keep only the TLS versions in this list
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location /gateone/ {
        # HTTP basic auth in front of GateOne, which itself accepts anonymous users
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_pass http://localhost:8888;
        # WebSocket upgrade, required by the GateOne terminal
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Create a password file and enter a password for the root user (or any other user name)
htpasswd -c /etc/nginx/.htpasswd root
Fire up nginx
service nginx restart
Fire up gateone
gateone
Now you can access gateone at
https://your.server.name/gateone/
You will be prompted for a user (root) and a password (the one you chose); then you reach the GateOne tool.
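As an added example (not code from the original post or from the GateOne project), here is a small POSIX shell audit of the two files edited above. It checks the settings the isolation relies on: GateOne bound to loopback, nginx still fronting it with basic auth, the proxy target on loopback, the WebSocket Upgrade header forwarded, and it flags SSLv2/SSLv3 in ssl_protocols. The sample files are constructed inline so the script runs offline; the real paths are the ones from this post, /etc/gateone/conf.d/10server.conf and /etc/nginx/conf.d/gateone.conf.

```shell
#!/bin/sh
# Added example, not from the original post: audit the GateOne server settings
# and the nginx proxy block for the controls this post depends on.
# Sample files are constructed below; on a real host pass the functions
# /etc/gateone/conf.d/10server.conf and /etc/nginx/conf.d/gateone.conf.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed excerpt mirroring the post's 10server.conf edits.
cat > "$tmpdir/10server.conf" <<'EOF'
{
    "address": "127.0.0.1",
    "origins": ["localhost", "127.0.0.1"],
    "disable_ssl": true,
    "https_redirect": false,
    "port": 8888,
    "url_prefix": "/gateone/"
}
EOF

# Constructed counter-example: plain HTTP exposed on every interface.
cat > "$tmpdir/10server-open.conf" <<'EOF'
{
    "address": "0.0.0.0",
    "disable_ssl": true,
    "port": 8888
}
EOF

# Constructed excerpt of the post's nginx block, protocol list kept as posted.
cat > "$tmpdir/gateone-post.conf" <<'EOF'
server {
    listen 443;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    location /gateone/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8888;
        proxy_set_header Upgrade $http_upgrade;
    }
}
EOF

# Same block with the protocol list limited to TLS.
cat > "$tmpdir/gateone-tls.conf" <<'EOF'
server {
    listen 443;
    ssl_protocols TLSv1.2;
    location /gateone/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8888;
        proxy_set_header Upgrade $http_upgrade;
    }
}
EOF

# conf_value FILE KEY: print the value of a "KEY": value line,
# quotes and trailing comma stripped (first match wins).
conf_value() {
    sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# audit_gateone_conf FILE: one finding per line, nothing when it matches the post.
audit_gateone_conf() {
    addr=$(conf_value "$1" address)
    ssl_off=$(conf_value "$1" disable_ssl)
    [ "$addr" = "127.0.0.1" ] || echo "address=$addr: GateOne reachable without passing through nginx"
    if [ "$ssl_off" = "true" ] && [ "$addr" != "127.0.0.1" ]; then
        echo "disable_ssl=true off loopback: terminal sessions cross the network in clear"
    fi
}

# audit_nginx_conf FILE: one finding per line for the proxy-side controls.
audit_nginx_conf() {
    grep -Eq '^[[:space:]]*ssl_protocols[^;]*SSLv[23]' "$1" && echo "ssl_protocols still offers SSLv2/SSLv3"
    grep -Eq '^[[:space:]]*auth_basic[[:space:]]' "$1" || echo "auth_basic missing: the terminal is anonymous again"
    grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+http://(localhost|127\.0\.0\.1):' "$1" || echo "proxy_pass does not target loopback"
    grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+Upgrade' "$1" || echo "Upgrade header not forwarded: the WebSocket will not connect"
    return 0
}

# finding_count CMD ARGS...: number of finding lines CMD prints.
finding_count() {
    "$@" | awk 'END { print NR }'
}

for f in 10server.conf 10server-open.conf gateone-post.conf gateone-tls.conf; do
    echo "== $f"
    case $f in
        10server*) audit_gateone_conf "$tmpdir/$f" ;;
        *) audit_nginx_conf "$tmpdir/$f" ;;
    esac
done
```

The post's own 10server.conf excerpt produces no finding, the open counter-example produces two, and the nginx block as posted is flagged only for its protocol list.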
The line
pyhton ./setup.py install
is incorrect. Please correct to
python ./setup.py install
Thanks for sharing! Works very well!
thank you for the feedback
Are you sure Apache is a pre-req for this?