SSH bastion/jump host/jumpserver
Aker is a security tool that helps you configure your own Linux SSH jump/bastion host. Named after an Egyptian mythology deity who guarded the borders, Aker would act as a choke point through which all your sysadmins and support staff access Linux production servers. Aker SSH gateway includes a lot of security features that would help you manage and administer thousands of Linux servers with ease. For a detailed look, check our Wiki.
I couldn't find an open source tool similar to CryptoAuditor and fudo. Such tools are beneficial if you're seeking to become PCI-DSS or HIPAA compliant, for example. Regardless of security standards compliance, access to the server should be controlled and organized in a way convenient to both traditional and cloud workloads.
Phase 0
Phase 1
Phase 2
Software:
Python Modules:
Automated :
Manually:
Aker can be set up on a FreeIPA client or independently using a JSON config file.
Common Steps (FreeIPA or Json):
```
git clone https://github.com/aker-gateway/Aker.git /usr/bin/aker/
```
Install dependencies (adapt for Ubuntu)
```
yum -y install epel-release
yum -y install python2-paramiko python-configparser python-redis python-urwid python2-wcwidth redis
```
Set files executable perms
```
chmod 755 /usr/bin/aker/aker.py
chmod 755 /usr/bin/aker/akerctl.py
```
Setup logdir and perms
```
mkdir /var/log/aker
chmod 777 /var/log/aker
touch /var/log/aker/aker.log
chmod 777 /var/log/aker/aker.log
```
Enforce aker on all users but root, edit sshd_config
```
Match Group *,!root
ForceCommand /usr/bin/aker/aker.py
```
Restart ssh
Restart redis
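To check who the `Match Group *,!root` step actually forces through Aker, the following added example (not part of the Aker code base) models how sshd evaluates a `Match Group` pattern list against a user's groups. It assumes only `Match Group` blocks matter; the sample accounts are constructed.

```python
import fnmatch

AKER = "/usr/bin/aker/aker.py"  # ForceCommand target from the README step
README_SSHD = "Match Group *,!root\n    ForceCommand /usr/bin/aker/aker.py\n"

def group_list_matches(pattern_list, user_groups):
    """Model of sshd 'Match Group': a negated pattern hitting any of the
    user's groups vetoes the block; otherwise one positive hit is enough.
    (fnmatch also accepts [] classes, which sshd patterns do not.)"""
    matched = False
    for group in user_groups:
        for pat in filter(None, (p.strip() for p in pattern_list.split(","))):
            if pat.startswith("!"):
                if fnmatch.fnmatchcase(group, pat[1:]):
                    return False
            elif fnmatch.fnmatchcase(group, pat):
                matched = True
    return matched

def forced_command(config_text, user_groups):
    """ForceCommand applied by the first matching 'Match Group' block, else None.
    Assumption: global settings and other Match criteria are not modelled."""
    applies = False
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, arg = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            crit = arg.split()
            applies = (len(crit) == 2 and crit[0].lower() == "group"
                       and group_list_matches(crit[1], user_groups))
        elif keyword == "forcecommand" and applies:
            return arg  # sshd keeps the first value obtained for a keyword
    return None

def ungated(config_text, users):
    """Names of users whose sessions would not be forced through Aker."""
    return sorted(name for name, groups in users.items()
                  if forced_command(config_text, groups) != AKER)

# Constructed sample accounts: name -> primary and supplementary groups.
SAMPLE_USERS = {
    "alice": ["alice", "sysadmins"],
    "root": ["root"],
    "bob": ["bob", "root"],  # supplementary 'root' group also exempts bob
}

if __name__ == "__main__":
    print(ungated(README_SSHD, SAMPLE_USERS))
```

On a live gateway, `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the effective settings for a given connection, including `forcecommand`.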
Choosing FreeIPA:
Assumptions:
Create /etc/aker, copy /usr/bin/aker/aker.ini into it, and edit it as below:
```
[General]
log_level = INFO
ssh_port = 22
# Identity Provider to determine the list of available hosts
# options shipped are IPA, Json. Default is IPA
idp = IPA
hosts_file = /etc/aker/hosts.json
# FreeIPA hostgroup name containing Aker gateways
# to be excluded from hosts presented to user
gateway_group = gateways
```
Choosing Json:
Create /etc/aker, copy /usr/bin/aker/aker.ini into it, and edit it as below:
```
[General]
log_level = INFO
ssh_port = 22
# Identity Provider to determine the list of available hosts
# options shipped are IPA, Json. Default is IPA
idp = Json
hosts_file = /etc/aker/hosts.json
# FreeIPA hostgroup name containing Aker gateways
# to be excluded from hosts presented to user
gateway_group = gateways
```
hosts.json file is provided.
Currently I work on the code in my free time; any assistance is highly appreciated. Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests.