Configs · May 18, 2026 · 3 min read

JumpServer — Open Source Bastion Host and PAM Platform

JumpServer is an open-source privileged access management (PAM) platform that provides secure access to SSH, RDP, Kubernetes, databases, and web applications through a centralized web interface with auditing and session recording.

Agent-ready

This asset can be read and installed directly by agents.

TokRepo exposes a universal CLI command, an install contract, JSON metadata, a per-adapter plan, and raw content so that agents can evaluate compatibility, risk, and next steps.

  • Needs Confirmation · 64/100 · Policy: confirm
  • Agent surface: Any MCP/CLI agent
  • Type: Skill
  • Installation: Single
  • Trust: Established
  • Entry: JumpServer PAM
  • Universal CLI command: npx tokrepo install 8cc16c22-52f7-11f1-9bc6-00163e2b0d79

Introduction

JumpServer is an open-source privileged access management platform built with Python and Django. It acts as a bastion host that centralizes access to servers, databases, Kubernetes clusters, and remote desktops, providing session recording, command filtering, and multi-factor authentication out of the box.

What JumpServer Does

  • Provides web-based SSH, RDP, VNC, and Telnet terminal access
  • Records and replays user sessions for compliance and auditing
  • Manages database access for MySQL, PostgreSQL, Oracle, and more
  • Supports Kubernetes cluster access via a web terminal
  • Enforces role-based access control and approval workflows

Architecture Overview

JumpServer uses a modular architecture with a Django-based core API server, a Go-based KoKo component for SSH/SFTP proxying, a Guacamole-based Lion component for RDP/VNC, and a Magnus component for database proxying. All components communicate through the core API. Session data and audit logs are stored in MySQL or PostgreSQL with Redis for caching.

Self-Hosting & Configuration

  • Deploy via Docker Compose or the official quick-start script on Linux
  • Requires MySQL/MariaDB or PostgreSQL and Redis as backend services
  • Configure LDAP, OIDC, SAML, or RADIUS for authentication integration
  • TLS termination can be handled by Nginx or an external load balancer
  • Supports high-availability deployment with multiple core nodes behind a load balancer

Key Features

  • Agentless architecture: no software required on managed assets
  • Session recording with video playback for SSH and RDP sessions
  • Command filtering and blocking to prevent dangerous operations
  • Multi-factor authentication with TOTP, SMS, and hardware token support
  • Asset discovery and automatic inventory management

Comparison with Similar Tools

  • Teleport — focuses on zero-trust access; JumpServer provides a more traditional bastion model with richer audit UI
  • Apache Guacamole — clientless remote desktop gateway; JumpServer adds asset management and RBAC on top
  • Boundary (HashiCorp) — identity-based access without session recording; JumpServer includes built-in recording
  • StrongDM — commercial PAM; JumpServer is fully open source with similar core features
  • Bastillion — lightweight SSH bastion; JumpServer covers RDP, databases, and Kubernetes as well

FAQ

Q: Does JumpServer require agents on managed servers?
A: No. JumpServer connects to assets via standard protocols (SSH, RDP, database clients) without installing any agent.

Q: What databases can JumpServer proxy access to?
A: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Redis are supported through the Magnus component.

Q: Can JumpServer integrate with existing identity providers?
A: Yes. It supports LDAP, Active Directory, OIDC, SAML 2.0, and CAS for single sign-on.

Q: Is JumpServer suitable for production environments?
A: Yes. It is used by organizations worldwide and supports high-availability deployments with clustering.
