Install GateOne – an HTML5 ssh client

With the growing firewall constraints, accessing a server over ssh is not always a pleasant journey; I've read a Korben post on GateOne, an HTML5 server-side ssh client, and I just got an opportunity to deploy it for a test. This post will detail how to install it and secure it a little bit.


This is a CentOS 6 based procedure.

Some pre-requisites

  • install git tool, gcc, python-devel, httpd
yum install git
yum install gcc
yum install python-devel
yum install httpd
  • install nginx
echo "[nginx]" > /etc/yum.repos.d/nginx.repo
echo "name=nginx repo" >> /etc/yum.repos.d/nginx.repo
# single quotes: $releasever and $basearch must reach yum unexpanded
echo 'baseurl=http://nginx.org/packages/centos/$releasever/$basearch/' \
    >> /etc/yum.repos.d/nginx.repo
echo "gpgcheck=0" >> /etc/yum.repos.d/nginx.repo
echo "enabled=1" >> /etc/yum.repos.d/nginx.repo

yum install nginx
  • configure nginx
chkconfig --levels 235 nginx on
service nginx start
  • install python pip
wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py
python get-pip.py
  • install tornado
pip install tornado

Get and install GateOne

  • Download
git clone https://github.com/liftoff/GateOne.git
  • install
GateOne #> python ./setup.py install 
GateOne #> gateone

Once you have run gateone, just kill it with CTRL+C; the objective is only to generate the configuration tree.

  • configure

By default, the gateone server listens for any connection on port 443 and accepts anonymous connections. Since anyone who reaches this web client can open an ssh session to any server from it, an open instance makes you a likely source of malicious traffic, so you really have to limit access to this tool.

I have spent a lot of time trying to configure the auth method with PAM, without success. The documentation is obsolete, as far as I have seen.

The following lines of /etc/gateone/conf.d/10server.conf are modified (the others are unchanged); this limits access to connections coming from nginx on the local host rather than directly from the web:

"address": "127.0.0.1",
"origins": ["localhost", "127.0.0.1"],
"disable_ssl": true,
"https_redirect": false,
"port": 8888,
"url_prefix": "/gateone/",
  • configure nginx

Create an ssl key pair; during the second call to openssl, you have to indicate as Common Name the domain name you want the certificate for.

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Create the nginx listener and proxy by creating a /etc/nginx/conf.d/gateone.conf file containing:

# HTTPS server
server {
    listen [::]:443;
    listen 443;
    server_name mysslhost;
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken protocols; offer TLS only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location /gateone/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        # GateOne listens on 127.0.0.1:8888 (see 10server.conf above)
        proxy_pass http://localhost:8888;
        # WebSocket upgrade, needed for the terminal connection
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Create a password file and type a password for the root user (or any other user name):

htpasswd -c /etc/nginx/.htpasswd root

Fire nginx

service nginx restart

Fire gateone

gateone

Now you can access gateone at

https://your.server.name/gateone/

You will be prompted for a user (root) and a password (the one you chose); then you will reach the GateOne tool.
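The whole point of the setup above is that gateone is only reachable through nginx, and that nginx asks for a password before proxying. The script below is an added post-install audit (it is not part of GateOne nor of the original post) that cross-checks the two files written above: gateone must bind 127.0.0.1, nginx must proxy to the port gateone listens on, the /gateone/ location must carry an auth_basic_user_file, and ssl_protocols must not list SSLv2 or SSLv3. It reads the file paths used in this post; when they are absent it audits two constructed sample files (the JSON nesting in the sample is an assumption, only the key lines shown above matter) so it can be tried anywhere.

```shell
#!/bin/sh
# Added post-install audit for the gateone-behind-nginx setup described above.
# Not part of GateOne or of the original post. Cross-checks the two config
# files so that gateone is reachable only through the authenticating proxy.

# json_value FILE KEY: print the scalar value of a  "KEY": value  line,
# stripping the surrounding quotes and trailing comma (list values are ignored).
json_value() {
    sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# nginx_value FILE DIRECTIVE: print the arguments of the first matching directive.
nginx_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# run_audit GATEONE_CONF NGINX_CONF: print one line per check, return 0 only if all pass.
run_audit() {
    status=0
    addr=$(json_value "$1" address)
    port=$(json_value "$1" port)
    prefix=$(json_value "$1" url_prefix)

    # 1. gateone must never be bound to a public interface
    if [ "$addr" = "127.0.0.1" ]; then
        echo "ok   gateone binds loopback only ($addr:$port)"
    else
        echo "FAIL gateone address is '$addr'; it must be 127.0.0.1 so only nginx can reach it"
        status=1
    fi

    # 2. nginx must forward to the very port gateone listens on
    upstream=$(nginx_value "$2" proxy_pass)
    case "$upstream" in
        "http://localhost:$port"|"http://127.0.0.1:$port")
            echo "ok   nginx proxies to gateone ($upstream)" ;;
        *)  echo "FAIL proxy_pass is '$upstream' but gateone listens on port $port"
            status=1 ;;
    esac

    # 3. the proxied location must require HTTP basic auth
    if grep -q "^[[:space:]]*location[[:space:]]\{1,\}$prefix[[:space:]]*{" "$2" \
       && [ -n "$(nginx_value "$2" auth_basic_user_file)" ]; then
        echo "ok   location $prefix is behind HTTP basic auth"
    else
        echo "FAIL location $prefix missing or has no auth_basic_user_file"
        status=1
    fi

    # 4. no SSLv2/SSLv3 on the public listener
    protocols=$(nginx_value "$2" ssl_protocols)
    case " $protocols " in
        *SSLv2*|*SSLv3*)
            echo "FAIL ssl_protocols '$protocols' enables SSLv2/SSLv3; use TLS only"
            status=1 ;;
        *)  echo "ok   ssl_protocols: $protocols" ;;
    esac
    return $status
}

# make_sample_configs: write constructed sample files (values copied from the
# configuration shown in the post) into a temp directory and print its path.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/10server.conf" <<'EOF'
{
    "*": {
        "gateone": {
            "address": "127.0.0.1",
            "origins": ["localhost", "127.0.0.1"],
            "disable_ssl": true,
            "https_redirect": false,
            "port": 8888,
            "url_prefix": "/gateone/"
        }
    }
}
EOF
    cat > "$dir/gateone.conf" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location /gateone/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8888;
    }
}
EOF
    echo "$dir"
}

# Audit the live files when present (paths from the post), else the samples.
if [ -r /etc/gateone/conf.d/10server.conf ] && [ -r /etc/nginx/conf.d/gateone.conf ]; then
    run_audit /etc/gateone/conf.d/10server.conf /etc/nginx/conf.d/gateone.conf
else
    sample=$(make_sample_configs)
    run_audit "$sample/10server.conf" "$sample/gateone.conf"
    rm -rf "$sample"
fi
```

Run it as root after `service nginx restart`; any FAIL line means the instance can be reached without going through the password prompt, or negotiates a protocol that should not be on a public port. The checks are plain sed/grep so they work on the minimal CentOS 6 image used here.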


This entry was posted in Systems.

3 Responses to Install GateOne – an HTML5 ssh client

  1. Sami says:

    The line pyhton ./setup.py install is incorrect.
    Please correct to python ./setup.py install

    Thanks for sharing! Works very well!

  2. Lex says:

    Are you sure Apache is a pre-req for this?
