README FOR jumpsh 3.1
---------------------

jumpsh is intended for use as a login shell on an SSH "jump box". The idea is that you provide SSH service on an external system, probably on a DMZ. On that system, you set up accounts for people permitted SSH access to your network, using jumpsh as their login shell. That system, the jump box, has SSH access to hosts on your internal network. When users log in to the jump box, they're presented with a prompt to enter one of the internal hostnames; when they enter the name of an approved host, an SSH connection is immediately opened to that host.

INSTALLATION
------------

In the Makefile, set INST_ROOT to wherever you want the software installed. You may also need to change the INSTALL command, depending on the location and version of "install" on your system. Then run "make install". You may need to add the jumpsh pathname to /etc/shells.

USE
---

There are no arguments; just set each user's login shell (in /etc/passwd, or wherever user data is kept) to the jumpsh pathname.

Then, create jumpsh.list, a flat text file containing a list of approved SSH servers, one hostname per line. A user must enter one of these names or be denied access (after 3 wrong tries by default, although you can change this in the Perl script). The default location for the file is /usr/local/etc/jumpsh.list, but this can also be changed in the script.

Instead of just a plain hostname, a line in jumpsh.list can contain a "codename:hostname" pair. In this case, the user must enter the codename to open an SSH connection to "hostname". It's an additional level of security that acts as a sort of password.

If the hostname is "localhost", a shell is executed instead of an SSH session. The shell is /bin/sh, but this can be modified in the script.

Version 3 of jumpsh adds support for scp connections. There's no prompt involved, and it doesn't forward the scp anywhere. It simply bypasses the check described above to allow copying of files to the jump box (assuming SSH auth is successful). Be forewarned: since it does bypass the usual check, it might be possible to run other commands by means of some trickery I haven't anticipated (again, subject to normal SSH auth). To enable this functionality, set SCP_SUPPORT to 1 in the script.

PLATFORMS
---------

jumpsh has been written for portability to most UNIX systems. It's been tested on the following platforms:

- Darwin/Mac OS X
  - versions 6.x/10.2.x
- Linux
  - Red Hat Enterprise Linux 4.4
  - Cobalt Linux

CHANGES
-------

You're not required by the license to submit changes back to the source, but I'd appreciate portability improvements or enhancements of general applicability. You can email new versions or contextual diffs ("diff -c old_file new_file") to .

Some things to keep in mind if you do this:

- Formatting
  - I use tabs for indentation, and sometimes to align code segments for readability. Please do the same.
  - Please don't use NotePad or some other Windows editor to make changes. Or if you do, get rid of the DOS linefeeds before submitting changes.
  - Please try to follow the formatting conventions established in the existing code.
- Readability
  - Usually, I will trade off efficiency (of running time or of development time) in favor of readability.
  - Insert meaningful comments where appropriate.
- Portability
  - All shell scripts are Bourne-compatible. I won't use shell-specific constructs from bash, ksh, etc.
  - Don't use OS-specific features, pathnames, etc., unless they're guarded by code checking the OS version, or they're in user-settable variables toward the top of the script.

CONTRIBUTORS
------------

Leon Towns-von Stauber

Enjoy!

Copyright (c) 2000-2008. All rights reserved. See the LICENSE file distributed with this code for restrictions on its use and further distribution. Original distribution available at .
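The host-selection logic described in the USE section, as an added Python model of it (jumpsh itself is a Perl script; this is not the distribution's code): it parses jumpsh.list entries of both the plain and "codename:hostname" forms, treats "localhost" as a request for the local shell, enforces the three-try limit, and builds an argv list so the user's input is never handed to a shell. The sample list contents, the acceptance of blank and "#" lines, and the host names are assumptions made for the example.

```python
import os
MAX_TRIES = 3            # README default; changeable in the real script
LOGIN_SHELL = "/bin/sh"  # used when the chosen host is "localhost"

SAMPLE_LIST = """\
# constructed sample jumpsh.list, not from the distribution
db01.internal.example
tiger:app02.internal.example
admin:localhost
"""

def parse_list(text):
    """Map the name a user must type to the target host. Blank lines and
    '#' comments are skipped (assumption; the README does not mention them)."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, host = line.partition(":")
        table[name] = host if sep else name  # plain line: name is the host
    return table

def build_command(table, entered):
    """Argv to exec for an approved entry, or None. The user's text is only a
    dict key and the result is an argv list, so no shell ever parses it."""
    host = table.get(entered.strip())
    if host is None:
        return None
    if host == "localhost":
        return [LOGIN_SHELL]
    return ["ssh", host]

def choose_host(table, answers, max_tries=MAX_TRIES):
    """Prompt loop over an iterable of answers; deny after max_tries misses."""
    for attempt, entered in enumerate(answers, 1):
        argv = build_command(table, entered)
        if argv is not None:
            return argv
        if attempt >= max_tries:
            break
    return None

if __name__ == "__main__":
    table = parse_list(SAMPLE_LIST)
    argv = choose_host(table, (input("host: ") for _ in range(MAX_TRIES)))
    if argv is None:
        raise SystemExit("access denied")
    os.execvp(argv[0], argv)
```

Note that entering the real hostname behind a codename (here "app02.internal.example") is rejected; only the codename opens the connection, which is the "sort of password" behaviour the README describes.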