Overview
PAM-TRI is an Open Source Implementation of Privilege Access Management (PAM) base on JumpServer with network integration from Netbird.
It enhances features that jumpserver don’t include in it’s open source such as peer-to-peer connection with CGNAT endpoint, site-to-site connection to other vpc or router, and integration with single-sign-on from identity provider (OIDC, OAuth 2.0, SAML 2.0, Google, Github, Azure, and Apple).
It added features with Zero Trust from Zitadel for the peer-to-peer connection to the users. This solution specifically addresses the challenges of securing servers behind NAT that cannot be exposed publicly without port forwarding and expose the private resource using reverse proxy and eliminate the compromise of security when expose to the internet.
Regular Users only got access to the terminal, nothing else.
Project Background
All of this personal project is to create an environment where NAT resources can still be managed outside without compromising it’s security. This idea come back when i work as Site Reliability Engineer.
In the future, i may add feature for this project with fully open source without SaaS. Also, this is still concept that i create that you can implement. It still base mostly on Jumpserver and Netbird stack.
How-to-deploy
There are two methods for this deployment. Choose that are suitable for you.
- Quick deployment
Quick deployment will install all the stack that are require to run the PAM and peer-to-peer integration with Netbird. It can be use for dev or staging environment.
- Production deployment
Production deployment will be the next step of integrating our stack with Cloudflare. It gives our jumpserver secure access without the need of exposing it’s public IP address with just the help of Cloudflare Access.
Prerequisites
- Latest Docker Engine
- Recommended Linux-based Operating System
- Recommended using two servers (Using one server might need to configure docker config manually)
- Valid public domain with DNS pointed to it’s server public IP for Netbird setup
Quick Deployment
The will install Jumpserver + Zitadel stack with this script.
IMPORTANTMake sure all prerequisites are already fulfilled before start following the deployment guide.
Clone this repo
git clone https://github.com/rafifdna/pam-tri.gitInstall stack
# Go to the file directory cd pam-tri # Execute bash command sudo bash start.sh sudo bash integration.sh
And that’s it, quick deployment will install stack include JumpServer, Netbird, and Zitadel. How about more?
Yes, we can do more!
Now all we need to do is make sure all the traffic encrypted from server to the end users and so on.
Don’t forget we also need to configure Zero Trust so the server able to communicate to each other.
Production Deployment (Recommended)
Here the overview for the production deployment. The different will be the Cloudflare Tunnel (cloudflared) that will be installed to Jumpserver, so the Cloudflare Access will be able to working properly.
IMPORTANTMake sure all prerequisites are already fulfilled before start following the deployment guide.
- Go to Cloudflare Zero Trust.
- Go to Cloudflare Tunnels and choose cloudflared as it’s tunnels client.
- Name the tunnel client.
- Install the tunnel client.
- Add public hostnames and point the service with it’s private IP address and port.
- Go to Settings > Authentication.
- Then in Authentication, add new login method.
- In here, you can choose any login method you want. In this guide, i add new google login method.
- To get the login method, follow the guide from the Cloudflare. Then, after that enter done.
- Go to Cloudflare Access > Applications.
- Set the public hostname.
- Set the policies.
Make sure to add the policies, you can use the example of the policies below :
example-block-policy
a. include :: everyone
b. exclude :: emails :: me@example.com
example-allow-policy
a. include :: me@example.com
b. require :: login method :: google
- Set the the login methods and save.
All set and done!
About Project
This stack is need to be run by 2 servers, one for the Jumpserver and the other for the Netbird stack.
Also, i added the lab for the peer testing connection of the Netbird.
Concern
Why not making it into 1 servers?
Technically, you can do it into 1 server by separating the port from the Caddy inside Netbird stack with different port from the Jumpserver.
Jumpserver have core service for the web that has Nginx as it’s web server. It technically work the same like Caddy. You can choose to use Caddy and configure into one. However, in this project i just keep it default.
Future project
In the next project, i plan to update the project into one unified docker container so PAM-TRI will be able to be hosted only in one server and it will open source without the need of third party SaaS or tools.
Special Thanks
Thank you for my mom and to you guys for supporting my project! You guys are amazing!