3/12/2015

Gate One - Command line applications from any HTML5 browser

Gate One

Gate One is a service that can be run on system to be able to provide secure access to any on the command line applications of the server and a SSH client.  No plugins are required for access, only an HTML5 compliant web browser.  There are both commercial and open source versions of this product available at http://liftoffsoftware.com/Products/GateOne.

Installation - Git it!

To install the Gate One you can use a git client to download it, and then execute the python setup.py install command.

  • First change to an appropriate directory as the root user
cd /usr/local

  • Clone the git repository
git clone https://github.com/liftoff/GateOne


  • Install it with setup.py in the GateOne directory
cd GateOne
python setup.py install




  • Start gateone to create a default configuration
gateone &
Once it runs, break out of the service

CTRL-c

Configuration

Configure the service with JSON files 10server.conf, 20authentication.conf, and 50terminal.conf.  The files are named with two important distinctions.  One, they are processed in alphabetical order. Two, they are only processed if they have .conf suffix.

The port to use is in 10server.conf, as I already had 443 in use.  The configuration files are found in the /etc/gateone/conf.d directory.  

cd /etc/gateone/conf.d
Edit to your liking.  Here is my  modified 10server.conf:

// This is Gate One's main settings file.
{
    // "gateone" server-wide settings fall under "*"
    "*": {
        "gateone": { // These settings apply to all of Gate One
            "address": "",
            "ca_certs": null,
            "cache_dir": "/tmp/gateone_cache",
            "certificate": "/etc/gateone/ssl/certificate.pem",
            "cookie_secret": "NGNiMjBhYjQ0M2FiNDgxYmFjOGE0ZmNkMWI1MGI0MzlhN",
            "debug": false,
            "disable_ssl": false,
            "embedded": false,
            "enable_unix_socket": false,
            "gid": "0",
            "https_redirect": false,
            "js_init": "",
            "keyfile": "/etc/gateone/ssl/keyfile.pem",
            "locale": "en_US",
            "log_file_max_size": 100000000,
            "log_file_num_backups": 10,
            "log_file_prefix": "/var/log/gateone/gateone.log",
            "log_to_stderr": null,
            "logging": "info",
            "multiprocessing_workers": null,
            "origins": ["localhost", "127.0.0.1", "localhost.localdomain", "localhost4", "localhost4.localdomain4", "localhost6", "localhost6.localdomain6"],
            "pid_file": "/var/run/gateone.pid",
            "port": 10443,
            "session_dir": "/tmp/gateone",
            "session_timeout": "5d",
            "syslog_facility": "daemon",
            "uid": "0",
            "unix_socket_path": "/tmp/gateone.sock",
            "url_prefix": "/",
            "user_dir": "/var/lib/gateone/users",
            "user_logs_max_age": "30d"
        }
    }
}

Here is my 50terminal.conf.  I added Perl, Python and Ruby applications by adding other objects in the commands for the terminal.

// This is Gate One's Terminal application settings file.
{
    // "*" means "apply to all users" or "default"
    "*": {
        "terminal": { // These settings apply to the "terminal" application
            "commands": {"SSH": {"command": "/usr/lib/python2.7/site-packages/gateone-1.2.0-py2.7.egg/gateone/applications/terminal/plugins/ssh/scripts/ssh_connect.py -S '%SESSION_DIR%/%SESSION%/%SHORT_SOCKET%' --sshfp -a '-oUserKnownHostsFile=\\\"%USERDIR%/%USER%/.ssh/known_hosts\\\"'", "description": "Connect to hosts via SSH."}, 
            "PYTHON": {"command": "/bin/python", "description": "Start Python Shell"},
            "PERL": {"command": "/bin/perl -d -e42", "description": "Start Perl Debugger Interactively"},
            "RUBY": {"command": "/bin/irb", "description": "Start Interactive Ruby Shell"}},
            "default_command": "SSH",
            "dtach": true,
            "enabled_filetypes": "all",
            "environment_vars": {"TERM": "xterm-256color"},
            "session_logging": true,
            "syslog_session_logging": false
        }
    }
}


Here is what I added to the 50terminal.conf:

,
            "PYTHON": {"command": "/bin/python", "description": "Start Python Shell"},
            "PERL": {"command": "/bin/perl -d -e42", "description": "Start Perl Debugger Interactively"},
            "RUBY": {"command": "/bin/irb", "description": "Start Interactive Ruby Shell"}}


If you want to customize how things work beyond these configuration files, then you can edit various files under the directory where gateone was installed on your system.
For example, to change the branding on the main screen from "Gate One - Applications", then the /usr/lib/python2.7/site-packages/gateone-1.2.0-py2.7.egg/gateone/static directory contains the file gateone.js, where I updated line 3342 to the following:

titleH2.innerHTML = gettext("OCS Learning Gateway");

Running GateOne Unprivileged

By default, the gateone.service systemd configuration file has the service run as the root user.  Since I wanted to be able to start programming shells, this was not something that I wanted to allow.  So, I modified the systemd configuration file for gateone.service found at: /usr/lib/systemd/system/gateone.service 

In the [Service] block, I added:
User=gateone

Update: In the 10server.conf, the uid value can also be changed from 0 to the uid of an unprivileged user.  This allows the server to start with root privileges to bind to a port, but then drop them. 

Here's what the whole gateone.service file looks like now:
[Unit]
Description=Web-based terminal

[Service]
Type=simple
PIDFile=/tmp/gateone.pid
WorkingDirectory=/var/lib/gateone
ExecStart=/usr/bin/gateone
Restart=on-abort
User=gateone

[Install]
WantedBy=multi-user.target


Next, I created the service account to match and set the proper ACLs on the user's home directory:

useradd -r -s /sbin/nologin -d /var/lib/gateone gateone
setfacl -Rm d:u:gateone:rwx /var/lib/gateone
setfacl -Rm u:gateone:rwx /var/lib/gateone

Then, I switched from the root account to the gateone user with sudo:

sudo -u gateone bash

As the gateone user, I executed gateone to create the default configuration:

gateone

Once it runs, break out of the service

CTRL-c

The configuration files for the gateone user were updated by copying from the /etc/gateone/conf.d

cp /etc/gateone/conf.d/*.conf ~gateone/.gateone/conf.d/


Applications

To send a message to the screen, you can get an application to use the JavaScript:
GateOne.Visual.displayMessage('Message notification');

To send text to the terminal application, you can use the JavaScript:
GateOne.Terminal.sendString('python\n')

No comments:

About Me - WrightRocket

My photo

I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.