Gate One is an open source, web-based terminal emulator with a powerful plugin system. It comes bundled with a plugin that turns Gate One into an amazing SSH client but Gate One can actually be used to run any terminal application. You can even embed Gate One into other applications to provide an interface into serial consoles, virtual servers, or anything you like. It's a great supplement to any web-based administration interface.
Gate One works in any browser that supports WebSockets. No browser plugins required!
Gate One is released under a dual-license model. You are free to choose the license that best meets your requirements:
- The GNU Affero General Public License version 3 (AGPLv3).
- Gate One Commercial licensing.
The AGPLv3 is similar to the GPLv3 in that it requires that you publicly release the source code of your application if you distribute binaries that use Gate One. However, it has an additional obligation: You must make your source code available to everyone if your application is provided as Software-as-a-Service (SaaS) or it's part of an Application Service Provider solution.
For example, if you're running Gate One on your server as part of a SaaS solution you must give away all of your source code.
Here are some examples where Open Source licensing makes sense:
- Pre-installing Gate One as part of an open source Linux distribution.
- Embedding Gate One into an open source application that is licensed under the AGPLv3 or the GPLv3 [1].
- Bundling Gate One with an open source appliance.
- Making Gate One available as part of an open source software repository.
Considerations: Unless you want your source code to be freely available to everyone you should opt for Gate One's Commercial License.
The Commercial License offerings for Gate One are very flexible and afford businesses the flexibility to include Gate One as part of their products and services without any source code obligations. It also provides licensees with a fully-supported solution and assurances.
Here are some examples where commercial licensing is typically necessary:
- Including Gate One in software sold to customers who install it on their own equipment.
- Selling software that requires the installation of Gate One.
- Selling hardware that comes with Gate One pre-installed.
- Bundling with or including Gate One in any product protected by patents whereby you do not wish to indemnify the end-user from all patent obligations related to the purchase or use of the product.
If you merely install Gate One for production use in your business you do not need a commercial license. For these situations, Liftoff Software offers a number of commercial support and assurance options.
For more information on Gate One Commercial Licensing or support please visit our website (NOTE: Site may not be live yet).
In order to use Gate One you'll need to install the Tornado framework. You'll get additional functionality if you also install pyOpenSSL and the python-kerberos module. All three can usually be taken care of in a single command:
user@modern-host:~ $ sudo pip install tornado pyopenssl kerberos
...or if you have an older operating system:
user@legacy-host:~ $ sudo easy_install tornado pyopenssl kerberos
Note
The use of pip is recommended. See http://www.pip-installer.org/en/latest/installing.html if you don't have it.
Gate One can be installed via a number of methods, depending on which package you've got. Assuming you've downloaded the appropriate Gate One package for your operating system to your home directory...
user@redhat:~ $ sudo rpm -Uvh gateone*.rpm
user@ubuntu:~ $ sudo dpkg -i gateone*.deb
user@whatever:~ $ tar zxvf gateone*.tar.gz; cd gateone*; sudo python setup.py install
This translates to: Extract; Change into the gateone* directory; Install.
The first time you execute gateone.py it will create a default configuration file as /opt/gateone/server.conf:
user_dir = "/opt/gateone/users"
log_file_num_backups = 10
certificate = "/opt/gateone/certificate.pem"
sso_service = "HTTP"
dtach = True
embedded = False
session_logging = True
sso_realm = "EXAMPLE.COM"
auth = None
log_file_prefix = "/var/log/gateone/webserver.log"
log_file_max_size = 104857600
session_dir = "/tmp/gateone"
cookie_secret = "A45CharacterStringGeneratedAtRandom012345678"
syslog_session_logging = False
syslog_facility = "daemon"
address = "0.0.0.0"
debug = False
command = "/opt/gateone/plugins/ssh/scripts/ssh_connect.py -S '/tmp/gateone/%SESSION%/%r@%h:%p' -a '-oUserKnownHostsFile=%USERDIR%/%USER%/known_hosts'"
session_timeout = "5d"
keyfile = "/opt/gateone/keyfile.pem"
port = 443
Note
The order of these settings does not matter.
These options match up directly with Gate One's command line options which you can view at any time by executing "gateone.py --help":
root@host:~ $ ./gateone.py --help Usage: ./gateone.py [OPTIONS] Options: --help show this help information --log_file_max_size max size of log files before rollover --log_file_num_backups number of log files to keep --log_file_prefix=PATH Path prefix for log files. Note that if you are running multiple tornado processes, log_file_prefix must be different for each of them (e.g. include the port number) --log_to_stderr Send log output to stderr (colorized if possible). By default use stderr if --log_file_prefix is not set and no other logging is configured. --logging=info|warning|error|none Set the Python log level. If 'none', tornado won't touch the logging configuration. --address Run on the given address. --auth Authentication method to use. Valid options are: none, kerberos, google. --certificate Path to the SSL certificate. Will be auto-generated if none is provided. --command Run the given command when a user connects (e.g. 'nethack'). --cookie_secret Use the given 45-character string for cookie encryption. --debug Enable debugging features such as auto-restarting when files are modified. --disable_ssl If enabled, Gate One will run without SSL (generally not a good idea). --dtach Wrap terminals with dtach. Allows sessions to be resumed even if Gate One is stopped and started (which is a sweet feature =). --embedded Run Gate One in Embedded Mode (no toolbar, only one terminal allowed, etc. See docs). --keyfile Path to the SSL keyfile. Will be auto-generated if none is provided. --kill Kill any running Gate One terminal processes including dtach'd processes. --port Run on the given port. --session_dir Path to the location where session information will be stored. --session_logging If enabled, logs of user sessions will be saved in <user_dir>/logs. Default: Enabled --session_timeout Amount of time that a session should be kept alive after the client has logged out. Accepts <num>X where X could be one of s, m, h, or d for seconds, minutes, hours, and days. Default is '5d' (5 days). --sso_realm Kerberos REALM (aka DOMAIN) to use when authenticating clients. Only relevant if Kerberos authentication is enabled. --sso_service Kerberos service (aka application) to use. Defaults to HTTP. Only relevant if Kerberos authentication is enabled. --syslog_facility Syslog facility to use when logging to syslog (if syslog_session_logging is enabled). Must be one of: auth, cron, daemon, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, news, syslog, user, uucp. Default: daemon --syslog_session_logging If enabled, logs of user sessions will be written to syslog. --user_dir Path to the location where user files will be stored.
These options are detailed below in the format of:
log_file_max_size = 104857600 # Which is the result of: 100 * 1024 * 1024
This defines the maximum size of Gate One's web server log file in bytes before it is automatically rotated.
Note
Web server log settings don't apply to Gate One's user session logging features.
log_file_max_size = 10
The maximum number of backups to keep of Gate One's web server logs.
log_file_prefix = "/var/log/gateone/webserver.log"
This is the path where Gate One's web server logs will be kept. You'll get an error message if Gate One doesn't have permission to create the parent directory (if it doesn't exist) or if it can't write to files there.
log_file_prefix = False
This option tells Gate One to send web server logs to stderr (instead of to the log file).
logging = "info"
Specifies the log level of the web server logs. The default is "info". Can be one of, "info", "warning", "error", or "none".
address = "0.0.0.0"
The address that Gate One will listen for connections. Default is "0.0.0.0" (all addresses).
auth = None # NOTE: "none" (in quotes) also works.
Specifies how you want Gate One to authenticate clients. One of, "none", "google", or "kerberos".
certificate = "/opt/gateone/certificate.pem" # NOTE: The actual default is "<path to gateone>/certificate.pem"
The path to the SSL certificate Gate One will use in its web server.
Note
The file must be in PEM format.
command = "/opt/gateone/plugins/ssh/scripts/ssh_connect.py -S '/tmp/gateone/%SESSION%/%r@%h:%p' -a '-oUserKnownHostsFile=%USERDIR%/%USER%/known_hosts'"
# NOTE: The actual default is "<path to gateone>/plugins/ssh/scripts/ssh_connect.py ..."
This option specifies the command Gate One will run when a user connects or opens a new terminal. The default is for Gate One to run the ssh_connect.py script. Any interactive terminal application should work (e.g. 'nethack').
cookie_secret = "A45CharacterStringGeneratedAtRandom012345678" # NOTE: Yours will be different ;)
This is a 45-character string that Gate One will use to encrypt the cookie stored at the client. By default Gate One will generate one at random when it runs for the first time. Only change this if you know what you're doing.
Note
If you change this string in the server.conf you'll need to restart Gate One for the change to take effect.
What happens if you change it? All users existing, unexpired sessions will need to be re-authenticated. Not really a big deal since Gate One will restore everything the user was doing after the re-auth. In most cases changing the cookie secret will be completely transparent to the user.
Tip
You may have to change this key at a regular interval throughout the year depending on your compliance needs. Every few months is probably not a bad idea regardless.
debug = False
Turns on debugging: Runs Gate One in the foreground and logs all sorts of extra messages to stdout.
disable_ssl = False
Disables SSL support in Gate One. Generally not a good idea unless you know what you're doing. There's really only two reasons why you'd want to do this:
- Gate One will be running behind a proxy server that handles the SSL encryption.
- Gate One will only be connected to via localhost (kiosks, console devices, etc).
dtach = True
This feature is special: It enables Gate One to be restarted (think: upgraded) without losing user's connected sessions. This option is enabled by default.
Note
If you ever need to restart Gate One (and dtach support is enabled) users will be shown a message indicating that they have been disconnected and their browsers should automatically reconnect in 5 seconds. A 5-second maintenance window ain't bad!
embedded = False
This option tells Gate One to run in embedded mode: No interface icons will be shown to the user and certain features such as opening additional terminal windows will be disabled.
Note
Doesn't actually do anything yet. Should be available and working in the 1.0 release.
keyfile = "/opt/gateone/keyfile.pem" # NOTE: The actual default is "<path to gateone>/keyfile.pem"
The path to the SSL key file Gate One will use in its web server.
Note
The file must be in PEM format.
# It would be silly to set this in server.conf--but you could! Gate One wouldn't start but hey, whatever floats your boat!
If running with dtach support, this will kill all user's running terminal applications. Giving everyone a fresh start, as it were.
port = 443
The port Gate One should listen for connections.
Note
Gate One must run as root to utilize ports 1-1024.
session_dir = "/tmp/gateone"
The path where Gate One should keep temporary user session information. Defaults to /tmp/gateone (will be auto-created if not present).
session_logging = True
This tells Gate One to enable server-side logging of user sessions. These logs can be viewed or played back (like a video) using the Log Viewer application.
Note
Gate One stores logs of user sessions in the location specified in the user_dir option.
session_timeout = "5d"
This setting controls how long Gate One will wait before force-killing a user's disconnected session (i.e. where the user hasn't used Gate One in, say, "5d"). It accepts the following <num><character> types:
Character Meaning Example s Seconds '60s' ➡ 60 Seconds m Minutes '5m' ➡ 5 Minutes h Hours '24h' ➡ 24 Hours d Days '7d' ➡ 7 Days
Note
Even if you're using --dtach all programs associated with the user's session will be terminated when it times out.
sso_realm = "EXAMPLE.COM"
If auth = "kerberos", tells Gate One which Kerberos realm or Active Directory domain to use when authenticating users. Otherwise this setting will be ignored.
sso_realm = "HTTP"
If auth = "kerberos", tells Gate One which Kerberos service to use when authenticating clients. This is the 'service/' part of a servicePrincipalName (e.g. HTTP/somehost.example.com).
Note
Unless you really know what you're doing do not use anything other than HTTP (in all caps).
syslog_facility = "daemon"
if syslog_session_logging = True, specifies the syslog facility that user session logs will use when syslog_session_logging is enabled.
syslog_session_logging = False
This option tells Gate One to send logs of user sessions to the host's syslog daemon. Special characters and escape sequences will be sent as-is so it is up to the syslog daemon as to how to handle them. In most cases you'll wind up with log lines that look like this:
Oct 1 19:18:22 gohost gateone: %anonymous 1: Connecting to: ssh://user@somehost:22
Oct 1 19:18:22 gohost gateone: %anonymous 1: #033]0;user@somehost#007
Oct 1 19:18:22 gohost gateone: %anonymous 1: #033]_;ssh|user@somehost:22#007
Note
This option enables centralized logging if your syslog daemon is configurd to use a remote log host.
user_dir = "/opt/gateone/users" # NOTE: The actual default is "<path to gateone>/users"
Specifies the location where persistent user files will be kept. Things like session logs, ssh files (known_hosts, keys, etc), and similar are stored here.
Footnotes
| [1] | The GPLv3 and AGPLv3 each include clauses (in section 13 of each license) that together achieve a form of mutual compatibility. See AGPLv3 Section 13 and GPLv3 Section 13 |