I have been searching for a free or even budget-friendly cloud authentication service lately and came across JumpCloud. It is a very interesting solution and, more importantly, provides a free tier where you can easily integrate and test it without any restrictions or expiry for up to 10 users and devices. After signing up, I received an email from its CEO, Rajat, which was short and sweet and asked for any feedback. Although I took a couple of months to reply, his responses have always been quick and very helpful.
It was a great first impression because I had already pointed out that my interest and usage would be for my homelab, and obviously in the free tier, which meant he was not just trying to promote the solution for profit but was genuinely seeking feedback.
Why do I need a cloud directory?
I have been using Zentyal community edition in my lab for years. Zentyal provides a Samba-based Active Directory implementation with a web-based administration portal. You can use it as an AD replacement with built-in ISC DHCP and BIND DNS, but I only use it as central authentication for various internal systems, such as the hypervisor (Proxmox), firewall (Opnsense), password manager (Syspass) and VPN connections.
I recently wanted to provide lab access to one of my friends and, while most people don’t see this as an issue, having to set and know his password was a problem for me. As admins in enterprise environments we would normally set a temporary password and the user is then able to change it at first logon (in a Microsoft AD environment), which relies on physical access to internal resources. My friend, on the other hand, only needed access to Proxmox via a browser to test a few things and was not going to log into an AD-joined Windows VM or workstation.
Although the search for a cloud-based directory had started before this, I now had a good reason and a new requirement for such a service. One of the advantages of using a service like JumpCloud is being able to provision users and provide an email address so that they can set their own password; your involvement as an admin is very minimal!
It’s easy to get started. All you need to do is sign up for a free account, without having to provide any credit card information.
After that, you can sign in to your admin portal and manage users, systems, etc. I do like the UI very much, it is easy to find what you need and doesn’t hide anything under layers of unnecessary sub-menus.
The first thing for me was to configure a JumpCloud LDAP instance. You can of course sync from an on-prem AD, G Suite or even Office 365. Once that was set up, I created an LDAP bind user for authentication requests and non-admin users for myself and my friend.
To create an LDAP bind user, you just need to check the Enable as LDAP Bind DN option.
You can also select the user groups and systems a user is a member of or can log in to.
There are two kinds of groups: user groups and system groups. The idea is to put systems that are similar in terms of access or policy into a system group (as you would for users) and apply certain policies to that group.
To manage a system or server, JumpCloud needs an agent installed. The best thing about it is the easy provisioning and automation-friendly process. You can click on the big plus button in the Systems tab to get to the instructions, then select the operating system or automation tool and follow along. It even provides a list of supported OSes and other info with links to documentation! It really could not be easier!
Installation of the agent is really easy, and in less than a minute you’ll see the provisioned system on the portal.
Simply click on the system/server object on the portal to view system stats, OS version and IP details. To enable/disable various SSH options for a Linux system, expand Settings under the system’s Details tab. Of course this can be applied via a system policy to a group of servers too.
You can also select specific users to be provisioned on the server from the Users tab.
JumpCloud agent provisions local users to allow access to Linux, Windows or Mac systems.
Another favourite of mine is the ability to make a user admin/sudo on all systems they are associated with. There’s even an option for password-less sudo! Click on a user object and look in the Details tab to find them.
You can also add an SSH public key to a user’s profile so that it gets provisioned on their Linux system(s). Alternatively, the user can log in to the user portal and add that information themselves.
JumpCloud offers Multi-Factor Authentication for portal and system access. It can also link to your DUO account for a clean push-notification MFA, but only for the user and admin portals.
So how does it work? Simple. When you log into a system with MFA enforced, it will ask for the verification code. Bear in mind that this applies only to JumpCloud-managed users and won’t force MFA on other users. You cannot enable MFA if password authentication is enabled, and once you disable password authentication for SSH it will affect all users, as it is a global configuration on the system.
JumpCloud offers an easy-to-configure RADIUS option too. Select RADIUS from the global menu on the left and then click on the big plus button. The server name can be anything, the IP is your public IP, and you should choose a strong phrase for the shared secret. You can also enable MFA for RADIUS authentication. This is useful for VPN connections, for example, where it adds yet another layer of security.
Besides the obvious pros of a cloud-based RADIUS, there are a couple of cons with JumpCloud’s implementation.
Even though the authentication request has to come from your public IP address, the RADIUS protocol is by no means secure. The shared secret only protects the password attribute, by scrambling it with an MD5-based scheme, and that, regardless of the secret’s length or complexity, is not the best way to protect communications over the internet.
Then there’s the MFA option, which is great; however, it is only available with TOTP for RADIUS and systems. I have been using DUO for almost two years in combination with the OpenVPN server on the Opnsense firewall, and it’s as easy as pressing the approve pop-up on the mobile app to authorize the VPN connection. With JumpCloud RADIUS, you have to type in the TOTP code from an authenticator app, then a comma, followed by the user password. By contrast, this is not as user-friendly and is prone to the TOTP expiring by the time you finish typing!
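To make the two RADIUS points above concrete, here is an added example (not code from the post or from JumpCloud) of the RFC 2865 User-Password scheme: the password field, which with JumpCloud MFA carries "TOTP,password", is padded to 16-byte blocks and XORed with MD5(secret + previous block), while the User-Name and the Request Authenticator travel in the clear. The shared secret and credentials are constructed placeholders.

```python
import hashlib

# Constructed sample values for the example; not the post's real secret.
SHARED_SECRET = b"example-shared-secret-change-me"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: scramble a User-Password attribute value.

    The password is NUL-padded to a multiple of 16 bytes and XORed block by
    block with b_i = MD5(secret + c_{i-1}), where c_0 is the 16-byte Request
    Authenticator sent in the clear in the same packet. Only this one
    attribute is protected; nothing else in the datagram is.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining uses the scrambled block, not the plaintext
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password. Anyone holding the same secret and the
    on-the-wire authenticator recovers the password, which is why the
    secret must be strong and the transport itself should be protected."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def mfa_password_field(totp_code: str, password: str) -> bytes:
    """Build the combined field JumpCloud RADIUS MFA expects: '<TOTP>,<password>'."""
    return f"{totp_code},{password}".encode()


if __name__ == "__main__":
    auth = bytes(range(16))  # constructed Request Authenticator
    field = mfa_password_field("123456", "example-password")
    hidden = hide_password(field, SHARED_SECRET, auth)
    print(hidden.hex(), unhide_password(hidden, SHARED_SECRET, auth))
```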
Having brought up both of these with Rajat, his response was actually quite comforting, and hopefully there will be improvements in the near future. Below is the unedited response from Rajat:
Faranoosh - thanks for your note - I’ve passed your comments along to our team. On the RADIUS security side, we are planning on implementing cert-based authentication, so I’m hopeful that should cover some of the concerns there. I would also expect us to improve the MFA experience there and expand to other methods such as push as well, but that may not be in the short-term.
Security & Encryption
Last but not least is the concern over security and encryption of communication between various services and JumpCloud, or any DaaS solution. Although JumpCloud does allow clear-text LDAP, they also provide and encourage either LDAPS or LDAP with STARTTLS. I was more familiar with LDAPS and configured one of the Proxmox hosts to authenticate with JumpCloud.
Being a bit curious, I tried both clear-text LDAP and encrypted LDAPS and captured the corresponding packets on the host (with tshark). I then transferred the files to my desktop and analyzed them with Wireshark.
Below you can see the clear-text LDAP authentication. The Proxmox host sends out the request and, after the ACK from JumpCloud, initiates the LDAP authentication process. Digging deeper into the packets, you can see all the sensitive information, such as the LDAP bind user and the end user’s password, in plain text. I left my (test) password there intentionally because it really does make you think when you see this in real life, in a real packet leaving one of your servers out to the open net!
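As an added example (not from the post or from JumpCloud), here is what an unencrypted LDAP simple bind actually puts on the wire and what a passive observer can pull straight out of the frame: the BER-encoded BindRequest carries the bind DN and password as literal octet strings. The DN, org id and password below are constructed placeholders.

```python
# Minimal BER helpers for LDAPv3 simple bind (RFC 4511), for illustration only.

def ber_len(n: int) -> bytes:
    """Short form for lengths < 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ldap_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3,
    name LDAPDN, authentication [0] simple OCTET STRING } }.
    Message ids above 127 are not handled in this small example."""
    bind = tlv(0x60, tlv(0x02, b"\x03")
               + tlv(0x04, bind_dn.encode())
               + tlv(0x80, password.encode()))   # [0] simple = the password
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)


def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def credentials_from_frame(frame: bytes):
    """What anyone watching a clear-text LDAP session recovers from a simple bind."""
    tag, msg, _ = read_tlv(frame, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        return None                        # not a BindRequest
    _, _version, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80:
        return None                        # SASL bind, no clear-text password
    return dn.decode(), auth.decode()
```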
After seeing the horror of plain-text authentication, I switched to LDAPS and performed another packet capture. Proxmox sends out the request, JumpCloud sends back an ACK, and you see the TLS negotiation and handshake! All the communication is then encrypted with JumpCloud’s public key.
I don’t even need to hide anything in this screenshot: the application data shows only encrypted LDAP communication, which contains all those previously clear-text passwords, user info and even my JumpCloud LDAP instance information!
JumpCloud is a very promising platform. It is very easy to sign up and start in the free tier without any financial commitment. The unrestricted free tier is also perfect for trialing JumpCloud and presenting a fully functional POC.
There are also features like MDM (Apple devices) and SSO for applications to help reduce pain points in enterprise environments.
JumpCloud free is limited to only 10 users AND 10 systems, which is a great start. The subscription model is per user, and you can also customize it to fit your requirements. If you’re wondering about the number of systems you can manage in a paid model, it is a ratio of 4 systems to 1 user, according to Rajat:
When you are a paid customer you receive a ratio of 4 systems to 1 user, so if you had 100 users, you could manage 400 systems.
Disclaimer: This is not a sponsored review of JumpCloud and by no means advice to subscribe to or use the service.