unsubbed.co

JumpServer

Open-source Privileged Access Management — SSH, RDP, Kubernetes, databases, and RemoteApp all through a browser, with full session recording.

Best for: IT teams managing mixed Windows and Linux environments with 50+ assets who need centralized access control and session auditing for compliance requirements.

TL;DR

  • What it is: Open-source Privileged Access Management (PAM) platform — supports SSH, RDP, VNC, Kubernetes, databases, and RemoteApp through a single web browser interface.
  • Who it’s for: DevOps and IT teams managing 50+ servers across mixed infrastructure (Linux, Windows, databases, K8s) who need centralized access control and session auditing.
  • Cost savings: CyberArk starts at $40K+/year for enterprise PAM. JumpServer Community Edition is free. The enterprise edition uses tiered pricing by asset count but still comes in at a fraction of commercial PAM solutions.
  • Key strength: Broadest protocol support among open-source PAM tools — native RDP with a high-performance proxy, database access for MySQL/PostgreSQL/Oracle/SQL Server, and Kubernetes access all from the browser.
  • Key weakness: The community edition gates Just-In-Time access, ticket-based approval workflows, and multi-organization support behind the enterprise license. Documentation leans heavily Chinese-first, with English docs sometimes trailing behind.

What is JumpServer

JumpServer is an open-source bastion host and Privileged Access Management platform. You install it on a Linux server, point it at your infrastructure, and every SSH session, RDP connection, database query, and Kubernetes exec runs through JumpServer’s gateway. Every action gets recorded. Every user gets audited.

The project started at FIT2CLOUD (now LXware), a Beijing-based company, and has been open-source since its early days. It crossed 30,000 GitHub stars in March 2026 with over 500,000 cumulative deployments worldwide. The codebase is GPL-3.0 licensed, and the platform consists of several modular components: Core (the Django backend), Lina (the Vue.js web UI), Luna (the web terminal), KoKo (the SSH/SFTP handler), Lion (the RDP/VNC handler), and Chen (the database proxy).

What makes JumpServer different from Apache Guacamole or a simple SSH bastion is the PAM layer. Asset inventory, credential vaulting, role-based access control, command filtering, session recording with video playback, and approval workflows are built into the platform — not bolted on. This is the tool you deploy when “who accessed what and when” is a compliance requirement, not a nice-to-have.


Why people choose it over Teleport, CyberArk, and Guacamole

Versus Teleport. JumpServer’s own comparison lays out the trade-off directly: Teleport excels at identity-aware proxy patterns for SSH and Kubernetes, with a CLI-first workflow that appeals to infrastructure-as-code teams. But Teleport “often struggles when traditional enterprise assets like Windows Servers (RDP) or various database types (MySQL, Oracle, PostgreSQL, SQL Server) are involved.” JumpServer supports all of these out of the box. The other key difference is interface philosophy — Teleport relies heavily on CLI tools, “which creates friction for auditors and managers,” while JumpServer provides “a rich, localized web interface that allows non-technical stakeholders to review audit logs and manage access.” If your team is pure Linux/K8s DevOps, Teleport might fit better. If you manage a mixed Windows/Linux/database environment and need non-engineers to review audit logs, JumpServer is the stronger choice.

Versus CyberArk. The argument is straightforward — CyberArk’s enterprise PAM starts at $40K+/year and requires a dedicated deployment team. JumpServer Community Edition covers the core PAM use cases (session recording, credential vaulting, MFA, RBAC) for free, with a one-liner install script. For organizations that need PAM for compliance but can’t justify six-figure annual licensing, JumpServer fills that gap.

Versus Apache Guacamole. Guacamole is a clientless remote desktop gateway supporting VNC, RDP, and SSH through a browser. But Guacamole is a remote access tool, not a PAM platform. It doesn’t do credential vaulting, automated asset discovery, command filtering, or compliance-grade audit trails. If you just need browser-based remote access, Guacamole works. If you need to answer “which admin accessed the production database at 3am and what commands did they run,” you need JumpServer.


Features: what it actually does

Access protocols:

  • SSH terminal and SFTP file transfer through the browser
  • Native RDP with high-performance proxy — no client software needed
  • VNC for graphical Linux/legacy systems
  • Database proxy for MySQL, PostgreSQL, Oracle, SQL Server, and more
  • Kubernetes exec through the web terminal
  • RemoteApp for publishing Windows applications
  • Web asset access for internal web portals

Security and compliance:

  • Session recording with full video playback and command search
  • Real-time session monitoring — admins can watch live sessions
  • Command filtering and governance — block dangerous commands before execution
  • Multi-Factor Authentication (MFA) with TOTP support
  • LDAP/AD integration and synchronization
  • SSO via OIDC, OAuth, SAML (enterprise edition)
  • Just-In-Time access provisioning (enterprise edition)

Asset management:

  • Automated multi-cloud asset discovery across AWS, Azure, GCP, and private clouds
  • Credential rotation and vaulting — store and rotate admin passwords automatically
  • Asset organization by region, department, or custom grouping

Architecture:

  • Modular design with pluggable components
  • High-availability deployment with HAProxy, MySQL Galera Cluster, and shared storage
  • API-first design for integration with ITSM and ticketing systems

Pricing math

JumpServer Community Edition is free — GPL-3.0 licensed, unlimited users, unlimited sessions.

The Enterprise Edition uses tiered pricing by maximum IT assets managed:

SKU          | Max Assets | Deployment
Basic        | 50         | Standalone
Standard     | 500        | Standalone or Active-Standby
Professional | 5,000      | Standalone or Active-Standby
Ultimate     | Unlimited  | HA + Active-Standby

Prices aren’t published — you contact sales. Enterprise-only features include multi-organization support, RBAC, SSO (SAML/OAuth/OIDC), multi-cloud asset sync, Oracle/SQL Server support, and ticket management.

Infrastructure costs: JumpServer recommends a minimum of 4 CPU cores and 8GB RAM. A basic deployment on a $20-40/month VPS handles 50-100 concurrent sessions.


Deployment reality

The quickstart is one command:

curl -sSL https://github.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash

This pulls Docker containers for all components and sets up a working instance. Default credentials are admin/ChangeMe — change immediately.
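Piping the download straight into bash runs whatever the URL serves at that moment, with no chance to read it first. The following is an added example, not code from this review or from the JumpServer project: it stages the same script in a file, compares it with a SHA-256 digest the operator pinned after reviewing it, and executes it only on a match. The PINNED_SHA256 value is a placeholder, and the function names and the file name install_jumpserver.sh are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the JumpServer project): stage the quick-start
# script in a file, check it against a digest pinned after review, then run it.
QUICKSTART_URL="https://github.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh"
# Placeholder: the page publishes no digest. Set it to the SHA-256 of the copy you reviewed.
PINNED_SHA256="${PINNED_SHA256:-REPLACE_WITH_DIGEST_OF_REVIEWED_SCRIPT}"

# Print the lowercase SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}
# Exit status: 0 match, 1 mismatch, 2 file missing/empty, 3 pin malformed.
verify_script() {
    local path="$1" expected="$2" actual
    [ -s "$path" ] || { echo "missing or empty: $path" >&2; return 2; }
    # A usable pin is exactly 64 hex characters; this also rejects the placeholder.
    case "$expected" in
        *[!0-9a-fA-F]*) echo "pin is not hex" >&2; return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin must be 64 hex characters" >&2; return 3; }
    actual="$(file_sha256 "$path")"
    expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
}

# Download to a file (never into a pipe), verify, and only then execute.
install_jumpserver() {
    local staged
    staged="$(mktemp)" || return 1
    # --fail stops an HTTP error page from being saved as the "installer";
    # --proto/--proto-redir keep the request and its redirects on HTTPS.
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         -o "$staged" "$QUICKSTART_URL" || { rm -f "$staged"; return 1; }
    if verify_script "$staged" "$PINNED_SHA256"; then
        bash "$staged"
    else
        echo "refusing to run unverified installer; inspect $staged" >&2
        return 1
    fi
}

# Nothing runs on load; install only when asked: ./install_jumpserver.sh --install
if [ "${1:-}" = "--install" ]; then
    install_jumpserver
fi
```

Because the URL tracks the latest release, a new release changes the digest and the check fails until the new script has been reviewed and the pin updated.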

What actually takes time: Not the install — the onboarding. You need to register all your assets (servers, databases, K8s clusters), create system users with appropriate privilege levels, define authorization rules mapping users to assets, and configure command filtering policies. A staged rollout is recommended: lab setup first, then centralizing privileged entry points, then governance and MFA enforcement, then workflow automation.

Language note: The web interface is fully localized in English, Chinese, Japanese, Korean, Portuguese, Spanish, and Russian. However, the deepest documentation, community discussions, and troubleshooting threads are predominantly in Chinese. English documentation is available but sometimes lags behind.


Who should use this

Use JumpServer if:

  • You manage mixed Windows/Linux environments with 50+ assets and need centralized PAM
  • You have compliance requirements (SOX, PCI-DSS, HIPAA) that demand session recording and audit trails
  • You’re evaluating CyberArk or BeyondTrust but lack the budget for enterprise PAM licensing
  • Your auditors and managers need a web UI to review access logs without technical knowledge

Not the right tool if:

  • You’re a pure Kubernetes/Linux shop — Teleport’s identity-aware proxy model may fit better
  • You only need browser-based remote access without PAM features — Apache Guacamole is simpler
  • You need a fully managed SaaS PAM solution — JumpServer is self-hosted only
  • Your team can’t handle Chinese-first documentation when troubleshooting edge cases

Sources

This review synthesizes 5 independent third-party articles along with primary sources from the project itself. Inline references throughout the review map to the numbered list below.

  [1] medium.com (2025-01-09) — “High Availability PAM solution: Bastion Jumpserver” — deployment
  [2] alibabacloud.com (2019-05-09) — “How to Set Up Jumpserver Bastion Host on Alibaba Cloud ECS” — deployment
  [3] easypanel.io (2026-02-21) — “JumpServer | Self-Host on Easypanel” — deployment
  [4] jumpserver.com (2026) — “Open Source PAM Solution: A Practical Guide to Privileged Access Management (and How JumpServer Fits)” — praise
  [5] jumpserver.com (2026) — “JumpServer vs Teleport: Comparative Analysis” — comparison
  [6] GitHub repository — official source code, README, releases, and issue tracker (https://github.com/jumpserver/jumpserver)
  [7] Official website — JumpServer project homepage and docs (https://jumpserver.com)

References [1]–[7] above were used to cross-check claims about features, pricing, deployment, and limitations in this review.