Configuration

The first time you execute gateone.py it will create a default configuration file as /opt/gateone/settings/10server.conf:

10server.conf

// This is Gate One's main settings file.
{
    // "gateone" server-wide settings fall under "*"
    "*": {
        "gateone": { // These settings apply to all of Gate One
            "address": "",
            "ca_certs": null,
            "cache_dir": "/tmp/gateone_cache",
            "certificate": "certificate.pem",
            "combine_css": "",
            "combine_css_container": "#gateone",
            "combine_js": "",
            "cookie_secret": "Yjg3YmUzOGUxM2Q2NDg3YWI1MTI1YTU3MzVmZTI3YmUzZ",
            "debug": false,
            "disable_ssl": false,
            "embedded": false,
            "enable_unix_socket": false,
            "gid": "0",
            "https_redirect": false,
            "js_init": "",
            "keyfile": "keyfile.pem",
            "locale": "en_US",
            "log_file_max_size": 100000000,
            "log_file_num_backups": 10,
            "log_file_prefix": "/opt/gateone/logs/webserver.log",
            "log_to_stderr": null,
            "logging": "info",
            "origins": [
                "localhost", "127.0.0.1", "enterprise",
                "enterprise.example.com", "10.1.1.100"],
            "pid_file": "/tmp/gateone.pid",
            "port": 443,
            "session_dir": "/tmp/gateone",
            "session_timeout": "5d",
            "syslog_facility": "daemon",
            "syslog_host": null,
            "uid": "0",
            "unix_socket_path": "/tmp/gateone.sock",
            "url_prefix": "/",
            "user_dir": "/opt/gateone/users",
            "user_logs_max_age": "30d"
        }
    }
}

Note

The settings under "gateone" can appear in any order.

These options match up directly with Gate One's command line options which you can view at any time by executing "gateone.py --help":

$ gateone --help
[E 160618 14:04:28 __init__:18] In order to use the X11 application you must install the xpyb module.  This can usually be handled via:  sudo pip install xpyb ||  sudo apt-get install python-xpyb
Usage: /usr/local/bin/gateone [OPTIONS]

Options:


/usr/local/lib/python3.5/dist-packages/gateone-1.2.0-py3.5.egg/gateone/core/configuration.py options:

  --help                           Show this help information

/usr/local/lib/python3.5/dist-packages/tornado-4.3-py3.5-linux-x86_64.egg/tornado/log.py options:

  --log_file_max_size              max size of log files before rollover (default 100000000)
  --log_file_num_backups           number of log files to keep (default 10)
  --log_file_prefix=PATH           Path prefix for log files. Note that if you are running multiple tornado processes, log_file_prefix must be different for each of them (e.g. include the port number)
  --log_rotate_interval            The interval value of timed rotating (default 1)
  --log_rotate_mode                The mode of rotating files(time or size) (default size)
  --log_rotate_when                specify the type of TimedRotatingFileHandler interval other options:('S', 'M', 'H', 'D', 'W0'-'W6') (default midnight)
  --log_to_stderr                  Send log output to stderr (colorized if possible). By default use stderr if --log_file_prefix is not set and no other logging is configured.
  --logging=debug|info|warning|error|none 
                                   Set the Python log level. If 'none', tornado won't touch the logging configuration. (default info)

gateone options:

  --address                        Run on the given address.  Default is all addresses (IPv6 included).  Multiple address can be specified using a semicolon as a separator (e.g. '127.0.0.1;::1;10.1.1.100').
  --api_keys                       The 'key:secret,...' API key pairs you wish to use (only applies if using API authentication)
  --api_timestamp_window           How long before an API authentication object becomes invalid. (default 30s)
  --auth                           Authentication method to use.  Valid options are: none, api, cas, google, ssl, pam (default none)
  --ca_certs                       Path to a file containing any number of concatenated CA certificates in PEM format.  They will be used to authenticate clients if the 'ssl_auth' option is set to 'optional' or 'required'.
  --cache_dir                      Path where Gate One should store temporary global files (e.g. rendered templates, CSS, JS, etc). (default /home/riskable/.gateone/cache)
  --certificate                    Path to the SSL certificate.  Will be auto-generated if not found. (default /etc/gateone/ssl/certificate.pem)
  --combine_css                    Combines all of Gate One's CSS Template files into one big file and saves it to the given path (e.g. ./gateone.py --combine_css=/tmp/gateone.css).
  --combine_css_container          Use this setting in conjunction with --combine_css if the <div> where Gate One lives is named something other than #gateone (default gateone)
  --combine_js                     Combines all of Gate One's JavaScript files into one big file and saves it to the given path (e.g. ./gateone.py --combine_js=/tmp/gateone.js)
  --command                        DEPRECATED: Use the 'commands' option in the terminal settings.
  --config                         DEPRECATED.  Use --settings_dir. (default /opt/gateone/server.conf)
  --configure                      Only configure Gate One (create SSL certs, conf.d, etc).  Do not start any Gate One processes. (default False)
  --cookie_secret                  Use the given 45-character string for cookie encryption.
  --debug                          Enable debugging features such as auto-restarting when files are modified. (default False)
  --disable_ssl                    If enabled Gate One will run without SSL (generally not a good idea). (default False)
  --embedded                       When embedding Gate One this option is available to plugins, applications, and templates so they know they're running in embedded mode and can change behavior (if necessary). (default False)
  --enable_unix_socket             Enable Unix socket support. (default False)
  --gid                            Drop privileges and run Gate One as this group/gid. (default 1000)
  --https_redirect                 If enabled a separate listener will be started on port 80 that redirects users to the configured port using HTTPS. (default False)
  --js_init                        A JavaScript object (string) that will be used when running GateOne.init() inside index.html.  Example: --js_init="{theme: 'white'}" would result in GateOne.init({theme: 'white'})
  --keyfile                        Path to the SSL keyfile.  Will be auto-generated if none is provided. (default /etc/gateone/ssl/keyfile.pem)
  --locale                         The locale (e.g. pt_PT) Gate One should use for translations.  If not provided, will default to $LANG (which is 'en_US' in your current shell). (default en_US)
  --multiprocessing_workers        The number of processes to spawn use when using multiprocessing. Default is: <number of cores> + 1.  Set to 0 to disable multiprocessing.
  --new_api_key                    Generate a new API key that an external application can use to embed Gate One. (default False)
  --origins                        A semicolon-separated list of origins you wish to allow access to your Gate One server over the WebSocket.  This value may contain hostnames/FQDNs (e.g. foo;foo.bar;) and IP addresses.  This
                                   value must contain all the hostnames/IPs that users will use to connect to Gate One.  Alternatively, '*' may be  specified to allow access from anywhere.  NOTE: Using a '*' is only a good idea
                                   if you've configured Gate One to use API authentication. (default localhost;127.0.0.1;somehost.example.com;somehost;127.0.1.1)
  --pam_realm                      Basic auth REALM to display when authenticating clients.  Default: hostname.  Only relevant if PAM authentication is enabled. (default somehost)
  --pam_service                    PAM service to use.  Defaults to 'login'. Only relevant if PAM authentication is enabled. (default login)
  --pid_file                       Define the path to the pid file. (default /home/riskable/.gateone/gateone.pid)
  --port                           Run on the given port. (default 10443)
  --session_dir                    Path to the location where session information will be stored. (default /home/riskable/.gateone/sessions)
  --session_timeout                Amount of time that a session is allowed to idle before it is killed.  Accepts <num>X where X could be one of s, m, h, or d for seconds, minutes, hours, and days.  Set to '0' to disable the
                                   ability to resume sessions. (default 5d)
  --settings_dir                   Path to the settings directory. (default /home/riskable/.gateone/conf.d)
  --ssl_auth                       Enable the use of client SSL (X.509) certificates as a secondary authentication factor (the configured 'auth' type will come after SSL auth).  May be one of 'none', 'optional', or 'required'.
                                   NOTE: Only works if the 'ca_certs' option is configured. (default none)
  --sso_realm                      Kerberos REALM (aka DOMAIN) to use when authenticating clients.  Only relevant if Kerberos authentication is enabled.
  --sso_service                    Kerberos service (aka application) to use.  Only relevant if Kerberos authentication is enabled. (default HTTP)
  --syslog_facility                Syslog facility to use when logging to syslog (if syslog_session_logging is enabled).  Must be one of: auth, cron, daemon, kern, local0, local1, local2, local3, local4, local5, local6, local7,
                                   lpr, mail, news, syslog, user, uucp. (default daemon)
  --uid                            Drop privileges and run Gate One as this user/uid. (default 1000)
  --unix_socket_mode               Unix socket mode (if --enable_unix_socket=True). (default 0600)
  --unix_socket_path               Path to the Unix socket (if --enable_unix_socket=True). (default /tmp/gateone.sock)
  --url_prefix                     An optional prefix to place before all Gate One URLs. e.g. '/gateone/'.  Use this if Gate One will be running behind a reverse proxy where you want it to be located at some sub-URL path.
                                   (default /)
  --user_dir                       Path to the location where user files will be stored. (default /home/riskable/.gateone)
  --user_logs_max_age              Maximum length of time to keep any given user log before it is automatically removed. (default 30d)
  --version                        Display version information.

terminal options:

  --dtach                          Wrap terminals with dtach. Allows sessions to be resumed even if Gate One is stopped and started (which is a sweet feature). (default True)
  --kill                           Kill any running Gate One terminal processes including dtach'd processes. (default False)
  --session_logging                If enabled, logs of user sessions will be saved in <user_dir>/<user>/logs.  Default: Enabled (default True)
  --syslog_session_logging         If enabled, logs of user sessions will be written to syslog. (default False)

Commands:

  Usage: /usr/local/bin/gateone <command> [OPTIONS]

  GateOne supports many different CLI 'commands' which can be used to invoke special functionality provided by plugins and applications (and application's plugins).  Each command can have it's own options and most will have a
  --help function of their own.

Commands provided by 'gateone':

  broadcast                        Broadcast messages to users connected to Gate One.
  install_license                  Install a commercial license for Gate One.
  validate_authobj                 Test API authentication by validating a JSON auth object.

Commands provided by 'gateone.applications.terminal':

  termlog                          View terminal session logs.

Example command usage:

  /usr/local/bin/gateone termlog --help

These options are detailed below in the format of:

Name
--command_line_option
Default value as it is defined in the .conf files in the `settings_dir`.
Description

Tornado Framework Options

The options below are built-in to the Tornado framework. Since Gate One uses Tornado they'll always be present.

log_file_max_size

--log_file_max_size=bytes
"log_file_max_size": 104857600 // Which is the result of: 100 * 1024 * 1024

This defines the maximum size of Gate One's web server log file in bytes before it is automatically rotated.

Note

Web server log settings don't apply to Gate One's user session logging features.

log_file_num_backups

--log_file_num_backups=integer
"log_file_max_size": 10

The maximum number of backups to keep of Gate One's web server logs.

log_file_prefix

--log_file_prefix=string (file path)
"log_file_prefix": "/opt/gateone/logs/webserver.log"

This is the path where Gate One's web server logs will be kept.

Note

If you get an error like this:

IOError: [Errno 13] Permission denied: '/opt/gateone/logs/webserver.log'

It means you need to change this setting to somewhere your user has write access such as /var/tmp/gateone_logs/webserver.log.

log_to_stderr

--log_to_stderr=boolean
"log_to_stderr": False

This option tells Gate One to send web server logs to stderr (instead of to the log file).

logging

--logging=string (info|warning|error|none)
"logging": "info"

Specifies the log level of the web server logs. The default is "info". Can be one of, "info", "warning", "error", or "none".

Global Gate One Options

The options below represent settings that are specific to Gate One, globally. Meaning, they're not tied to specific applications or plugins.

address

--address=string (IPv4 or IPv6 address)
"address": "" // Empty string means listen on all addresses

Specifies the IP address or hostname that Gate One will listen for incoming connections. Multiple addresses may provided using a semicolon as the separator. For example:

"address": "localhost;::1;10.1.1.100" // Listen on localhost, the IPv6 loopback address, and 10.1.1.100

See also

--port

api_keys

--api_keys=string (key1:secret1,key2:secret2,...)
"api_keys": {
    "ZWVkOWJjZ23yNjNlNDQ1YWE3MThiYmI0M72sujFhODFiZ": "NTg5NTllOTIyMD1lNGU1MzkzZDM4NjVkZWNGNDdlN2RmO"
}

Specifies a list of API keys (key:value pairs) that can be used when performing using Gate One's authentication API.

api_timestamp_window

--api_timestamp_window=string (special: [0-9]+[smhd])
"api_timestamp_window": "30s"

This setting controls how long API authentication objects will last before they expire if --auth is set to 'api' (default is 30 seconds). It accepts the following <num><character> types:

Character Meaning Example
s Seconds '60s' ➡ 60 Seconds
m Minutes '5m'  ➡ 5 Minutes
h Hours '24h' ➡ 24 Hours
d Days '7d'   ➡ 7 Days

Note

If the value is too small clock drift between the Gate One server and the web server embedding it can cause API authentication to fail. If the setting is too high it provides a greater time window in which an attacker can re-use that token in the event the Gate One server is restarted. Important: Gate One keeps track of used authentication objects but only in memory. If the server is restarted there is a window in which an API authentication object can be re-used (aka an authentication replay attack). That is why you want the api_timestamp_window to be something short but not too short as to cause problems if a clock gets a little out of sync.

auth

--auth=string (none|pam|google|kerberos|api)
"auth": "none"

Specifies how you want Gate One to authenticate clients. One of, "none", "pam", "google", "kerberos", or "api".

ca_certs

--ca_certs=string (file path)
"ca_certs": "/opt/gateone/ca_certs.pem" // Default is None

Path to a file containing any number of concatenated CA certificates in PEM format. They will be used to authenticate clients if the --ssl_auth option is set to 'optional' or 'required'.

cache_dir

--cache_dir=string (directory path)
"cache_dir": "/tmp/gateone_cache"

Path to a directory where Gate One will cache temporary information (for performance/memory reasons). Mostly for things like templates, JavaScript, and CSS files that have been rendered and/or minified.

certificate

--certificate=string (file path)
"certificate": "/etc/gateone/ssl/certificate.pem"

The path to the SSL certificate Gate One will use in its web server.

Note

The file must be in PEM format.

combine_css

--combine_css=string (file path)

This option tells Gate One to render and combine all its CSS files into a single file (i.e. so you can deliver it via some other web server/web cache/CDN). The file will be saved at the provided path.

combine_css_container

--combine_css_container=string (e.g. 'gateone')

When combining CSS into a single file, this option specifies the name of the '#gateone' container element (if something else). It is used when rendering CSS templates.

combine_js

--combine_js=string (file path)

This option tells Gate One to combine all its JavaScript files into a single file (i.e. so you can deliver it via some other web server/web cache/CDN). The file will be saved at the provided path.

command

--command=string (program path)

Deprecated since version 1.2: This option has been replaced by the Terminal application's 'commands' option which supports multiple. See Terminal Configuration.

config

--config=string (file path)

Deprecated since version 1.2: This option has been replaced by the --settings_dir option.

debug

--debug=boolean
"debug": false

Turns on Tornado's debug mode: If a change is made to any Python code while gateone.py is running it will automatically restart itself. Cached templates will also be regenerated.

disable_ssl

--disable_ssl=boolean
"disable_ssl": false

Disables SSL support in Gate One. Generally not a good idea unless you know what you're doing. There's really only two reasons why you'd want to do this:

  • Gate One will be running behind a proxy server that handles the SSL encryption.
  • Gate One will only be connected to via localhost (kiosks, console devices, etc).

embedded

--embedded=boolean
"embedded": false

This option is available to applications, plugins, and CSS themes/templates (if desired). It is unused by Gate One proper but can be used at your discretion when embedding Gate One.

Note

This isn't the same thing as "embedded mode" in the JavaScript code. See GateOne.prefs.embedded in gateone.js.

enable_unix_socket

--enable_unix_socket=boolean
"enable_unix_socket": false

Tells Gate One to listen on a Unix socket. The path to said socket is defined in --unix_socket_path.

gid

--gid=string
"gid": "0" // You could also put "root", "somegroup", etc

If run as root, Gate One will drop privileges to this group/gid after starting up. Default: 0 (aka root)

https_redirect

--https_redirect
"https_redirect": false

If https_redirect is enabled, Gate One will listen on port 80 and redirect incoming connections to Gate One's configured port using HTTPS.

js_init

--js_init=string (JavaScript Object)
"js_init": ""

This option can be used to pass parameters to the GateOne.init() function whenever Gate One is opened in a browser. For example:

"js_init": "{'theme': 'white', 'fontSize': '120%'}"

For a list of all the possible options see GateOne.prefs in the Developer Documentation under gateone.js.

Note

This setting will only apply if you're not using embedded mode.

keyfile

--keyfile=string (file path)
"keyfile": "/etc/gateone/ssl/keyfile.pem"

The path to the SSL key file Gate One will use in its web server.

Note

The file must be in PEM format.

locale

--locale=string (locale string)
"locale": "en_US"

This option tells Gate One which local translation (native language) to use when rendering strings. The first time you run Gate One it will attempt to automatically detect your locale using the $LANG environment variable. If this variable is not set it will fall back to using en_US.

Note

If no translation exists for your local the English strings will be used.

new_api_key

--new_api_key

This command line option will generate a new, random API key and secret for use with applications that will be embedding Gate One. Instructions on how to use API-based authentication can be found in the Embedding Gate One Into Other Applications.

Note

By default generated API keys are placed in <settings_dir>/20api_keys.conf.

origins

--origins=string (semicolon-separated origins)
"origins": ["localhost", "127.0.0.1", "enterprise", "enterprise\\..*.com", "10.1.1.100"]

Note

The way you pass origins on the command line is very different from how they are stored in 10server.conf. The CLI option uses semicolons to delineate origins whereas the 10server.conf contains an actual JSON array.

By default Gate One will only allow connections from web pages that match the configured origins. If a user is denied access based on a failed origin check a message will be logged like so:

[I 120831 15:32:12 gateone:1043] WebSocket closed (ANONYMOUS).
[E 120831 15:32:17 gateone:943] Access denied for origin: https://somehost.company.com

Note

Origins do not contain protocols/schemes, paths, or trailing slashes!

Warning

If you see unknown origins the logs it could be an attacker trying to steal your user's sessions! The origin that appears in the log will be the hostname that was used to connect to the Gate One server. This information can be used to hunt down the attacker. Of course, it could just be that a new IP address or hostname has been pointed to your Gate One server and you have yet to add it to the --origins setting ☺.

pam_realm

--pam_realm=string (hostname)
"pam_realm": "somehost"

If --auth is set to "pam" Gate One will present this string in the BASIC auth dialog (essentially, the login dialog will say, "REALM: <pam_realm>"). Also, the user's directory will be created in --user_dir as user@. Make sure to use path-safe characters!

pam_service

--pam_service=string
"pam_service": "login"

If --auth is set to "pam", tells Gate One which PAM service to use when authenticating clients. Defaults to 'login' which is typically configured via /etc/pam.d/login.

Tip

You can change this to "gateone" and create a custom PAM config using whatever authentication back-end you want. Just set it as such and create /etc/pam.d/gateone with whatever PAM settings you like.

pid_file

--pid_file=string
"pid_file": "/var/run/gateone.pid"

The path to Gate One's PID file.

Note

If you're not running Gate One as root it's possible to get an error like this:

IOError: [Errno 13] Permission denied: '/var/run/gateone.pid'

This just means you need to change this setting to point somewhere your user has write access such as /tmp/gateone.pid.

port

--port=integer (1-65535)
"port": 443

The port Gate One should listen for connections.

Note

Gate One must started as root to utilize ports 1-1024.

Tip

If you set --uid and/or --gid to something other than "0" (aka root) Gate One will drop privileges to that user/group after it starts. This will allow the use of ports under 1024 while maintaining security best practices by running as a user/group with lesser privileges.

session_dir

--session_dir=string (file path)
"session_dir": "/tmp/gateone"

The path where Gate One should keep temporary user session information. Defaults to /tmp/gateone (will be auto-created if not present).

session_timeout

--session_timeout=string (special: [0-9]+[smhd])
"session_timeout": "5d"

This setting controls how long Gate One will wait before force-killing a user's disconnected session (i.e. where the user hasn't used Gate One in, say, "5d"). It accepts the following <num><character> types:

Character Meaning Example
s Seconds '60s' ➡ 60 Seconds
m Minutes '5m'  ➡ 5 Minutes
h Hours '24h' ➡ 24 Hours
d Days '7d'   ➡ 7 Days

Note

Even if you're using --dtach all programs associated with the user's session will be terminated when the timeout is reached.

ssl_auth

--ssl_auth=string (None|optional|required)
"ssl_auth": "none"

If set to 'required' or 'optional' this setting will instruct Gate One to authenticate client-side SSL certificates. This can be an excellent added layer of security on top of Gate One's other authentication options. Obviously, only the 'required' setting adds this protection. If set to 'optional' it merely adds information to the logs.

Note

This option must be set to 'required' if --auth is set to "ssl". The two together allow you to use SSL certificates as a single authentication method.

sso_realm

--sso_realm=string (Kerberos realm or Active Directory domain)
"sso_realm": "EXAMPLE.COM"

If --auth is set to "kerberos", tells Gate One which Kerberos realm or Active Directory domain to use when authenticating users. Otherwise this setting will be ignored.

Note

SSO stands for Single Sign-On.

sso_service

--sso_service=string (kerberos service name)
"sso_service": "HTTP"

If --auth is set to "kerberos", tells Gate One which Kerberos service to use when authenticating clients. This is the 'service/' part of a principal or servicePrincipalName (e.g. HTTP/somehost.example.com).

Note

Unless you really know what you're doing do not use anything other than HTTP (in all caps).

syslog_facility

--syslog_facility=string (auth|cron|daemon|kern|local0|local1|local2|local3|local4|local5|local6|local7|lpr|mail|news|syslog|user|uucp)
"syslog_facility": "daemon"

if --syslog_session_logging is set to True, specifies the syslog facility that user session logs will use in outgoing syslog messages.

uid

--uid=string
"uid": "0" // You could also put "root", "someuser", etc

If run as root, Gate One will drop privileges to this user/uid after starting up. Default: 0 (aka root)

unix_socket_path

--unix_socket_path=string (file path)
"unix_socket_path": "/tmp/gateone.sock"

Path to the Unix socket (if --enable_unix_socket is "true").

url_prefix

--url_prefix=string (e.g. "/ssh/")
"url_prefix": "/"

This specifies the URL path Gate One will live when it is accessed from a browser. By default Gate One will use "/" as its base URL; this means that you can connect to it using a URL like so: https://mygateone.company.com/

That "/" at the end of the above URL is what the url_prefix is specifying. If you wanted your Gate One server to live at https://mygateone.company.com/gateone/ you could set url_prefix="/gateone/".

Note

This feature was added for users running Gate One behind a reverse proxy so that many apps (like Gate One) can all live behind a single base URL.

Tip

If you want to place your Gate One server on the Internet but don't want it to be easily discovered/enumerated you can specify a random string as the gateone prefix like url_prefix="/fe34b0e0c074f486c353602/". Then only those who have been made aware of your obfuscated URL will be able to access your Gate One server (at https://gateone.company.com/fe34b0e0c074f486c353602/ ☺)

user_dir

--user_dir=string (file path)
"user_dir": "/var/lib/gateone/users"

Specifies the location where persistent user files will be kept. Things like session logs, ssh files (known_hosts, keys, etc), and similar are stored here.

user_logs_max_age

--user_logs_max_age=string (special: [0-9]+[smhd])
"user_dir": "30d"

This setting controls how long Gate One will wait before old user session logs are cleaned up. It accepts the following <num><character> types:

Character Meaning Example
s Seconds '60s' ➡ 60 Seconds
m Minutes '5m'  ➡ 5 Minutes
h Hours '24h' ➡ 24 Hours
d Days '7d'   ➡ 7 Days

Note

This is not a Terminal-specific setting. Other applications can and will use user session logs directory (<user_dir>/logs).

version

--version

Displays the current Gate One version as well as the version information of any installed applications. Example:

root@host:~ $ gateone --version
Gate One:
     Version: 1.2.0 (20140226213756)
Installed Applications:
     Terminal Version: 1.2
     X11 Version: 1.0

Terminal Application Options

The options below are specific (and supplied by) the Terminal application.

dtach

--dtach=boolean
"dtach": true

This feature is special: It enables Gate One to be restarted (think: upgraded) without losing user's connected sessions. This option is enabled by default.

If dtach support is enabled but the dtach command cannot be found Gate One will output a warning message in the log.

Note

If you ever need to restart Gate One (and dtach support is enabled) users will be shown a message indicating that they have been disconnected and their browsers should automatically reconnect in 5 seconds. A 5-second maintenance window ain't bad!

kill

--kill

If running with dtach support, this will kill all user's running terminal applications. Giving everyone a fresh start, as it were.

session_logging

--session_logging
session_logging = True

This tells Gate One to enable server-side logging of user terminal sessions. These logs can be viewed or played back (like a video) using the Log Viewer application.

Note

Gate One stores logs of user sessions in the location specified in the --user_dir option.

syslog_session_logging

--syslog_session_logging
"syslog_session_logging": false

This option tells Gate One to send logs of user sessions to the host's syslog daemon. Special characters and escape sequences will be sent as-is so it is up to the syslog daemon as to how to handle them. In most cases you'll wind up with log lines that look like this:

Oct  1 19:18:22 gohost gateone: ANONYMOUS 1: Connecting to: ssh://user@somehost:22
Oct  1 19:18:22 gohost gateone: ANONYMOUS 1: #033]0;user@somehost#007
Oct  1 19:18:22 gohost gateone: ANONYMOUS 1: #033]_;ssh|user@somehost:22#007

Note

This option enables centralized logging if your syslog daemon is configurd to use a remote log host.