SSH Tunnels for Privileged Access

Creating SSH Tunnels for Secure Access

A common scenario we hear from our users is that they want to provide access to an internal resource (for example, a production database) without having to open access to it externally.

In addition, allowing administrators and developers to keep using their native client tools is usually a must-have requirement.

So how can you satisfy such a requirement while maintaining security?

The answer is simple: combine PAM's privileged access management with SSH tunnels.

The user opens a secure, password-less SSH session to a jump server through the PAM SSH Proxy, and the traffic from their native client is then tunneled over that session to the desired endpoint. The endpoint itself never needs to be reachable from outside the internal network.


Other common scenarios where SSH Tunnels are used:

  • Ports cannot or should not be opened
  • The service or system should only be accessible internally
  • Firewall configurations
  • Security architecture requires it

To enable the capturing of SQL statements to the PAM Session Event report, please read our Capturing SQL Traffic article.

In the following example, we will demonstrate how PAM is configured to use a Unix jump server in order to provide an SSH tunnel from an external SQL Developer client to an internal Oracle database.


To make use of SSH tunneling, you first must enable the SSH Proxy feature in PAM. If you have not enabled this feature yet, please first read our SSH Proxy article and then return here when complete.


To learn how you can use a Public/Private key pair to authenticate SSH proxy sessions, please read our SSH Session Public Key Authentication article.


The following sections describe how to create secure SSH records in PAM and then how to use these records in your native desktop clients.


ssh -p 2022 pamuser#i-4bbAmkj4QYq@pam.company.com -L 1521:10.0.0.31:1521

Where:

  • pamuser - the PAM user who has permission to the record
  • i-4bbAmkj4QYq - record ID of the Unix Host record providing the tunnel service (the jump server)
  • pam.company.com - host name of the PAM server
  • 2022 - PAM SSH Proxy port
  • 1521 (first) - local port on the user's workstation that the native client connects to
  • 10.0.0.31 - IP address of the destination server on the internal network
  • 1521 (second) - port of the service on the destination server

Once the session is established, point the native client at localhost:1521 instead of at 10.0.0.31 directly; the SSH Proxy forwards each connection to that local port through the jump server to 10.0.0.31:1521.

Allowed Hosts

The SSH Proxy can restrict the forward hosts and ports of a tunnel so that a user can only connect to allowed servers and ports in the destination network.

This lets you define strictly controlled tunnels for specific point-to-point communications.

When a tunnel is meant to reach only a specified service on selected computers, the restriction prevents the user from building a different tunnel through the same privileged asset to reach other computers or other services.

If a user attempts to build a tunnel to a forward host or port that is not allowed, the SSH Proxy blocks it and writes an Operation Error audit log record for the attempt.

To enable the option, add the following fields to the record type of the tunnel record:

  • AllowedHosts (Type: String, Display name: Allowed Hosts) - a comma-separated list of allowed hosts, networks in mask/bits notation, or ipFrom-ipTo ranges (example: 10.0.0.31,10.1.2.0/24,10.2.0.10-10.2.0.30)
  • AllowedPorts (Type: String, Display name: Allowed Ports) - a comma-separated list of allowed ports or portFrom-portTo ranges (example: 1433,14000-14100)

Keep both lists as narrow as the use case requires; for the Oracle example above that is AllowedHosts 10.0.0.31 and AllowedPorts 1521, so the same record cannot be used to reach any other host or service.
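The following script is an added example, not the PAM product's own code. It parses the AllowedHosts and AllowedPorts formats described above, extracts the destination host and port from an ssh -L forward specification like the one used earlier on this page, and decides whether the tunnel would be permitted; a denied request corresponds to the case the SSH Proxy records as an Operation Error. Assumptions not stated by the article: an empty or absent field leaves that dimension unrestricted, the forward host must be an IP literal (a real proxy would resolve a hostname first and check the resolved address), and the sample field values in the main block are constructed for illustration (the article's AllowedHosts example plus port 1521 for the Oracle tunnel).

```python
"""Evaluate an ssh -L forward request against AllowedHosts / AllowedPorts rules.

Added example, not the PAM product's own code. The rule syntax follows the article:
  AllowedHosts: host, mask/bits network, or ipFrom-ipTo range, comma-separated
  AllowedPorts: port or portFrom-portTo range, comma-separated
Assumptions: an empty/absent field means that dimension is unrestricted, and the
forward host must be an IP literal (a proxy would resolve names first, then check).
"""
import ipaddress
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
HostRule = Union[IPNet, Tuple[IPAddr, IPAddr]]


def parse_allowed_hosts(value: str) -> List[HostRule]:
    """Parse '10.0.0.31,10.1.2.0/24,10.2.0.10-10.2.0.30' into networks and inclusive ranges."""
    rules: List[HostRule] = []
    for item in (p.strip() for p in value.split(",")):
        if not item:
            continue
        if "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range: {item!r}")
            rules.append((lo, hi))
        else:
            # strict=True rejects '10.1.2.5/24' instead of silently widening it to the /24.
            rules.append(ipaddress.ip_network(item, strict=True))
    return rules


def parse_allowed_ports(value: str) -> List[Tuple[int, int]]:
    """Parse '1433,14000-14100' into inclusive (low, high) port ranges."""
    rules: List[Tuple[int, int]] = []
    for item in (p.strip() for p in value.split(",")):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        rules.append((lo_i, hi_i))
    return rules


def host_allowed(addr: IPAddr, rules: List[HostRule]) -> bool:
    """True if addr falls inside any network or inclusive address range."""
    for rule in rules:
        if isinstance(rule, tuple):
            lo, hi = rule
            if addr.version == lo.version and lo <= addr <= hi:
                return True
        elif addr.version == rule.version and addr in rule:
            return True
    return False


def port_allowed(port: int, rules: List[Tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in rules)


def parse_forward_spec(spec: str) -> Tuple[str, int]:
    """Destination host and port of an ssh -L spec '[bind_address:]port:host:hostport'
    (unbracketed hosts only; bracketed IPv6 destinations are out of scope here)."""
    parts = spec.split(":")
    if len(parts) not in (3, 4):
        raise ValueError(f"unsupported forward spec: {spec!r}")
    return parts[-2], int(parts[-1])


def check_forward(spec: str, allowed_hosts: Optional[str], allowed_ports: Optional[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). A False result is the case the proxy logs as an Operation Error."""
    host, port = parse_forward_spec(spec)
    if allowed_hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # Matching a name rather than an address would let the user steer the ACL via DNS.
            return False, f"Operation Error: forward host {host!r} is not an IP literal"
        if not host_allowed(addr, parse_allowed_hosts(allowed_hosts)):
            return False, f"Operation Error: forward host {host} not in AllowedHosts"
    if allowed_ports and not port_allowed(port, parse_allowed_ports(allowed_ports)):
        return False, f"Operation Error: forward port {port} not in AllowedPorts"
    return True, f"tunnel to {host}:{port} permitted"


if __name__ == "__main__":
    # Constructed sample: the article's AllowedHosts example plus 1521 for the Oracle tunnel.
    ALLOWED_HOSTS = "10.0.0.31,10.1.2.0/24,10.2.0.10-10.2.0.30"
    ALLOWED_PORTS = "1521,1433,14000-14100"
    for spec in ("1521:10.0.0.31:1521", "1521:10.0.0.32:1521", "22:10.2.0.20:22",
                 "14050:10.1.2.77:14050", "1521:db.internal:1521"):
        ok, why = check_forward(spec, ALLOWED_HOSTS, ALLOWED_PORTS)
        print(f"{'ALLOW' if ok else 'DENY '} -L {spec}: {why}")
```

Run it directly to see one ALLOW line per permitted forward and a DENY line with the reason for each refused one. Both checks are evaluated per request, so a user holding a record with AllowedHosts set to a single address and AllowedPorts set to a single port can build exactly one kind of tunnel through that asset, which is the point-to-point control the Allowed Hosts option is meant to give.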