Imprivata Privileged Access Management Product Update 2.3.201908042210

August 4, 2019

PAM Update: Added password strength indicator with recommendations and support for distributed SSH Proxy deployment

This update adds a visual password strength indicator with recommendations on how to improve weaker passwords. It also adds support for distributed SSH Proxy deployment, so that native SSH clients can connect to devices in isolated networks.

Added visual password strength indicator with recommendations on how to improve weaker passwords

This update adds a visual password strength indicator, which ranks typed passwords on a scale from Weak to Very Strong, to every place where system users type passwords.

The indicator also suggests how to improve the strength of passwords ranked Weak or Fair.

The graphical indicator ranks password strength on the record editing screen for each password field, on the on-demand password reset screen, on the local user editing form and on the user profile password reset form.

In addition, the update adds a preview of a generated example password to the Password Formula editor, to visualize the passwords that can be generated using the formula on the screen.

The password sample also includes the password strength indicator together with the password strength improvement recommendations.

Added support for distributed SSH Proxy chaining serving native SSH clients to connect to devices in isolated networks

The new update adds the option to chain SSH Proxy servers to enable distributed deployment. In this scenario, a native SSH client (such as PuTTY or SecureCRT) connects to a destination device in a network that is outside the reach of both the client computer and the main node SSH Proxy server. The connection goes through a remote SSH Proxy server deployed in the destination network.

Such a scenario has long been supported for in-browser sessions through distributed session managers (see the article in the links section below). This update brings this option to sessions established using native SSH clients.

Remote SSH Proxy will be enabled automatically on the remote node based on the HTTP Proxy configuration (HTTP Proxy Enabled and HTTP Proxy Port) and the encryption key (defined by the main node configuration property cas.tgc.crypto.signing.key) communicated from the main node.

Alternatively, Remote SSH Proxy deployed on a non-remote node can be enabled on any PAM node by synchronizing the encryption key (cas.tgc.crypto.signing.key) in the configuration property file between the SSH Proxy chain nodes and specifying the parameters xtam.http.proxy.enabled=true and xtam.http.proxy.port, which initializes the Remote SSH Proxy serving in local mode.

Note that, technically, Remote SSH Proxy is implemented as an HTTP Proxy, which is why the HTTP Proxy parameters are reused for its configuration.
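For the manual setup described above, the following added example (not part of the product or its documentation) checks that a chain node's property file carries the same cas.tgc.crypto.signing.key as the main node and sets both HTTP Proxy parameters. The function names, the simple key=value parsing and the sample file contents are assumptions constructed for illustration.

```python
import hmac
import re

KEY_PROP = "cas.tgc.crypto.signing.key"  # property name from the update notes

def parse_properties(text):
    """Parse simple key=value lines of a .properties file (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props

def check_chain_node(main_text, node_text):
    """Return findings for one chain node; an empty list means it is consistent."""
    main, node = parse_properties(main_text), parse_properties(node_text)
    findings = []
    main_key, node_key = main.get(KEY_PROP, ""), node.get(KEY_PROP, "")
    if not main_key or not node_key:
        findings.append(KEY_PROP + " is not set on both nodes")
    elif not hmac.compare_digest(main_key.encode(), node_key.encode()):
        # Report the mismatch only; never echo the key material itself.
        findings.append(KEY_PROP + " differs from the main node")
    if node.get("xtam.http.proxy.enabled", "").lower() != "true":
        findings.append("xtam.http.proxy.enabled is not true")
    port = node.get("xtam.http.proxy.port", "")
    if not (re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535):
        findings.append("xtam.http.proxy.port is missing or not a valid TCP port")
    return findings

# Constructed sample property files; key values and port are placeholders.
MAIN_NODE = "# main node\ncas.tgc.crypto.signing.key=CONSTRUCTED-KEY-A\n"
NODE_OK = (
    "cas.tgc.crypto.signing.key=CONSTRUCTED-KEY-A\n"
    "xtam.http.proxy.enabled=true\n"
    "xtam.http.proxy.port=8888\n"
)
NODE_DRIFTED = (
    "cas.tgc.crypto.signing.key = CONSTRUCTED-KEY-B\n"
    "xtam.http.proxy.enabled=false\n"
)

if __name__ == "__main__":
    for name, text in (("node-ok", NODE_OK), ("node-drifted", NODE_DRIFTED)):
        print(name, check_chain_node(MAIN_NODE, text) or "consistent")
```

Because the same signing key is copied to several nodes, the check reports only whether the values match and never prints them.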

The main node configuration for Remote SSH Proxy is based on Proximity Groups, following the logic that the in-browser Session Manager uses to distribute traffic.

An SSH Proxy connection chooses the Remote SSH Proxy server based on the destination server's host name, IP address, or the vault where the records are located.