Imprivata Privileged Access Management Product Update 2.3.202106062305

June 6, 2021

PAM Update: Added target host selection, and host or network restriction options when connecting to SSH servers using native clients

This update added interactive target host selection and host or network restriction options when connecting to SSH servers using native clients.

Added target host selection option when connecting to SSH servers using native clients

The update adds a target host selection option when connecting to SSH servers using native clients.

The option allows asset owners to white list, several destination hosts, instead of specifying a single target host to connect.

When a user connects to such an asset using a native SSH client, the system will prompt the user to select one of the destination hosts from the list presented by the system from the configured white list.

To enable hosts whitelisting, create record level Text field Hosts to store comma-, semicolon-, colon- or newline-separated list of hosts or host:port combinations.

When the list of allowed hosts is defined for the record, SSH Proxy connect action prompts for the host selection to choose the host to connect with the credentials on record.

Added target host or network restriction option when connecting to SSH servers using native clients

The update adds a target host or network restriction option when connecting to SSH servers using native clients. The option allows the asset owners to allow users to provide destination host on record by specifying empty Host field in the record yet still restrict destination host selection by white listing destination hostname, IP addresses or IP-ranges. The option simplifies access configuration for complex networks.

To enable target host restriction, create record level Text field AllowedResolvedHosts to store a comma-separated list of hosts, IP, or IP-ranges (from-to or IP/bits) combinations. When a user provides a destination host to connect to a record configured with an empty host, the system will only allow connections to the destinations in compliance with the specified restrictions.

The target host restriction option is applicable for both WEB SSH and SSH Proxy connections made by native SSH clients.

Added server-side enforcement of white listed domains when injecting credentials to WEB Portals accessed through HTTP Proxy

The update fixed the security issue that allowed to make HTTP Proxy to reveal credentials injected into authentication workflow on one WEB Portal to another, potentially malicious, WEB Portal when using the same access token.

The update enforces HTTP Proxy to validate the destination URL on the server side with the URL on the WEB Portal record to restrict access to this specific domain.

To enable domain white listing for multiple sites in cases of SSO redirections, create record level Text field AllowedHosts to store a comma-separated list of hosts allowed for HTTP Proxy password injection procedure.