Imprivata Privileged Access Management Product Update 2.3.202109131006

September 12, 2021

PAM Update: Added SQL Proxy support to connect to servers in isolated networks and added channel restriction options for SSH Proxy

This update added SQL Proxy support to connect to servers in isolated networks and added channel restriction options to SSH Proxy.

Added SQL Proxy support to connect to servers in isolated networks

The update added SQL Proxy support to connect to servers in isolated networks through remote session managers.

With this update, SQL Proxy respects the proximity groups configuration to route traffic to specific servers, selected by IP address, host mask, or Vault location, through the remote session manager appropriate for those selection criteria.

This allows access to remote Oracle servers behind a firewall through a single open session manager interface.

Added the option to restrict channels available through SSH Proxy connection

The update added the option to restrict the channels available through an SSH Proxy connection. SSH Proxy can establish shell, sftp, tunnel, and exec (SCP) channels.

The new option allows system owners to restrict access to certain channels system-wide, with the option to override the global settings for an individual record.

To control the list of channels available in SSH Proxy at the system-wide level, use the global parameter SSH Proxy Allowed Channels.

This parameter controls which channels/subsystems client software may use when connecting through an SSH Proxy server.

Supported channels are:

  • shell – Allow shell connection
  • exec – Allow remote command execution including scp transfer
  • sftp – Allow file transfer using SFTP protocol
  • tunnel – Allow SSH tunnels over SSH Proxy

The system-wide settings can be overridden at record level using a String custom field named SshChannels.

There are two scenarios to override channel settings:

  1. List the channels allowed for the current record. For example, the value shell, exec allows only the shell and exec channels to open.
  2. Use the system defaults but add or remove specific channels. For example, the value +sftp,-tunnel uses the setting from the system parameter but allows sftp and denies tunnel channels.
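The following is an added example, not Imprivata code, showing how the two SshChannels override forms described above combine with the global SSH Proxy Allowed Channels value to give the effective channel set for a record. The parsing rules follow the update note; rejecting unknown channel names and mixed forms (fail closed) is an assumption, not documented product behaviour.

```python
# Added example (not Imprivata code): resolve the channels a client may open
# through SSH Proxy from the global "SSH Proxy Allowed Channels" parameter and
# a record's optional SshChannels custom field. Parsing rules follow the update
# note; rejecting unknown names and mixed forms is an assumed fail-closed choice.

SUPPORTED_CHANNELS = frozenset({"shell", "exec", "sftp", "tunnel"})


def parse_channel_list(value):
    """Split a comma-separated list, dropping whitespace and empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def effective_channels(global_setting, record_override=None):
    """Return the set of channels allowed for one record.

    An explicit list ("shell, exec") replaces the global setting; a delta
    list ("+sftp,-tunnel") starts from the global setting and adds or removes
    channels. Unknown names or a mix of both forms raise ValueError rather
    than silently widening access.
    """
    allowed = set(parse_channel_list(global_setting))
    unknown = allowed - SUPPORTED_CHANNELS
    if unknown:
        raise ValueError(f"unknown channel(s) in global setting: {sorted(unknown)}")
    items = parse_channel_list(record_override or "")
    if not items:
        return allowed  # no override: system defaults apply

    is_delta = [item[0] in "+-" for item in items]
    if all(is_delta):
        for item in items:
            name = item[1:].strip()
            if name not in SUPPORTED_CHANNELS:
                raise ValueError(f"unknown channel in override: {item!r}")
            if item[0] == "+":
                allowed.add(name)
            else:
                allowed.discard(name)
        return allowed
    if any(is_delta):
        raise ValueError("override mixes an explicit list with +/- entries")
    unknown = set(items) - SUPPORTED_CHANNELS
    if unknown:
        raise ValueError(f"unknown channel(s) in override: {sorted(unknown)}")
    return set(items)
```

A record whose override is `-shell` against a global value of `shell` resolves to an empty set, which is the expected result when an administrator wants a record to deny every channel.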