Xton Access Manager Product Update 2.3.202012062257
Today we released a new update to the Xton Privileged Access Manager software. This update adds an AWS CLI Proxy to support zero trust connections for the Amazon AWS command line tool, a forward tunnel option for Transparent Perimeter deployments, host and port controls for SSH Proxy tunnel sessions, and a password reset option for Unix hosts that use a sudo-based shadow account requiring a password prompt.
Introduced AWS CLI Proxy add-on
The update introduces the AWS CLI Proxy add-on to support zero trust connections for the Amazon AWS command line tool. The option allows sharing privileged access to AWS infrastructure without sharing AWS keys. The function uses the AWS Access Keys record type to create records that store an AWS Access Key and Secret Key. Users with Connect permissions to the record can execute the AWS command line utility and direct it through the XTAM AWS CLI Proxy, using an XTAM REST API token as the secret key and a Record ID-based access key. The XTAM AWS CLI Proxy forwards the request to AWS servers using the AWS keys from the record and returns the result to the client, while generating audit logs, a session report and session events containing the commands executed by the command line utility. The XTAM AWS CLI Proxy respects role-based permissions to the record, configured access request workflows including time-, location- and approval-based access, as well as API Token expiration and location validation.
The XTAM AWS CLI Proxy operates on the protocol level, so tools other than the native AWS CLI tool can also take advantage of it.
To enable the XTAM AWS CLI Proxy, server owners should enable XTAM HTTP Proxy in the Administration / Settings / Parameters section and restart the service. Note that AWS CLI Proxy requires a special license to enable the option.
To redirect the AWS CLI tool to an XTAM record, users should set the following properties. Note that the AWS CLI tool has multiple ways to specify these properties; the description below references environment variables. Follow the AWS CLI documentation for the other methods of specifying these parameters.
- HTTPS_PROXY – XTAM HTTP Proxy URL in the form https://xtam.company.com:8081
- HTTP_PROXY – XTAM HTTP Proxy URL in the form https://xtam.company.com:8081
- AWS_CA_BUNDLE – Path to XTAM HTTP Proxy certificate downloaded from Management / My Profile / Preferences / Certificate
- AWS_ACCESS_KEY_ID – XTAM user and asset definition in the form TOKEN-ID#RECORD, where TOKEN-ID is the REST API token ID generated using the Administration / Tokens screen and RECORD is either an XTAM Record ID or record search criteria identifying a single record with AWS access keys
- AWS_SECRET_ACCESS_KEY – REST API token generated using the Administration / Tokens screen. TOKEN-ID in the AWS_ACCESS_KEY_ID specification references the ID of the same token
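As an added illustration (not code from Xton or the AWS CLI), the helper below assembles the environment described above, so that the TOKEN-ID#RECORD composition and the https-only proxy URL are built in one place rather than typed by hand; the function names, the rejection of a non-https proxy URL and the removal of stale AWS_PROFILE / AWS_SESSION_TOKEN values are this example's own choices.

```python
import os
import subprocess


def proxy_url_ok(url):
    """The XTAM HTTP Proxy is addressed over TLS, e.g. https://xtam.company.com:8081."""
    return url.startswith("https://") and len(url) > len("https://")


def build_xtam_aws_env(token_id, token_secret, record, proxy_url, ca_bundle, base_env=None):
    """Return an environment that routes the AWS CLI through the XTAM AWS CLI Proxy.

    AWS_ACCESS_KEY_ID carries TOKEN-ID#RECORD and AWS_SECRET_ACCESS_KEY carries the
    REST API token; the real AWS keys stay inside the XTAM record.
    """
    if not token_id or "#" in token_id:
        raise ValueError("token_id must be non-empty and must not contain '#'")
    if not token_secret or not record:
        raise ValueError("token_secret and record are required")
    if not proxy_url_ok(proxy_url):
        raise ValueError("XTAM HTTP Proxy URL must use https://")
    env = dict(base_env if base_env is not None else os.environ)
    # Assumption: drop leftover AWS credential selectors so the CLI cannot fall back
    # to a locally configured profile or session instead of the proxy record.
    for stale in ("AWS_PROFILE", "AWS_SESSION_TOKEN"):
        env.pop(stale, None)
    env.update({
        "HTTPS_PROXY": proxy_url,
        "HTTP_PROXY": proxy_url,
        "AWS_CA_BUNDLE": ca_bundle,           # certificate downloaded from My Profile
        "AWS_ACCESS_KEY_ID": f"{token_id}#{record}",
        "AWS_SECRET_ACCESS_KEY": token_secret,
    })
    return env


def run_aws(args, env):
    """Run one AWS CLI command with the prepared environment; returns (rc, stdout)."""
    proc = subprocess.run(["aws", *args], env=env, capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Placeholder values; substitute your own token ID, token and record reference.
    e = build_xtam_aws_env("TOKEN-ID", "REST-API-TOKEN", "RECORD-ID",
                           "https://xtam.company.com:8081", "/path/to/xtam-proxy.pem")
    print(run_aws(["sts", "get-caller-identity"], e))
```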
Added the option to control forwarding host and forwarding port when connecting to SSH tunnels built using SSH Proxy
The update adds security restrictions on the forward hosts and ports of SSH Proxy tunnels, limiting users to only the allowed servers and ports in the destination networks. The option allows defining strictly controlled tunnel options for specified point-to-point communications. When a tunnel is designed to connect only to a specified service on selected computers, the restriction prevents a user from reaching other computers or other services by building a different tunnel through the same privileged asset. SSH Proxy produces an Operation Error audit log record for any attempt to build a tunnel to a restricted forward host or port.
To enable the option, add the following fields to the record type of the tunnel record:
- AllowedHosts (Type: String, Display name: Allowed Hosts) whose value is a comma-separated list of allowed hosts, mask/bits networks or ipFrom-ipTo ranges (example: 10.0.0.31,10.1.2.0/24,10.2.0.10-10.2.0.30)
- AllowedPorts (Type: String, Display name: Allowed Ports) whose value is a comma-separated list of allowed ports or portFrom-portTo ranges (example: 1433,14000-14100)
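The following is an added example, not Xton's implementation, of how a gatekeeper can evaluate a requested forward host:port against AllowedHosts / AllowedPorts values in exactly the formats listed above (single host, mask/bits network, ipFrom-ipTo range; single port, portFrom-portTo range). It assumes an empty field means no restriction on that dimension and that the forward host is a literal IP address; both are this example's assumptions.

```python
import ipaddress

def _host_rule(rule):
    """One AllowedHosts entry -> (ip version, low, high) as integer bounds."""
    rule = rule.strip()
    if "/" in rule:                                   # mask/bits, e.g. 10.1.2.0/24
        net = ipaddress.ip_network(rule, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    if "-" in rule:                                   # ipFrom-ipTo range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad host range: {rule}")
        return lo.version, int(lo), int(hi)
    addr = ipaddress.ip_address(rule)                 # single host
    return addr.version, int(addr), int(addr)

def _port_rule(rule):
    """One AllowedPorts entry -> (low, high); a single port is a 1-wide range."""
    parts = rule.strip().split("-", 1)
    lo, hi = int(parts[0]), int(parts[-1])
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port rule: {rule}")
    return lo, hi

def parse_allowed(hosts_field, ports_field):
    """Parse the AllowedHosts / AllowedPorts field values into rule lists.
    Assumption: an empty or missing field leaves that dimension unrestricted."""
    hosts = [_host_rule(r) for r in (hosts_field or "").split(",") if r.strip()]
    ports = [_port_rule(r) for r in (ports_field or "").split(",") if r.strip()]
    return hosts, ports

def forward_allowed(host, port, host_rules, port_rules):
    """True only if host matches some host rule AND port matches some port rule.
    Assumption: host names are rejected rather than resolved (literal IPs only)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    host_ok = not host_rules or any(
        v == addr.version and lo <= int(addr) <= hi for v, lo, hi in host_rules)
    port_ok = not port_rules or any(lo <= port <= hi for lo, hi in port_rules)
    return host_ok and port_ok

def check_forward(host, port, hosts_field, ports_field):
    """Decision plus the kind of message the proxy would log for a denied attempt."""
    hr, pr = parse_allowed(hosts_field, ports_field)
    if forward_allowed(host, port, hr, pr):
        return True, f"tunnel to {host}:{port} permitted"
    return False, f"Operation Error: tunnel to {host}:{port} blocked by AllowedHosts/AllowedPorts"
```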
Added forward tunnel option to Transparent Perimeter deployment
The update adds the option for a remote node to establish and maintain a forward tunnel to the master node, limiting all traffic from the remote node to the master node to the SSH tunnel port 22. This includes HTTPS traffic from the remote worker to the master node as well as reverse traffic from the master node to remote session managers. The option further simplifies the remote network requirements for the remote node configuration.
The forward tunnels are configured using the following properties on the remote node in the $XTAM/web/conf/catalina.properties file:
- xtam.forward.tunnel.remoteHost=Master node host for SSH connection
- xtam.forward.tunnel.remotePort=Master node port for SSH connection
- xtam.forward.tunnel.remoteUser=Master node user for SSH connection
- xtam.forward.tunnel.remotePassword=Master node user password or Private Key password for SSH connection
- xtam.forward.tunnel.remoteKey=Optional path to master node Private Key for SSH connection as an alternative for remoteUser
- xtam.forward.tunnel.forwardHost=Host in the master node network to forward tunnel to
- xtam.forward.tunnel.forwardPortLocal=Forwarded port on the remote node to map as a master node port
- xtam.forward.tunnel.forwardPortRemote=Master node port to forward traffic to (usually 443)
- xtam.forward.tunnel.forwardBindingAddress=Binding address on the remote node to expose the port to other interfaces
Note that an index in the xtam.forward.tunnel configuration allows multiple tunnels to be specified and maintained by the remote node. The forward tunnel SSH connection can be established using user / password or user / private key (optionally with a password). Also note that for proper HTTPS configuration, the master node name should resolve to the local host on the remote node.
Added the option to reset Unix password using sudo based shadow account prompting for the password
The update adds the option to manage accounts on Unix hosts using a shadow account that resets passwords through a sudo command that prompts for the shadow account password. To use this option, use the script Password Reset Remote SSH using Shadow with Prompt. The option extends the library of password reset strategies available for different configurations.
The software takes about five minutes to install on a freshly built Windows or Linux server or desktop with 2+ GB RAM and no prerequisites. After installation, please follow our Getting Started Guide for a step-by-step introduction to the application.
Read the product documentation, including Windows and Linux installation instructions as well as the Getting Started Guide: https://www.xtontech.com/resources/documentation/
Follow this link for instructions on how to update an existing setup: https://www.xtontech.com/resources/faq/updating-xton-access-manager-version/
Check the software pricing, including options and licensing FAQ: https://www.xtontech.com/store/
We appreciate your feedback and comments about Xton Access Manager and also about handling privileged accounts, passwords, keys and certificates as well as sessions to remote computers in general.
Thank you for your interest in our product.
Xton Technologies team