Imprivata Privileged Access Management Product Update 2.3.201901141010

January 13, 2019

PAM Update: Adds MFA option for native SSH clients, Python example for REST API and exclusive session enforcement

Highlights of this update include the MFA option for native SSH clients connecting through SSH Proxy, a Python example for accessing the PAM REST API, and the option to enforce a single session per record.

Added Multi-Factor Authentication option for native SSH clients connecting through SSH Proxy

This update brings MFA enforcement for logins made with native SSH clients such as PuTTY, SecureCRT or the command-line ssh client.

It allows quick implementation of MFA for Unix, Linux and IoT access using the familiar SSH workflow, significantly improving the security of the network.

The current implementation supports Google Authenticator natively. Other providers are supported through one-time tokens generated in the GUI (use Profile / Preferences), which also covers logging in to PAM through SAML identity providers such as AzureAD, ADFS, Okta or Shibboleth.

The option can be disabled by setting the parameter xtam.ssh.proxy.mfa.disable=true.

Added Python example to access PAM REST API

PAM provides a complete standards-based, platform-agnostic REST API covering every configuration and operation function.

This week we have extended our sample library with a Python script example that reads and creates PAM data. The sample library now includes examples of communicating with PAM servers from Unix Shell, PowerShell, Groovy, VBScript, Java, JavaScript and Python.

Added the option to enforce exclusive sessions established for the same record

The update introduces a global parameter, Exclusive Session, that, when enabled, permits only a single in-browser session for a selected record, ensuring that only one person can access a destination server at a time.

While this behavior could previously be achieved using the Checkout option in access workflows, the Exclusive Session parameter is an easy way to enable a single session per record system-wide without forcing users to supply an access reason and lock time when accessing servers.

This option is useful in combination with another update in this release: record viewers with connecting privileges can now review the currently open sessions for the selected record on the record view screen, tracing use of a shared account to the actual user of the system.
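The two pieces above fit together as a session registry: an exclusive flag that refuses a second session for the same record, and a per-record list of open sessions that attributes a shared account to the person currently using it. The following is an added example of that logic, not the product's implementation; the record ids, user names and the in-memory registry are constructed for illustration.

```python
import itertools
import threading
from dataclasses import dataclass
from typing import Dict, List


class ExclusiveSessionError(Exception):
    """Raised when Exclusive Session is on and the record already has an open session."""


@dataclass
class Session:
    session_id: int
    record_id: str
    user: str


class SessionRegistry:
    """In-memory registry of open sessions per record (constructed example).

    exclusive=True models the global Exclusive Session parameter: at most one
    open session per record. open_sessions() is what a record viewer would use
    to see who currently holds the shared account.
    """

    def __init__(self, exclusive: bool = True):
        self.exclusive = exclusive
        self._lock = threading.Lock()
        self._sessions: Dict[int, Session] = {}
        self._ids = itertools.count(1)

    def _holders(self, record_id: str) -> List[Session]:
        # caller must hold self._lock
        return [s for s in self._sessions.values() if s.record_id == record_id]

    def is_available(self, record_id: str) -> bool:
        with self._lock:
            return not (self.exclusive and self._holders(record_id))

    def open_sessions(self, record_id: str) -> List[Session]:
        with self._lock:
            return list(self._holders(record_id))

    def open(self, record_id: str, user: str) -> Session:
        # The check and the insert happen under one lock: two users racing to
        # connect must not both pass the "no open session" check.
        with self._lock:
            holders = self._holders(record_id)
            if self.exclusive and holders:
                raise ExclusiveSessionError(
                    f"record {record_id} is in use by {holders[0].user} "
                    f"(session {holders[0].session_id})"
                )
            session = Session(next(self._ids), record_id, user)
            self._sessions[session.session_id] = session
            return session

    def close(self, session_id: int) -> None:
        with self._lock:
            self._sessions.pop(session_id, None)


if __name__ == "__main__":
    registry = SessionRegistry(exclusive=True)
    first = registry.open("rec-unix-01", "alice")          # constructed record and user
    print("open on rec-unix-01:", [(s.user, s.session_id) for s in registry.open_sessions("rec-unix-01")])
    try:
        registry.open("rec-unix-01", "bob")
    except ExclusiveSessionError as err:
        print("refused:", err)
    registry.close(first.session_id)
    print("bob after alice closes:", registry.open("rec-unix-01", "bob"))
```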

Added the option to verify that the remote Windows host name matches the host name on the record before script execution

The update adds the option to verify that the remote Windows host name matches the host name on the record before executing any script on the remote computer, to detect a misconfigured or attacked name resolution service.

Manipulating the name resolution service is a potentially dangerous attack on the script execution system that might cause a password reset to be executed on the wrong computer.

Checking the computer name against the DNS-resolved name creates another barrier against DNS manipulation leading to a password reset on the wrong computer.

The option is enabled by the presence of an unchecked checkbox field named HostNameDNS in the record type of the record describing the destination computer. Checking the field disables host verification for that specific record.
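The check described in this section amounts to a guard that runs before the script: compare the name the remote computer reports for itself with the host name stored on the record, and refuse to run if they differ. The following is an added example of such a guard, not the product's own code. It assumes the record is a plain dictionary with a Host field and an optional HostNameDNS boolean (absent, False or True, following the semantics stated above), that the remote name has already been obtained through the connection (for example the output of the hostname command), and it makes one design choice of its own: a record whose Host is an IP literal cannot be name-verified, so the guard fails closed for it.

```python
import ipaddress
from typing import Dict, Tuple


def normalize_host(name: str) -> str:
    """Lower-case, trim whitespace and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def host_name_matches(record_host: str, reported_host: str) -> bool:
    """Compare the record's host name with the name the remote computer reports.

    Two fully qualified names must be identical; if either side is a short
    (NetBIOS-style) name, only the first label is compared.
    """
    record = normalize_host(record_host)
    reported = normalize_host(reported_host)
    if not record or not reported:
        return False
    if "." in record and "." in reported:
        return record == reported
    return record.split(".")[0] == reported.split(".")[0]


def host_check_enabled(record: Dict[str, object]) -> bool:
    """Semantics from the release note: the check is on when the HostNameDNS
    checkbox exists and is unchecked; checking it disables the check for the
    record; a record type without the field never runs the check."""
    if "HostNameDNS" not in record:
        return False
    return record["HostNameDNS"] is False


def script_allowed(record: Dict[str, object], reported_host: str) -> Tuple[bool, str]:
    """Decide whether a script may run on the remote computer, with a reason for the audit log."""
    host = str(record.get("Host", ""))
    if not host_check_enabled(record):
        return True, "host name verification not enabled for this record"
    try:
        ipaddress.ip_address(normalize_host(host))
        # design choice of this example: an IP-only record cannot be verified by name
        return False, f"record host {host!r} is an IP literal; name verification impossible, script not executed"
    except ValueError:
        pass
    if host_name_matches(host, reported_host):
        return True, f"remote reports {reported_host!r}, matches record host {host!r}"
    return (False,
            f"remote reports {reported_host!r} but record host is {host!r}: "
            "possible name resolution tampering, script not executed")


if __name__ == "__main__":
    # constructed records and remote replies for the demo
    record = {"Host": "srv01.corp.example", "HostNameDNS": False}
    for reply in ("SRV01", "srv01.corp.example.", "SRV07"):
        print(reply, "->", script_allowed(record, reply))
```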