Creating SSH Tunnels for Secure Access
A common scenario we hear from our users is that they want to provide access to an internal resource (for example, a production database) without having to open access to it externally. In addition, allowing their Admins and Developers to continue to use their native client tools is usually a must have requirement. So how can you satisfy such a requirement will maintaining security?
The answer is simple; use XTAM’s privileged access management while employing SSH tunnels. Using a secure, password-less SSH session to the jump server, the user’s traffic from their client is then tunneled to the desired endpoint.
Other common scenarios where SSH Tunnels are used:
- Ports cannot or should not be opened
- The service or system should only be accessible internally
- Firewall configurations
- Security architecture requires it
In the following example, we will demonstrate how XTAM is configured to use a Unix jump server in order to provide a SSH tunnel from an external SQL Developer client to an internal Oracle database.
Create a Unix record in XTAM that will be used as the jump server for the ssh tunnel
Open your preferred SSH client (our example is using the Windows 10 Command Prompt) and create your tunnel using the following syntax:
ssh <your XTAM userName>#<XTAM record name or ID of the jump server>@<XTAM host url>-p <XTAM SSH Proxy port number> -L <local listening port>:<remote host>:<remote listening port>
ssh firstname.lastname@example.org -p 2022 -L 1521:10.0.0.145:1521
- bwilliams – our XTAM user
- 41603 – our XTAM record ID for our Unix jump server. You can also use the XTAM record Name, assuming it is unique.
- xtam.company.com – our XTAM host URL
- 2022 – our XTAM SSH Proxy port number
- 1521 – our local listening port (1521 is the default for Oracle)
- 10.0.0.145 – our Oracle database host IP
- 1521 – our remote listening port
- -N – (optional) to create the tunnel as a user with the “nologin” shell
You should now see the display message XTAM Secure Proxy Shell indicating that the traffic is being routed through XTAM. At the password prompt, enter the XTAM user’s password.
Once authenticated, the SSH tunnel is created. We can now connect to our internal Oracle database using localhost or 127.0.0.1 as the Hostname and port 1521. The traffic will be forwarded to the destination server behind our firewall.
When finished, you can close the tunnel.
Application SSH Tunnel Configuration Examples
Oracle SQL Developer