Database & SSH Logins

Overview

The mamori server has built-in proxies for SSH and database connections. To apply controls and provide access-on-demand over database and ssh connections you must route all desired connections via the proxies running on the mamori server.

The features that become available via the proxies are listed below.

Enable Mamori database proxies to:

  • SSO & multi-factor database connections
  • Access-On-Demand to RDS, servers, and databases
  • Update access to RDS & servers without having to modify network rules
  • SQL firewall rules
  • Identity based activity monitoring & audit
  • Isolate databases and RDS from random network IP access and scans
  • Control database permissions without having to create specialized DB credentials
  • Eliminate handing DevOps team database credentials

Enable Mamori SSH proxies to:

  • SSO & multi-factor SSH, SCP & SFTP connections
  • Record & playback sessions
  • Prevent tunnelling
  • Simplify server key management and deployment
  • Eliminate named account sprawl



Steps

Step 1 - Add the mamori server to the whitelist of target RDS and servers

Step 2 - Configure mamori data sources and ssh logins

Step 3 - Provision user access and test access via mamori

Step 4 - Update RDS and servers to whitelist only application servers and the mamori server

Step 5 - Lockdown the application service accounts that are going via mamori

Typically, application database connections are only routed through the mamori server if you want to implement global masking rules or apply SQL injection prevention policies.

If this is required for a critical application, then have one HA mamori server for the application traffic and another for the ad hoc traffic.




Database Access Controls

The mamori proxies handle native connections for the 5 main database wire protocols (Oracle, MySQL, Postgres, MS SQL Server & MongoDB). Any database that uses one of the same wire protocols is also supported. For example, Greenplum, Redshift and CockroachDB are supported because they use the Postgres wire protocol.

Databases such as Teradata and Impala are supported via the mamori client JDBC and ODBC drivers.

One of the datasource permissions granted to a user is the passthrough mode the session will operate under. The table below describes the 3 available passthrough modes.

Passthrough Mode        Description
PASSTHROUGH             100% passthrough. No statement checking, no masking
MASKED PASSTHROUGH      Applies masking. Allows all statements
PROTECTED PASSTHROUGH   Applies masking. Only allows statements that can be analyzed or are in the signed statement list



Steps

Step 1 - Add your data sources

Step 2 - Add database credentials to mamori roles

Step 3 - Add database permissions to mamori roles

Step 4 - Grant credential and permission roles to users

Step 5 - Define Access On-Demand policies

Step 6 - Verify connections from client tools



Add Datasources

Prerequisites

Ensure the appropriate drivers are installed

Click Datasources

Click

Next, edit the datasource details

Field               Description
Datasource Name     The reference for this datasource. This is the database name used in SQL tools
Datasource Type     The datasource type
Datasource Group    Set if you are going to push down db credentials via mamori
Driver              Defaults to the driver for the datasource type
Connection Details  Enter database connection information

Click Save



If creating a mongo datasource, the authSource db and tls settings can be passed in under the advanced settings using either the Connection Properties:

authSource=admin;tls=true

or the Connection URL Suffix:

&authSource=admin&tls=true



Add Credentials To A Role

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Credentials

Add the credential to the target datasource

Click OK



Add Permissions To A Role

The following instructions will grant a role the required permissions to run selects:

  • MASKED PASSTHROUGH for all datasources

  • SELECT on all objects in all datasources

You can replace * with specific object names.

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Object Privileges

Click Add Object

Select Object Dialog Explanation

The object selection dialog has 4 fields: datasource, database, schema & table.

Expand the object tree to the level you want to select and click on the paste button that displays on mouse over.

Place * in the appropriate fields if you want ALL objects at that level

Set * for datasource & click OK

Select the MASKED PASSTHROUGH permission

Click Add Object and enter * in all 4 fields & Click OK

Select the SELECT permission

Click Close



Grant roles to users

Click Roles

Click on Change Assigned Users grid menu for the role

Select users



Access On-Demand

To provide on-demand datasource access to a user:

  • Do not grant the credential role to the user
  • Grant the user the request role specified in the policy

The policy will grant the credential role to the user when it is executed.



To create a policy follow the steps below

Prerequisites

Define a role with credentials & permissions

Define Alert Channels

Click Policies

Click Access On Demand

Click Add

Policy Editor

For detailed field descriptions click here

Add a time parameter

Enter the statement below in the policy script

On Demand Policy
GRANT YOUR_ACCESS_ROLE_NAME TO :applicant VALID for :time minutes;



Connection Strings

To connect via the mamori server from your database tools, update the connection strings as per the table below:

Connection      Without Mamori          Via Mamori
Host            the database ip         the mamori server ip
Port            the database listener   the mamori proxy port. See Ports
Database        the database name       the alias in mamori for the database
Authentication  database credentials    Mamori SSO + 2FA

Some SQL Server tools do not have a database field in their connection dialog. For these tools append the mamori datasource name to the username.

For example, myadlogin@mydatasource
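The table above as a small helper that rewrites a direct database URL into its via-Mamori form, including the username suffix rule for SQL Server tools without a database field. This is an added example, not Mamori's own code; the Mamori server address and the per-protocol proxy ports are constructed sample values, and the real ones come from your server's Ports page.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample values (assumptions, not Mamori defaults): take the real
# server address and per-protocol proxy ports from your Mamori Ports page.
MAMORI_HOST = "mamori.example.internal"
MAMORI_PROXY_PORTS = {"oracle": 11521, "mysql": 13306, "postgresql": 15432,
                      "mssql": 11433, "mongodb": 37017}


@dataclass(frozen=True)
class DbConnection:
    scheme: str        # wire protocol family, e.g. postgresql, mysql, mssql
    host: str
    port: int
    database: str
    username: str
    password: str = ""  # empty for via-Mamori connections: auth is SSO + 2FA


def parse_direct(url: str) -> DbConnection:
    """Parse a direct (no Mamori) URL such as postgresql://app:s3cret@10.0.1.5:5432/orders."""
    u = urlparse(url)
    if not (u.scheme and u.hostname and u.port and u.path.strip("/")):
        raise ValueError(f"incomplete database URL: {url!r}")
    return DbConnection(u.scheme, u.hostname, u.port, u.path.strip("/"),
                        u.username or "", u.password or "")


def via_mamori(direct: DbConnection, alias: str, sso_login: str,
               has_database_field: bool = True) -> DbConnection:
    """Apply the Connection Strings table: host -> Mamori server, port -> proxy port
    for the wire protocol, database -> the Mamori datasource alias, credentials ->
    the user's SSO login (no database password leaves the server). Tools with no
    database field (some SQL Server clients) get the alias appended to the username."""
    if direct.scheme not in MAMORI_PROXY_PORTS:
        raise ValueError(f"no Mamori proxy port configured for {direct.scheme!r}")
    port = MAMORI_PROXY_PORTS[direct.scheme]
    if has_database_field:
        return DbConnection(direct.scheme, MAMORI_HOST, port, alias, sso_login)
    return DbConnection(direct.scheme, MAMORI_HOST, port, "", f"{sso_login}@{alias}")


def to_url(conn: DbConnection) -> str:
    """Render a connection as a URL; the database path is omitted when empty."""
    auth = conn.username + (f":{conn.password}" if conn.password else "")
    path = f"/{conn.database}" if conn.database else ""
    return f"{conn.scheme}://{auth}@{conn.host}:{conn.port}{path}"


if __name__ == "__main__":
    direct = parse_direct("postgresql://app:s3cret@10.0.1.5:5432/orders")
    print(to_url(via_mamori(direct, alias="orders_prod", sso_login="alice")))
    # postgresql://alice@mamori.example.internal:15432/orders_prod
```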

Proxy Workflow


Remote Systems

If your datasources or servers are on another network or can only be accessed via SSH tunnels, then before you add them you will need to either create the network entry with the mamori service or add them as wireguard peers.

The three types of network connection you can make are:

  • SSH Tunnel
  • Open VPN
  • IpSec



SSH Tunnel

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click Server Settings

Click Keys

Click

Set the key properties

Field         Description
Type          SSH Tunnel
Name          Your reference for the tunnel
SSH User      ssh target account name
SSH Host      ssh target host name
SSH Port      target ssh port
Local Port    the port that will be used locally
Target Host   defaults to localhost
Port          port being mapped to on the target
Private Key   Select the private key to use for the tunnel

Click OK


SSH Logins

Mamori allows you to grant a user access to an ssh login. When a user tries to connect with the login, the client connection is verified against one of the public ssh keys defined for their mamori account.

Ideally, set up sudo and non-sudo ssh logins, and then make the sudo ssh login available only via an access on-demand request.



Create an SSH Login

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click SSH Logins

Click

Set the properties

Field         Description
Name          Your reference for the login
Remote User   target ssh login name
Remote Host   target host name
TCP Port      target ssh port
Private Key   Select the private key to use for the login
Password      Password to use for the login

Click OK



Grant an SSH Login

Prerequisites

Edit a user or role

Click SSH & SERVER ACCESS

Click SSH LOGIN

Select the SSH Login to grant

Click Close



Using an SSH Login

To ssh via mamori you need to ensure you have added a public ssh key to your mamori account. Follow the instructions below to add your public ssh key.

Login to the mamori portal

Click on your login name to see your profile menu

Click SSH & SERVER ACCESS

Click PUBLIC SSH KEY

Set the properties

Field         Description
Name          Your reference for the key
Public Key    Paste in your public key

Click ADD KEY

Make an ssh connection from a terminal or tool:

 ssh -p sshproxyport thesshlogin@mamoriserver
 # example
 ssh -p 1122 prodserver@mymamoriserver

Click here for instructions on how to view your current SSH proxy port.

Updated at Tue, Oct 19, 2021