Database & SSH Logins

Overview

The mamori server has built-in proxies for SSH and database connections. To apply controls and provide access-on-demand over database and ssh connections you must route all desired connections via the proxies running on the mamori server.

The feaures that become available via the proxies are listed below.

Enable Mamori database proxies to

SSO & multi-factor database connections

Access-On-Demand to RDS, servers, and databases

Update access to RDS & servers without having to modify network rules

SQL firewall rules

Identity based activity monitoring & audit

Isolate databases and RDS from random network IP access and scans

Controls Database permissions without having to created specialized DB credentials

Eliminate handing DevOps team database credentials

Enable Mamori SSH proxies to

SSO & multi-factor SSH, SCP & SFTP connections

Record & playback sessions

Prevent tunnelling

Simplify server key management and deployment

Eliminate named account sprawl

Steps

Step 1 - Add the mamori server to the whitelist of target RDS and servers

Step 2 - Configure mamori data sources and ssh logins

Step 3 - Provision user access and test access via mamori

Step 4 - Update RDS and servers to whitelist only application servers and the mamori server

Step 5 - Lockdown the application service accounts that are going via mamori

Typically application database connections are only routed through the mamori server if you want to implement gobal masking rules or apply SQL injection prevention policies.

If this is required for a critial application, then have one HA mamori server for the application traffic and another for the ad hoc traffic

Database Access Controls

The mamori proxies handle native connections for the 5 main database wire protocols (Oracle, MySQL, Postgres, MS SQL Server & MongoDB). Any database that uses the same wire protocol are also supported. For example, greenplum, redshift and cockroach DB are supported because they use the postgres wire protocol.

Databases, like teradata and impala, are supported via the mamori client jdbc and odbc driver.

One of the datasource permissions granted to a user is the passthrough mode the session will operate under. The table below describes the 3 available passthrough modes.

Passthrough Mode	Description
PASSTHROUGH	100% passthrough. Has No statement checking, no masking
MASKED PASSTHROUGH	Applies masking. Allows all statements
PROTECTED PASSTHROUGH	Applies masking. Only allows statements that can beanalyzed or are in the signed statement list

Steps

Step 1 - Add your data sources

Step 2 - Add database credentials to mamori roles

Step 3 - Add database permissions to mamori roles

Step 4 - Grant credential and permission roles to users

Step 5 - Define Access On-Demand policies

Step 6 - Verify connections from client tools

Add Datasources

Prerequisites

Ensure the appropriate drivers are installed

Click Datasources

Click

Next, edit the datasource details

Field Description
Datasource Name The reference for this datasource
Database name in SQL tools.
Datasource Type The datasource type
Datasource Group Set if you are going to push down db credentials via mamori
Driver defaulted to driver for datasource type
Connection Details Enter database connection information

Click Save

Field	Description
Datasource Name	The reference for this datasource Database name in SQL tools.
Datasource Type	The datasource type
Datasource Group	Set if you are going to push down db credentials via mamori
Driver	defaulted to driver for datasource type
Connection Details	Enter database connection information

If creating a mongo datasource, the authSource db and tls settings can be passed in under the advanced settings using either the Connection Properties:

authSource=admin;tls=true

or the Connection URL Suffix:

&authSource=admin&tls=true

Add Credentials To A Role

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Credentials

Add the credential to the target datasource

Click OK

Add Permissions To A Role

The following instructions will grant a role the required permissions to run selects

MASKED PASSTHROUGH for all datasources
SELECT on all objects in all datasources

You can replace * with specific object names.

Click Roles

Add or Edit an existing role

Click Database & Data Access

Click Object Privileges

Click Add Object

Select Object Dialog Explanation

The object selection dialog has 4 fields : datasource,database,schema & table

Expand the object tree to the level you want to select and click on the paste button that displays on mouse over.

Place * in the appropriate fields if you want ALL objects at that level

Set * for datasource & click OK

Select the MASKED PASSTHROUGH permission

Click Add Object and enter * in all 4 fields & Click OK

Select the SELECT permission

Click Close

Grant roles to users

Click Roles

Click on Change Assigned Users grid menu for the role

Select users

Access On-Demand

To provide on-demand datasource access to a user

Do not grant the crendential role to a user
Grant the user the request role specified in the policy

The policy will grant the credential role to the user when it is executed.

To create a policy follow the steps below

Prerequisites

Define a role with credentials & permissions

Define Alert Channels

Click Policies

Click Access On Demand

Click Add

Policy Editor

For detailed field descriptions click here

Add a time parameter

Enter the statement below in the policy script
On Demand Policy
GRANT YOUR_ACCESS_ROLE_NAME TO :applicant VALID for :time minutes;

Connection Strings

To connect via the mamori server from your database tools update the connection strings as per the table below

Connection Without Mamori Via Mamori
Host the database ip the mamori server ip
Port the database listener the mamori proxy port. See Ports
Database the database name the alias in mamori for the database
Authentication database credentials Mamori SSO + 2FA

Connection	Without Mamori	Via Mamori
Host	the database ip	the mamori server ip
Port	the database listener	the mamori proxy port. See Ports
Database	the database name	the alias in mamori for the database
Authentication	database credentials	Mamori SSO + 2FA

Some SQL Server tools do not have a database field in their connection dialog. For these tools append the mamori datasource name to the username.

For example, myadlogin@mydatasource

Proxy Workflow

Remote Systems

If your datasources or servers on are on another network or can only be accessed via SSH tunnels, then before you add them you will need to either create the network entry with the mamori service or add them as wireguard peers.

The three types of network you are make are:

SSH Tunnel
Open VPN
IpSec

SSH Tunnel

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click Server Settings

Click Keys

Click

Set the key properties

Field Description
Type SSH Tunnel
Name Your reference for the tunnel
SSH User ssh target account name
SSH Host ssh target host name
SSH Post target ssh port
Local Port the port that will be used locally
Target Host default to localhost
Port port being mapped to on the target
Private Key Select the private key to use for the tunnel

Click OK

Field	Description
Type	SSH Tunnel
Name	Your reference for the tunnel
SSH User	ssh target account name
SSH Host	ssh target host name
SSH Post	target ssh port
Local Port	the port that will be used locally
Target Host	default to localhost
Port	port being mapped to on the target
Private Key	Select the private key to use for the tunnel

SSH Logins

Mamori allows you to grant a user access to an ssh login. When a user tries to connect with the login, the client connection is verified against one of the public ssh keys defined for their mamori account.

Ideally setup sudo and non-sudo ssh logins, and then make the sudo ssh login available only via an access on-demand request.

Prerequisites

Create an ssh key

Place the public key in the target machine's authorized keys

Click SSH Logins

Click

Set the properties

Field Description
Name Your reference for the login
Remote User target ssh login name
Remote Host target host name
TCP Post target ssh port
Private Key Select the private key to use for the login
Password Password to use for the login

Click OK

Field	Description
Name	Your reference for the login
Remote User	target ssh login name
Remote Host	target host name
TCP Post	target ssh port
Private Key	Select the private key to use for the login
Password	Password to use for the login

Prerequisites

Edit a user or role

Click SSH & SERVER ACCESS

Click SSH LOGIN

Select the SSH Login to grant

Click Close

To ssh via mamori you need ensure you have added a public ssh key to your mamori account. Follow the instructions below to add your public ssh key.

Login to the mamori portal

Click on your login name to see your profile menu

Click SSH & SERVER ACCESS

Click PUBLIC SSH KEY

Set the properties

Field Description
Name Your reference for the key
Public Key Paste in your public key

Click ADD KEY

Make an ssh connection from a terminal or tool
 ssh -p sshproxyport thesshlogin@mamoriserver
 -- example
 ssh -p 1122 prodserver@mymamoriserver

Field	Description
Name	Your reference for the key
Public Key	Paste in your public key

click here for instructions on how to view your current SSH proxy port.

Database & SSH Logins

Overview

Steps

Database Access Controls

Steps

Add Datasources

Add Credentials To A Role

Add Permissions To A Role

Grant roles to users

Access On-Demand

Connection Strings

Proxy Workflow

Remote Systems

SSH Tunnel

SSH Logins

Create an SSH Login

Grant an SSH Login

Using an SSH Login