M4PAM - DB, RDP & SSH
Overview
The mamori server has built-in proxies for RDP, SSH and database connections. To apply controls and provide access-on-demand over database and server connections you must route all desired connections via the proxies running on the mamori server.
The features that become available via the proxies are listed below.
Enable Mamori database proxies to
Enable Mamori RDP & SSH proxies to
Steps
Step 1 - Update cloud RDS and target servers to whitelist only application servers and the mamori server
Step 2 - Configure mamori data sources, SSH and RDP logins
Step 3 - Provision user access and test access via mamori
Step 4 - Lockdown the application service accounts that are going via mamori
If this is required for a critical application, then have one HA mamori server for the application traffic and another for the ad hoc traffic.
Database Access Controls
The mamori proxies handle native connections for the 5 main database wire protocols (Oracle, MySQL, Postgres, MS SQL Server & MongoDB). Any database that uses one of these wire protocols is also supported. For example, Greenplum, Redshift and CockroachDB are supported because they use the Postgres wire protocol.
Databases like Teradata and Impala are supported via the mamori client JDBC and ODBC drivers.
One of the datasource permissions granted to a user is the passthrough mode the session will operate under. The table below describes the 3 available passthrough modes.
Passthrough Mode | Description |
---|---|
PASSTHROUGH | 100% passthrough. No statement checking, no masking. |
MASKED PASSTHROUGH | Applies masking and statement permission checks. Allows code blocks that can't be analyzed. |
PROTECTED PASSTHROUGH | Applies masking. Only allows statements that can be analyzed or are in the signed statement list. |
Steps
Step 1 - Add your data sources
Step 2 - Add database credentials to mamori roles
Step 3 - Add database permissions to mamori roles
Step 4 - Grant credential and permission roles to users
Step 5 - Define Access On-Demand policies
Step 6 - Verify connections from client tools
Add Datasources
Prerequisites
Click Datasources
Click
Next, edit the datasource details
Field | Description |
---|---|
Datasource Name | The reference for this datasource. Used as the database name in SQL tools. |
Datasource Type | The datasource type |
Datasource Group | Set if you are going to push down db credentials via mamori |
Driver | Defaults to the driver for the datasource type |
Connection Details | Enter database connection information |
Credential Reset Days | Convert credential to a Mamori managed credential and reset it every X days |
Credential Role | The role that is linked to this managed credential |
Click Save
`authSource=admin;tls=true`
or the Connection URL Suffix:
`&authSource=admin&tls=true`
`useSSL=false`
Add Credentials To A Role
Click Roles
Add or Edit an existing role
Click Database & Data Access
Click Credentials
Add the credential to the target datasource
Click OK
Add Permissions To A Role
The following instructions will grant a role the required permissions to run selects:
- MASKED PASSTHROUGH for all datasources
- SELECT on all objects in all datasources
Click Roles
Add or Edit an existing role
Click Database & Data Access
Click Object Privileges
Click Add Object
Select Object Dialog Explanation
The object selection dialog has 4 fields: datasource, database, schema & table.
Expand the object tree to the level you want to select and click on the paste button that displays on mouse over.
Place * in the appropriate fields if you want ALL objects at that level
Set * for datasource & click OK
Select the MASKED PASSTHROUGH permission
Click Add Object and enter * in all 4 fields & Click OK
Select the SELECT permission
Click Close
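To make the four-field object reference concrete, here is an added example (not Mamori's own code) that models how a grant entered in the Select Object dialog covers objects: `*` in a field means all objects at that level, and any other value must match exactly. That exact-or-wildcard rule is an assumption for illustration; the product's real matching rules (case handling, partial patterns) are not described on this page. Datasource, schema and table names are constructed samples.

```python
# Added example, not Mamori's own code. It models the four-field object
# reference used by the Select Object dialog (datasource, database, schema,
# table) and the rule that "*" in a field means ALL objects at that level.
# Matching below is exact-or-wildcard per level; the product's real rules
# (case handling, partial patterns) are not documented on this page and are
# an assumption here. All names and privileges are constructed samples.
from typing import Iterable, NamedTuple, Set, Tuple


class ObjectRef(NamedTuple):
    datasource: str
    database: str
    schema: str
    table: str


def parse_object(text: str) -> ObjectRef:
    """Parse 'datasource.database.schema.table' into the four dialog fields.
    Trailing levels that are left out are treated as '*' (all objects at that
    level), so '*' alone is a datasource-wide reference."""
    parts = [p.strip() for p in text.split(".")]
    if len(parts) > 4 or any(p == "" for p in parts):
        raise ValueError(f"expected 1 to 4 non-empty dot-separated fields: {text!r}")
    parts += ["*"] * (4 - len(parts))
    return ObjectRef(*parts)


def covers(grant: ObjectRef, obj: ObjectRef) -> bool:
    """True when a privilege granted on `grant` applies to the object `obj`.
    '*' at a level matches anything at that level; otherwise exact match."""
    return all(g == "*" or g == o for g, o in zip(grant, obj))


def effective_privileges(grants: Iterable[Tuple[str, ObjectRef]], obj: ObjectRef) -> Set[str]:
    """Collect every privilege whose object pattern covers `obj`."""
    return {priv for priv, ref in grants if covers(ref, obj)}


# Constructed sample: the two grants from the steps above (passthrough mode on
# every datasource, SELECT on every object) plus one narrower grant.
SAMPLE_GRANTS = [
    ("MASKED PASSTHROUGH", parse_object("*")),
    ("SELECT", parse_object("*.*.*.*")),
    ("INSERT", parse_object("prod_pg.sales.public.orders")),
]

if __name__ == "__main__":
    for name in ("prod_pg.sales.public.orders", "prod_pg.sales.public.customers"):
        print(name, "->", sorted(effective_privileges(SAMPLE_GRANTS, parse_object(name))))
```

Running the script shows that the broad `*` grants reach every table while the INSERT grant reaches only the one table it names, which is the behaviour to check for when reviewing a role's Object Privileges.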
Grant roles to users
Click Roles
Click on Change Assigned Users grid menu for the role
Select users
Access On-Demand
To provide on-demand datasource access to a user
- Do not grant the credential role to a user
- Grant the user the request role specified in the policy
The policy will grant the credential role to the user when it is executed.
To create a policy follow the steps below
Prerequisites
Click Policies
Click Access On Demand
Click Add
Policy Editor
For detailed field descriptions click here
Add a time parameter
Enter the statement below in the policy script
On Demand Policy:
`GRANT YOUR_ACCESS_ROLE_NAME TO :applicant VALID for :time minutes;`
Connection Strings
To connect via the mamori server from your database tools update the connection strings as per the table below
Connection | Without Mamori | Via Mamori |
---|---|---|
Host | the database ip | the mamori server ip |
Port | the database listener | the mamori proxy port. See Ports |
Database | the database name | the alias in mamori for the database |
Authentication | database credentials | Mamori SSO + 2FA |
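As an added example (not Mamori's own code), the function below applies the table above to a database URL: the host becomes the mamori server, the port the mamori proxy port, the database name the mamori alias, and the database credentials are replaced by the user's mamori login. The mamori host name, proxy port number, alias and user name are constructed placeholders; the real proxy port comes from the Ports page referenced in the table.

```python
# Added example, not Mamori's own code. Rewrites a direct database URL into the
# shape the table above calls for when connecting through the Mamori proxy:
# host becomes the Mamori server, port the Mamori proxy port, database name the
# Mamori alias, and authentication the user's Mamori login (SSO + 2FA) instead
# of database credentials. Scheme and query options are kept. Every host, port,
# alias and user name below is a constructed placeholder.
from urllib.parse import quote, urlsplit, urlunsplit


def via_mamori(direct_url: str, mamori_host: str, proxy_port: int,
               alias: str, mamori_user: str) -> str:
    """Return the equivalent URL that connects through the Mamori proxy."""
    parts = urlsplit(direct_url)
    if not parts.scheme or parts.hostname is None:
        raise ValueError(f"not a scheme://host URL: {direct_url!r}")
    if not 1 <= proxy_port <= 65535:
        raise ValueError(f"invalid proxy port: {proxy_port}")
    # The database password is deliberately dropped: the proxy authenticates the
    # Mamori user and supplies the stored credential itself, so the client URL
    # no longer carries a database secret.
    netloc = f"{quote(mamori_user, safe='')}@{mamori_host}:{proxy_port}"
    return urlunsplit((parts.scheme, netloc, "/" + alias, parts.query, parts.fragment))


def has_embedded_password(url: str) -> bool:
    """Check used to verify that a rewritten URL carries no database password."""
    return urlsplit(url).password is not None


if __name__ == "__main__":
    # Constructed direct URL for a Postgres-protocol database
    direct = "postgresql://appuser:S3cret@10.0.1.25:5432/salesdb?sslmode=require"
    proxied = via_mamori(direct, "mamori.example.internal", 1542, "sales_prod", "alice")
    print(proxied)
    print("password still embedded:", has_embedded_password(proxied))
```

Note what does not change: the driver scheme and any driver options such as `sslmode` are preserved, because the client still speaks the same wire protocol; only the endpoint, the database name and the identity change.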
Proxy Workflow

Remote Systems
If your datasources or servers are on another network or can only be accessed via SSH tunnels, then before you add them you will need to either create the network entry with the mamori service or add them as wireguard peers.
The three types of network you can make are:
- SSH Tunnel
- Open VPN
- IpSec
SSH Tunnel
Prerequisites
Place the public key in the target machine's authorized keys
Click Server Settings
Click Keys
Click
Set the key properties
Field | Description |
---|---|
Type | SSH Tunnel |
Name | Your reference for the tunnel |
SSH User | ssh target account name |
SSH Host | ssh target host name |
SSH Port | target ssh port |
Local Port | the port that will be used locally |
Target Host | defaults to localhost |
Port | port being mapped to on the target |
Private Key | Select the private key to use for the tunnel |
Click OK
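To show what the tunnel fields above amount to, here is an added example (not Mamori's own code) that maps them onto an ordinary OpenSSH local port forward (`ssh -L local_port:target_host:port`). That the mamori SSH Tunnel network type is equivalent to such a forward is an assumption made for illustration. The host names, ports and key path are constructed placeholders; `-N`, `-o ExitOnForwardFailure=yes` and `-o StrictHostKeyChecking=yes` are standard OpenSSH options.

```python
# Added example, not Mamori's own code. Maps the SSH Tunnel fields to the
# equivalent OpenSSH local port forward, assuming the tunnel behaves like
# "ssh -L local_port:target_host:port user@host -p ssh_port -i key".
# Host names, ports and the key path are constructed placeholders.
import shlex
from dataclasses import dataclass
from typing import List


@dataclass
class SshTunnel:
    name: str            # Your reference for the tunnel
    ssh_user: str        # SSH User
    ssh_host: str        # SSH Host
    local_port: int      # Local Port
    port: int            # Port being mapped to on the target
    private_key: str     # path to the private key selected for the tunnel
    ssh_port: int = 22   # SSH Port
    target_host: str = "localhost"  # Target Host, defaults to localhost

    def validate(self) -> None:
        """Reject values the dialog would not accept: empty key, bad ports."""
        if not self.private_key:
            raise ValueError("Private Key is required for a key-based tunnel")
        for label, p in (("SSH Port", self.ssh_port),
                         ("Local Port", self.local_port),
                         ("Port", self.port)):
            if not 1 <= p <= 65535:
                raise ValueError(f"{label} out of range: {p}")

    def ssh_args(self) -> List[str]:
        """Argument vector for the equivalent OpenSSH command.
        The forward is bound to 127.0.0.1 so the mapped port is reachable only
        from the host running the tunnel, and strict host-key checking keeps a
        substituted SSH host from silently receiving the traffic."""
        self.validate()
        return [
            "ssh", "-N",
            "-i", self.private_key,
            "-p", str(self.ssh_port),
            "-o", "ExitOnForwardFailure=yes",
            "-o", "StrictHostKeyChecking=yes",
            "-L", f"127.0.0.1:{self.local_port}:{self.target_host}:{self.port}",
            f"{self.ssh_user}@{self.ssh_host}",
        ]

    def command_line(self) -> str:
        """Shell-safe single-line rendering of ssh_args()."""
        return shlex.join(self.ssh_args())


if __name__ == "__main__":
    # Constructed sample: a Postgres listener behind a bastion host
    tunnel = SshTunnel(name="prod-pg", ssh_user="tunnel", ssh_host="bastion.example.net",
                       local_port=15432, port=5432,
                       private_key="/etc/mamori/keys/bastion_ed25519", ssh_port=2222)
    print(tunnel.command_line())
```

With such a tunnel in place the datasource is then added with host `localhost` and the Local Port value, which is why the page lists network entries as a prerequisite for remote datasources.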
SSH Logins
Mamori allows you to grant a user access to an ssh login. When a user tries to connect with the login, the client connection is verified against one of the public ssh keys defined for their mamori account.
Create
Prerequisites
Place the public key in the target machine's authorized keys
Click SSH Logins
Click
Set the properties
Field | Description |
---|---|
Name | Your reference for the login |
Remote User | target ssh login name |
Remote Host | target host name |
TCP Port | target ssh port |
Private Key | Select the private key to use for the login |
Password | Password to use for the login |
Click OK
Grant
Prerequisites
Edit a user or role
Click SSH & SERVER ACCESS
Click SSH LOGIN
Select the SSH Login to grant
Click Close
Using
To ssh via mamori you need to ensure you have added a public ssh key to your mamori account. Follow the instructions below to add your public ssh key.
Login to the mamori portal
Click on your login name to see your profile menu
Click SSH & SERVER ACCESS
Click PUBLIC SSH KEY
Set the properties
Field | Description |
---|---|
Name | Your reference for the key |
Public Key | Paste in your public key |
Click ADD KEY
Make an ssh connection from a terminal or tool:
`ssh -p sshproxyport thesshlogin@mamoriserver`
Example: `ssh -p 1122 prodserver@mymamoriserver`
Click here for instructions on how to view your current SSH proxy port.
RDP Session
Mamori allows you to grant a user access to an RDP session. Remote desktop sessions operate in two modes:
- pre-authenticated : a user is multi-factored but does not have to enter the desktop OS login details
- authenticated : a user is multi-factored and must enter the desktop OS login details
Create
Click Remote Desktops
Click
Click the GENERAL tab
Set the properties
Field | Description |
---|---|
Connection Name | Your reference for the remote desktop session |
Hostname | Target server |
Port | Target server port. Defaults to 3389 |
Remote Username | OS login name |
Remote Password | OS login password |
Remote Domain | OS login domain |
Security | Server session authentication mode. Defaults to Any |
Ignore TLS certificate validation errors | Defaults to true |
Connect to system console | Defaults to false |
Click the ADVANCED tab
Set the properties
Field | Description |
---|---|
Server Keyboard Layout | Session keyboard layout |
Initial program to start | Executable name |
Colour Depth | Defaults to 64K Colours |
Width | Defaults to 1024 |
Height | Defaults to 768 |
DPI | Defaults to 96 |
Click OK
Grant
Prerequisites
Edit a user or role
Click SSH & SERVER ACCESS
Click REMOTE DESKTOPS
Select the remote desktop session to grant
Click Close
Using
To use a remote desktop session
Login to the mamori portal
Click Remote Desktops
Find the remote desktop you want to access
Click the launch button on the target desktop