SSH proxy for Xton Access Manager
Solution Sneak Peek
Maintain a Balance of Security and Accessibility
Clients can easily access privileged accounts while maintaining strict security standards.
Created “Man in the Middle” Proxy
Users who are accustomed to using the desktop-based SSH client app can continue to use it without using the web-based sessions that we offered initially.
Interactive Proxy Shell
The proxy shell takes over when the user does not name a valid remote record (record ID, record name or IP address), so a mistyped target lands in a controlled shell instead of an unintended connection.
Helped the Client Get a Business Advantage
Softwarium helped the client satisfy two seemingly contradictory requirements: easy access to the systems for administrators, and strict security.
About the Client
The client owns and operates a privileged access manager that lets companies restrict access to systems and data through their existing Active Directory environment. This lets companies isolate privileged accounts and the information behind them, reducing the risk of theft and increasing their control over, and awareness of, their environments.
Business Problem
Businesses often find themselves in the following bind: on the one hand, they have privileged accounts and systems that must always be available and easily reachable by administrators. On the other hand, upper management and external auditors demand that every access to those very same systems and accounts be secured and accountable.
Worried about a breach, they keep asking for audit reports, granular permissions, notifications and other safeguards. The Xton Access Manager has to satisfy the demands of both sides.
Business Solution
Softwarium solved this problem by building Secure Shell (SSH) proxy functionality on the Apache MINA SSHD framework. In effect, we created a “man in the middle” (MITM) proxy for SSH connections: an intentional, authenticated intermediary that terminates the user's SSH session on the proxy and opens a second connection from the proxy to the target. This was done so that users who are accustomed to a desktop SSH client can keep using it instead of the web-based sessions we offered initially.
To build the proxy, we used both the client and the server parts of the framework. The user's SSH client connects to the server side of the proxy and, in the username field, supplies their XTAM login together with the record ID, record name or IP address of the target system.
After verifying the password, the approval workflows and MFA, the proxy opens its own client connection to the target server named by that record and relays the stdin, stdout and stderr streams between the two connections. As with keystroke recording in the web sessions, we record the text the user types inside the session. To catch transferred files, we added support for the SCP and SFTP protocols, so every transferred file can be saved on the server for a supervisor to review later.
The proxy also has an interactive shell of its own. It takes over if the user did not supply a valid record ID, record name or IP address for the remote server. The shell offers basic commands to list the records the user has rights to and to connect to one of them directly from the shell. In that case, when the user logs out of the remote session (ctrl-d or logout), they are returned to the proxy shell instead of being disconnected.
Benefits Delivered for the Client
Thanks to the development services provided by Softwarium, the client was able to satisfy two seemingly contradictory requirements: easy access to the systems for administrators, and strict security. By offering this functionality to its customers, the client could capitalize on new business opportunities and gain a competitive advantage.