All Products
Search
Document Center

Bastionhost:Manage users

Last Updated:Mar 14, 2024

After you add a user to the console of a bastion host, an O&M engineer can log on to the bastion host as the user and perform O&M operations on the hosts or databases on which the user has permissions.

User types

In the console of a bastion host, you can import Alibaba Cloud Resource Access Management (RAM) users, create local users, and import Active Directory (AD)-authenticated or Lightweight Directory Access Protocol (LDAP)-authenticated users. Then, O&M engineers can log on to the bastion host as the preceding users.

User type

Description

RAM user

After a RAM user is created in the RAM console, you can click Import RAM Users to import the RAM user to the console of the bastion host.

Local user

You can create a single user or import multiple users from a file to create local users.

AD- or LDAP-authenticated users

You can configure AD authentication or LDAP authentication on the bastion host and import an AD-authenticated user or LDAP-authenticated user to the bastion host.

Note

Before you import the AD-authenticated user or LDAP-authenticated user, make sure that you configured AD- or LDAP authentication. For more information, see Configure AD authentication or LDAP authentication.

User list description

The following table describes the columns in the user list.

Column

Description

Username

The username of an account that is used to log on to the bastion host.

  • RAM user: the logon name that you specify when you create a RAM user. For more information about how to change the username, see Modify the basic information about a RAM user.

  • Local user: the username that you specify when you create the local user. You cannot change the username.

  • AD- or LDAP-authenticated user: the username that is synchronized from the AD or LDAP server. If you want to change the username, change it on the AD or LDAP server.

Authentication Source

The type of a user. For example, Local Authentication is displayed for a local user.

Two-factor Authentication Methods

When a user logs on to the console of the bastion host by using the username-password logon method, two-factor authentication is required for the user. The user must enter a dynamic verification code that is sent by text message, email, or DingTalk notification. This reduces the risk of password leaks.

  • RAM user: RAM-based Authentication. You must log on to the RAM console to configure a two-factor authentication method for RAM users. For more information, see Bind an MFA device to a RAM user.

  • Local user or AD- or LDAP-authenticated user:

    • Global Settings: For more information about how to configure a two-factor authentication method for all users, see Enable two-factor authentication.

    • User-specific Settings: For more information about how to configure a two-factor authentication method for a single user, see Create or import a user.

OTP App

Indicates whether the current user is bound with a time-based one-time password (TOTP). For more information about how to bind a TOTP, see Create or import a user.

Note

TOTPs are not applied to RAM users.

Status

The status of a user. For more information about user status, see Configure the parameters on the User Settings tab.

  • Inactive: If the user does not log on to the bastion host within the specified period of time, the user is marked as Inactive.

  • Password Expired: After the validity period of the password elapses, the user is marked as Password Expired.

  • Locked:

    • If a user enters invalid passwords for the specified consecutive times when the user logs on to the bastion host or a the user is locked by the administrator, the user is marked as Locked.

    • If you turn on Automatically Lock Inactive User Accounts on the System Settings page, the system automatically locks users who have not logged on to the bastion host for a long period of time. The users are marked as Locked.

  • The source from which the user is imported is deleted: If a user is deleted from the AD or LDAP server or the base distinguished name (base DN) of the user is inconsistent with the base DN that is configured on the bastion host, the user is marked as The source from which the user is imported is deleted. This status can be used only to filter AD- or LDAP-authenticated users.

Actions

The operations that you can perform to grant permissions to a user. For more information, see Host authorization or Asset group authorization.

Create users

You can create or import users to a bastion host based on your business requirements. Then, O&M engineers can log on the bastion host as the users.

Import RAM users

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. On the Users page, click Import RAM Users.

  4. Optional: If no RAM user is created, click Create RAM User in the Import RAM Users dialog box and create a RAM user as prompted.

    For more information, see Create a RAM user.

  5. In the Import RAM Users dialog box, click Import in the Actions column of the RAM user that you want to import. If you want to import multiple RAM users at a time, select the RAM users that you want to import and click Import in the upper-left corner.

    Note

    To enable two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Bind an MFA device to an Alibaba Cloud account.

Create local users

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. On the Users page, create a single local user or import multiple local users from a file based on the steps described in the following table.

    Scenario

    Procedure

    Create a single local user

    1. Choose Import Other Users > Create User.

    2. In the Create User panel, configure the parameters and click Create.

      When you configure the user information, you must set Authentication Method to Local Authentication. In addition to configuring basic information, you can configure the following settings:

      • Select Users must reset the password at next logon.: If you select this parameter, the local user must reset the password upon the next logon. This parameter is valid only for local users.

      • Specify Validity Period: After the validity period that you specified for the local user elapses, the status of the local user in the Status column is changed to Expired. An O&M engineer cannot use the local user to log on to the bastion host.

      • Configure Two-factor Authentication Methods: If you enable Two-factor Authentication Methods, the local user must enter a dynamic verification code that is sent by text message, email, or DingTalk after the local user enters the valid password. This helps reduce security risks.

        Note
        • If you enable Two-factor Authentication Methods for a local user, the local user must enter a dynamic verification code that is sent by text message or email when the local user attempts to log on to the bastion host. Make sure that you enter the valid mobile phone number or email address of the local user. For more information about the countries and areas where text message-based two-factor authentication is supported, see Supported countries and areas for text message-based two-factor authentication.

        • The mobile phone number and email address that you entered are used only to receive verification codes or alert notifications.

        You can select one of the two items from the Two-factor Authentication Methods drop-down list:

        • For All Users: specifies that the global two-factor authentication methods are used. The global two-factor authentication methods are the two-factor authentication methods that you configure on the System Settings page. For more information, see Enable two-factor authentication.

        • For Single User: specifies that you must configure a separate two-factor authentication method for the local user. Bastionhost supports the following two-factor authentication methods:

          • Disable: specifies that two-factor authentication is disabled.

          • Text Message: specifies that two-factor authentication is implemented by using text messages. If you select this method, you must specify the mobile phone number of the local user.

          • Email: specifies that two-factor authentication is implemented by using emails. If you select this method, you must specify the email address of the local user.

          • DingTalk: specifies that two-factor authentication is implemented by using DingTalk notifications. If you select this method, you must specify the mobile phone number of the local user.

            Note

            If you select DingTalk when you enable two-factor authentication, make sure that the following requirements are met:

            • The mobile phone number of the user who performs O&M operations is specified. For more information, see Modify the information about a user.

            • An internal enterprise application is created by the DingTalk administrator, and the operation that is used to obtain member information based on the mobile phone numbers and names of the members is activated for the application.

            • The values of AppKey, AppSecret, and AgentId of the internal enterprise application are obtained.

          • OTP App: specifies that authentication is implemented by using the mobile OTP token of the current user. The user must bind the OTP token first.

            Note

            If you select this authentication method, you must download the standard TOTP authentication software, such as an Alibaba Cloud app. Then, log on to the Bastionhost O&M portal by using a public endpoint. In the left-side navigation pane, click Security Settings. On the Enable OTP tab, click Bind OTP App, and then scan the quick response (QR) code to bind the OTP token for authentication. For more information about how to obtain the O&M addresses of a bastion host, see Homepage overview of a bastion host.

        • Configure Two-factor Notification Sending Language:

          • If you select For All Users, the current user uses the two-factor notification sending language that is configured on the System Settings page. For more information, see Enable two-factor authentication.

          • If you select For Single User, you can select Simplified Chinese or English as the two-factor notification sending language.

    Import multiple local users from a file

    1. Select Import Users from File from the Import Other Users drop-down list.

    2. Click Download User Template, download the user template package to your computer, and decompress the package. Then, enter the information about the local users that you want to import in a user template file, and save the information.

    3. In the Import Local Users dialog box, click Upload to upload the user template file that you edited.

    4. In the Preview dialog box, select the local users that you want to import and click Import.

    5. In the Import Local Users panel, confirm the information about the local users and click Import Local Users.

      If you select Users must reset the password at next logon., all imported local users must reset their passwords upon the next logon.

    Note

    The local users that you want to import are displayed in a table. If some local users, for example, the first user, the third user, and the fifth user, share the same username, the bastion host imports only the fifth user. If a local user that you want to import shares the same username with an existing user in the bastion host, the information about the local user is not imported You can click Details in the Import Local Users panel to view the information about the users that are not imported.

  4. Optional: If you want the bastion host to notify users of the O&M address, you must specify the mobile phone number or email address of the local users, and select Send O&M Addresses to User.

Import AD- or LDAP-authenticated users

Before you import the AD-authenticated user or LDAP-authenticated user, make sure that you configured AD or LDAP authentication. For more information, see Configure AD authentication or LDAP authentication.

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. Choose Import Other Users > Import AD Users or Import LDAP Users.

  4. In the Import AD Users or Import LDAP Users dialog box, click Import in the Actions column of the AD- or LDAP-authenticated user that you want to import.

    You can also import multiple AD- or LDAP-authenticated users at a time.

Export users

After you export users, you can view the users in a local CSV file.

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. On the Users page, click Export Users in the upper-right corner.

Modify the information about a user

If the information about a user, such as the mobile phone number or email address, is changed, you must go to the console of the bastion host to which the user is imported to update the information at the earliest opportunity. Otherwise, the user may not receive verification codes and cannot log on to the bastion host. If the mobile phone number of the user is changed and is not updated in the bastion host in a timely manner, the user cannot log on to the bastion host because verification codes are sent to the previous mobile phone number.

Note

You can modify the information only about local users, AD-authenticated users, and LDAP-authenticated users. You cannot modify the information about RAM users. For more information about how to modify the information about RAM users, see Modify the basic information about a RAM user.

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. Find the user whose information you want to modify and click the username.

  4. On the Basic Info tab, modify the user information and click Update.

Lock or unlock a user

If a user no longer needs a bastion host to perform O&M operations within a specific period of time, you can manually lock the user or configure a trigger condition to automatically lock the user. If a locked user needs to perform O&M operations, you can unlock the user.

Automatically lock a user

By default, Bastionhost provides a feature to automatically lock a user. When a user enters invalid passwords more than five times in a row, Bastionhost locks the user. A Bastionhost administrator can specify the number of Account Lockout Threshold. For more information, see Configure the parameters on the User Settings tab.

Manually lock or unlock a user

Important

Manual user locking or unlocking immediately takes effect. If a user is manually locked, the user cannot log on to the authorized server to perform O&M operations. Proceed with caution.

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. On the Users page, select the user that you want to lock or unlock. At the lower part of the user list, choose Batch > Locked or Batch > Unlock.

    • Locked: After you lock a user, you receive the The user is locked. message. The value in the Status column of the locked user changes from Normal to Locked. After you lock a user, you can still modify the basic information about the user and authorize the user to manage hosts and asset groups.

    • Unlock: After you unlock the user, you receive the The user is unlocked. message. The user can log on to the bastion host to perform O&M operations on the authorized host.

Host the public key of a user

You can configure a public key for a user to host the public key on a bastion host. Then, the user can use a private key to log on to the bastion host from an O&M client. For more information, see Perform SSH-based O&M.

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. In the user list, click the username of the user for which you want to configure a public key. On the user details page, click the User Public Key tab and click Add SSH Public Key.

  4. In the Add SSH Public Key panel, configure the public key name and content. Then, click Add SSH Public Key.

    After you configure the public key, the public key is hosted on the bastion host. You can view the public key in the public key list.

Delete a user

If a user no longer needs to perform O&M operations on hosts by using a bastion host, you can delete the user to reduce security risks.

  1. Log on to the console of a bastion host. For more information, see Log on to the console of a bastion host.

  2. In the left-side navigation pane, choose Users > Users.

  3. In the user list, select the user that you want to delete and click Delete below the user list.