After you create a host in Bastionhost, you must add its existing accounts to Bastionhost for management. When you create a host account in Bastionhost, it is not synchronized to the corresponding host or ECS instance. You can grant permissions on the host account to a Bastionhost user to enable password-free logon. This topic describes how to create, modify, and delete host accounts in Bastionhost.
Create a host account
Log on to the Bastionhost system. For more information, see Log on to the system.
In the navigation pane on the left, choose .
On the Hosts page, create a host account for the target host.
Create a host account for a single host
In the Operations column of the target host, click Create Host Account.
Note: Ensure that the corresponding operating system account is created on the server. Bastionhost does not sync the host account to the ECS instance or other source hosts.
In the Create Host Account panel, set parameters such as Protocol, Logon Name, and Authentication Type for the account, and then click Create.
Parameter descriptions.
| Parameter | Description |
| --- | --- |
| Logon Name | The username of the account on the server. |
| Privileged Account | When you run a password change task, you can use a privileged account on the host to change the passwords of standard accounts. Note: Currently, only accounts that use the Secure Shell (SSH) protocol support password rotation using a privileged account. If your instance was upgraded from a version earlier than V3.2.47, existing host accounts named root and administrator are automatically identified as privileged accounts after the upgrade. If you create an account after the upgrade, you must manually select the Privileged Account checkbox. To perform batch operations, you can create accounts by calling an API or importing them from a file. For more information, see Host accounts (Supported only in V3.2.17 and later). |
| Authentication Type | The authentication types include Password, Private Key, and Shared Key. Password: Validating the password confirms the validity of the managed account. You can troubleshoot issues based on the prompts on the interface. If password validation fails, see Issues related to connecting to a server from Bastionhost. Private Key: Private key authentication currently supports only keys generated using the ssh-keygen -m PEM -t rsa command and keys in Ed25519 format. Shared Key: Select an associated shared key that is already configured. Note: You can choose whether to export password or key details when you export hosts. For more information, see Export the host list. If multiple host accounts share the same public-private key pair for authentication, you can use a shared key account. For information about how to configure a shared key, see Shared keys. |
| Enable Only SFTP Permission | After you enable this setting, the account cannot be used to log on with SSH permissions. Configure this setting with caution. |
| Use Privileged Account to Change Password | When a password change task is run for this managed account in Bastionhost, a privileged account on the host is used to change the password. This requires that the privileged account and its password have been added to Bastionhost. Note: Currently, only accounts that use the SSH protocol support password rotation using a privileged account. |
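The Private Key restriction described for Authentication Type can be checked before a key is submitted in the Create Host Account panel. The following is an added example, not Alibaba Cloud code: it classifies a private key file by container format and key type. The names `classify_private_key` and `make_sample_openssh` are hypothetical, the accept rule is a reading of this page's wording (PEM RSA or Ed25519) rather than Bastionhost's actual validator, and the sample keys are constructed, non-functional blobs.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _s(data):
    """Encode one SSH wire-format string: uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data

def _read_string(buf, off):
    """Decode one SSH wire-format string, returning (bytes, next_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return (container, key_type, accepted); accepted follows this page's wording."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return ("unknown", None, False)
    if lines[0] == "-----BEGIN RSA PRIVATE KEY-----":
        return ("pem", "rsa", True)            # written by ssh-keygen -m PEM -t rsa
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return ("other-pem", None, False)      # e.g. PKCS#8 or EC PEM
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(OPENSSH_MAGIC)
    for _ in range(3):                         # ciphername, kdfname, kdfoptions
        _, off = _read_string(blob, off)
    off += 4                                   # uint32 number of keys
    pub, _ = _read_string(blob, off)           # public key blob, never encrypted
    key_type = _read_string(pub, 0)[0].decode()
    return ("openssh", key_type, key_type == "ssh-ed25519")

def make_sample_openssh(key_type):
    """Constructed, non-functional sample: header and public section only."""
    pub = _s(key_type) + _s(b"\x00" * 32)
    blob = (OPENSSH_MAGIC + _s(b"none") + _s(b"none") + _s(b"")
            + struct.pack(">I", 1) + _s(pub))
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for kt in (b"ssh-ed25519", b"ssh-rsa"):
        print(classify_private_key(make_sample_openssh(kt)))
```

An RSA key stored in the OpenSSH container is reported as not accepted; `ssh-keygen -p -m PEM -f <keyfile>` rewrites an existing key file in PEM format.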
Create host accounts for multiple hosts
In the Hosts list, select the hosts for which you want to create accounts.
At the bottom of the list, choose .

In the Add Account dialog box, set parameters such as Authentication Type, Protocol, and Logon Name, and then click OK.
Note: When you create a host account with the SSH protocol, you can enable SFTP-only permission for the account. If you enable Enable Only SFTP Permission, the account cannot be used to log on using SSH. Configure this setting with caution.
By default, Bastionhost enables the Allow Access to Hosts by Using Unauthorized Host Accounts option. This means that if a user is not granted permissions on a specific host account, the user can still attempt to log on to the server by manually entering a username and password. If this setting is disabled, users can log on only using host accounts for which they have been granted permissions. To disable this setting, see O&M configuration.
Modify host account information
Log on to the Bastionhost system. For more information, see Log on to the system.
In the navigation pane on the left, choose .
On the Hosts page, find the host whose account information you want to modify and click the host name.
On the Host Account tab, find the account that you want to modify and click its username.
In the Edit Host Account panel, modify the account information and click Save.
Delete a host account
If you no longer need a host account, you can delete it.
Log on to the Bastionhost system. For more information, see Log on to the system.
In the navigation pane on the left, choose .
On the Hosts page, find the host whose account you want to delete and click the host name.
On the Host Account tab, select the account that you want to delete and click Delete at the bottom of the list.
In the dialog box that appears, click Delete.