
Bastionhost: Configure O&M settings

Last Updated: Oct 10, 2023

Bastionhost provides the O&M settings feature. The feature allows you to configure O&M settings, such as Special Asset Accounts, Special Host Configuration, Duration Limit, Idle Timeout Interval, and Duration to Lock Users Upon Session Blocking based on your business requirements. This prevents host resources from being wasted. This topic describes how to configure O&M settings.

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, click System Settings.

  4. On the O&M Configuration tab, configure the parameters and click Save.

    Section

    Parameter

    Description

    O&M Token

    Validity Period of O&M Token

    Specifies the time period within which an O&M token can be reused after the token is applied for. After the time period elapses, you must apply for a new O&M token.

    Valid values: 1 to 480 minutes or 1 to 8 hours.

    Note
    • If O&M review is enabled, the validity period of the O&M token that is approved by the Bastionhost administrator takes effect.

    • After the settings of O&M tokens are modified, you must apply for a new O&M token for the change to take effect.

    O&M Token Renewal

    Specifies whether O&M engineers can renew O&M tokens and how many times a token can be renewed. Each renewal extends the validity period by 1 hour.

    Valid values: 1 to 20.

    Note
    • After the settings of O&M tokens are modified, you must apply for a new O&M token for the change to take effect.

    • If O&M review is enabled, O&M engineers cannot renew O&M tokens.

    Timeout Period for O&M Approval

    Specifies the time period after which an O&M application is automatically rejected. The value 0 specifies that an O&M application is never automatically rejected.

    Special Asset Accounts

    Allow Access to Hosts by Using Bastionhost Account and Password

    Specifies whether users can access hosts by using the account and password of a bastion host.

    This configuration is suitable for scenarios in which the bastion host account is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) servers, the host is in the same domain as the bastion host, and the username and password of the server account are the same as those of the bastion host.

    Allow Access to Hosts by Using Unauthorized Host Accounts

    Specifies whether users are allowed password-free access to hosts on which they do not have permissions. This parameter is selected by default.

    This configuration takes effect only when a user accesses hosts on which the user does not have permissions.

    • If a user does not have permissions to access a host, the user can find and select a host that has the user parameter unspecified. Then, the user can enter the username and password of the bastion host to access and perform O&M operations on the host.

    • If this parameter is cleared, the host account on which the user does not have permissions is not displayed in the asset list during O&M.

    Special Host Configuration

    Allow Host Fingerprinting

    This parameter is selected by default.

    A host fingerprint is a unique identifier that Bastionhost uses to identify a Linux host. A host fingerprint can be used to prevent unauthorized users from accessing hosts by redirecting traffic. We recommend that you select this parameter.

    Personalized Desktop Enabled

    This parameter is cleared by default.

    This configuration takes effect only for Windows hosts. If you select this parameter, users can use personalized desktops in Windows.

    Note

    Personalized desktops consume a large amount of bandwidth. Proceed with caution.

    Idle Timeout Interval

    The maximum duration of an idle O&M session. If the duration of an idle O&M session reaches the specified value, the session is automatically disconnected. This way, host resources are not consumed by idle O&M sessions.

    Valid values: 0 to 60. Unit: minutes. The value 0 indicates that the duration is not limited.

    Note

    In an idle O&M session, a user logs on to a host but does not perform O&M operations.

    Duration Limit

    Specifies the maximum total duration of O&M sessions. If the total duration reaches the specified value, ongoing sessions are automatically disconnected. Default value: 7 days.

    Valid values: 1 to 168 hours or 1 to 7 days.

    Note

    This parameter does not take effect if you perform O&M operations on databases.

    Duration to Lock Users Upon Session Blocking (Unit: Minutes)

    Specifies the period of time during which an O&M session can be interrupted by the administrator. During the specified period of time, users cannot perform O&M operations on any host.

    Valid values: 0 to 60. Unit: minutes. The value 0 indicates that the duration is not limited.
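
The following added example (not Bastionhost code or an Alibaba Cloud API) checks a hand-recorded snapshot of these settings against the valid ranges above, flags the values that this topic describes as unlimited or not recommended, and computes the longest time one O&M token can stay usable. All key names, the `approved_minutes` argument and the sample values are assumptions made for illustration.

```python
# Added example. Key names are hypothetical labels, not Bastionhost API fields.
RANGES = {  # (min, max) from the "Valid values" lines in the table above
    "token_validity_minutes": (1, 480),
    "token_renewal_count": (1, 20),
    "idle_timeout_minutes": (0, 60),
    "duration_limit_hours": (1, 168),
    "lock_duration_minutes": (0, 60),
}

def max_token_lifetime_minutes(cfg, approved_minutes=None):
    """Longest time one O&M token stays usable before a new application."""
    if cfg.get("review_enabled"):
        # With O&M review on, the approved validity applies and renewal is
        # not possible. Falling back to the configured value is an assumption.
        if approved_minutes is not None:
            return approved_minutes
        return cfg["token_validity_minutes"]
    renewals = cfg["token_renewal_count"] if cfg.get("token_renewal_allowed") else 0
    return cfg["token_validity_minutes"] + 60 * renewals  # 1 hour per renewal

def audit(cfg):
    """Return (key, message) findings for one settings snapshot."""
    findings = []
    for key, (lo, hi) in RANGES.items():
        if key == "token_renewal_count" and not cfg.get("token_renewal_allowed"):
            continue  # the count only matters when renewal is allowed
        value = cfg.get(key)
        if not isinstance(value, int) or not lo <= value <= hi:
            findings.append((key, f"{value!r} is outside {lo}..{hi}"))
    if cfg.get("idle_timeout_minutes") == 0:
        findings.append(("idle_timeout_minutes", "0: idle sessions are never disconnected"))
    if cfg.get("approval_timeout") == 0:
        findings.append(("approval_timeout", "0: applications are never auto-rejected"))
    if not cfg.get("host_fingerprinting", True):
        findings.append(("host_fingerprinting", "cleared, but this topic recommends selecting it"))
    if cfg.get("allow_unauthorized_host_accounts", True):
        findings.append(("allow_unauthorized_host_accounts", "selected (the default): review whether it is needed"))
    return findings

# Constructed sample snapshot, recorded by hand from the console for illustration.
SAMPLE = {
    "token_validity_minutes": 480, "token_renewal_allowed": True,
    "token_renewal_count": 20, "review_enabled": False, "approval_timeout": 0,
    "allow_unauthorized_host_accounts": True, "host_fingerprinting": False,
    "idle_timeout_minutes": 0, "duration_limit_hours": 168, "lock_duration_minutes": 30,
}

if __name__ == "__main__":
    print("max token lifetime (minutes):", max_token_lifetime_minutes(SAMPLE))
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```

With the maximum validity period and the maximum number of renewals, a single token remains usable for 1,680 minutes (28 hours) unless O&M review is enabled.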