Bastionhost provides O&M settings that control how O&M sessions are established and how long they may stay open. The settings include Special Asset Accounts, Special Host Configuration, Duration Limit, Idle Timeout Interval, and Duration to Lock Users Upon Session Blocking. Configure them based on your business requirements to limit the exposure of your hosts and to keep idle or forgotten sessions from wasting host resources. This topic describes how to configure O&M settings.
Procedure
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, click System Settings.
On the O&M Configuration tab, configure the parameters and click Save.
The parameters on the O&M Configuration tab are grouped by section and described below.
O&M Token
Validity Period of O&M Token
Specifies the period during which an O&M token can be reused after it is issued. After the period elapses, you must apply for a new O&M token.
Valid values: 1 to 480 minutes or 1 to 8 hours.
Note: If O&M review is enabled, the validity period that the Bastionhost administrator approves takes effect.
Changes to O&M token settings apply only to tokens issued after the change. Apply for a new O&M token for the change to take effect.
O&M Token Renewal
Specifies whether O&M engineers can renew O&M tokens and how many times a token can be renewed. Each renewal extends the validity period by 1 hour.
Valid values: 1 to 20.
Note: Changes to O&M token settings apply only to tokens issued after the change. Apply for a new O&M token for the change to take effect.
If O&M review is enabled, O&M engineers cannot renew O&M tokens.
Timeout Period for O&M Approval
Specifies the period after which a pending O&M application is automatically rejected. The value 0 specifies that O&M applications are never automatically rejected. With the value 0, an application remains pending, and approvable, indefinitely, so set a finite timeout unless your approval workflow requires otherwise.
Special Asset Accounts
Allow Access to Hosts by Using Bastionhost Account and Password
Specifies whether users can log on to hosts by using their Bastionhost account and password.
This setting is intended for deployments in which Bastionhost accounts are imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) servers, the hosts are in the same domain as the bastion host, and the host account has the same username and password as the Bastionhost account. Because the user's Bastionhost credentials are used to authenticate to the host, select this parameter only when the two accounts are in fact the same directory account.
Allow Access to Hosts by Using Unauthorized Host Accounts
Specifies whether users can access hosts by using host accounts for which they have not been authorized in Bastionhost. This parameter is selected by default.
This configuration takes effect only when a user accesses a host on which the user has no authorized host account.
If this parameter is selected, a user who has no permissions on a host can still find and select the host, whose host account is then left unspecified, and enter a username and password for the host to log on and perform O&M operations.
If this parameter is cleared, host accounts for which the user has no permissions are not displayed in the asset list during O&M.
Selecting this parameter weakens account-level authorization: any user who can log on to the bastion host and knows a valid credential for a host can reach that host. Clear it unless manual credential entry is required.
Special Host Configuration
Allow Host Fingerprinting
This parameter is selected by default.
A host fingerprint is a unique identifier that Bastionhost uses to identify a Linux host. When fingerprinting is enabled, a host that does not present the recorded fingerprint is not treated as the expected host, which prevents unauthorized users from hijacking host access by redirecting traffic to a different machine. We recommend that you keep this parameter selected.
Personalized Desktop Enabled
This parameter is cleared by default.
This configuration takes effect only for Windows hosts. If you select this parameter, users can use personalized desktops in Windows.
Note: Personalized desktops consume a large amount of bandwidth. Proceed with caution.
Idle Timeout Interval
The maximum time an O&M session may remain idle. When a session has been idle for the specified duration, it is automatically disconnected so that idle sessions do not consume host resources.
Valid values: 0 to 60. Unit: minutes. The value 0 indicates that idle sessions are never disconnected, which leaves unattended sessions open indefinitely.
Note: A session is idle when the user is logged on to a host but performs no O&M operations.
Duration Limit
Specifies the maximum duration of an O&M session. When a session reaches the specified duration, it is automatically disconnected. Default value: 7 days.
Valid values: 1 to 168 hours or 1 to 7 days.
Note: This parameter does not take effect for database O&M sessions.
Duration to Lock Users Upon Session Blocking (Unit: Minutes)
Specifies how long a user is locked out after an administrator blocks (interrupts) the user's O&M session. While the lock is in effect, the user cannot perform O&M operations on any host.
Valid values: 0 to 60. Unit: minutes. The value 0 indicates that the lock duration is not limited.
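Host fingerprinting, as described under Allow Host Fingerprinting above, works like SSH host-key pinning: the identifier recorded for a host is compared with the one the host presents on each connection, and a mismatch means the session may have been redirected to a different machine. The following Python example is added here to illustrate that mechanism; it is not Bastionhost's code, and it assumes the fingerprint is the SHA256 fingerprint of the host's SSH public key (the page does not say how Bastionhost derives its fingerprint). The host names and key material are constructed for the example and are not real keys.

```python
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Wrap 32 raw bytes in the OpenSSH ssh-ed25519 public-key line format.

    Used only to construct sample input; the bytes are arbitrary, not a real key.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style fingerprint of a public-key line.

    This is SHA256 over the base64-decoded key blob, base64-encoded without
    padding and prefixed with 'SHA256:', the same form ssh-keygen -l prints.
    """
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(host: str, presented_key_line: str, pins: dict) -> str:
    """Compare the fingerprint a host presents with the pinned one.

    Returns 'match', 'mismatch' (the session may have been redirected to another
    machine) or 'unknown' (no fingerprint has been recorded for this host yet).
    """
    pinned = pins.get(host)
    if pinned is None:
        return "unknown"
    return "match" if fingerprint(presented_key_line) == pinned else "mismatch"


# Constructed sample data (hypothetical host names, arbitrary key bytes).
GOOD_KEY = make_ed25519_pubkey_line(bytes(range(32)), "app-01 genuine host key")
ROGUE_KEY = make_ed25519_pubkey_line(bytes(range(32, 64)), "key of a different machine")

# Fingerprint recorded when the host was first onboarded.
PINS = {"app-01.example.internal": fingerprint(GOOD_KEY)}


def demo() -> dict:
    """Run the three cases a fingerprint check has to handle."""
    return {
        "genuine": check_host("app-01.example.internal", GOOD_KEY, PINS),
        "redirected": check_host("app-01.example.internal", ROGUE_KEY, PINS),
        "unpinned": check_host("db-02.example.internal", GOOD_KEY, PINS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "unknown" result is the case to watch: a host with no recorded fingerprint cannot be protected against redirection, so a pin must be recorded when the host is onboarded, over a path you trust, before the check has any value. The `fingerprint` function produces the same string as `ssh-keygen -l -E sha256 -f <pubkey file>` for a real key, so recorded values can be cross-checked on the host itself.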