This topic provides answers to commonly asked questions about Bastionhost.

Bastionhost adds features and improves the user experience through scheduled version updates. Features differ between versions of Bastionhost instances. For more information, see Versions and documents. FAQ is divided into the following sections based on different versions of Bastionhost instances:

Can I use a key pair for authentication when I log on to a Bastionhost instance in SSH mode?

Yes, you can use a key pair or a password for authentication when you log on to a Bastionhost instance in SSH mode over port 60022.

Can I directly connect to the IP address of an ECS instance after I purchase a Bastionhost instance?

By default, a Bastionhost instance does not apply any control policy to the IP addresses of ECS instances. If you have not configured an access control policy on the ECS instance, you can connect directly to the IP address of the ECS instance.
Note: To ensure the compliance and integrity of server O&M, we recommend that you configure access control policies to allow O&M on ECS instances only over Bastionhost.

What configurations are required if I want to allow O&M personnel to access ECS instances for O&M only from a Bastionhost instance?

You can configure a security group for the ECS instance to allow IP address-based access to the ECS instance only from a Bastionhost instance. Alternatively, you can save the logon credentials only in the Bastionhost instance, so that the ECS instance can be accessed only from the Bastionhost instance.
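The following added example (not part of the original documentation) audits inbound security group rules for paths that bypass Bastionhost. The rule records, their field names, the Bastionhost IP address 192.0.2.10 and the O&M ports 22 and 3389 are constructed assumptions, not output of a cloud API.

```python
import ipaddress

# Constructed sample data. The field names are a simplified, hypothetical
# representation of inbound security group rules, not a cloud API response.
BASTION_CIDRS = ["192.0.2.10/32"]   # assumed source IP of the Bastionhost instance
OM_PORTS = {22, 3389}               # assumed O&M ports on the ECS instance (SSH, RDP)

RULES = [
    {"policy": "accept", "ports": (22, 22), "source": "192.0.2.10/32"},
    {"policy": "accept", "ports": (3389, 3389), "source": "0.0.0.0/0"},
    {"policy": "accept", "ports": (1, 65535), "source": "10.0.0.0/8"},
    {"policy": "accept", "ports": (443, 443), "source": "0.0.0.0/0"},
    {"policy": "drop", "ports": (22, 22), "source": "0.0.0.0/0"},
]

def bypass_rules(rules, bastion_cidrs, om_ports):
    """Return (source, ports) for accept rules that open an O&M port to a
    source range not fully contained in the Bastionhost addresses.
    Rule priority is ignored: every accept rule is reported on its own."""
    allowed = [ipaddress.ip_network(c) for c in bastion_cidrs]
    findings = []
    for rule in rules:
        if rule["policy"] != "accept":
            continue
        low, high = rule["ports"]
        exposed = sorted(p for p in om_ports if low <= p <= high)
        if not exposed:
            continue  # rule does not touch an O&M port
        source = ipaddress.ip_network(rule["source"], strict=False)
        # Compliant only if the whole source range sits inside a Bastionhost CIDR.
        inside = any(source.version == a.version and source.subnet_of(a)
                     for a in allowed)
        if not inside:
            findings.append((rule["source"], exposed))
    return findings

if __name__ == "__main__":
    for source, ports in bypass_rules(RULES, BASTION_CIDRS, OM_PORTS):
        print(f"O&M ports {ports} reachable from {source} without Bastionhost")
```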

What do I do if an access failure message appears after I log on to a Bastionhost instance and attempt to access an ECS instance from this Bastionhost instance?

Check the firewall settings of the ECS instance and the security group to which the ECS instance belongs. Make sure that no access control rules are configured to prohibit access to the ECS instance for O&M from the Bastionhost instance.

What do I do if an error is reported when I use WinSCP to log on to an SFTP server?

Clear all options in the Directory reading options section of the WinSCP Login dialog box and then reconnect to the SFTP server.

What do I do if I am prompted to enter a password when I use a private key to access an ECS instance?

You can perform the following operations to troubleshoot the issue:
  • Check the type of your private key. You can access an ECS instance from your Bastionhost instance only by using an RSA private key that is generated by the ssh-keygen tool. The private key must not be protected by a password.
  • Check whether valid private key credentials are added to the required authorized groups.
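The first check above can be done offline by reading the key file header. The following added example (not part of the original documentation) reports the key type and whether the key is passphrase-protected for the two private key formats that ssh-keygen writes. The function names are hypothetical, and `make_sample` builds a header-only container with no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def pack_string(data):
    """Encode one SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data

def read_string(buf, off):
    """Decode one SSH wire-format string, return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Return (key_type, passphrase_protected) for an ssh-keygen key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN RSA PRIVATE KEY-----":
        # Legacy PEM: encryption is announced in a "Proc-Type" header line.
        return "ssh-rsa", any(l.startswith("Proc-Type:") and "ENCRYPTED" in l
                              for l in lines)
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return "unknown", None               # other formats are not handled here
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 container")
    cipher, off = read_string(blob, len(MAGIC))
    _kdf, off = read_string(blob, off)
    _kdf_options, off = read_string(blob, off)
    off += 4                                 # uint32 number of keys
    public_blob, off = read_string(blob, off)
    key_type, _ = read_string(public_blob, 0)
    return key_type.decode(), cipher != b"none"

def usable_with_bastionhost(text):
    """True only for an RSA key without a passphrase, as the FAQ requires."""
    key_type, protected = inspect_private_key(text)
    return key_type == "ssh-rsa" and protected is False

def make_sample(key_type, cipher):
    """Constructed header-only container (no real key material) for testing."""
    public_blob = pack_string(key_type) + pack_string(b"\x00" * 8)
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = (MAGIC + pack_string(cipher) + pack_string(kdf) + pack_string(b"")
            + struct.pack(">I", 1) + pack_string(public_blob))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```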

What do I do if I cannot access an ECS instance from my Bastionhost instance?

You can perform the following operations to troubleshoot the issue:
  • Check whether the security group rules of the target ECS instance are properly configured. Make sure that you can access O&M ports of the ECS instance from your Bastionhost instance.
  • Check whether access control limits, such as iptables, exist on the firewall of the ECS instance or other intermediate devices.
  • Check the port information that is used to access the ECS instance in Bastionhost. Make sure that the added credentials are valid.

How do I (O&M personnel) change the password to log on to a Bastionhost instance?

You can use one of the following methods to change the password to log on to a Bastionhost instance:
  • Contact the administrator of the Bastionhost instance.
  • Log on to the Bastionhost instance and change your logon password.

What ports are enabled for a Bastionhost instance? Can I change these ports?

The following ports are enabled for a Bastionhost instance by default:
  • HTTPS port 443 in a web console
  • SSH-compliant O&M port 60022
  • RDP-compliant O&M port 63389
Note: You cannot change these ports in Bastionhost V2 and V3.1. You can change these ports in Bastionhost V3.2.

How do I access an ECS instance from my Bastionhost instance by using an internal IP address?

You can use one of the following methods:
  • Import an ECS instance. By default, you can access the ECS instance by using an internal IP address. For more information, see Import ECS instances.
  • In the left-side navigation pane of the Bastionhost instance, choose Assets > Hosts. On the Hosts page, select the host whose O&M IP address you want to change, and select Modify O&M IP Address from the Batch drop-down list in the lower-left corner. In the Modify O&M IP Address dialog box, set Host IP Address Type to Private IP Address and click OK.

How do I configure my Bastionhost instance if I want to access an ECS instance by using a port other than the SSH- or RDP-compliant standard port?

Bastionhost instances support custom O&M ports. Perform the following operations to customize a port in Bastionhost: In the left-side navigation pane of the Bastionhost instance, choose Assets > Hosts. On the Hosts page, find the target host and select Modify O&M Port from the Batch drop-down list in the lower-left corner. In the Modify O&M Port dialog box, specify Protocol and Port and click OK.

How long can audit videos in a Bastionhost instance be stored?

Audit videos can be stored for more than half a year in OSS. When the storage space of Bastionhost is about to reach the limit, the earliest audit logs and videos will be automatically cleared.