After a Bastionhost administrator adds a user for an O&M administrator on a bastion host instance, the O&M administrator can log on to the instance as the user. This topic describes how to add a user, modify the user information, lock or unlock a user, host the public key of a user, and delete a user on a bastion host instance.

User types

On a bastion host instance, you can import Alibaba Cloud Resource Access Management (RAM) users, create local users, and import Active Directory (AD)-authenticated or Lightweight Directory Access Protocol (LDAP)-authenticated users. The following table describes how to add different types of users.

User typeScenario
RAM userIf a RAM user is created for an O&M administrator, you can click Import RAM Users to import the RAM user. Then, the O&M administrator can use the RAM user to log on to the desired bastion host.
Local userYou can choose Import Other Users > Create User or Import Users from File to create local users for O&M administrators. Then, O&M administrators can use the accounts of the local users to log on to the desired bastion host.
AD-authenticated user or LDAP-authenticated userYou can configure AD or LDAP authentication on a bastion host and import an AD-authenticated user or LDAP-authenticated user to the bastion host. Then, an O&M administrator can use the AD-authenticated user or LDAP-authenticated user to log on to the bastion host.

Before you import the AD-authenticated user or LDAP-authenticated user, make sure that you configured AD or LDAP authentication. For more information, see Configure AD authentication or LDAP authentication.

Create users

You can import RAM users, create local users, and import AD-authenticated or LDAP-authenticated users based on your business requirements. Then, O&M administrators can use the RAM users, accounts of the local users, AD-authenticated users, or LDAP-authenticated users to log on the required bastion hosts.

Import RAM users

  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. On the Users page, click Import RAM Users.
  4. If no RAM user is created, click Create RAM User in the Import RAM Users dialog box and create a RAM user as prompted.
    For more information, see Create a RAM user.
  5. In the Import RAM Users dialog box, click Import in the Actions column of the RAM user that you want to import. If you want to import multiple RAM users at a time, select the RAM users that you want to import and click Import in the upper-left corner.
    Note To enable two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Enable an MFA device for an Alibaba Cloud account.

Create local users

  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Create a single local user or import multiple local users from a file based on the steps described in the following table.
    ScenarioProcedure
    Create a single local user
    1. Choose Import Other Users > Create User.
    2. In the Create User dialog box, configure the parameters and click Create.
      When you configure the user information, you must set Authentication Method to Local Authentication. In addition to configuring basic information, you can configure the following settings:
      • Select Users must reset the password at next logon: If you select this parameter, the local user must reset the password upon the next logon. This parameter is valid only for local users.
      • Specify Validity Period: After the validity period that you specified for the local user elapses, the status of the local user in the Status column is changed to Expired. An O&M administrator cannot use the local user to log on to the bastion host.
      • Configure Two-factor Authentication Methods: If you enable Two-factor Authentication Methods, the local user must enter a dynamic verification code that is sent by text message, email, or DingTalk after the local user enters the valid password. This helps reduce security risks.
        Note
        • If you enable Two-factor Authentication Methods for a local user, the local user must enter a dynamic verification code that is sent by text message or email when the local user attempts to log on to the required bastion host. Make sure that you enter the valid mobile phone number or email address of the local user. For more information about the countries and areas where SMS-based two-factor authentication is supported, see Supported countries and areas for SMS-based two-factor authentication.
        • The mobile phone number and email address that you entered are used only to receive verification codes or alert notifications.
        You can select one of the two items from the Two-factor Authentication Methods drop-down list:
        • For All Users: specifies that the global two-factor authentication methods are used. The global two-factor authentication methods are the two-factor authentication methods that you configure on the System Settings page. For more information, see Enable two-factor authentication.
        • For Single User: specifies that you must configure a separate two-factor authentication method for the local user. Bastionhost supports the following two-factor authentication methods:
          • Disable: specifies that two-factor authentication is disabled.
          • Text Message: specifies that two-factor authentication is implemented by using text messages. If you select this method, you must specify the mobile phone number of the local user.
          • Email: specifies that two-factor authentication is implemented by using emails. If you select this method, you must specify the email address of the local user.
          • DingTalk: specifies that two-factor authentication is implemented by using DingTalk notifications. If you select this method, you must specify the mobile phone number of the local user.
            Note If you select DingTalk when you enable two-factor authentication, make sure that the following requirements are met:
            • The mobile phone number of the user who performs O&M operations is specified. For more information, see Modify the information about a user.
            • An internal enterprise application is created by the DingTalk administrator, and the operation that is used to obtain member information based on the mobile phone numbers and names of the members is activated for the application.
            • The values of AppKey, AppSecret, and AgentId of the internal enterprise application are obtained.
          • OTP App: specifies that authentication is implemented by using the mobile OTP token of the current user. The user must bind the OTP token first.
            Note If you select this authentication method, you must download the standard TOTP authentication software, such as an Alibaba Cloud app. Then, log on to the Bastionhost O&M portal by using a public endpoint. In the left-side navigation pane, click Security Settings. On the Mobile OTP Token tab, click Set Token, and then scan the QR code to bind the OTP token for authentication. For more information about how to obtain the O&M addresses of a bastion host, see Homepage overview of a bastion host.
    Import multiple local users from a file
    1. Select Import Users from File from the Import Other Users drop-down list.
    2. Click Download User Template, download the user template package to your computer, and decompress the package. Then, enter the information about the local users that you want to import in a user template file, and save the information.
    3. In the Import Local Users dialog box, click Upload to upload the user template file that you edited.
    4. In the Preview dialog box, select the local users that you want to import and click Import.
    5. In the Import Local Users panel, confirm the information about the local users.

      If you select Users must reset the password at next logon, all imported local users must reset their passwords upon the next logon.

    6. Click Import Local Users.
    Note The local users that you want to import are displayed in a table. If some local users, for example, the first user, the third user, and the fifth user, share the same username, the bastion host imports only the fifth user. If a local user that you want to import shares the same username with an existing user in the bastion host, the information about the local user is not imported. You can click Details in the Import Local Users panel to view the information about the users that are not imported.
  4. Optional:If you want the bastion host to notify users of the O&M address, you must specify the mobile number or email address of the local users, and select Send O&M Addresses to User.

Import AD Users

  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Choose Import Other Users > Import AD Users.
  4. In the Import AD Users dialog box, click Import in the Actions column of the AD-authenticated user that you want to import. If you want to import multiple AD-authenticated users at a time, select the AD-authenticated users that you want to import and click Import in the lower-left corner.

Import one or more LDAP-authenticated users

  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Choose Import Other Users > Import LDAP Users.
  4. In the Import LDAP Users dialog box, click Import in the Actions column of the LDAP-authenticated user that you want to import. If you want to import multiple LDAP-authenticated users at a time, select the LDAP-authenticated users that you want to import and click Import in the lower-left corner.

Modify the information about a user

If the information about a user, such as the mobile phone number or email address, is changed, you must go to the console of the bastion host to which the user is imported to update the information at the earliest opportunity. Otherwise, the user may not receive verification codes and cannot log on to the bastion host. If the mobile phone number of the user is changed and is not updated in the bastion host in a timely manner, the user cannot log on to the bastion host because verification codes are sent to the previous mobile phone number.

Note You can modify the information only about local users, AD-authenticated users, and LDAP-authenticated users. You cannot modify the information about RAM users. For more information about how to modify the information about RAM users, see Modify the basic information about a RAM user.
  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Find the user whose information you want to modify and click the username.
  4. On the Basic Info tab, modify the user information and click Update.

Lock or unlock a user

If a user no longer needs a bastion host to perform O&M operations within a specific period of time, you can lock the user on the Users page. The locked user can no longer log on to or perform O&M operations on the hosts on which the user is granted permissions. If a locked user needs to perform O&M operations, you can unlock the user.

  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. On the Users page, select the user that you want to lock or unlock and click Lock or Unlock in the Batch drop-down list.
    Note The locking or unlocking operation immediately takes effect. Proceed with caution.
    The following list describes the locking and unlocking operations:
    • Lock: After the user is locked, the user can no longer log on to or perform O&M operations on the hosts on which the user is granted permissions. In the Status column of the user in the user list, the status changes from Normal to Locked. After the user is locked, you can still modify the basic information about the user, and authorize the user to manage specific hosts and host groups.
    • Unlock: After you unlock the user, the system sends you the message Unlock successfully. This indicates that the user is unlocked. The unlocked user can log on to or perform O&M operations on the hosts on which the user is granted permissions.

Host the public key of a user

You can configure a public key for a user to host the public key on a bastion host. Then, the user can use a private key to log on to the bastion host from an O&M client.

  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. In the user list, click the username of the user for which you want to configure a public key. On the User Details page, click the User Public Key tab and click Add SSH Public Key.
  4. In the Add SSH Public Key panel, configure the Public Key Name, Public Key, and Remarks parameters.
  5. Click Add SSH Public Key.
    After you configure the public key, the public key is hosted on the bastion host. You can view the public key in the public key list.

Delete a user

If a user no longer needs to perform O&M operations on hosts by using a bastion host, you can delete the user to reduce security risks.

  1. Log on to your bastion host. For more information, see Log on to the console of a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. In the user list, select the user that you want to delete and click Delete.