After a Bastionhost administrator adds a user for an O&M administrator, the O&M administrator can log on to the required bastion host as the user. This topic describes how to add a user, modify the user information, lock or unlock the user, host the public key of the user, and delete the user in the console of a bastion host.

User types

In the console of a bastion host, you can import Alibaba Cloud Resource Access Management (RAM) users, create local users, and import Active Directory (AD)-authenticated or Lightweight Directory Access Protocol (LDAP)-authenticated users. The following list describes how to add each type of user.

  • RAM user: If a RAM user is created for an O&M administrator, you can click Import RAM Users to import the RAM user. Then, the O&M administrator can use the RAM user to log on to the required bastion host.
  • Local user: You can choose Import Other Users > Create User or Import Other Users > Import Users from File to create accounts for O&M administrators. This allows O&M administrators to log on to the required bastion host.
  • AD-authenticated user: You can configure AD authentication on a bastion host and import an AD-authenticated user to the bastion host. Then, an O&M administrator can use the AD-authenticated user to log on to the bastion host.
    Before you import the AD-authenticated user, make sure that you have configured AD authentication. For more information, see Configure AD authentication.
  • LDAP-authenticated user: You can configure LDAP authentication on a bastion host and import an LDAP-authenticated user to the bastion host. Then, an O&M administrator can use the LDAP-authenticated user to log on to the bastion host.
    Before you import the LDAP-authenticated user, make sure that you have configured LDAP authentication. For more information, see Configure LDAP authentication.

Add users

You can import RAM users, create local users, and import AD-authenticated or LDAP-authenticated users based on your business requirements. Then, O&M administrators can use the RAM users, the accounts of the local users, the AD-authenticated users, or the LDAP-authenticated users to log on to the required bastion hosts.

Import one or more RAM users

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. On the Users page, click Import RAM Users.
  4. If no RAM user is created, click Create RAM User in the Import RAM Users dialog box and create a RAM user as prompted.
    For more information, see Create a RAM user.
  5. In the Import RAM Users dialog box, click Import in the Actions column of the RAM user that you want to import. If you want to import multiple RAM users at a time, select the RAM users that you want to import and click Import in the upper-left corner.

Create one or more local users

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Create a single local user or import multiple local users from a file, as described in the following procedures.
    Create a single local user
    1. Choose Import Other Users > Create User.
    2. In the Create User panel, configure the parameters and click Create.
      You can configure the basic information about the local user, such as Username, Password, User Group, and Remarks. You can also perform the following operations:
      • Select Users must reset the password at next logon: If you select this parameter, the local user must reset the password upon the next logon. This parameter is valid only for local users.
      • Specify Validity Period: After the validity period that you specified for the local user elapses, the status of the local user in the Status column is changed to Expired. An O&M administrator cannot use the local user to log on to the bastion host.
      • Configure Two-factor Authentication Methods: If you enable Two-factor Authentication Methods, the local user must enter a dynamic verification code that is sent by text message, email, or DingTalk after the local user enters the valid password. This helps reduce security risks.
        Note
        • If you enable Two-factor Authentication Methods for a local user, the local user must enter a dynamic verification code that is sent by text message or email when the local user attempts to log on to the required bastion host. Make sure that you enter the valid mobile phone number or email address of the local user. For more information about the countries and areas where SMS-based two-factor authentication is supported, see Supported countries and areas for SMS-based two-factor authentication.
        • The mobile phone number and email address that you entered are used only to receive verification codes or alert notifications.
        Valid values of Two-factor Authentication Methods:
        • For All Users: specifies that the global two-factor authentication methods are used. The global two-factor authentication methods are the two-factor authentication methods that you configure on the System Settings page. For more information, see Enable two-factor authentication.
        • For Single User: specifies that you must configure a separate two-factor authentication method for the local user. Bastionhost supports the following two-factor authentication methods:
          • Disable: specifies that two-factor authentication is disabled.
          • Text Message: specifies that two-factor authentication is implemented by using text messages. If you select this method, you must specify the mobile phone number of the local user.
          • Email: specifies that two-factor authentication is implemented by using emails. If you select this method, you must specify the email address of the local user.
          • DingTalk: specifies that two-factor authentication is implemented by using DingTalk notifications. If you select this method, you must specify the mobile phone number of the local user.
          Note If you select DingTalk when you enable two-factor authentication, make sure that the following requirements are met:
    Import multiple local users from a file
    1. Select Import Users from File from the Import Other Users drop-down list.
    2. Click Download User Template, download the user template package to your computer, and decompress the package. Then, enter the information about the local users that you want to import in a user template file, and save the information.
    3. In the Import Local Users dialog box, click Upload to upload the user template file that you edited.
    4. In the Preview dialog box, select the local users that you want to import and click Import.
    5. In the Import Local Users panel, confirm the information about the local users.

      If you select Users must reset the password at next logon, all imported local users must reset their passwords upon the next logon.

    6. Click Import Local Users.
    Note The local users that you want to import are displayed in a table. If some local users, for example, the first user, the third user, and the fifth user, share the same username, the bastion host imports only the fifth user. If a local user that you want to import shares the same username with an existing user in the bastion host, the information about the existing user is overwritten by the information about the local user that you want to import. You can click Details in the Import Local Users panel to view the information about the users that are not imported.

Import one or more AD-authenticated users

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Choose Import Other Users > Import AD Users.
  4. In the Import AD Users dialog box, click Import in the Actions column of the AD-authenticated user that you want to import. If you want to import multiple AD-authenticated users at a time, select the AD-authenticated users that you want to import and click Import in the upper-left corner.

Import one or more LDAP-authenticated users

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Choose Import Other Users > Import LDAP Users.
  4. In the Import LDAP Users dialog box, click Import in the Actions column of the LDAP-authenticated user that you want to import. If you want to import multiple LDAP-authenticated users at a time, select the LDAP-authenticated users that you want to import and click Import.

Modify user information

If the information about a user, such as the mobile phone number or email address, changes, update it in the console of the bastion host to which the user is imported as soon as possible. Otherwise, the user may not receive verification codes and cannot log on to the bastion host. For example, if the mobile phone number of the user changes but is not updated in the bastion host, verification codes are still sent to the previous mobile phone number and the user cannot log on.

Note You can modify the information only about local users, AD-authenticated users, and LDAP-authenticated users. You cannot modify the information about RAM users. For more information about how to modify the information about RAM users, see Modify the basic information about a RAM user.
  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. Find the user whose information you want to modify and click the username.
  4. On the Basic Info tab, modify the user information and click Update.

Lock or unlock a user

If a user no longer needs a bastion host to perform O&M operations within a specific period of time, you can lock the user on the Users page. The locked user can no longer log on to or perform O&M operations on the hosts on which the user is granted permissions. If a locked user needs to perform O&M operations, you can unlock the user.

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. On the Users page, select the user that you want to lock or unlock and then click Lock or Unlock.
    Notice The locking or unlocking operation immediately takes effect. Proceed with caution.
    The following list describes the locking and unlocking operations:
    • Lock: After the user is locked, the user can no longer log on to or perform O&M operations on the hosts on which the user is granted permissions. In the Status column of the user in the user list, the status changes from Normal to Locked. After the user is locked, you can still modify the basic information about the user, and authorize the user to manage specific hosts and host groups.
    • Unlock: After you unlock the user, the system sends you the message Unlock successfully. This indicates that the user is unlocked. The unlocked user can log on to or perform O&M operations on the hosts on which the user is granted permissions.

Host the public key of a user

You can host the SSH public key of a user on a bastion host. The user can then use the matching private key to log on to the bastion host from an O&M client.

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. In the user list, click the username of the user for which you want to configure a public key. On the User Details page, click the User Public Key tab and click Add SSH Public Key.
  4. In the Add SSH Public Key panel, configure the Public Key Name, Public Key, and Remarks parameters.
  5. Click Add SSH Public Key.
    After you configure the public key, the public key is hosted on the bastion host. You can view the public key in the public key list.
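Before you paste a key into the Add SSH Public Key panel, it is worth checking that what the user sent is a well-formed public key of an acceptable type and size, and not a private key. The following check is an added example, not part of this topic or of Bastionhost; it assumes the key is supplied as a single OpenSSH public key line (the ".pub" file format), and the accepted key types and minimum RSA size are an assumed policy, not a Bastionhost requirement.

```python
import base64
import struct
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa"}  # assumed policy for this example, not Bastionhost's
MIN_RSA_BITS = 2048                          # likewise an assumption

def _ssh_string(data):  # encode an SSH 'string': uint32 big-endian length + payload
    return struct.pack(">I", len(data)) + data
def _read_ssh_string(blob, offset):  # decode one SSH 'string'; return (payload, next_offset)
    (length,) = struct.unpack_from(">I", blob, offset)  # struct.error if truncated
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key(line):
    """Validate one OpenSSH public key line; return {type, bits, comment} or raise."""
    keytype, b64, comment = (line.split(None, 2) + ["", "", ""])[:3]
    if keytype not in ACCEPTED_TYPES:  # also rejects a pasted PEM block ('-----BEGIN ...')
        raise ValueError(f"key type {keytype!r} not accepted; paste the .pub line, never a private key")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    inner_type, off = _read_ssh_string(blob, 0)
    if inner_type != keytype.encode():
        raise ValueError("type prefix does not match the encoded blob")
    if keytype == "ssh-rsa":
        _e, off = _read_ssh_string(blob, off)  # public exponent (mpint)
        n, off = _read_ssh_string(blob, off)  # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is {bits} bits; minimum is {MIN_RSA_BITS}")
    else:
        pub, off = _read_ssh_string(blob, off)  # raw 32-byte ed25519 point
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    return {"type": keytype, "bits": bits, "comment": comment.strip()}
def rejection_reason(line):  # '' if the line passes, else the rejection message
    try:
        check_public_key(line)
        return ""
    except (ValueError, struct.error) as exc:
        return str(exc)

def build_sample_line(keytype, parts, comment):  # constructed test data, not a real key
    blob = b"".join(_ssh_string(p) for p in (keytype.encode(), *parts))
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"
SAMPLE_ED25519 = build_sample_line("ssh-ed25519", [b"\x11" * 32], "ops-admin@constructed")
SAMPLE_WEAK_RSA = build_sample_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + b"\xff" * 128], "1024-bit")
```

Running `rejection_reason` on each line a user submits gives you a reason to send back (wrong type, undersized RSA modulus, corrupted blob, or a private key pasted by mistake) before anything is stored on the bastion host.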

Delete a user

If a user no longer needs to perform O&M operations on hosts by using a bastion host, you can delete the user to reduce security risks.

  1. Log on to your bastion host. For more information, see Log on to a bastion host.
  2. In the left-side navigation pane, choose Users > Users.
  3. In the user list, select the user that you want to delete and click Delete.