After a Bastionhost administrator adds a user for an O&M administrator, the O&M administrator
can log on to the required bastion host as the user. This topic describes how to add
a user, modify the user information, lock or unlock the user, host the public key
of the user, and delete the user in the console of a bastion host.
User types
In the console of a bastion host, you can import Alibaba Cloud Resource Access Management
(RAM) users, create local users, and import Active Directory (AD)-authenticated or
Lightweight Directory Access Protocol (LDAP)-authenticated users. The following table
describes how to add different types of users.
User type |
Scenario |
RAM user |
If a RAM user is created for an O&M administrator, you can click Import RAM Users
to import the RAM use. Then, the O&M administrator can use the RAM user to log on
to the required bastion host.
|
Local user |
You can choose Import Other Users > Create User or Import Other Users > Import Users
from File to create accounts for O&M administrators. This allows O&M administrators
to log on to the required bastion host.
|
AD-authenticated user |
You can configure AD authentication on a bastion host and import an AD-authenticated
user to the bastion host. Then, an O&M administrator can use the AD-authenticated
user to log on to the bastion host.
Before you import the AD-authenticated user, make sure that you configured AD authentication.
For more information, see Configure AD authentication.
|
LDAP-authenticated user |
You can configure LDAP authentication on a bastion host and import an LDAP-authenticated
user to the bastion host. Then, an O&M administrator can use the LDAP-authenticated
user to log on to the bastion host.
Before you import the LDAP-authenticated user, make sure that you configured LDAP
authentication. For more information, see Configure LDAP authentication.
|
Add users
You can import RAM users, create local users, and import AD-authenticated or LDAP-authenticated
users based on your business requirements. Then, O&M administrators can use the RAM
users, accounts of the local users, AD-authenticated users, or LDAP-authenticated
users to log on the required bastion hosts.
Import one or more RAM users
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- On the Users page, click Import RAM Users.
- If no RAM user is created, click Create RAM User in the Import RAM Users dialog box and create a RAM user as prompted.
- In the Import RAM Users dialog box, click Import in the Actions column of the RAM user that you want to import. If you want to import multiple RAM
users at a time, select the RAM users that you want to import and click Import in the upper-left corner.
Create one or more local users
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- Create a single local user or import multiple local users from a file based on the
steps described in the following table.
Scenario |
Procedure |
Create a single local user |
- Choose .
- In the Create User panel, configure the parameters and click Create.
You can configure the basic information about the local user, such as Username, Password, User Group, and Remarks. You can also perform the following operations:
- Select Users must reset the password at next logon: If you select this parameter, the local user must reset the password upon the next
logon. This parameter is valid only for local users.
- Specify Validity Period: After the validity period that you specified for the local user elapses, the status
of the local user in the Status column is changed to Expired. An O&M administrator cannot use the local user to log on to the bastion host.
- Configure Two-factor Authentication Methods: If you enable Two-factor Authentication Methods, the local user must enter a dynamic
verification code that is sent by text message, email, or DingTalk after the local
user enters the valid password. This helps reduce security risks.
Note
- If you enable Two-factor Authentication Methods for a local user, the local user must
enter a dynamic verification code that is sent by text message or email when the local
user attempts to log on to the required bastion host. Make sure that you enter the
valid mobile phone number or email address of the local user. For more information
about the countries and areas where SMS-based two-factor authentication is supported,
see Supported countries and areas for SMS-based two-factor authentication.
- The mobile phone number and email address that you entered are used only to receive
verification codes or alert notifications.
Valid values of Two-factor Authentication Methods:
- For All Users: specifies that the global two-factor authentication methods are used. The global
two-factor authentication methods are the two-factor authentication methods that you
configure on the System Settings page. For more information, see Enable two-factor authentication.
- For Single User: specifies that you must configure a separate two-factor authentication method for
the local user. Bastionhost supports the following two-factor authentication methods:
- Disable: specifies that two-factor authentication is disabled.
- Text Message: specifies that two-factor authentication is implemented by using text messages.
If you select this method, you must specify the mobile phone number of the local user.
- Email: specifies that two-factor authentication is implemented by using emails. If you
select this method, you must specify the email address of the local user.
- DingTalk: specifies that two-factor authentication is implemented by using DingTalk notifications.
If you select this method, you must specify the mobile phone number of the local user.
Note If you select DingTalk when you enable two-factor authentication, make sure that the
following requirements are met:
|
Import multiple local users from a file |
- Select Import Users from File from the Import Other Users drop-down list.
- Click Download User Template, download the user template package to your computer, and decompress the package.
Then, enter the information about the local users that you want to import in a user
template file, and save the information.
- In the Import Local Users dialog box, click Upload to upload the user template file that you edited.
- In the Preview dialog box, select the local users that you want to import and click Import.
- In the Import Local Users panel, confirm the information about the local users.
If you select Users must reset the password at next logon, all imported local users must reset their passwords upon the next logon.
- Click Import Local Users.
Note The local users that you want to import are displayed in a table. If some local users,
for example, the first user, the third user, and the fifth user, share the same username,
the bastion host imports only the fifth user. If a local user that you want to import
shares the same username with an existing user in the bastion host, the information
about the existing user is overwritten by the information about the local user that
you want to import. You can click Details in the Import Local Users panel to view the information about the users that are not imported.
|
Import one or more AD-authenticated users
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- Choose .
- In the Import AD Users dialog box, click Import in the Actions column of the AD-authenticated user that you want to import. If you want to import
multiple AD-authenticated users at a time, select the AD-authenticated users that
you want to import and click Import in the upper-left corner.
Import one or more LDAP-authenticated users
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- Choose .
- In the Import LDAP Users dialog box, click Import in the Actions column of the LDAP-authenticated user that you want to import. If you want to import
multiple LDAP-authenticated users at a time, select the LDAP-authenticated users that
you want to import and click Import.
Modify user information
If the information about a user, such as the mobile phone number or email address,
is changed, you must go to the console of the bastion host to which the user is imported
to update the information at the earliest opportunity. Otherwise, the user may not
receive verification codes and cannot log on to the bastion host. If the mobile phone
number of the user is changed and is not updated in the bastion host in a timely manner,
the user cannot log on to the bastion host because verification codes are sent to
the previous mobile phone number.
Note You can modify the information only about local users, AD-authenticated users, and
LDAP-authenticated users. You cannot modify the information about RAM users. For more
information about how to modify the information about RAM users, see
Modify the basic information about a RAM user.
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- Find the user whose information you want to modify and click the username.
- On the Basic Info tab, modify the user information and click Update.
Lock or unlock a user
If a user no longer needs a bastion host to perform O&M operations within a specific
period of time, you can lock the user on the Users page. The locked user can no longer
log on to or perform O&M operations on the hosts on which the user is granted permissions.
If a locked user needs to perform O&M operations, you can unlock the user.
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- On the Users page, select the user that you want to lock or unlock and then click Lock or Unlock.
Notice The locking or unlocking operation immediately takes effect. Proceed with caution.
The following list describes the locking and unlocking operations:
- Lock: After the user is locked, the user can no longer log on to or perform O&M operations
on the hosts on which the user is granted permissions. In the Status column of the user in the user list, the status changes from Normal to Locked. After the user is locked, you can still modify the basic information about the user,
and authorize the user to manage specific hosts and host groups.
- Unlock: After you unlock the user, the system sends you the message Unlock successfully. This indicates that the user is unlocked. The unlocked user can log on to or perform
O&M operations on the hosts on which the user is granted permissions.
Host the public key of a user
You can configure a public key for a user to host the public key on a bastion host.
Then, the user can use a private key to log on to the bastion host from an O&M client.
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- In the user list, click the username of the user for which you want to configure a
public key. On the User Details page, click the User Public Key tab and click Add SSH Public Key.
- In the Add SSH Public Key panel, configure the Public Key Name, Public Key, and Remarks parameters.
- Click Add SSH Public Key.
After you configure the public key, the public key is hosted on the bastion host.
You can view the public key in the public key list.
Delete a user
If a user no longer needs to perform O&M operations on hosts by using a bastion host,
you can delete the user to reduce security risks.
- Log on to your bastion host. For more information, see Log on to a bastion host.
- In the left-side navigation pane, choose .
- In the user list, select the user that you want to delete and click Delete.