This topic describes how to get started with Bastionhost as an administrator.
Administrator configuration processes
| Operation | Description | References |
| --- | --- | --- |
| Import assets on which you want to perform O&M operations to a bastion host. | The administrator adds the assets to the bastion host and creates an asset account. The assets include hosts, databases, and applications. | |
| Add a user to a bastion host. | After the administrator adds a user to a bastion host, an O&M administrator can log on to the bastion host as the user and perform O&M operations on assets. In the console of a bastion host, you can create local users and synchronize Resource Access Management (RAM) users and Active Directory (AD)-authenticated, Lightweight Directory Access Protocol (LDAP)-authenticated, or Identity as a Service (IDaaS)-authenticated users. Then, the O&M administrator can log on to the bastion host as the preceding users. | |
| Authorize the user to manage assets and asset accounts. | The administrator authorizes the user to perform O&M operations on specific hosts and host accounts. | Authorize users or user groups to manage assets and asset accounts |
| Obtain the O&M address of the bastion host and inform the O&M administrator of the O&M address. | The administrator must obtain the O&M address of the bastion host in the console of the bastion host and inform the O&M administrator of the O&M address. Then, the O&M administrator can perform O&M operations by using the O&M portal or a client. | |
| Audit O&M sessions. | The administrator can view audit information such as O&M logs and videos and block high-risk sessions in the bastion host. | |
Examples of Bastionhost
In this section, Alibaba Cloud Elastic Compute Service (ECS) instances and local users are used.
Step 1: Import ECS instances and manage the accounts of ECS instances
Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
In the bastion host list, find the bastion host that you want to manage and click Manage.
In the left-side navigation pane, choose .
On the Hosts page, choose . In the Select Region dialog box, select the region of the ECS instances that you want to import and click OK.

In the Import ECS Instances dialog box, select the ECS instances that you want to import and click Import.
Find the ECS instance for which you want to create a host account and click Create Host Account in the Actions column.

On the Create Host Account page, configure the logon parameters of the ECS instance and click Create. The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Protocol | The default protocol for Linux is SSH. The default protocol for Windows is Remote Desktop Protocol (RDP). |
| Logon Name | The username of the account that is used to log on to the ECS instance. |
| Authentication Type | Select Password. Note: If a key is required to log on to the ECS instance, select Private Key. Then, specify a key. If you select Shared Key, you can specify a key and associate the key with multiple host accounts at a time. This enables more efficient host account management. For more information, see Use the shared key feature. |
| Password | The password of the account that is used to log on to the ECS instance. You can click Verify to check whether the username and password that you specify for the host account are valid. For information about how to resolve password errors, see What do I do if an error is returned during password verification for a new host account in Bastionhost? |
| Enable Only SFTP Permission | By default, this parameter is disabled. If you enable this parameter, Secure Shell (SSH)-based logon is disabled for the account. |
Step 2: Add a user to a bastion host
In the left-side navigation pane, choose .
Choose Import Other Users > Create User.

In the Create User panel, configure the user information and click Create.
Step 3: Authorize the user to manage assets and asset accounts
On the Users page, find the user and click Authorize Hosts in the Actions column.

On the Managed Hosts tab, click Authorize Hosts.
In the Authorize Hosts panel, select the required hosts and click OK.
In the Authorized Accounts column, click No accounts found. Click here to authorize the user to manage the accounts of the asset group.

In the Select Account panel, select an account and click Update.
Step 4: Obtain the O&M address of the bastion host and inform the O&M administrator of the O&M address
In the left-side navigation pane, click Overview.
In the Bastion Host Information section, obtain the O&M address of the bastion host and inform the O&M administrator of the O&M address and the username and password used to log on to the bastion host.

Step 5: Audit O&M sessions
In the left-side navigation pane, click O&M Audit to view sessions. For more information, see O&M audit.
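The following Python model is added here as an illustration of the five administrator steps above; it is not Bastionhost code and does not call the Bastionhost API. It represents the same objects the console manages (hosts, host accounts, local users, host and account authorizations, and a session audit log) so that the authorization rules the steps imply can be exercised: a user must be authorized for a host before any of its accounts, a host authorization alone leaves the user in the "No accounts found" state, the account protocol defaults to SSH on Linux and RDP on Windows, and an account with Enable Only SFTP Permission refuses SSH logon while still allowing SFTP. The class names, function names, host IDs and usernames are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class HostAccount:
    logon_name: str
    protocol: str             # "SSH" (Linux default) or "RDP" (Windows default)
    auth_type: str            # "Password", "Private Key" or "Shared Key"
    sftp_only: bool = False   # the "Enable Only SFTP Permission" switch


@dataclass
class Host:
    host_id: str
    os_type: str              # "Linux" or "Windows"
    accounts: dict = field(default_factory=dict)   # logon name -> HostAccount


@dataclass
class User:
    username: str
    hosts: set = field(default_factory=set)        # host IDs the user may reach
    accounts: dict = field(default_factory=dict)   # host ID -> set of logon names


class Bastion:
    """In-memory stand-in for one bastion host instance (assumed structure, not the product API)."""

    def __init__(self):
        self.hosts = {}
        self.users = {}
        self.audit_log = []   # one record per attempted O&M session (Step 5)

    # Step 1: import assets and create host accounts
    def import_host(self, host_id, os_type):
        self.hosts[host_id] = Host(host_id, os_type)

    def create_host_account(self, host_id, logon_name, auth_type="Password", sftp_only=False):
        host = self.hosts[host_id]
        protocol = "RDP" if host.os_type == "Windows" else "SSH"   # console default per OS
        account = HostAccount(logon_name, protocol, auth_type, sftp_only)
        host.accounts[logon_name] = account
        return account

    # Step 2: add a local user
    def create_user(self, username):
        self.users[username] = User(username)

    # Step 3: authorize hosts first, then accounts on those hosts
    def authorize_hosts(self, username, host_ids):
        self.users[username].hosts.update(host_ids)

    def authorize_accounts(self, username, host_id, logon_names):
        user = self.users[username]
        if host_id not in user.hosts:
            raise PermissionError(f"{username} is not authorized for host {host_id}")
        unknown = set(logon_names) - set(self.hosts[host_id].accounts)
        if unknown:
            raise KeyError(f"no such host account(s) on {host_id}: {sorted(unknown)}")
        user.accounts.setdefault(host_id, set()).update(logon_names)

    # Step 5: every session decision is recorded so it can be audited later
    def check_session(self, username, host_id, logon_name, protocol):
        """Return (allowed, reason) for a requested O&M session and log the decision."""
        user = self.users.get(username)
        if user is None or host_id not in user.hosts:
            verdict = (False, "host not authorized for user")
        elif logon_name not in user.accounts.get(host_id, set()):
            verdict = (False, "no host account authorized")   # the "No accounts found" state
        else:
            account = self.hosts[host_id].accounts[logon_name]
            if protocol == "SFTP":
                verdict = ((True, "SFTP allowed on SSH account") if account.protocol == "SSH"
                           else (False, "SFTP requires an SSH host account"))
            elif account.sftp_only:
                verdict = (False, "account is SFTP-only; SSH logon disabled")
            elif protocol != account.protocol:
                verdict = (False, f"account protocol is {account.protocol}")
            else:
                verdict = (True, "authorized")
        self.audit_log.append({"user": username, "host": host_id, "account": logon_name,
                               "protocol": protocol, "allowed": verdict[0], "reason": verdict[1]})
        return verdict

    def sessions_for(self, username):
        return [r for r in self.audit_log if r["user"] == username]


def build_example():
    """Constructed walk-through of Steps 1 to 3 with made-up host IDs and users."""
    b = Bastion()
    b.import_host("i-linux-demo", "Linux")          # constructed ECS instance IDs
    b.import_host("i-windows-demo", "Windows")
    b.create_host_account("i-linux-demo", "ops", auth_type="Private Key")
    b.create_host_account("i-linux-demo", "transfer", sftp_only=True)
    b.create_host_account("i-windows-demo", "Administrator")
    b.create_user("alice")
    b.authorize_hosts("alice", ["i-linux-demo"])    # only the Linux host
    b.authorize_accounts("alice", "i-linux-demo", ["ops", "transfer"])
    return b


if __name__ == "__main__":
    b = build_example()
    for req in [("alice", "i-linux-demo", "ops", "SSH"),
                ("alice", "i-linux-demo", "transfer", "SSH"),
                ("alice", "i-linux-demo", "transfer", "SFTP"),
                ("alice", "i-windows-demo", "Administrator", "RDP")]:
        print(req, b.check_session(*req))
```

The `transfer` account is the interesting case: it shows why the SFTP-only switch is a useful least-privilege control for file-drop accounts, since a compromised or over-broad user authorization still cannot obtain a shell through it. The audit log records denied attempts as well as allowed ones, which is what you want to review when looking for users probing hosts or accounts they were not granted.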
