Logging on to Bastionhost
Can I use a key pair to log on to Bastionhost in SSH mode?
Yes. You can log on to Bastionhost over SSH on port 60022 using either a key pair or a password.
To configure key pair authentication for a user, see Manage public keys of users.
To log on over SSH, see O&M over SSH (Windows) or O&M over SSH (Mac).
Can I still log on with a key pair after my password expires?
Yes. Key pair logon works regardless of whether your password has expired.
How do I change my Bastionhost logon password?
As an O&M engineer, you have two options:
Self-service: Log on to Bastionhost and change your password. See Security policies for O&M engineers.
Contact the administrator: Ask the Bastionhost administrator to reset your password.
Bastionhost accessing ECS instances
Why am I prompted to enter a password after I configure key pair authentication?
Bastionhost tries key pair authentication first when connecting to an Elastic Compute Service (ECS) instance. If key pair authentication fails, it falls back to password authentication automatically.
The most common cause is a misconfigured private key. Ensure that the private key is correctly configured on your bastion host and verify that you can access the server with this private key. See Configure SSH private key authentication.
If no password is configured for the host account, the fallback to password authentication prompts for the ECS instance's system password, not a Bastionhost password.
How do I generate a key pair and configure key pair authentication for an ECS instance?
Bastionhost supports RSA and Ed25519 key pairs. The following example generates an RSA key pair for the root account.
On the ECS instance, switch to the .ssh directory:
    cd ~/.ssh/
Generate an RSA key pair in PEM format:
    ssh-keygen -t RSA -m PEM
This creates two files in the current directory: id_rsa (private key) and id_rsa.pub (public key).
Copy the private key id_rsa to the host account on your bastion host. See Configure host accounts.
Copy the public key to authorized_keys:
    cp id_rsa.pub authorized_keys
When creating a host account using the CreateHostAccount API operation, encode the key pair value in Base64.
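The key pair steps and the Base64 requirement above, combined into an added example that is not part of the Bastionhost documentation: it checks that a private key file has a recognised format, confirms that its public half is listed in authorized_keys, and prints the key as one Base64 line. The function names are hypothetical, and that the value to encode is the private key file is an assumption.

```bash
#!/bin/sh
# Added example: checks to run on a private key before storing it on a
# Bastionhost host account. Function names and paths are assumptions.

# Report the container format of a private key file from its first line.
# `ssh-keygen -t RSA -m PEM` writes the "RSA PRIVATE KEY" form.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN PRIVATE KEY-----")         echo pkcs8 ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# Succeed only if the public half of private key $1 is listed in the
# authorized_keys file $2. Compares "type blob" and ignores the comment field.
# ssh-keygen asks for the passphrase if the key has one.
key_is_authorized() {
    kia_pub=$(ssh-keygen -y -f "$1" | awk '{print $1, $2}')
    [ -n "$kia_pub" ] && grep -qF -- "$kia_pub" "$2"
}

# Print the key file as one unwrapped Base64 line, the encoding the page
# asks for with CreateHostAccount. Treat the output as a secret.
encode_for_api() {
    base64 < "$1" | tr -d '\n'
}

# Run both checks; prints the detected format on success.
preflight() {   # usage: preflight <private-key> <authorized_keys>
    pf_fmt=$(key_format "$1")
    if [ "$pf_fmt" = unknown ]; then
        echo "$1: not a recognised private key file" >&2; return 1
    fi
    if ! key_is_authorized "$1" "$2"; then
        echo "$1: public key not found in $2" >&2; return 1
    fi
    echo "$pf_fmt"
}
```

On the ECS instance, preflight ~/.ssh/id_rsa ~/.ssh/authorized_keys fails when the private key and authorized_keys do not belong together, which is the situation that makes Bastionhost fall back to a password prompt.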