The User Settings tab lets you control how users authenticate, how failed logon attempts are handled, password requirements, and what happens to inactive accounts. Configure these settings to harden your Bastionhost instance against unauthorized access.
Prerequisites
Before you begin, make sure you have:
A Bastionhost instance
Administrator access to the Bastionhost console
Configure user settings
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
In the Bastionhost instance list, find the target instance and click Manage.
In the left navigation pane, click System Settings.
On the User Settings tab, configure the parameters described in the following sections, then click Save.
User logon settings
Control which authentication methods users can use when logging on to the bastion host.
| Parameter | Description |
|---|---|
| Disable Password-based SSH Logon | When enabled, users must authenticate with a key pair or O&M token to perform O&M operations over SSH or through an SSH tunnel. Password-based SSH logon is blocked. |
| Disable SSH Public Key Authentication | When enabled, users must authenticate with a password or O&M token to perform O&M operations using SSH-based O&M tools or to access databases over an SSH tunnel. SSH public key authentication is blocked. |
| Disable CAPTCHA for private O&M portal | When enabled, a completely automated public Turing test to tell computers and humans apart (CAPTCHA) is skipped when a user logs on to the O&M portal through the private endpoint. CAPTCHAs are only triggered for logons over a public network. Enable this if users cannot reach the bastion host over the public endpoint. |
Logon lock configuration
Account lockout policy
Lock accounts after repeated failed logon attempts to protect against brute-force attacks.
| Parameter | Default | Valid values | Description |
|---|---|---|---|
| Account Lockout Threshold | 5 | 0–999 | Number of consecutive failed logon attempts before an account is locked. Set to 0 to never lock accounts. |
| Account Lockout Duration | 30 minutes | 0–10080 minutes | How long a locked account remains inaccessible. Set to 0 to keep the account locked until an administrator manually unlocks it. |
| Reset Account Lockout Counter After | 5 minutes | 0–10080 minutes | If the number of consecutive failed attempts stays below the threshold, the failure counter resets to 0 once this period has elapsed since the last failed attempt. |
How the counter reset works: If Account Lockout Threshold is 5 and Reset Account Lockout Counter After is 5 minutes, and a user fails their fourth logon attempt at 14:00:00 with no further failed attempts between 14:00:00 and 14:05:00, the counter resets to 0 at 14:05:00.
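As an added illustration (not part of this documentation and not Bastionhost's own code), the following Python function replays a list of failed-logon timestamps against the three parameters above and reports the failure counter and lock state at a given time. It assumes that attempts made while an account is locked are rejected without being counted, and that a reset period of 0 means the counter never resets on its own; both are assumptions, not statements from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    """Account lockout policy parameters; the defaults are the table's defaults."""
    threshold: int = 5        # Account Lockout Threshold, 0 = never lock
    duration_min: int = 30    # Account Lockout Duration, 0 = locked until admin unlocks
    reset_after_min: int = 5  # Reset Account Lockout Counter After


def lockout_state(policy: LockoutPolicy, failures: List[datetime],
                  now: datetime) -> Tuple[int, bool]:
    """Replay failed-logon timestamps and return (counter, locked) as of `now`.

    Hypothetical reconstruction of the documented rules, not Bastionhost code.
    Assumptions: attempts made while locked are rejected and not counted, and
    reset_after_min == 0 means the counter never resets on its own.
    """
    reset = timedelta(minutes=policy.reset_after_min)
    duration = timedelta(minutes=policy.duration_min)
    count: int = 0
    last: Optional[datetime] = None       # time of the most recent counted failure
    locked_at: Optional[datetime] = None  # time the lock was applied, if any

    def settle(t: datetime) -> None:
        """Apply lock expiry and the quiet-period counter reset as of time t."""
        nonlocal count, last, locked_at
        if locked_at is not None:
            if policy.duration_min and t - locked_at >= duration:
                count, last, locked_at = 0, None, None  # lockout expired
            return                                       # still locked: nothing to reset
        if last is not None and policy.reset_after_min and t - last >= reset:
            count, last = 0, None                        # quiet period elapsed

    for t in sorted(failures):
        settle(t)
        if locked_at is not None:
            continue                                     # rejected while locked
        count, last = count + 1, t
        if policy.threshold and count >= policy.threshold:
            locked_at = t                                # threshold reached: lock
    settle(now)
    return count, locked_at is not None
```

Feeding it the scenario from the paragraph above (fourth failure at 14:00:00, nothing after) shows the counter still at 4 at 14:04:59 and back at 0 at 14:05:00.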
IP lockout
Lock source IP addresses that repeatedly fail to log on.
| Parameter | Default | Valid values | Description |
|---|---|---|---|
| Account Lockout Threshold | 30 | — | Number of logon failures from the same source IP address before that IP is locked. Set to 0 to disable IP locking. |
| Reset Account Lockout Counter After | 5 | 1–10080 | Minutes before the logon failure counter for an IP address resets to 0. |
| IP addresses in blacklist | — | — | Displays all currently locked IP addresses. Locked IPs are never automatically unlocked — an administrator must manually unlock them before they can access the bastion host again. |
User password security settings
Set password expiration and reuse restrictions for local users.
| Parameter | Default | Valid values | Description |
|---|---|---|---|
| Password Validity Period | 0 days | 0–365 days | Number of days before a local user's password expires and a reset is required. Set to 0 so passwords never expire. Applies to local users only. |
| Password History | 5 | 0–30 | Number of previous passwords a user cannot reuse when resetting their password. Set to 0 to impose no reuse restrictions. |
User status settings
Detect and act on accounts that have not been used for a long time.
| Parameter | Default | Valid values | Description |
|---|---|---|---|
| Mark Inactive User Accounts | 0 days | 0–365 days | Number of days of inactivity after which an account is marked as Inactive. Set to 0 to disable this marking. |
| Automatically Lock Inactive User Accounts | 10 minutes | 10–1440 minutes or 1–24 hours | Interval at which the system checks for and automatically locks accounts that have been inactive for a long time. Locked users can only log on again after an administrator unlocks their accounts. |
| Automatic synchronization of status and information about AD- and LDAP-authenticated users | 240 minutes | 15–14400 minutes | How often Bastionhost syncs the configuration and status of users authenticated through Active Directory (AD) or Lightweight Directory Access Protocol (LDAP). |