
Bastionhost: Manage host accounts

Last Updated: Mar 31, 2026

After adding a host to Bastionhost, register the host's existing OS accounts in Bastionhost. Grant users access to those accounts to enable password-free logon.

Note

Bastionhost stores host account credentials locally and does not sync them back to the server or ECS instance.

Prerequisites

Before you begin, make sure that:

  • The target host is already added to Bastionhost

  • The OS account you want to register already exists on the server — Bastionhost does not create OS accounts, it only manages credentials for accounts that exist on the host

Create a host account

Create an account for a single host

  1. Log on to the Bastionhost console. For details, see Log on to the system.

  2. In the left navigation pane, choose Assets > Hosts.

  3. In the Operations column of the target host, click Create Host Account.

  4. In the Create Host Account panel, set the following parameters and click Create.

    | Parameter | Required | Description |
    |---|---|---|
    | Protocol | Yes | The protocol used to connect to the host. Supported: SSH. |
    | Logon Name | Yes | The username of the OS account on the server. |
    | Authentication Type | Yes | How Bastionhost authenticates to the host. See Authentication types below. |
    | Privileged Account | No | Marks this account as a privileged account. A privileged account can change passwords of standard accounts during a password change task. Only SSH protocol accounts support this. If your instance was upgraded from a version earlier than V3.2.47, accounts named root and administrator are automatically identified as privileged accounts after the upgrade. For accounts created after the upgrade, select this checkbox manually. |
    | Enable Only SFTP Permission | No | Restricts this account to Secure File Transfer Protocol (SFTP) only; it cannot be used for SSH logon. Configure with caution. |
    | Use Privileged Account to Change Password | No | When a password change task runs for this account, Bastionhost uses the host's privileged account to perform the change. The privileged account and its password must already be registered in Bastionhost. Only SSH protocol accounts support this. |


  5. (Optional) Click Verify to test the username and password of the account. If verification fails, see Issues related to connecting to a server from Bastionhost.

Create accounts for multiple hosts

  1. Log on to the Bastionhost console. For details, see Log on to the system.

  2. In the left navigation pane, choose Assets > Hosts.

  3. In the Hosts list, select the hosts for which you want to create accounts.

  4. At the bottom of the list, choose Batch > Host Account > Add Account.


  5. In the Add Account dialog box, set Authentication Type, Protocol, and Logon Name, then click OK.

Note

When creating an account with the SSH protocol, enable Enable Only SFTP Permission to restrict the account to SFTP only. That account cannot be used for SSH logon.

For batch operations via API or file import, see Host accounts (Supported only in V3.2.17 and later).

Authentication types

Bastionhost supports three authentication types for host accounts:

Password

Bastionhost authenticates to the host using the account's username and password. Validating the password confirms the validity of the managed account.

If password validation fails, see Issues related to connecting to a server from Bastionhost.

Private key

Bastionhost authenticates using a private key you upload. When a user connects, Bastionhost uses the private key to authenticate to the target server. The server verifies authentication against the public key.

Supported key formats:

  • Keys generated with ssh-keygen -m PEM -t rsa

  • Ed25519 keys
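A pre-upload check for the two listed formats, added here as an example and not part of the Bastionhost documentation or product: it reports whether a private key file is PEM-encoded RSA or Ed25519, which catches RSA keys that ssh-keygen wrote in the OpenSSH container because `-m PEM` was omitted. The function names and the "not listed" label are assumptions of this example (the page does not say how Bastionhost treats other formats), and the sample keys are constructed and non-functional.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire string (uint32 length, then bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return 'rsa-pem', 'ed25519', or 'not listed: <reason>' for a private key file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return "not listed: empty file"
    if lines[0] == "-----BEGIN RSA PRIVATE KEY-----":
        return "rsa-pem"  # what `ssh-keygen -m PEM -t rsa` writes
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return "not listed: unrecognised header"
    try:
        blob = base64.b64decode("".join(lines[1:-1]), validate=True)
        if not blob.startswith(OPENSSH_MAGIC):
            return "not listed: bad OpenSSH magic"
        off = len(OPENSSH_MAGIC)
        for _ in range(3):  # skip ciphername, kdfname, kdfoptions
            _, off = _read_string(blob, off)
        pub, _ = _read_string(blob, off + 4)  # +4 skips the key count
        ktype, _ = _read_string(pub, 0)
    except (ValueError, struct.error):
        return "not listed: malformed OpenSSH key"
    if ktype == b"ssh-ed25519":
        return "ed25519"
    return "not listed: %s key in OpenSSH format" % ktype.decode("ascii", "replace")

def constructed_openssh_key(ktype):
    """CONSTRUCTED sample: a non-functional container with a zeroed public blob."""
    s = lambda b: struct.pack(">I", len(b)) + b
    pub = s(ktype) + s(b"\x00" * 32)
    blob = (OPENSSH_MAGIC + s(b"none") + s(b"none") + s(b"")
            + struct.pack(">I", 1) + s(pub) + s(b""))
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for kt in (b"ssh-ed25519", b"ssh-rsa"):
        print(kt.decode(), "->", classify_private_key(constructed_openssh_key(kt)))
```
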

Shared key

Multiple host accounts share the same public-private key pair. Select an existing shared key that is already configured in Bastionhost. To configure a shared key, see Shared keys.

Use this type when multiple accounts use the same key pair for authentication.

Note

When exporting hosts, you can choose whether to include password or key details. For details, see Export the host list.

Modify a host account

  1. Log on to the Bastionhost console. For details, see Log on to the system.

  2. In the left navigation pane, choose Assets > Hosts.

  3. On the Hosts page, find the host and click its name.

  4. On the Host Account tab, click the username of the account you want to edit.

  5. In the Edit Host Account panel, update the account information and click Save.

Delete a host account

  1. Log on to the Bastionhost console. For details, see Log on to the system.

  2. In the left navigation pane, choose Assets > Hosts.

  3. On the Hosts page, find the host and click its name.

  4. On the Host Account tab, select the account and click Delete at the bottom of the list.

  5. In the confirmation dialog box, click Delete.

Usage notes

By default, Bastionhost enables Allow Access to Hosts by Using Unauthorized Host Accounts. This allows users to attempt logon to a server by manually entering a username and password, even if they have not been granted permissions on any registered host account.

To require users to log on only with accounts for which they have been explicitly granted permissions, disable this option. For details, see O&M configuration.
