Bastionhost automatically rotates host account passwords and Secure Shell (SSH) keys on a schedule you define, eliminating manual credential rotation and reducing the risk of stale credentials.
Prerequisites
Before you begin, make sure that you have:
A Bastionhost Enterprise Edition or SM-compliant Edition instance. To purchase a new instance, see Purchase an instance. To upgrade an existing instance, see Upgrade an instance type.
Host assets imported and host accounts escrowed in Bastionhost. To import host assets, see Create a host. To escrow host accounts, see Manage host accounts.
Limitations
Shared key rotation is not supported.
Each host account can be associated with only one password change task at a time.
Execution modes
Choose between two scheduling modes when creating a task:
| Mode | Behavior | Use when |
|---|---|---|
| Periodic execution | Runs repeatedly at a fixed interval (maximum 365 days) | You need recurring rotation on a regular cadence |
| Scheduled execution | Runs automatically at the scheduled time you specify | You need a rotation at a specific date and time |
For both modes, the execution time must be at least five minutes after the current time.
Example schedules:
| Goal | Mode | Configuration |
|---|---|---|
| Rotate passwords every 30 days starting at midnight on the first of the month | Periodic execution | Set the start time to the first of the month at 00:00, interval to 30 days |
| Rotate keys once before an upcoming compliance audit | Scheduled execution | Set the date and time to at least five minutes in the future |
| Rotate every Monday at 02:00 | Periodic execution | Set the start time to the next Monday at 02:00, interval to 7 days |
If a scheduled execution time coincides with a manual Run Now trigger, Bastionhost runs the task only once. A manual run does not reset or cancel the next scheduled execution.
Create a password change task
Log on to the Bastionhost console. See Log on to the system.
In the left navigation pane, choose Assets > Password Change.
On the Password Change page, click Create Password Change Task.
In the Password Change Task panel, configure the parameters described in the following table, then click Create.

| Parameter | Description |
|---|---|
| Task Name | Enter a name for the task. |
| Task Type | Select Password Rotation or Key Rotation. |
| Execution Mode | Select Periodic Execution or Scheduled Execution. See Execution modes for guidance. |
| Password Rule | Available when Task Type is Password Rotation. Configure the following: Password Complexity — select at least two character types (digits, lowercase letters, uppercase letters, other characters); Password Length — set the minimum and maximum length (8–32 characters); Password Policy — set the minimum character count per type (0–32), character repetition limit (1–32), and an excluded character set. The total of minimum letter counts and other characters cannot exceed the password length. |
| Key Rule | Available when Task Type is Key Rotation. Configure the following: Key Algorithm — RSA or ED25519; Key Length (RSA only) — 2048, 3072, or 4096 bits; Encryption Password — a password to encrypt the generated private key. |
| Remarks | (Optional) Enter additional notes about the task. |
Click Associate Accounts. On the Escrowed Accounts tab, click Add Host Account.
In the Add Host Account dialog box, select the host accounts to associate, then click Add.
A confirmation message appears: Password Change Task Is Successfully Associated With The Host Account. The task is now listed on the Password Change Tasks page.
A host account can be associated with only one password change task. For Password Rotation tasks, only accounts with an escrowed password can be added. For Key Rotation tasks, only accounts with an escrowed SSH private key can be added.
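The limits in the Password Rule row interact, so it is useful to check a planned rule for consistency before entering it in the console. The following Python code is an added example, not Bastionhost's own generator or API. The dictionary field names, the "other" symbol set, the requirement that every selected type appears at least once, the reading of the repetition limit as the maximum occurrences of any single character, and the comparison of the per-type minimums with the minimum length are all assumptions.

```python
import secrets
import string

# Assumptions: the field names below and the "other" symbol set are not from the page.
CLASSES = {"digits": string.digits, "lower": string.ascii_lowercase,
           "upper": string.ascii_uppercase, "other": "!@#$%^&*()-_=+"}
RULE = {"types": ["digits", "lower", "upper"], "min_len": 16, "max_len": 24,  # constructed
        "min_per_type": {"digits": 2, "upper": 2}, "max_repeat": 2, "excluded": "0OIl1"}

def need(rule):  # assumption: every selected type must appear at least once
    return {t: max(1, rule.get("min_per_type", {}).get(t, 0)) for t in rule["types"]}

def validate_rule(rule):
    """Check a rule against the table's limits; minimums are compared with min_len."""
    errs = []
    if not 8 <= rule["min_len"] <= rule["max_len"] <= 32:
        errs.append("length must satisfy 8 <= min <= max <= 32")
    if len(set(rule["types"])) < 2 or not set(rule["types"]) <= set(CLASSES):
        errs.append("select at least two known character types")
    if any(not 0 <= n <= 32 for n in rule.get("min_per_type", {}).values()):
        errs.append("per-type minimum must be 0-32")
    if not 1 <= rule.get("max_repeat", 32) <= 32:
        errs.append("repetition limit must be 1-32")
    if not errs and sum(need(rule).values()) > rule["min_len"]:
        errs.append("per-type minimums exceed the password length")
    return errs

def satisfies(pw, rule):
    """True if pw meets the rule; repetition = occurrences of any single character."""
    return (rule["min_len"] <= len(pw) <= rule["max_len"]
            and not set(pw) & set(rule.get("excluded", ""))
            and max(map(pw.count, pw)) <= rule.get("max_repeat", 32)
            and all(sum(c in CLASSES[t] for c in pw) >= n for t, n in need(rule).items()))

def generate(rule, attempts=1000):
    """Build a conforming password from the OS CSPRNG; raise if the rule is unusable."""
    if errs := validate_rule(rule):
        raise ValueError("; ".join(errs))
    pools = {t: [c for c in CLASSES[t] if c not in rule.get("excluded", "")] for t in rule["types"]}
    if not all(pools.values()):
        raise ValueError("excluded set empties a selected character type")
    every = [c for p in pools.values() for c in p]
    for _ in range(attempts):
        size = rule["min_len"] + secrets.randbelow(rule["max_len"] - rule["min_len"] + 1)
        chars = [secrets.choice(pools[t]) for t, n in need(rule).items() for _ in range(n)]
        chars += [secrets.choice(every) for _ in range(size - len(chars))]
        secrets.SystemRandom().shuffle(chars)
        if satisfies(pw := "".join(chars), rule):
            return pw
    raise ValueError("no conforming password found; relax repetition limit or exclusions")
```

A rule that passes `validate_rule` can still be too tight in practice: a low repetition limit combined with a large excluded set shrinks the usable alphabet, which `generate` reports as an error instead of looping.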
More operations
View password change records
Supported operating systems
| Operating system | Version |
|---|---|
| Windows | Microsoft Windows: Windows 7, Windows 8, Windows 10 |
| Windows | Microsoft Windows Server: Windows Server 2008, Windows Server 2012R2, Windows Server 2016, Windows Server 2019, Windows Server 2022 |
| Linux | Alibaba Cloud Linux: 3.2104 64-bit, 2.1903 LTS 64-bit, 2.1903 64-bit Quick Launch |
| Linux | CentOS: CentOS 6.10 to CentOS 8.5, CentOS Stream 8, CentOS Stream 9 |
| Linux | Ubuntu: Ubuntu 20.04 64-bit, Ubuntu 18.04 64-bit, Ubuntu 16.04 32-bit, Ubuntu 20.04 64-bit UEFI, Ubuntu 22.04 64-bit |
| Linux | Debian: Debian 11.8 64-bit, Debian 8.9 64-bit |
| Linux | openSUSE: 15.1 64-bit, 15.2 64-bit, 42.3 64-bit |
| Linux | SUSE Linux Enterprise Server: 15 SP2 64-bit, 12 SP5 64-bit |
| Linux | CoreOS: 34.20210529.3.0_3, 33.20210217.3.0_3 |
| Linux | Red Hat Enterprise Linux: 7 (64-bit) to 8 (64-bit) |





