Bastionhost:Configure O&M settings

Last Updated:Jul 11, 2024

Bastionhost allows you to configure O&M settings in a fine-grained manner based on your business requirements. For example, you can configure Duration Limit, Idle Timeout Interval, and Duration to Lock Users Upon Session Blocking (Unit: Minutes). These settings prevent idle or overlong O&M sessions from wasting host resources. This topic describes how to configure O&M settings.

Procedure

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, click System Settings.

  4. On the O&M Configuration tab, configure the parameters and click Save. The following table describes the parameters.

    Section

    Parameter

    Description

    O&M Token

    Validity Period of O&M Token

    The time period within which an O&M token can be repeatedly used after the token takes effect. After the time period elapses, you must renew the token or apply for a new token.

    Valid values: 1 to 480 minutes or 1 to 8 hours.

    Note
    • If O&M Approval is enabled, the validity period approved by the administrator for the O&M token takes effect. For information about how to disable O&M Approval, see Configure a control policy.

    • If the value of this parameter is changed, O&M engineers must apply for new O&M tokens for the change to take effect.

    O&M Token Renewal

    Specifies whether to allow O&M engineers to renew an O&M token and the number of times O&M engineers can renew the O&M token. Each renewal extends the validity period by 1 hour.

    Valid values: 1 to 20 times.

    Note
    • If the value of this parameter is changed, O&M engineers must apply for new O&M tokens for the change to take effect.

    • If O&M Approval is enabled, O&M engineers cannot renew O&M tokens. For information about how to disable O&M Approval, see Configure a control policy.

    Automatic Approval of O&M Tasks

    After you enable this option, the O&M tasks created by O&M engineers are automatically approved for execution. For more information about how to create automatic O&M tasks, see Automatic O&M.

    Timeout Period for O&M Approval

    The time period after which an O&M application that is not reviewed by the administrator is automatically rejected. The value 0 indicates that O&M applications are never automatically rejected.

    Special Asset Accounts

    Allow Access to Hosts by Using Bastionhost Account and Password

    Specifies whether users can access hosts by using the account and password of a bastion host.

    This option is suitable for scenarios in which the bastion host account is imported from Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) servers, the host is in the same domain as the bastion host, and the username and password of the server account are the same as those of the bastion host.

    Allow Access to Hosts by Using Unauthorized Host Accounts

    Specifies whether to allow password-free access from users to hosts on which the users do not have permissions. This option is selected by default.

    This option takes effect only when a user accesses hosts on which the user does not have permissions.

    • If you do not manage host accounts in the bastion host, you can select Unauthorized Asset Accounts Are Allowed in the Special Asset Accounts section. Then, the user can enter the username and password of the bastion host to access and perform O&M operations on the host.

    • If this option is cleared, the user cannot use the bastion host to access the hosts whose accounts are not managed in the bastion host.

    Special Host Configuration

    Allow Host Fingerprinting

    This option is selected by default.

    A host fingerprint is a unique identifier that Bastionhost uses to identify a Linux host. The fingerprint can be used to detect redirected traffic and prevent unauthorized users from accessing hosts in that way. We recommend that you select this option.

    Personalized Desktop Enabled

    This option is cleared by default.

    This option takes effect only for Windows hosts. If you select this option, users can use personalized desktops in Windows.

    Note

    Personalized desktops consume a large amount of bandwidth. Proceed with caution.

    Idle Timeout Interval

    The maximum duration of an idle O&M session. If the duration of an idle O&M session reaches the specified value, the session is automatically disconnected. This way, host resources are not consumed by idle O&M sessions.

    Valid values: 0 to 60. Unit: minutes. The value 0 indicates that the duration is not limited.

    Note

    In an idle O&M session, a user logs on to a host but does not perform O&M operations.

    Duration Limit

    Specifies the maximum total duration of O&M sessions. If the total duration reaches the specified value, ongoing sessions are automatically disconnected. Default value: 7 days.

    Valid values: 1 to 168 hours or 1 to 7 days.

    Note

    This parameter does not take effect if you perform O&M operations on databases.

    Duration to Lock Users Upon Session Blocking (Unit: Minutes)

    Specifies how long a user is locked after the administrator blocks the user's O&M session. During the specified period of time, the user cannot perform O&M operations on any host.

    Valid values: 0 to 60. Unit: minutes. The value 0 indicates that the duration is not limited.
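The token and session rules in the table above, modeled as an added example (hypothetical code, not Bastionhost's own implementation): token validity with renewals of one hour each, renewal refused when O&M Approval is on or the renewal count is used up, and the Duration Limit and Idle Timeout Interval checks with 0 meaning unlimited. The defaults, class and function names, and the timeline in demo() are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Hypothetical model of this page's O&M Configuration rules, not Bastionhost's own code.
@dataclass
class OmConfig:
    token_validity_min: int = 60    # Validity Period of O&M Token: 1 to 480 minutes
    max_renewals: int = 3           # O&M Token Renewal: 1 to 20 times, +1 hour each
    approval_enabled: bool = False  # with O&M Approval on, tokens cannot be renewed
    idle_timeout_min: int = 30      # Idle Timeout Interval: 0 to 60 minutes, 0 = unlimited
    duration_limit_h: int = 168     # Duration Limit: 1 to 168 hours (default 7 days)

    def __post_init__(self):
        # documented valid ranges; 0 is only accepted for the idle timeout
        for name, lo, hi in (("token_validity_min", 1, 480), ("max_renewals", 1, 20),
                             ("idle_timeout_min", 0, 60), ("duration_limit_h", 1, 168)):
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be {lo} to {hi}")

@dataclass
class OmToken:
    issued_at: datetime
    validity_min: int
    renewals: int = 0

    def expires_at(self) -> datetime:
        # each accepted renewal extends the validity period by one hour
        return self.issued_at + timedelta(minutes=self.validity_min, hours=self.renewals)

def renew_token(cfg: OmConfig, token: OmToken) -> bool:
    # renewal is refused when O&M Approval is on or the renewal count is used up
    if cfg.approval_enabled or token.renewals >= cfg.max_renewals:
        return False
    token.renewals += 1
    return True

def session_state(cfg: OmConfig, started: datetime, last_activity: datetime, now: datetime) -> str:
    # Duration Limit applies to the whole session; Idle Timeout to inactivity (0 = never)
    if now - started >= timedelta(hours=cfg.duration_limit_h):
        return "disconnected: duration limit"
    if cfg.idle_timeout_min and now - last_activity >= timedelta(minutes=cfg.idle_timeout_min):
        return "disconnected: idle timeout"
    return "active"

def demo() -> dict:
    # constructed timeline: token issued 09:00, four renewal attempts, then an idle session
    cfg, t0 = OmConfig(), datetime(2024, 7, 11, 9, 0)
    token = OmToken(issued_at=t0, validity_min=cfg.token_validity_min)
    renewed = [renew_token(cfg, token) for _ in range(4)]  # the 4th exceeds max_renewals
    idle = session_state(cfg, t0, t0 + timedelta(minutes=5), t0 + timedelta(minutes=40))
    return {"renewed": renewed, "expires": token.expires_at(), "idle": idle}
```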