Bastionhost allows you to configure O&M settings in a fine-grained manner based on your business requirements. For example, you can configure Duration Limit, Idle Timeout Interval, and Duration to Lock Users Upon Session Blocking (Unit: Minutes). This prevents idle or overlong sessions from wasting host resources. This topic describes how to configure O&M settings.
Procedure
1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.
2. In the bastion host list, find the bastion host that you want to manage and click Manage.
3. In the left-side navigation pane, click System Settings.
4. On the O&M Configuration tab, configure the parameters and click Save. The following table describes the parameters.
| Section | Parameter | Description |
| --- | --- | --- |
| O&M Token | Validity Period of O&M Token | The time period within which an O&M token can be used repeatedly after the token takes effect. After the time period elapses, you must renew the token or apply for a new token. Valid values: 1 to 480 minutes or 1 to 8 hours. Note: If O&M Approval is enabled, the validity period that the administrator approves for the O&M token takes effect. For information about how to disable O&M Approval, see Configure a control policy. If the value of this parameter is changed, O&M engineers must apply for new O&M tokens for the change to take effect. |
| O&M Token | O&M Token Renewal | Specifies whether O&M engineers are allowed to renew an O&M token and how many times they can renew it. Each renewal extends the validity period by 1 hour. Valid values: 1 to 20 times. Note: If the value of this parameter is changed, O&M engineers must apply for new O&M tokens for the change to take effect. If O&M Approval is enabled, O&M engineers cannot renew O&M tokens. For information about how to disable O&M Approval, see Configure a control policy. |
| O&M Token | Automatic Approval of O&M Tasks | After you enable this option, the O&M tasks created by O&M engineers are automatically approved for execution. For more information about how to create automatic O&M tasks, see Automatic O&M. |
| O&M Token | Timeout Period for O&M Approval | The time period after which an O&M application that the administrator has not reviewed is automatically rejected. The value 0 indicates that O&M applications are never automatically rejected. |
| Special Asset Accounts | Allow Access to Hosts by Using Bastionhost Account and Password | Specifies whether users can access hosts by using their bastion host account and password. This option is suitable for scenarios in which the bastion host account is imported from an Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) server, the host is in the same domain as the bastion host, and the username and password of the server account are the same as those of the bastion host account. |
| Special Asset Accounts | Allow Access to Hosts by Using Unauthorized Host Accounts | Specifies whether users are allowed password-free access to hosts on which they do not have permissions. This option is selected by default. This option takes effect only when a user accesses hosts on which the user does not have permissions. If you do not manage host accounts in the bastion host, select Unauthorized Asset Accounts Are Allowed in the Special Asset Accounts section. The user can then enter the username and password of the bastion host to access the host and perform O&M operations on it. If this option is cleared, the user cannot use the bastion host to access hosts whose accounts are not managed in the bastion host. |
| Special Host Configuration | Allow Host Fingerprinting | This option is selected by default. A host fingerprint is a unique identifier that Bastionhost uses to identify a Linux host. The fingerprint can be used to prevent unauthorized users from gaining access to hosts by redirecting traffic. We recommend that you select this option. |
| Special Host Configuration | Personalized Desktop Enabled | This option is cleared by default. This option takes effect only for Windows hosts. If you select this option, users can use personalized desktops on Windows hosts. Note: Personalized desktops consume a large amount of bandwidth. Proceed with caution. |
| | Idle Timeout Interval | The maximum duration of an idle O&M session. If an idle O&M session reaches the specified duration, the session is automatically disconnected so that idle sessions do not consume host resources. Valid values: 0 to 60. Unit: minutes. The value 0 indicates that the duration is not limited. Note: In an idle O&M session, a user has logged on to a host but is not performing O&M operations. |
| | Duration Limit | Specifies the maximum total duration of O&M sessions. If the total duration reaches the specified value, ongoing sessions are automatically disconnected. Default value: 7 days. Valid values: 1 to 168 hours or 1 to 7 days. Note: This parameter does not take effect for O&M operations on databases. |
| | Duration to Lock Users Upon Session Blocking (Unit: Minutes) | Specifies the period of time for which a user is locked after the administrator blocks (interrupts) the user's O&M session. During this period, the user cannot perform O&M operations on any host. Valid values: 0 to 60. Unit: minutes. The value 0 indicates that the duration is not limited. |
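The following Python script is an added example, not part of the original topic and not Bastionhost code or its API. It checks a set of O&M Configuration values against the ranges in the table, flags the settings a reviewer would want to notice (an Idle Timeout Interval of 0, which never disconnects idle sessions, and token renewal left enabled while O&M Approval is on, where the table says renewal is unavailable), computes the worst-case lifetime of a single O&M token from the validity period plus 1-hour renewals, and applies the idle-timeout and duration-limit rules to an observed session. The `OmSettings` class, its field names and the sample values are assumptions constructed for this illustration.

```python
"""Added example: review Bastionhost O&M settings against the ranges in the table above
and model the Idle Timeout Interval, Duration Limit and O&M token renewal rules.
OmSettings and its field names are assumptions for this illustration, not the Bastionhost API."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

# Allowed ranges taken from the table (inclusive bounds).
TOKEN_VALIDITY_MINUTES = (1, 480)   # 1 to 480 minutes, i.e. 1 to 8 hours
TOKEN_RENEWALS = (1, 20)            # 1 to 20 renewals; each renewal adds 1 hour
IDLE_TIMEOUT_MINUTES = (0, 60)      # 0 = idle sessions are never disconnected
DURATION_LIMIT_HOURS = (1, 168)     # 1 to 168 hours, i.e. 1 to 7 days
LOCK_MINUTES = (0, 60)              # 0 = not limited


@dataclass
class OmSettings:
    """Hypothetical container for the O&M Configuration values (constructed for this example)."""
    token_validity_minutes: int = 60
    token_renewal_enabled: bool = True
    token_renewals: int = 3
    om_approval_enabled: bool = False
    idle_timeout_minutes: int = 30
    duration_limit_hours: int = 168      # the page's default of 7 days
    lock_minutes: int = 10


def _check_range(name: str, value: int, bounds: tuple, findings: list) -> None:
    lo, hi = bounds
    if not lo <= value <= hi:
        findings.append(f"{name}={value} is outside the allowed range {lo} to {hi}")


def review(s: OmSettings) -> list:
    """Return review findings; an empty list means every value is in range and nothing is unlimited."""
    findings = []
    _check_range("Validity Period of O&M Token", s.token_validity_minutes, TOKEN_VALIDITY_MINUTES, findings)
    if s.token_renewal_enabled:
        _check_range("O&M Token Renewal", s.token_renewals, TOKEN_RENEWALS, findings)
    _check_range("Idle Timeout Interval", s.idle_timeout_minutes, IDLE_TIMEOUT_MINUTES, findings)
    _check_range("Duration Limit", s.duration_limit_hours, DURATION_LIMIT_HOURS, findings)
    _check_range("Duration to Lock Users Upon Session Blocking", s.lock_minutes, LOCK_MINUTES, findings)
    # 0 disables the idle timeout entirely, so idle sessions hold host resources indefinitely.
    if s.idle_timeout_minutes == 0:
        findings.append("Idle Timeout Interval=0: idle O&M sessions are never disconnected")
    # Per the table, renewal is unavailable while O&M Approval is enabled.
    if s.om_approval_enabled and s.token_renewal_enabled:
        findings.append("O&M Token Renewal has no effect while O&M Approval is enabled")
    return findings


def max_token_lifetime(s: OmSettings) -> Optional[timedelta]:
    """Worst-case lifetime of one O&M token: base validity plus every allowed 1-hour renewal.

    Returns None when O&M Approval is enabled, because the validity period the
    administrator approves then applies instead of the configured one.
    """
    if s.om_approval_enabled:
        return None
    lifetime = timedelta(minutes=s.token_validity_minutes)
    if s.token_renewal_enabled:
        lifetime += timedelta(hours=s.token_renewals)
    return lifetime


def should_disconnect(idle_minutes: int, total_hours: float, s: OmSettings) -> bool:
    """Apply both session limits to an observed session; 0 means 'not limited' for the idle timeout."""
    idle_hit = s.idle_timeout_minutes != 0 and idle_minutes >= s.idle_timeout_minutes
    total_hit = total_hours >= s.duration_limit_hours
    return idle_hit or total_hit


if __name__ == "__main__":
    # Constructed sample: the idle timeout was turned off and the validity period set out of range.
    lax = OmSettings(idle_timeout_minutes=0, token_validity_minutes=500)
    for finding in review(lax):
        print("finding:", finding)
    print("worst-case token lifetime with the defaults above:", max_token_lifetime(OmSettings()))
```

With the defaults in `OmSettings` (60-minute validity, 3 renewals) a single token can stay usable for 4 hours, which is the figure to compare against the access window the business actually needs; the session check treats 0 as "not limited" only for the idle timeout, mirroring the table, while the duration limit always has a lower bound of 1 hour.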