To ensure system security, you can configure user logon settings, account lockout policies, and user status settings. You can configure user logon settings to allow users to use only key pairs for authentication when they log on to a bastion host in SSH mode. You can configure account lockout policies to protect your resources against brute-force attacks. You can also configure the parameters in the User Status Settings section to specify the validity period of passwords and mark accounts that are not used to log on to the system for a long period of time as Inactive.
1. Log on to the Bastionhost console.
2. In the top navigation bar, select the region in which your bastion host resides.
3. In the bastion host list, find the bastion host that you want to manage and click Manage.
4. In the left-side navigation pane, click System Settings.
5. On the User Settings tab, configure the parameters and click Save. The following table describes the parameters.
User Logon Settings
- Disable Password-based SSH Logon: If you enable this feature, users can use only key pairs or O&M tokens for authentication when they log on to the bastion host to perform O&M operations based on the SSH protocol or over an SSH tunnel.
- Disable SSH Public Key Authentication: If you enable this feature, users can use only passwords or O&M tokens for authentication when they log on to the bastion host to perform O&M operations on hosts by using an SSH-based O&M tool or perform O&M operations on databases over an SSH tunnel.
- Disable CAPTCHA for Private O&M Portal: If you enable this feature for a user, a completely automated public Turing test to tell computers and humans apart (CAPTCHA) is not performed when the user logs on to the O&M portal of the bastion host by using the private endpoint. Upon user logons from the O&M portal, CAPTCHAs can be performed only over a public network. If a user cannot use the client to access the bastion host over the public endpoint, you must enable this feature to ensure that the user can log on to the bastion host from the private O&M portal.

Account Lockout Policy
- Account Lockout Threshold: The number of consecutive failed logon attempts that cause an account to be locked. Valid values: 0 to 999. Default value: 5. If you set this parameter to 0, the system never locks an account.
- Account Lockout Duration: The duration within which a locked account cannot be used to log on to the system. Unit: minutes. Valid values: 0 to 10080. Default value: 30. If you set this parameter to 0, an account is locked until a Bastionhost administrator unlocks the account.
- Reset Account Lockout Counter After: The period of time that must elapse from the time when a user fails to log on to the system before the failed logon attempt counter is reset to 0. This parameter takes effect when the number of failed logon attempts does not exceed the specified value of Account Lockout Threshold. Unit: minutes. Valid values: 0 to 10080. Default value: 5.
  For example, you set Account Lockout Threshold to 5 and Reset Account Lockout Counter After to 5. If you use an invalid password to attempt to log on to the system for the fourth time at 14:00:00 and you do not use an invalid password to attempt to log on to the system again from 14:00:00 to 14:05:00, the failed logon attempt counter is reset to 0 after 14:05:00 on the current day.

User Password Security Settings
- Password Validity Period: The validity period of a password. After the validity period elapses, password reset is required. This parameter takes effect only for local users. Unit: days. Valid values: 0 to 365. Default value: 0. If you set this parameter to 0, a password never expires.
- Password History Check: The number of previous passwords a user cannot use when the user resets a password. Valid values: 0 to 30. Default value: 5. If this parameter is set to 0, no limits are imposed.

User Status Settings
- Mark Inactive User Accounts: The number of days after which an account is marked as Inactive. If an account is not used to log on to the system within the specified period of time, the account is marked as Inactive. Unit: days. Valid values: 0 to 365. Default value: 0. If you set this parameter to 0, an account is never marked as Inactive.
- Automatically Lock Inactive User Accounts: After you turn on the switch, the system automatically locks users who have not logged on to the bastion host for a long period of time. The locked users can log on to the bastion host again only after a Bastionhost administrator unlocks the users.
- Automatic Synchronization of Status and Information About AD- and LDAP-authenticated Users: The interval at which the configurations and status of the Active Directory (AD)-authenticated or Lightweight Directory Access Protocol (LDAP)-authenticated users imported into Bastionhost are automatically synchronized. Unit: minutes. Valid values: 15 to 14400. Default value: 240.
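The three Account Lockout Policy parameters (threshold, lockout duration, and the counter reset window) interact in a way that is easiest to see by replaying a sequence of logon attempts against them, including the page's own 14:00:00 / 14:05:00 scenario. The Python simulation below is an added example, not Bastionhost's own code: the LockoutPolicy, AccountState, record_attempt and replay names are assumptions, and it reads a reset window of 0 as "the counter is never reset by time", which the page does not define.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class LockoutPolicy:
    threshold: int = 5        # Account Lockout Threshold; 0 = never lock
    duration_min: int = 30    # Account Lockout Duration; 0 = locked until admin unlock
    reset_after_min: int = 5  # Reset Account Lockout Counter After (minutes)

@dataclass
class AccountState:
    failures: int = 0                         # consecutive failures counted so far
    last_failure: "datetime | None" = None
    locked_at: "datetime | None" = None       # None = not locked

def is_locked(policy, state, now):
    if state.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True  # only admin_unlock() clears a 0-duration lock
    return now < state.locked_at + timedelta(minutes=policy.duration_min)

def admin_unlock(state):  # also used internally once a timed lock has expired
    state.locked_at, state.failures, state.last_failure = None, 0, None

def record_attempt(policy, state, now, success):
    """Apply one logon attempt and return 'ok', 'failed' or 'locked'."""
    if is_locked(policy, state, now):
        return "locked"
    if state.locked_at is not None:  # timed lock has expired
        admin_unlock(state)
    # Reset the counter only once more than the reset window has elapsed since the last
    # failure ("after 14:05:00" in the page's example). Assumption: window 0 = never reset.
    if (state.last_failure is not None and policy.reset_after_min > 0
            and now - state.last_failure > timedelta(minutes=policy.reset_after_min)):
        state.failures = 0
    if success:
        state.failures, state.last_failure = 0, None
        return "ok"
    state.failures += 1
    state.last_failure = now
    if policy.threshold > 0 and state.failures >= policy.threshold:
        state.locked_at = now
        return "locked"
    return "failed"

def replay(policy, attempts):
    """Replay (timestamp, success) pairs from a fresh state; return outcomes and the state."""
    state = AccountState()
    return [record_attempt(policy, state, t, ok) for t, ok in attempts], state
```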