
Bastionhost: Manage users

Last Updated: Aug 09, 2024

After you add a user to the console of a bastion host, an O&M engineer can log on to the bastion host as the user and perform O&M operations on the hosts or databases on which the user has permissions.

User types

In the console of a bastion host, you can import Alibaba Cloud Resource Access Management (RAM) users, create local users, and import Active Directory (AD)-authenticated, Lightweight Directory Access Protocol (LDAP)-authenticated, or Identity as a Service (IDaaS)-authenticated users. Then, O&M engineers can log on to the bastion host as the preceding users.

Important

An IDaaS-authenticated user cannot log on to a bastion host for asset O&M by using password-based authentication on a client. Instead, an IDaaS-authenticated user must use O&M token-based authentication on a client or use the O&M portal. For more information, see O&M manual.

User type

Description

RAM user

After a RAM user is created in the RAM console, you can click Import RAM Users in the console of a bastion host to import the RAM user.

Local user

You can create a single user or import multiple users from a file to create local users.

AD- or LDAP-authenticated user

You can configure AD or LDAP authentication on the bastion host and import AD- or LDAP-authenticated users to the bastion host.

Note

Before you import AD- or LDAP-authenticated users, make sure that AD or LDAP authentication is configured. For more information, see Configure AD authentication or LDAP authentication.

IDaaS-authenticated user

You can configure IDaaS authentication on the bastion host and import IDaaS-authenticated users to the bastion host.

Note

Before you import IDaaS-authenticated users, make sure that IDaaS authentication is configured. For more information, see Manage IDaaS authentication.

User list description

The following table describes the columns in the user list.

Column

Description

Username

The username of an account that is used to log on to the bastion host.

  • RAM user: the logon name that you specify when you create a RAM user. For more information about how to change the username, see Modify the basic information about a RAM user.

  • Local user: the username that you specify when you create the local user. You cannot change the username.

  • AD- or LDAP-authenticated user: the username that is synchronized from the AD or LDAP server. If you want to change the username, change it on the AD or LDAP server.

  • IDaaS-authenticated user: the username that is synchronized from Alibaba Cloud IDaaS Enterprise Identity Access Management (EIAM). You cannot change the username.

Authentication Source

The authentication source of the user, which also indicates the user type. For example, Local Authentication is displayed for a local user.

Two-factor Authentication Methods

When a user logs on to the console of the bastion host by using the username-password logon method, two-factor authentication is required for the user. The user must enter a dynamic verification code that is sent by text message, email, or DingTalk notification. This reduces security risks.

  • RAM user: RAM-based Authentication. To configure a two-factor authentication method for RAM users, log on to the RAM console. For more information, see Bind an MFA device to a RAM user.

  • IDaaS-authenticated user: IDaaS-based Authentication. To configure a two-factor authentication method for IDaaS-authenticated users, log on to the IDaaS console. For more information, see Two-factor authentication.

  • Local user or AD- or LDAP-authenticated user:

    • For more information about how to configure a two-factor authentication method for all local users, AD-authenticated users, and LDAP-authenticated users, see Enable two-factor authentication.

    • For more information about how to configure a two-factor authentication method for a single local user, AD-authenticated user, or LDAP-authenticated user, see the Create users section of this topic.

OTP App

Indicates whether the current user is bound to a time-based one-time password (TOTP). For more information about how to bind a TOTP, see the Create users section of this topic.

Note

TOTPs do not apply to RAM users and IDaaS-authenticated users.

Status

The status of a user. For more information about user status, see Configure the parameters on the User Settings tab.

  • Inactive: If the user does not log on to the bastion host within the specified period of time, the user is marked as Inactive.

  • Password Expired: After the validity period of the password elapses, the user is marked as Password Expired.

  • Locked:

    • If a user enters an invalid password the specified number of consecutive times when logging on to the bastion host, or if the administrator locks the user, the user is marked as Locked.

    • If you turn on Automatically Lock Inactive User Accounts on the System Settings page, the system automatically locks users who have not logged on to the bastion host for a long period of time. The users are marked as Locked.

  • The source from which the user is imported is deleted: If a user cannot be found in the authentication source by username, the user is marked as The source from which the user is imported is deleted. This status is available as a filter only for AD-, LDAP-, or IDaaS-authenticated users.

  • Update Available: If the base distinguished name (base DN) of a user on the AD or LDAP server is inconsistent with the base DN that is configured for the user on the bastion host, the user is marked as Update Available.

Actions

The operations that an administrator can perform to grant permissions to users. For more information, see Authorize users or user groups to manage assets and asset accounts or Grant permissions on asset groups.

Create users

You can create or import users to a bastion host based on your business requirements. Then, O&M engineers can log on to the bastion host as the users.

Import RAM users

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, click Import RAM Users.

  5. Optional. If no RAM user is created, click Create RAM User in the Import RAM Users dialog box and create a RAM user as prompted.

    For more information, see Create a RAM user.

  6. In the Import RAM Users dialog box, click Import in the Actions column of the RAM user that you want to import. If you want to import multiple RAM users at a time, select the RAM users and click Import below the list.

    Note

    To enable two-factor authentication for a RAM user, log on to the RAM console and enable multi-factor authentication (MFA). For more information, see Bind an MFA device to an Alibaba Cloud account.

Create local users

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, create a single local user or import multiple local users from a file based on the steps described in the following table.

    Scenario

    Procedure

    Create a single local user

    1. Choose Import Other Users > Create User.

    2. In the Create User panel, configure the user information and click Create.

      When you configure the user information, you must set Authentication Method to Local Authentication. In addition to configuring basic information, you can configure the following settings:

      • Select Users must reset the password at next logon.: If you select this parameter, the local user must reset the password upon the next logon. This parameter is valid only for local users.

      • Specify Validity Period: After the validity period that you specify for a local user elapses, the value in the Status column of the local user is changed to Expired. O&M engineers cannot use the local user to log on to the bastion host.

      • Configure Two-factor Authentication Methods: If you enable Two-factor Authentication Methods, the local user must enter a dynamic verification code that is sent by text message, email, or DingTalk after the local user enters the valid password. This helps reduce security risks.

        Note
        • If you enable Two-factor Authentication Methods for a local user, the local user must enter a dynamic verification code that is sent by text message or email when the local user attempts to log on to the bastion host. Make sure that you enter the valid mobile phone number or email address of the local user. For more information about the countries and areas where text message-based two-factor authentication is supported, see Supported countries and areas.

        • The mobile phone number and email address that you entered are used only to receive verification codes or alert notifications.

        Valid values of Two-factor Authentication Methods:

        • For All Users: indicates that the global two-factor authentication method that you configure on the System Settings page is used. For more information, see Enable two-factor authentication.

        • For Single User: indicates that you must configure a specific two-factor authentication method for the local user. Bastionhost supports the following two-factor authentication methods:

          • Disable: Two-factor authentication is disabled.

          • Text Message: Two-factor authentication is implemented by using text messages. If you select this method, you must specify the mobile phone number of the local user.

          • Email: Two-factor authentication is implemented by using emails. If you select this method, you must specify the email address of the local user.

          • DingTalk: Two-factor authentication is implemented by using DingTalk notifications. If you select this method, you must specify the mobile phone number of the local user.

            Note

            If you select DingTalk when you enable two-factor authentication, make sure that the following requirements are met:

            • The mobile phone number of the user who performs O&M operations is specified. For more information, see Modify the basic information about a local user.

            • An internal enterprise application is created by the DingTalk administrator, and the operation that is used to obtain member information based on the mobile phone numbers and names of the members is activated for the application.

            • The values of AppKey, AppSecret, and AgentId of the internal enterprise application are obtained.

          • OTP App: Two-factor authentication is implemented by using the mobile OTP token of the current user. The user must bind the OTP token first.

            Note

            If you select this method, you must download a standard TOTP authentication app, such as the Alibaba Cloud app. Then, log on to the Bastionhost O&M portal by using a public endpoint. In the left-side navigation pane, click Security Settings. On the Enable OTP tab, click Bind OTP App, and then scan the quick response (QR) code to bind the OTP token for authentication. For more information about how to obtain the O&M addresses of a bastion host, see the Overview page.

        • Configure Two-factor Notification Sending Language:

          • If you select For All Users, the current user uses the two-factor notification sending language that is configured on the System Settings page. For more information, see Enable two-factor authentication.

          • If you select For Single User, you can select Simplified Chinese or English as the two-factor notification sending language.

    Import multiple local users from a file

    1. Select Import Users from File from the Import Other Users drop-down list.

    2. Click Download User Template, download the user template package to your computer, and decompress the package. Then, enter the information about the local users that you want to import in a user template file, and save the information.

    3. In the Import Local Users panel, click Upload to upload the user template file that you edited.

    4. In the Preview dialog box, select the local users that you want to import and click Import.

    5. In the Import Local Users panel, confirm the information about the local users and click Import Local Users.

      If you select Users must reset the password at next logon., all imported local users must reset their passwords upon the next logon.

    Note

    The local users that you want to import are displayed in a table. If some local users, for example, the first user, the third user, and the fifth user, share the same username, the bastion host imports only the fifth user. If a local user that you want to import shares the same username with an existing user in the bastion host, the information about the local user is not imported. You can click Details in the Import Local Users panel to view the information about the users that are not imported.

  5. Optional. If you want the bastion host to notify users of the O&M address, you must specify the mobile phone number or email address of the local users, and select Send O&M Addresses to User.
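The duplicate-handling rule for Import Users from File (a username that appears several times in the file is imported once, from its last row, and a username that already exists on the bastion host is skipped) is easy to misjudge for a large template file. The following added example, which is not Bastionhost code, models that rule so that the outcome of an import can be predicted before you click Import. The row layout, the `plan_import` function, and the sample rows are constructed for illustration; usernames are compared as exact strings, which is an assumption.

```python
from dataclasses import dataclass


@dataclass
class ImportPlan:
    imported: list   # rows that would be created, in file order
    skipped: list    # (row number, username, reason) tuples, as shown under Details


def plan_import(rows, existing_usernames):
    """Apply the import rules described for the user template file.

    rows: list of dicts parsed from the template, in file order (1-based row
          numbers are reported to match what an operator sees in the Preview).
    existing_usernames: usernames already present on the bastion host.
    Assumption: usernames are compared as exact strings.
    """
    existing = set(existing_usernames)
    # Among duplicate usernames in the file, only the last occurrence is kept.
    last_row_for = {}
    for index, row in enumerate(rows):
        last_row_for[row["username"]] = index

    imported, skipped = [], []
    for index, row in enumerate(rows):
        name = row["username"]
        if name in existing:
            skipped.append((index + 1, name, "username already exists on the bastion host"))
        elif last_row_for[name] != index:
            skipped.append((index + 1, name,
                            f"duplicate in file; row {last_row_for[name] + 1} is used instead"))
        else:
            imported.append(row)
    return ImportPlan(imported, skipped)


# Constructed sample that mirrors the case in the Note: rows 1, 3 and 5 share a username,
# and one username (ops-carol) already exists on the host.
SAMPLE_ROWS = [
    {"username": "ops-alice", "email": "alice@example.com"},
    {"username": "ops-bob", "email": "bob@example.com"},
    {"username": "ops-alice", "email": "alice-2@example.com"},
    {"username": "ops-carol", "email": "carol@example.com"},
    {"username": "ops-alice", "email": "alice-3@example.com"},
]
EXISTING_USERS = {"ops-carol"}

if __name__ == "__main__":
    plan = plan_import(SAMPLE_ROWS, EXISTING_USERS)
    for row in plan.imported:
        print("import:", row["username"], row["email"])
    for row_no, name, reason in plan.skipped:
        print(f"skip row {row_no} ({name}): {reason}")
```

Run against the sample, the plan imports ops-bob and the row 5 copy of ops-alice and lists rows 1, 3 and 4 as skipped, which is the behaviour the Note describes.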
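The OTP App method in the Create a single local user procedure relies on a standard TOTP authenticator app, so the bastion host and the app must compute the same code from the shared key that the QR code carries. The following added example, which is not Bastionhost code and does not show how the product verifies codes internally, implements HOTP (RFC 4226) and TOTP (RFC 6238) so you can see what "standard TOTP" means and why a small time window is accepted. The function names and the skew window are assumptions; the key is the RFC 6238 reference key, not a real user secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is Unix time divided by the step (30 s by default)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps on either side.

    The window tolerates clock drift between the phone and the server; every
    candidate is compared in constant time so timing does not reveal which step matched.
    """
    if at is None:
        at = time.time()
    counter = int(at) // step
    matched = False
    for candidate in range(counter - window, counter + window + 1):
        matched |= hmac.compare_digest(hotp(secret, candidate, len(code)), code)
    return matched


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the key base32-encoded inside the otpauth:// URI of the QR code."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding that URIs usually omit
    return base64.b32decode(cleaned)


# RFC 6238 reference key (ASCII "12345678901234567890"); a real system issues a random key per user.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59))                      # RFC 6238 vector 94287082, 6-digit form
    print(verify_totp(RFC_SECRET, "287082", at=75))     # same step as t=59, accepted
    print(verify_totp(RFC_SECRET, "287082", at=150))    # three steps later, rejected
```

The code is valid only for the 30-second step in which it was generated (plus the small window), which is why a bound OTP token cannot be replayed later and why the phone's clock must be roughly correct.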

Import AD- or LDAP-authenticated users

Before you import AD- or LDAP-authenticated users, make sure that AD or LDAP authentication is configured. For more information, see Configure AD authentication or LDAP authentication.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. Choose Import Other Users > Import AD Users or Import LDAP Users.

  5. In the Import AD Users or Import LDAP Users dialog box, click Import in the Actions column of the AD- or LDAP-authenticated user that you want to import.

    You can also import multiple AD- or LDAP-authenticated users at a time.

Import IDaaS-authenticated users

Before you import IDaaS-authenticated users, make sure that IDaaS authentication is configured. For more information, see Manage IDaaS authentication.

Important

An IDaaS-authenticated user cannot log on to a bastion host for asset O&M by passing the password-based authentication on a client. To use a bastion host, an IDaaS-authenticated user must pass the O&M token-based authentication on a client or use the O&M portal. For more information, see O&M manual.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. Choose Import Other Users > Import IDaaS User.

  5. In the Import IDaaS User dialog box, click Import in the Actions column of the IDaaS-authenticated user that you want to import.

    You can also import multiple IDaaS-authenticated users at a time. If no IDaaS-authenticated users are displayed in the dialog box, click Synchronize.

User logon limits

You can specify approved source IP addresses and time periods for logon to control access to bastion hosts based on your business requirements.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, click the username of the user that you want to manage.

  5. On the User Logon Restrictions tab, specify the limits on source IP addresses and time periods for logon and click Update.

    • (Whitelist) Only Listed IP Addresses Are Allowed: Only source IP addresses in the whitelist can be used to log on to the bastion host within the specified time periods.

    • (Blacklist) Listed IP Addresses Are Not Allowed: Source IP addresses in the blacklist cannot be used to log on to the bastion host. Source IP addresses that are not in the blacklist can be used to log on to the bastion host only within the specified time periods.
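The two modes interact with the time periods differently: in whitelist mode a source address must be listed and the time must be in a period, while in blacklist mode a listed address is always refused and every other address is allowed only within the periods. The following added example, which is not Bastionhost code, evaluates those rules over constructed inputs so the effect of a configuration can be checked before it is applied. The function names, the (start, end) period format, and the treatment of an empty period list as "no time restriction" are assumptions.

```python
import ipaddress
from datetime import datetime, time as dtime


def parse_networks(entries):
    """Accept single addresses or CIDR blocks; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def within_periods(now: datetime, periods) -> bool:
    """periods: list of (start, end) clock times, end exclusive.
    Assumption: an empty list means logon is permitted at any time."""
    if not periods:
        return True
    clock = now.time()
    return any(start <= clock < end for start, end in periods)


def logon_allowed(mode: str, listed, src_ip: str, periods, now: datetime) -> bool:
    """Decide a logon under the User Logon Restrictions semantics described above.

    mode: "whitelist" (only listed addresses, within the periods) or
          "blacklist" (listed addresses refused; all others only within the periods).
    """
    ip = ipaddress.ip_address(src_ip)
    listed_match = any(ip in net for net in listed)   # version mismatch simply does not match
    if mode == "whitelist":
        return listed_match and within_periods(now, periods)
    if mode == "blacklist":
        return (not listed_match) and within_periods(now, periods)
    raise ValueError(f"unknown mode: {mode}")


# Constructed configuration: a corporate range plus one jump address, office hours only.
LISTED = parse_networks(["10.0.0.0/8", "203.0.113.7"])
OFFICE_HOURS = [(dtime(9, 0), dtime(18, 0))]
NOW_IN_WINDOW = datetime(2024, 8, 9, 10, 0)
NOW_AFTER_HOURS = datetime(2024, 8, 9, 20, 0)

if __name__ == "__main__":
    for mode in ("whitelist", "blacklist"):
        for src in ("10.1.2.3", "192.0.2.5"):
            for now in (NOW_IN_WINDOW, NOW_AFTER_HOURS):
                verdict = logon_allowed(mode, LISTED, src, OFFICE_HOURS, now)
                print(f"{mode:9} {src:12} at {now:%H:%M}: {'allow' if verdict else 'deny'}")
```

Printing the full matrix is a useful habit when changing a rule on a production bastion host: it makes the difference between the two modes explicit, in particular that a blacklist still admits every unlisted address during the configured periods.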

Export users

After you export users, you can view the users in a local CSV file.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, click Export Users in the upper-right corner.

Modify the basic information about a local user

Note

To modify the basic information about AD-authenticated users, LDAP-authenticated users, RAM users, or IDaaS-authenticated users, go to the console of each authentication source.

If the information about a user, such as the mobile phone number or email address, is changed, you must go to the console of the bastion host to which the user is imported to update the information at the earliest opportunity. Otherwise, the user may not receive verification codes and cannot log on to the bastion host. If the mobile phone number of the user is changed and is not updated in the bastion host in a timely manner, the user cannot log on to the bastion host because verification codes are sent to the previous mobile phone number.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. Find the user whose information you want to modify and click the username.

  5. On the Basic Info tab, modify the user information and click Update.

Lock or unlock a user

If a user no longer needs a bastion host to perform O&M operations within a specific period of time, you can manually lock the user or configure a trigger condition to automatically lock the user. If a locked user needs to perform O&M operations, you can unlock the user.

Automatically lock a user

By default, Bastionhost provides a feature to automatically lock a user. When a user enters invalid passwords more than five times in a row, Bastionhost locks the user. A Bastionhost administrator can specify Account Lockout Threshold. For more information, see Configure the parameters on the User Settings tab.
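The two automatic locks on this page (consecutive invalid passwords beyond Account Lockout Threshold, and Automatically Lock Inactive User Accounts) are simple to state but easy to get subtly wrong, for example by not resetting the failure counter on a successful logon. The following added example, which is not Bastionhost code, models both rules so their behaviour can be reasoned about. The record fields, the policy class, and the 90-day inactivity value are assumptions; the "more than five times in a row" wording above is read as "the sixth consecutive failure locks the user", and a user who has never logged on is not swept as inactive, which is also an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class UserRecord:
    username: str
    status: str = "Normal"            # only Normal and Locked are modelled here
    consecutive_failures: int = 0
    last_logon: Optional[datetime] = None


class LockoutPolicy:
    """Automatic locking as described on this page (field and method names are assumed)."""

    def __init__(self, lockout_threshold: int = 5, inactive_days: Optional[int] = None):
        self.lockout_threshold = lockout_threshold   # Account Lockout Threshold
        self.inactive_days = inactive_days           # None: inactive-account locking is off

    def logon_attempt(self, user: UserRecord, password_ok: bool, at: datetime) -> bool:
        """Return True when the logon is accepted; update counters and status as a side effect."""
        if user.status == "Locked":
            return False                             # locked users are refused even with a valid password
        if password_ok:
            user.consecutive_failures = 0            # a success ends the run of failures
            user.last_logon = at
            return True
        user.consecutive_failures += 1
        if user.consecutive_failures > self.lockout_threshold:
            user.status = "Locked"                   # "more than five times in a row"
        return False

    def lock_inactive(self, users, now: datetime) -> list:
        """Lock users whose last logon is older than inactive_days; return the usernames locked."""
        if self.inactive_days is None:
            return []
        cutoff = now - timedelta(days=self.inactive_days)
        locked = []
        for user in users:
            if user.status != "Locked" and user.last_logon is not None and user.last_logon < cutoff:
                user.status = "Locked"
                locked.append(user.username)
        return locked

    @staticmethod
    def unlock(user: UserRecord) -> None:
        """Manual unlock by the administrator; also clears the failure counter."""
        user.status = "Normal"
        user.consecutive_failures = 0


def demo() -> dict:
    """Walk through the scenarios on constructed users and return the observed outcomes."""
    policy = LockoutPolicy(lockout_threshold=5, inactive_days=90)
    alice = UserRecord("ops-alice")
    bob = UserRecord("ops-bob", last_logon=datetime(2024, 1, 1, 8, 0))   # constructed: last seen in January
    t = datetime(2024, 8, 9, 9, 0)

    for i in range(5):
        policy.logon_attempt(alice, False, t + timedelta(seconds=i))
    status_after_5 = alice.status
    policy.logon_attempt(alice, False, t + timedelta(seconds=5))
    status_after_6 = alice.status
    accepted_while_locked = policy.logon_attempt(alice, True, t + timedelta(seconds=6))
    policy.unlock(alice)
    accepted_after_unlock = policy.logon_attempt(alice, True, t + timedelta(seconds=7))
    swept = policy.lock_inactive([alice, bob], t)

    return {
        "status_after_5": status_after_5,
        "status_after_6": status_after_6,
        "accepted_while_locked": accepted_while_locked,
        "accepted_after_unlock": accepted_after_unlock,
        "swept_inactive": swept,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```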

Manually lock or unlock a user

Important

Manual user locking or unlocking takes effect immediately. If a user is manually locked, the user cannot log on to the bastion host to perform O&M operations. Proceed with caution.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, select the user that you want to lock or unlock. Below the user list, choose Batch > Locked or Batch > Unlock.

    • Locked: After you lock a user, you receive the The user is locked. message. The value in the Status column of the locked user changes from Normal to Locked. After you lock a user, you can still modify the basic information about the user and authorize the user to manage hosts and asset groups.

    • Unlock: After you unlock a user, you receive the The user is unlocked. message. The user can log on to the bastion host and perform O&M operations on the hosts on which the user has permissions.

Host the public key of a user

You can configure a public key for a user and host the public key on a bastion host. Then, the user can use a private key to log on to the bastion host from an O&M client. For more information, see Perform SSH-based O&M.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, click the username of the user for whom you want to configure a public key. On the user details page, click the User Public Key tab and click Add SSH Public Key.

  5. In the Add SSH Public Key panel, configure the public key name and content. Then, click Add SSH Public Key.

    After you configure the public key, the public key is hosted on the bastion host. You can view the public key in the public key list.

Delete a user

If a user no longer needs to perform O&M operations on hosts by using a bastion host, you can delete the user to reduce security risks.

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. In the user list, select the user that you want to delete and click Delete below the user list.

Change the configuration of password reset requirement upon the next logon for local users

If you want to enable or disable Users must reset the password at next logon. for a local user after the user is created, perform the following steps:

  1. Log on to the Bastionhost console. In the top navigation bar, select the region in which your bastion host resides.

  2. In the bastion host list, find the bastion host that you want to manage and click Manage.

  3. In the left-side navigation pane, choose Users > Users.

  4. On the Users page, select the users that you want to manage and choose Batch > Change Configuration of Local Users Must Reset Passwords at Next Logons below the user list.

  5. In the dialog box that appears, select Enable or Disable from the drop-down list and click OK.