Configuring Web Login Timeout and Authentication
This topic describes how to configure the timeout and authentication settings for logins through web browsers, including login timeout duration, SMS verification code validity period, graphic verification code, SSH public key login, and SSH password login.
Prerequisites
You have the management permissions for the System module.
Configuring Web Login Requirements
- Log in to your bastion host.
- Choose System > System Config > Security.
- In the Web Login Config area, click Edit.
Complete configurations as prompted.
Table 1 Parameters for configuring web login
Parameter
Description
Idle timeout
Duration to wait before an inactive user is logged out.
After a system user logs in to a bastion host through a web browser, if they perform no operations for longer than the configured idle timeout, they are logged out.
- Default value: 30 minutes
- Value range: 1 to 1,440, in minutes
SMS duration
SMS verification code validity period.
- Default value: 60 seconds
- Value range: 60 to 3,600, in seconds
- If the value is 0, the SMS verification code never expires.
Captcha
Whether to use the CAPTCHA technology for graphic verification. The options are Enable, Disable, and Auto.
- Enable: A graphic verification code is required for every login.
- Disable: No graphic verification code is required for logins.
- Auto: A graphic verification code is required when the number of consecutive failed password attempts exceeds the configured login attempts.
Login attempts
If the number of consecutive failed password attempts exceeds the login attempts, the graphic verification is automatically enabled.
- This parameter is mandatory if Captcha is set to Auto.
- Default value: 3
- Value range: 1 to 30
Captcha duration
Validity period of a CAPTCHA.
- Default value: 60 seconds
- Value range: 15 to 3,600, in seconds
- If the value is 0, the graphic verification code never expires.
Domain Check
Whether to check domain. This option is disabled by default.
- Enabled: If you select the AD domain authentication, you are required to download an SSO client and use the same login name as that registered with the AD domain server for logins.
- Disabled
Source IP Check
Whether to check source IP address. The default status is
.
- Enabled: Your bastion host obtains the source IP address of the access request from the TCP connection details. When the system finds that the source IP address changes, it disconnects the current session and requires the user to log in again.
- Disabled: The session is not disconnected when the source IP address changes.
NOTE:
- A bastion host records every source IP address regardless of whether Source IP Check is enabled.
- If you are repeatedly logged out due to IP address changes after enabling Source IP Check, you can disable it. Disabling it does not affect your use of the bastion host.
- Only V3.3.44.0-S and later versions support this function.
Not Allow Multipoint Login
After this function is enabled, the same bastion host does not allow login from multiple addresses or devices.
Keep Client Session
To enable or disable this function, you need to enable Not Allow Multipoint Login first.
- Disabled: When system users access the bastion host through the web page, the sessions of the logged-in clients are forcibly disconnected. If they log in to the bastion host through the same client, the sessions of the logged-in clients cannot be forcibly disconnected.
- Enabled: When system users access the bastion host through the web page, the client session that is already logged in is not forcibly disconnected. The client session is retained, and login through the web page is disabled.
Enforce Multifactor Login
If this function is enabled, the system forcibly uses multi-factor authentication for logins. If multi-factor authentication is not configured for the account, contact the administrator to configure it. Otherwise, disable this function.
- Click OK. You can then check the web login configuration of the current system on the Security tab.
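The Idle timeout and Source IP Check behaviour described in Table 1, as an added Python sketch (not the bastion host's own code; the Session and SessionGuard names are hypothetical). The address compared is the peer address of the TCP connection, as the table states, never a client-supplied header.

```python
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    source_ip: str      # peer address of the TCP connection at login
    last_active: float  # epoch seconds of the last operation


class SessionGuard:
    """Hypothetical model of the Idle timeout and Source IP Check settings."""

    def __init__(self, idle_timeout_min=30, source_ip_check=True):
        if not 1 <= idle_timeout_min <= 1440:      # documented value range
            raise ValueError("Idle timeout must be 1 to 1,440 minutes")
        self.idle_seconds = idle_timeout_min * 60
        self.source_ip_check = source_ip_check
        self.seen_ips = []  # recorded whether or not the check is enabled

    def check(self, session, peer_ip, now=None):
        """Return (allowed, reason) for a request arriving from peer_ip.

        peer_ip must come from the TCP socket; a value taken from a header
        such as X-Forwarded-For can be set by the client.
        """
        now = time.time() if now is None else now
        self.seen_ips.append((session.user, peer_ip))
        if now - session.last_active > self.idle_seconds:
            return False, "idle timeout: log in again"
        if self.source_ip_check and peer_ip != session.source_ip:
            return False, "source IP changed: log in again"
        session.last_active = now  # only accepted requests count as activity
        return True, "ok"
```
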
Configuring Login Using a Client
- Log in to your bastion host.
- Choose System > System Config > Security.
- In the Client Login Config area, click Edit.
Complete configurations as prompted.
Table 2 Parameters for configuring client login
Parameter
Description
Idle timeout
Duration to wait before an inactive user is logged out of the bastion host SSH client.
- Default value: 30 minutes
- Value range: 1 to 43,200, in minutes
Logon with SSH key
Whether to enable SSH key login authentication (Default:
).
- Enabled: If you have configured an SSH public key, you can log in to the system using the SSH client without providing passwords.
- Disabled
Logon with password
Whether to enable SSH password login authentication (Default:
).
- Enabled
- Disabled
- If both Logon with SSH key and Logon with password are enabled, SSH key login authentication is attempted first.
- Click OK. You can then check the client login configuration of the current system on the Security tab.
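An added example, not part of the product: a Python check of recorded settings against the value ranges and dependencies in Table 1 and Table 2. The key names are hypothetical, since the page documents only UI labels, and the warn-level rules are this example's own hardening policy.

```python
# Hypothetical key names for settings read off the Security tab; the page
# documents only the UI labels, defaults and value ranges used below.
RANGES = {  # key: (min, max, zero_means_never_expires)
    "web_idle_timeout_min": (1, 1440, False),
    "sms_duration_s": (60, 3600, True),
    "captcha_duration_s": (15, 3600, True),
    "login_attempts": (1, 30, False),
    "client_idle_timeout_min": (1, 43200, False),
}


def audit(cfg):
    """Return a sorted list of (severity, message) findings for cfg."""
    findings = []
    for key, (lo, hi, zero_ok) in RANGES.items():
        if key not in cfg:
            continue
        value = cfg[key]
        if zero_ok and value == 0:
            # 0 is accepted by the product but removes expiry altogether
            findings.append(("warn", f"{key}=0: code never expires"))
        elif not lo <= value <= hi:
            findings.append(("error", f"{key}={value} outside {lo}..{hi}"))
    captcha = cfg.get("captcha")
    if captcha == "Auto" and "login_attempts" not in cfg:
        findings.append(("error", "login_attempts is mandatory when captcha=Auto"))
    if captcha == "Disable":
        findings.append(("warn", "captcha=Disable: no graphic verification on login"))
    if cfg.get("keep_client_session") and not cfg.get("not_allow_multipoint_login"):
        findings.append(("error", "keep_client_session needs not_allow_multipoint_login"))
    if not cfg.get("enforce_multifactor_login"):
        findings.append(("warn", "enforce_multifactor_login is off"))
    if cfg.get("logon_with_password"):
        findings.append(("warn", "SSH password login is enabled"))
    return sorted(findings)


# Constructed sample settings, not taken from a real system.
SAMPLE = {
    "web_idle_timeout_min": 2000, "sms_duration_s": 0, "captcha_duration_s": 60,
    "captcha": "Auto", "client_idle_timeout_min": 30,
    "not_allow_multipoint_login": False, "keep_client_session": True,
    "enforce_multifactor_login": True, "logon_with_password": False,
}

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(severity, message)
```
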