Help Center/ Cloud Bastion Host/ Getting Started/ Step 1: Log In to a CBH System
Updated on 2024-11-05 GMT+08:00
View PDF
Share

Step 1: Log In to a CBH System

Scenarios

You can log in to your bastion host through a web browser, MSTSC client, or SSH client.

  • Web browser login: In this method, you can use the system management and resource O&M modules in CBH. This method is recommended for system user admin or administrators to manage the CBH system and audit authorization.
  • SSH client login: You can use an SSH client to directly log in to the authorized resources for O&M without changing your original login methods.
  • MSTSC client login: With CBH, your current MSTSC-based O&M experience is still useful. You can use an MSTSC client to directly log in to the CBH system for resource O&M.

Prerequisites

  • You have purchased a CBH instance. If you want to access the CBH instance over the public network, bound an EIP to it. For details, see Purchasing a CBH Instance.
  • The CBH instance is in the Running state, and the CBH system is within the authorization period.
  • You have obtained the address and credentials for logging in to the CBH system.

Using a Web Browser to Log In to a Bastion Host

  1. Enter the IP address of the CBH system in the address box of your browser to access the login page.

    URL: https:// EIP or private IP address of your bastion host, for example, https://10.10.10.10.

    • If no EIP is bound to your CBH instance, use the private network IP address to log in to the CBH system. Ensure that your local network and the private network of the CBH system are connected.
    • If a browser incompatible with the CBH system is used, the login verification message may fail to be sent to you, or exceptions may occur after the login. For recommended browsers, see Restrictions on Using CBH.

  2. Select a login authentication method.

    Figure 1 Bastion host login page
    • Multi-factor Authentication (MFA) can be enabled for all CBH users. CBH supports SMS, OTP, USBKey, and OTP Token. For details, see Configuring Multifactor Verification.
    • After multi-factor authentication is configured, Password authentication becomes invalid.
      Table 1 Web browser login authentication

      Authentication Method

      How to Log In

      Configuration Description

      Password

      Enter the username and password of your bastion host account.

      Default login method.

      The login passwords in the AD, RADIUS, LDAP, or Azure AD authentication are the passwords of users on the remote server. For details, see System Configuration Overview.

      SMS

      Enter the username and password of your bastion host account, click Send code, and enter the SMS verification code you will receive.

      A valid phone number has been configured for the account.

      OTP

      Enter the username and password of your bastion host account and enter the mobile phone one-time password (OTP), which changes periodically.

      NOTE:

      Ensure that the CBH system time is the same as the mobile phone time (accurate to the second). Otherwise, a message indicating that the verification code is incorrect will be reported.

      Bind your system user account to a mobile OTP and contact the administrator to configure multi-factor authentication for this account. For details, see Mobile OTP.

      USBKey

      Insert and select an issued USB key and enter the corresponding PIN.

      A USB key has been issued to the user. For details, see Issuing a USB Key.

      OTP token

      Enter the username and password of your bastion host account, and enter the dynamic password of the OTP device, which changes periodically.

      An OTP token has been issued to the user. For details, see Issuing an OTP Token.

  3. Click Login to log in to your bastion host for O&M.

    • The admin user is a system administrator account that is used to log in to the CBH system for the first time. The admin account has the highest level of authority. Permissions for the admin account cannot be modified. Keep the account information secure.
    • After you log in to the CBH system for the first time, change the passwords and configure the phone number as prompted. Otherwise, the system cannot be further loaded. The phone number can be changed on the profile page in the Dashboard module.

Using an SSH Client to Log In to Your Bastion Host

CBH allows you to use an SSH client to log in to your CBH system for authorized resource O&M.

  • Only host resources configured with the SSH, Telnet, or Rlogin protocols can be logged in through an SSH client.
  • SecureCRT 8.0 or later and Xshell 5 or later are recommended.
  1. Start the local SSH client tool and choose File > New to create a user session.
  2. Configure user session connection.

    • Method 1

      In the displayed dialog box, select a protocol type, enter the EIP address and port number (2222) of the CBH instance, and click OK. Enter the login name of your CBH system account and click Connect.

    • Method 2
      • In the newly opened blank session window, run a command in the following format: Protocol type User login name@System login IP address Port number, for example, ssh admin@10.10.10.10 2222. After the login, select the target server.
      • In a newly opened blank session window, run a login command: {Protocol type} {Bastion host user login name}@{Host account username}@{Linux host IP address}@{Bastion host IP address} {Port}. For example, you can run ssh admin@10.10.10.10@10.10.10.101 2222 to log in to the target server.
    • Method 3
      • In a newly opened blank session window, run a login command: {Protocol type} {User login name}@{System login IP address} -p {Port number}, for example, ssh admin@10.10.10.10 2222. After the login, select the target server.
      • In a newly opened blank session window, run a login command: {Protocol type} {Bastion host user login name}@{Host account username}@{Linux host IP address}@{Bastion host IP address} -p {Port}. For example, you can run ssh admin@10.10.10.10@10.10.10.101 -p 2222 to log in to the target server.

    system login IP address indicates the private IP address or EIP of your bastion host. Make sure the network connection between the local PC and the IP address is normal.

  3. Authenticate user identities.

    Enter your identity credentials as prompted.

    When an SSH client is used for establishing connections, you can use the Password, SSH Pubkey, SMS, Mobile OTP, and/or OTP Token authentication. To use SMS, Mobile OTP, and OTP token, configure multifactor verification. For details, see Configuring Multifactor Verification.
    Table 2 SSH client login authentication

    Authentication Method

    Login Description

    Configuration Description

    Password

    Enter the username and password of your bastion host account.

    Default login mode.

    The login passwords in the AD, RADIUS, LDAP, or Azure AD authentication are the passwords of users on the remote server. For details, see Remote Authentication Management.

    SSH Pubkey

    Enter the private key and private key password for login authentication. After the login authentication is successful, next time the user can log in to the system over the SSH client without entering the password.

    You need to generate a public and private key pair for login verification and add the SSH public key to your bastion host in the Profile center. For details, see Adding an SSH Public Key.

    SMS

    In SMS authentication, enter the Password or SSH Pubkey and the SMS verification code you will receive to complete the login authentication.

    An available phone number has been configured for the account.

    Mobile OTP

    In Mobile OTP authentication, enter the Password or SSH Pubkey and the OTP token to complete the login authentication.

    NOTE:

    Ensure that the CBH system time is the same as the mobile phone time (accurate to the second). Otherwise, a message indicating that the verification code is incorrect will be reported.

    Bind your system user account to a mobile OTP and contact the administrator to configure multi-factor authentication for this account. For details, see Mobile OTP.

    OTP token

    After the Password or SSH Pubkey login is authenticated, select OTP token and enter the verification code.

    An OTP token has been issued to the user. For details, see Issuing an OTP Token.

  4. After logging in to your bastion host, you can view system information and start O&M operations.

    You can also use APIs to log in to resources managed by a bastion host. To do so, you need to obtain the specific URL.

Accessing Your Bastion Host through MSTSC

CBH allows you to use a Microsoft Terminal Services Client (MSTSC) client to log in to authorized resources for O&M.

  1. Open the MSTSC dialog box.
  2. In the displayed dialog box, enter your bastion host information in the Computer text box in the format of Bastion host IP address: 53389.

    Figure 2 Configuring the computer

  3. Click Connect and provide the following information to complete the login:

    • Username: Enter Login Name of the CBH user@Windows host resource account@Windows host resource IP address:Windows remote port (3389 by default), for example, admin@Administrator@192.168.1.1:3389.

      The Windows host resource account must be a resource account that has been added to CBH and the login mode must be automatic login, or the resource account cannot be identified and O&M audit files cannot be generated. Real-time session O&M is not supported.

    • Password: Enter the password of the CBH user.