Updated on 2024-12-11 GMT+08:00

Overview

You can log in to a bastion host remotely, using a browser, or using a client.

During remote logins, you can select local, IAM, or admin login mode. In local or IAM login mode, use the accounts as required. In admin login mode, you can log in to a bastion host as user admin without entering passwords.

Accounts or keys are required for local logins, client logins, and browser logins.

If you have logged in to your bastion host using the current browser, you need to log out of the current account before logging in to the instance using another account.

Port Requirements

To use a bastion host for resource management, ensure that the communication between the the bastion host and the managed resources is enabled. Before you start, check whether your network ACL configuration allows access to the bastion host and configure the security group of the bastion host by referring to Table 1.

  • During cross-version upgrade, ports 80, 8080, 443, and 2222 are automatically enabled for the instance. If you do not need to use these ports, disable them immediately after the upgrade.
  • During cross-version upgrade, ports 22, 31036, 31679, and 31873 are automatically enabled for the instance. After the upgrade, keep port 31679 enabled and disable other ports immediately if you do not need to use them.
Table 1 Inbound and outbound rule configuration reference

Scenario Description

Direction

Protocol/Application

Port

Accessing a bastion host through a web browser (HTTP and HTTPS)

Inbound

TCP

80, 443, and 8080

Accessing a bastion host through Microsoft Terminal Services Client (MSTSC)

Inbound

TCP

53389

Accessing a bastion host through an SSH client

Inbound

TCP

2222

Accessing a bastion host through FTP clients

Inbound

TCP

20~21

Remotely accessing Linux ECSs of a bastion host over SSH clients

Outbound

TCP

22

Remotely accessing Windows ECSs of a bastion host over the RDP Protocol

Outbound

TCP

3389

Accessing Oracle databases through a bastion host

Inbound

TCP

1521

Accessing Oracle databases through a bastion host

Outbound

TCP

1521

Accessing MySQL databases through a bastion host

Inbound

TCP

33306

Accessing MySQL databases through a bastion host

Outbound

TCP

3306

Accessing SQL Server databases through a bastion host

Inbound

TCP

1433

Accessing SQL Server databases through a bastion host

Outbound

TCP

1433

Accessing DB databases through a bastion host

Inbound

TCP

50000

Accessing DB databases through a bastion host

Outbound

TCP

50000

Accessing GaussDB databases through a bastion host

Inbound

TCP

18000

Accessing GaussDB databases through a bastion host

Outbound

TCP

18000

License servers

Outbound

TCP

9443

Cloud services

Outbound

TCP

443

Accessing a bastion host system through the SSH client in the same security group

Outbound

TCP

2222

SMS service

Outbound

TCP

10743 and 443

Domain name resolution service

Outbound

UDP

53

Accessing PGSQL databases through a bastion host

Inbound

TCP

15432

Accessing PGSQL databases through a bastion host

Outbound

TCP

5432

Logon Type

Different login methods require different credentials. If multifactor verification is enabled, the static password login method becomes invalid.

Table 2 Login method description

Logon Type

Login Description

Password

Enter the username and password of your bastion host.

Mobile SMS Authentication

Enter the username and password of your bastion host, click Send Code, and enter the SMS verification code you will receive.

Mobile OTP

Enter the username and password first, and then enter the mobile one-time password (OTP).

USBKey

Insert your USB key into your terminal device, select the issued USB key, and enter the corresponding personal identification number (PIN).

One-time Passwords (OTPs)

Enter the username and password first, and then enter the verification code displayed on your OTP token device.

Verification Type

You can use remote Active Directory (AD), Remote Authentication Dial In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), Security Assertion Markup Language (SAML), and Azure AD authentication methods. You can use existing user passwords on any of those remote servers for identity verification.

Table 3 Authentication methods

Verification Type

Authentication Description

Local Authentication

Static passwords configured for the system are used for identity verification.

  • Multifactor verification can be configured for users authenticated by static password.
  • You can reset or change the static passwords. If you forgot this password, you can find it back through email.

AD domain authentication

The passwords of users on the AD server are used for identity verification.

  • Multifactor verification can be configured for users authenticated by static password.
  • Passwords cannot be changed through the bastion host.

RADIUS Authentication

The passwords of users on the RADIUS server are used for identity verification.

  • Multifactor verification can be configured for users authenticated by static password.
  • Passwords cannot be changed through the bastion host.

LDAP Authentication

The passwords of users on the LDAP server are used for identity verification.

  • Multifactor verification can be configured for users authenticated by static password.
  • Passwords cannot be changed through the bastion host.

Azure AD authentication

The passwords of Microsoft accounts are used for identity verification.

The login page is redirected to the Microsoft Azure login page for you to provide credentials.

  • Multifactor verification cannot be configured for users authenticated by the Azure AD server.
  • Passwords cannot be changed through the bastion host.

SAML authentication

The passwords of users on the SAML server are used for identity verification.

  • Multifactor verification can be configured for users authenticated by static password.
  • Passwords cannot be changed through the bastion host.