# Bastion Hosts

Access for the `root` user can be limited to be only allowed from certain bastion hosts.

By default this is enabled except for a few networks, see [reponsible Puppet code](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/manifests/networking/params.pp) for details.

You may alternatively control the use of bastion hosts yourself by setting in Hiera the boolean value `aaa::user_bastions`.

The bastion hosts can be listed in the Hiera key `aaa:bastions`:

```
aaa::bastions:
- 'x05la-gw.psi.ch'
```

which then will override the default value
```
aaa::bastions:
  - 'wmgt01.psi.ch'
  - '129.129.190.25' # IP of wmgt01.psi.ch
  - 'wmgt02.psi.ch'
  - '129.129.190.104' # IP of wmgt02.psi.ch
```

**Caution**: an empty list will allow unrestricted login again!