User Privilege Levels and Passwords Without Data Storage Security

User and Superuser Modes

There are two modes available in the ACLI: User mode and Superuser mode. User mode provides only limited system access and allows no system configuration; it lets you view configuration files and logs and run the show commands. Superuser mode provides more complete system access and allows you to configure your Oracle Communications Session Border Controller.

When you log in to an Oracle Communications Session Border Controller you are initially in User mode. To indicate this, the system uses a ">" (close-angle-bracket) as the final character of the ACLI prompt. To enter Superuser mode, type enable followed by Enter at the ACLI prompt. The system prompts you for the Superuser password. After you enter the correct password, the prompt changes to a # (pound sign) to indicate Superuser mode.

User Access Verification
Password:
ORACLE> enable
Password:
ORACLE#

To exit to User mode from Superuser mode, type exit at the top-level ACLI prompt.

ORACLE# exit
ORACLE>

Setting Passwords

Acme Packet recommends that you change the preset passwords for ACLI User and Superuser modes. The preset values are published in this documentation (see the default user/packet pair below), so change them before the system is reachable over the network. You can change the passwords from Superuser mode only.

To set new ACLI passwords:

  1. Use the secret command to change passwords.

    Type secret login and press Enter to set the User password. The Oracle Communications Session Border Controller asks for a new password, which must be between six and eight characters with at least one non-alphabetic character. For example:

    ORACLE# secret login
    Enter new password  :

    If you do not enter a password in the required format, the following error message appears:

    % Password must be 6-8 characters with at least one non-alpha
  2. Type secret enable to set the Superuser password. Again, the Oracle Communications Session Border Controller asks for a new password that must be between six and eight characters with at least one non-alphabetic character. For example:
    ORACLE# secret enable
    Enter new password  :
  3. Use your new passwords when prompted for them.

SSH Remote Connections

For increased security, you can also connect to your system using SSH (secure shell). SSH requires that you have an SSH client. The system supports five concurrent SSH and/or SFTP sessions.

To initiate an SSH connection to the system without specifying an SSH username and password:

  1. Open your SSH client (Windows, an open source client, etc.).
  2. At the prompt in the SSH client, type the ssh command, a Space, and the IPv4 address, IPv6 address, or hostname of your system, and then press Enter. You are prompted for a password. Enter the system's User mode password. Once the password is accepted, an SSH session is established and you can continue with tasks in User mode or enable Superuser mode.
    ssh sd.acme.com
    Password:
    ORACLE>

    You can explicitly log in with the default account (username user, preset password packet) by telling the SSH client to use the user account. The password prompted for is the ACLI User password, which the secret login command replaces.

    ssh -l user sd.acme.com
    Password: <ACLI-user-password>
    ORACLE>

Create SSH User and Password

To create an SSH user and password pair on your system:

  1. In the ACLI at the Superuser prompt, use the ssh-password command and press Enter. Enter the name of the user you want to establish. Then enter a password for that user when prompted. Passwords are not displayed on the screen.
    ORACLE# ssh-password
    SSH username [saved]: MJones
    Enter new password:
    Enter new password again:

    Once you have entered a valid password, you must enter it a second time for confirmation. If you do not enter a password in the required format, the following error message appears:

    % Password must be 6-8 characters with at least one non-alpha

    After your SSH username and password are set, you can SSH into your Oracle Communications Session Border Controller. Once you provide a valid username and password pair, you must still log in to the ACLI with the ACLI passwords configured earlier (the User password, and the Superuser password for enable).

    You can SSH into the Oracle Communications Session Border Controller for the first time with the default username and superuser password.

    ssh -l user net-net-sd.company.com

SSH RADIUS Authentication VSA Support

The Oracle Communications Session Border Controller supports the use of the Cisco Systems Inc.™ Cisco-AVPair vendor specific attribute (VSA). This attribute allows successful administrator login against RADIUS servers that do not support the Acme Packet authorization VSA. While using RADIUS-based authentication, the Oracle Communications Session Border Controller authorizes you to enter Superuser mode locally even when your RADIUS server returns neither the ACME_USER_CLASS VSA nor the Cisco-AVPair VSA.

For this VSA, the Vendor-ID is 9 (the Cisco enterprise number) and the Vendor-Type is 1. The list below shows the values this attribute can return, and the result of each:

  • shell:priv-lvl=15—User automatically logged in as an administrator
  • shell:priv-lvl=1—User logged in at the user level, and not allowed to become an administrator
  • Any other value—User rejected
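
The following Python is an added example, not Oracle code: it encodes the Cisco-AVPair VSA as it travels inside a RADIUS Access-Accept (RFC 2865 Vendor-Specific attribute, type 26, carrying Vendor-Id 9 and vendor-type 1), walks the attribute list defensively, and maps the shell:priv-lvl value to the three outcomes listed above. The attribute layout and Cisco identifiers are standard; the sample Access-Accept attribute list and the outcome names admin, user and reject are this example's own.

```python
"""Encode and decode the Cisco-AVPair VSA (RADIUS attribute 26, Vendor-Id 9,
vendor-type 1) and map shell:priv-lvl to the SBC login outcome.

Added example, not Oracle code. The sample attribute list below is constructed."""
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type of Cisco-AVPair
REPLY_MESSAGE = 18     # RFC 2865 section 5.18, used only to pad the sample


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Plain RADIUS attribute: Type(1) Length(1) Value. Length covers the header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack(">BB", attr_type, 2 + len(value)) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: Type(26) Length Vendor-Id(4) Vendor-Type Vendor-Length String."""
    inner = struct.pack(">BB", vendor_type, 2 + len(value)) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)


def iter_attrs(data: bytes):
    """Walk a Type/Length/Value list, refusing lengths that run past the buffer."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[off + 2:off + length]
        off += length


def cisco_avpairs(attrs: bytes):
    """Yield every Cisco-AVPair string found in an attribute list."""
    for attr_type, value in iter_attrs(attrs):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor_id,) = struct.unpack(">I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes back to back.
        for vendor_type, sub in iter_attrs(value[4:]):
            if vendor_type == CISCO_AVPAIR:
                yield sub.decode("ascii", errors="replace")


def login_outcome(attrs: bytes):
    """Apply the page's table: 15 -> admin, 1 -> user, anything else -> reject.
    Returns None when no shell:priv-lvl pair is present; the text above says the
    SBC then authorizes Superuser mode locally."""
    for pair in cisco_avpairs(attrs):
        key, sep, val = pair.partition("=")
        if sep and key.strip() == "shell:priv-lvl":
            if val.strip() == "15":
                return "admin"
            if val.strip() == "1":
                return "user"
            return "reject"
    return None


# Constructed Access-Accept attribute list: a Reply-Message followed by the Cisco VSA.
SAMPLE_ACCEPT = build_attr(REPLY_MESSAGE, b"Welcome") + build_vsa(
    CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15")

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print(login_outcome(SAMPLE_ACCEPT))
```

A value such as shell:priv-lvl=7, which some Cisco deployments use for intermediate levels, is rejected outright by the mapping above, which is the behaviour the list describes; a Vendor-Specific attribute from any other vendor is ignored rather than treated as a rejection.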

SSHv2 Public Key Authentication

The Oracle Communications Session Border Controller supports viewing, importing, and deleting public keys used for authentication of SSHv2 sessions from administrative remote users.

Viewing SSH Public Key Data

This section explains how to use the ACLI show security ssh-pub-key commands that show you the following information in either brief or detailed displays:

  • Login name
  • Fingerprint
  • Fingerprint raw
  • Comment (detailed view only)
  • Public key (detailed view only)

You use the login name information from these displays to import or delete SSHv2 public keys.

To view information for public keys in brief format:

  1. In Superuser mode, type show security ssh-pub-key brief, and the log-in name for the public key you want to see. Then press Enter.
    ORACLE# show security ssh-pub-key brief jdoe

    Your display will resemble the following example:

    login-name:
        jdoe
    finger-print:
        c4:a0:eb:79:5b:19:01:f1:9c:50:b3:6a:6a:7c:63:d5
    finger-print-raw:
        ac:27:58:14:a9:7e:83:fd:61:c0:5c:c8:ef:78:e0:9c
  2. In Superuser mode, type show security ssh-pub-key detail, and the log-in name for the public key you want to see. Then press Enter.
    ORACLE# show security ssh-pub-key detail msmith
    login-name:
        msmith
    comment:
        1024-bit rsa, created by me@example.com Mon Jan 15 08:31:24 2001
    finger-print:
        61:f8:12:27:13:51:ef:c2:3e:b3:29:32:d7:3a:f2:fc
    finger-print-raw:
        3f:a2:ee:de:b5:de:53:c3:aa:2f:9c:45:24:4c:47:7b
    pub-key:  AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=
        Modulus (1024 bit):
            00:88:f5:b1:e9:63:38:96:11:cd:79:d1:9f:06:93:
            c9:34:fa:59:ef:22:ae:f9:d9:e7:d5:22:5e:8e:0b:
            78:e7:de:a4:e9:88:f3:18:6a:61:1f:64:d4:c7:02:
            b3:c5:c2:83:28:a7:b3:c2:4a:5f:9f:13:e4:48:c9:
            2e:12:ca:46:46:df:da:65:9f:70:6b:ef:8e:8b:b4:
            24:af:ca:6b:80:77:38:b2:85:ba:35:49:5f:0f:3a:
            6f:64:ad:87:e4:4e:de:41:a4:9e:3f:74:80:c0:69:
            90:29:41:47:09:d7:4d:68:fd:0b:fa:13:3b:ce:11:
            4d:ce:31:6f:a5:a3:20:27:0d
        Exponent: 37 (0x25)

Importing a Public Key Record

This section shows you how to import a public key record. Note that the process requires you to save and activate your configuration for changes to take effect.

To import an SSHv2 public key record:

  1. In Superuser mode, type the command ssh-pub-key import, then a Space and the login-name under which the key is to be stored (the same login-name that the brief and detail show security ssh-pub-key commands display). When prompted, paste the public key in RFC 4716 (SSH2 public key file) format, the format that ssh-keygen -e produces, and type ; on a line by itself to finish. The rfc4617 in the prompt text is a typo for RFC 4716.

    The Oracle Communications Session Border Controller confirms you have successfully imported the key, and then reminds you to save and activate your configuration.

    After you complete this procedure, you can confirm the public key has been imported by using either of the show security ssh-pub-key commands.

    ORACLE# ssh-pub-key import jdoe
    IMPORTANT:
            Please paste ssh public key in the format defined in rfc4617.
            Terminate the certificate with ";" to exit.......
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "2048-bit RSA, converted from OpenSSH by jdoe@acme54"
    AAAAB3NzaC1yc2EAAAABIwAAAQEA7OBf08jJe7MSMgerjDTgZpbPblrX4n17LQJgPC7clL
    cDGEtKSiVt5MjcSav3v6AEN2pYZihOxd2Zzismpoo019kkJ56s/IjGstEzqXMKHKUr9mBV
    qvqIEOTqbowEi5sz2AP31GUjQTCKZRF1XOQx8A44vHZCum93/jfNRsnWQ1mhHmaZMmT2LS
    hOr4J/Nlp+vpsvpdrolV6Ftz5eiVfgocxrDrjNcVtsAMyLBpDdL6e9XebQzGSS92TPuKP/
    yqzLJ2G5NVFhxdw5i+FvdHz1vBdvB505y2QPj/iz1u3TA/3O7tyntBOb7beDyIrg64Azc8
    G7E3AGiH49LnBtlQf/aw==
    ---- END SSH2 PUBLIC KEY ----
    ;
    SSH public key imported successfully....
    WARNING: Configuration changed, run "save-config" command to save it and run activate-config to activate the changes.
  2. Save and activate your configuration.
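
The following Python is an added example, not Oracle code, serving both the Viewing SSH Public Key Data section above and this import procedure: it parses an RFC 4716 block exactly as pasted into ssh-pub-key import, decodes the key blob into the fields the detail view prints (key type, RSA exponent, modulus), computes MD5 and SHA-256 fingerprints, and converts between RFC 4716 and OpenSSH one-line form so an OpenSSH key can be prepared for import without ssh-keygen. The two keys are the jdoe and msmith keys from the page's own output. Whether the SBC's finger-print and finger-print-raw fields are MD5 over the key blob is not stated on this page, so confirm the fingerprint comparison against ssh-keygen -l -E md5 on your own key file before relying on it.

```python
"""Parse the RFC 4716 (SSH2 public key file) block that ssh-pub-key import expects,
decode the key blob the way the detail view displays it, and convert between
RFC 4716 and OpenSSH one-line form.

Added example, not Oracle code. The two keys below are the jdoe and msmith keys
from the page's own output; the field names in the result dict are this example's."""
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text: str):
    """Return (headers, blob). A header value continues on the next line when it
    ends with a backslash (RFC 4716 section 3.3)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:           # base64 never contains ':'
            tag, _, value = line.partition(":")
            value = value.strip()
            while value.endswith("\\"):
                i += 1
                value = value[:-1] + lines[i]
            headers[tag.strip()] = value.strip('"')
        else:
            body.append(line)
        i += 1
    return headers, base64.b64decode("".join(body), validate=True)


def _read_string(blob: bytes, off: int):
    """SSH wire 'string': 4-byte big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("string runs past end of key blob")
    return blob[off:off + n], off + n


def describe(blob: bytes) -> dict:
    """Key type, fingerprints, and for RSA the exponent and modulus the detail view prints."""
    ktype, off = _read_string(blob, 0)
    info = {
        "type": ktype.decode("ascii"),
        "md5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
        "sha256": base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode(),
    }
    if info["type"] == "ssh-rsa":
        e, off = _read_string(blob, off)      # mpint exponent
        n, off = _read_string(blob, off)      # mpint modulus, leading 0x00 if high bit set
        info["exponent"] = int.from_bytes(e, "big")
        info["modulus_hex"] = n.hex()
        info["modulus_bits"] = int.from_bytes(n, "big").bit_length()
    elif info["type"] == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        info["key_bits"] = len(pk) * 8
    else:
        return info                           # other types: type and fingerprints only
    if off != len(blob):
        raise ValueError("trailing bytes after key fields")
    return info


def to_openssh(blob: bytes, comment: str = "") -> str:
    ktype, _ = _read_string(blob, 0)
    line = f"{ktype.decode('ascii')} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def to_rfc4716(openssh_line: str) -> str:
    """Same layout ssh-keygen -e produces: optional Comment header, base64 in 70-column lines."""
    parts = openssh_line.split(None, 2)
    b64 = base64.b64encode(base64.b64decode(parts[1], validate=True)).decode()
    out = [BEGIN]
    if len(parts) == 3 and parts[2].strip():
        out.append(f'Comment: "{parts[2].strip()}"')
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    out.append(END)
    return "\n".join(out)


# Keys taken from the page's examples.
JDOE_RFC4716 = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jdoe@acme54"
AAAAB3NzaC1yc2EAAAABIwAAAQEA7OBf08jJe7MSMgerjDTgZpbPblrX4n17LQJgPC7clL
cDGEtKSiVt5MjcSav3v6AEN2pYZihOxd2Zzismpoo019kkJ56s/IjGstEzqXMKHKUr9mBV
qvqIEOTqbowEi5sz2AP31GUjQTCKZRF1XOQx8A44vHZCum93/jfNRsnWQ1mhHmaZMmT2LS
hOr4J/Nlp+vpsvpdrolV6Ftz5eiVfgocxrDrjNcVtsAMyLBpDdL6e9XebQzGSS92TPuKP/
yqzLJ2G5NVFhxdw5i+FvdHz1vBdvB505y2QPj/iz1u3TA/3O7tyntBOb7beDyIrg64Azc8
G7E3AGiH49LnBtlQf/aw==
---- END SSH2 PUBLIC KEY ----"""

MSMITH_BLOB = base64.b64decode(
    "AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=")

if __name__ == "__main__":
    headers, blob = parse_rfc4716(JDOE_RFC4716)
    print(headers, describe(blob))
    print(describe(MSMITH_BLOB))
    print(to_rfc4716(to_openssh(blob, "jdoe@acme54")))
```

Both page keys decode consistently with the detail display: the msmith blob is a 1024-bit ssh-rsa key with exponent 37 (0x25) and a modulus beginning 00:88:f5:b1, and the jdoe block is a 2048-bit ssh-rsa key. Both also use small public exponents (37 and 35) from older key generators; a key you import today should come from a current ssh-keygen, and any login name whose displayed fingerprint does not match the file you pasted should be deleted and re-imported.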

Deleting a Public Key Record

To delete an SSHv2 public key record:

  1. In Superuser mode, type the command ssh-pub-key delete, then a Space and the login-name (found in both the brief and detail show security ssh-pub-key displays) corresponding to the public key you want to delete.

    The Oracle Communications Session Border Controller confirms you have successfully deleted the key, and then reminds you to save your configuration. Repeating the command for a login-name that no longer exists returns record (name) does not exist.

    After you complete this procedure, you can confirm the public key has been removed by using either of the show security ssh-pub-key commands.

    ORACLE# ssh-pub-key delete jdoe
    SSH public key deleted successfully....
    WARNING: Configuration changed, run "save-config" command.
    ORACLE# ssh-pub-key delete jdoe
    record (jdoe) does not exist
  2. Save and activate your configuration.

Expanded Privileges

Commands available to the User level user now include:

  • All show commands
  • All display commands
  • All monitor commands

See the Oracle Communications Session Border Controller ACLI Reference Guide Command Summary Chapter for a list of privileges for each ACLI command.

User Sessions

The Oracle Communications Session Border Controller provides a way to manually terminate an existing SSH session on your system. Sessions are terminated by issuing the kill command to a specifically chosen session. You first identify the session you wish to kill and then issue the command.

  1. At the User or Superuser prompt, type show users and press Enter. This displays the current sessions on the Oracle Communications Session Border Controller.
    ORACLE# show users
    Index task-id    remote-address        IdNum duration type    state
    ----- ---------- --------------------- ----- -------- ------- ------
        0 0x0225c400                           0 00:00:44 console  priv
        1 0x0219c720      10.0.200.40:4938   100 00:00:08     ssh  priv *
    ORACLE#

    The current session is marked by the asterisk to the right of the state column. In the above example, the current session is the SSH session at Index 1 (its IdNum is 100; Index and IdNum are different identifiers).

    Identify the session you wish to kill by the IP address and port listed in the remote-address column of the show users display, and note its Index.

  2. Issue the kill command followed by the Index of the session you wish to kill. The Index is the first column of the show users display, and the confirmation message echoes it.
    ORACLE# kill 2
    Killing ssh session at Index 2
    ORACLE# show users
    Index task-id    remote-address        IdNum duration type    state
    ----- ---------- --------------------- ----- -------- ------- ------
        0 0x0225c400                           0 00:03:42 console  priv
        1 0x0225e260      10.0.200.40:4922     1 00:03:24  SSH  priv *
    ORACLE#

    Note:

    You must be in Superuser mode to issue the kill command, but you only need to be in User mode to issue the show users command.
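
The following Python is an added example, not Oracle code: it parses the show users table above and derives the kill command, keeping the Index (the first column, which the kill confirmation echoes) separate from IdNum and refusing to target the session marked with the asterisk, so a scripted cleanup cannot cut off its own connection. The first two rows of the sample are the page's own output; the third row, from 192.0.2.15, is constructed.

```python
"""Parse 'show users' output and pick the Index to pass to kill, never targeting
the session marked current (*).

Added example, not Oracle code. The first two rows of SAMPLE are from the page's
output; the third row (192.0.2.15) is constructed."""
import re

SAMPLE = """ORACLE# show users
Index task-id    remote-address        IdNum duration type    state
----- ---------- --------------------- ----- -------- ------- ------
    0 0x0225c400                           0 00:00:44 console  priv
    1 0x0219c720      10.0.200.40:4938   100 00:00:08     ssh  priv *
    2 0x0219c7a0      192.0.2.15:50122   101 00:00:31     ssh  user
ORACLE#"""

# A data row starts with the Index and the hexadecimal task-id.
ROW = re.compile(r"^\s*\d+\s+0x[0-9a-fA-F]+\s")


def parse_show_users(text: str):
    """Return one dict per session with the seven columns plus a 'current' flag."""
    sessions = []
    for line in text.splitlines():
        if not ROW.match(line):
            continue                      # prompt, header and separator lines
        tokens = line.split()
        current = tokens[-1] == "*"
        if current:
            tokens = tokens[:-1]
        if len(tokens) == 6:              # console rows have an empty remote-address
            tokens.insert(2, None)
        if len(tokens) != 7:
            raise ValueError(f"unexpected row layout: {line!r}")
        index, task_id, remote, idnum, duration, stype, state = tokens
        sessions.append({
            "index": int(index), "task_id": task_id, "remote": remote,
            "idnum": int(idnum), "duration": duration, "type": stype.lower(),
            "state": state, "current": current,
        })
    return sessions


def kill_targets(sessions, remote_ip: str):
    """Index values of remote sessions from remote_ip, excluding our own session.
    The port after the last ':' is dropped, so an IPv4 'addr:port' compares on address."""
    targets = []
    for s in sessions:
        if s["remote"] is None or s["remote"].rsplit(":", 1)[0] != remote_ip:
            continue
        if s["current"]:
            continue                      # never kill the session issuing the command
        targets.append(s["index"])
    return targets


def kill_commands(sessions, remote_ip: str):
    """The ACLI commands to type in Superuser mode, one per target Index."""
    return [f"kill {i}" for i in kill_targets(sessions, remote_ip)]


if __name__ == "__main__":
    sessions = parse_show_users(SAMPLE)
    for s in sessions:
        print(s)
    print(kill_commands(sessions, "192.0.2.15"))
```

Feed the function the captured output of show users rather than a hand-typed Index: the Index of a session can change between listings as others connect and disconnect, which is why the second listing on this page shows the same SSH client at Index 1 with a different IdNum and port.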

Concurrent Sessions

The Oracle Communications Session Border Controller allows a maximum of five concurrent SSH sessions. This allowance is shared between SSH and SFTP sessions.