User Privilege Levels and Passwords Without Data Storage Security

User and Superuser Modes

There are two modes available in the ACLI: User mode and Superuser mode. User mode provides only limited system access and allows no system configuration; it lets you view configuration files, logs, and the output of all show commands. Superuser mode provides more complete system access and allows you to configure your Oracle Communications Session Border Controller.

When you log in to an SBC from the console you are initially in User mode. To indicate this, the system uses a > as the final character of the ACLI prompt. To enter Superuser mode, type enable followed by Enter at the ACLI prompt. The system prompts you for the Superuser password. After you enter the correct password, the prompt changes to a # to indicate Superuser mode.

User Access Verification
Password:
ORACLE> enable
Password:
ORACLE#

To exit to User mode from Superuser mode, type exit at the top-level ACLI prompt.

ORACLE# exit
ORACLE>

All local accounts in the user class have > as the final character in the prompt, while all local accounts in the admin class have # as the final character in the prompt.

Setting Passwords

The Oracle Communications Session Border Controller forces you to set a new password when you first log in. You can also change the password later with the secret command.

To set new ACLI passwords:

  1. Type secret login and press Enter to set the User password.
    ORACLE# secret login
    Enter new password  :

    If you do not enter a password in the required format, the following error message appears:

    % Password must be 6-8 characters with at least one non-alpha
  2. Type secret enable to set the Superuser password.
    ORACLE# secret enable
    Enter new password  :
  3. To change the password of a local account, see the "Manage Local Accounts" section in the Getting Started chapter of the ACLI Configuration Guide.

SSH RADIUS Authentication VSA Support

The SBC supports the Cisco Systems Inc.™ Cisco-AVPair vendor-specific attribute (VSA). This attribute allows successful administrator login against RADIUS servers that do not support the Oracle authorization VSA. When RADIUS-based authentication is in use, the SBC also authorizes you to enter Superuser mode locally even when your RADIUS server returns neither the ACME_USER_CLASS VSA (whose value is the lowercase string admin or user) nor the Cisco-AVPair VSA.

For this VSA, the Vendor-ID is 9 (Cisco's IANA enterprise number) and the Vendor-Type is 1 (Cisco-AVPair); both are carried inside the standard RADIUS Vendor-Specific attribute (type 26). The list below shows the values this attribute can return, and the result of each:

  • shell:priv-lvl=15—User automatically logged in as an administrator
  • shell:priv-lvl=1—User logged in at the user level, and not allowed to become an administrator
  • Any other value—User rejected
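The following is an added example, not code from the Oracle documentation or from the SBC itself. It encodes and decodes the Cisco-AVPair VSA as it appears inside a RADIUS Vendor-Specific attribute (type 26, Vendor-ID 9, Vendor-Type 1) and maps the shell:priv-lvl value to the three outcomes listed above. The outcome names ("admin", "user", "reject", "absent") are this example's own; the "absent" case stands for the situation described above where no usable VSA is returned and the SBC falls back to local authorization.

```python
import struct

# RFC 2865 Vendor-Specific attribute type, and the Cisco-AVPair VSA identifiers.
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9        # Cisco's IANA enterprise number
CISCO_AVPAIR_TYPE = 1      # Cisco-AVPair vendor sub-attribute


def encode_cisco_avpair(value: str) -> bytes:
    """Build one RADIUS Vendor-Specific attribute carrying a Cisco-AVPair string."""
    payload = value.encode("ascii")
    # Vendor sub-attribute: type, length (including the 2 header bytes), string.
    vsa_body = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(payload)) + payload
    vendor_block = struct.pack("!I", CISCO_VENDOR_ID) + vsa_body
    # Outer attribute: type 26, length (including the 2 header bytes), vendor block.
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vendor_block)) + vendor_block


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[offset + 2: offset + attr_len]
        offset += attr_len


def cisco_avpairs(attrs: bytes):
    """Extract every Cisco-AVPair string from the Vendor-Specific attributes."""
    result = []
    for attr_type, value in parse_attributes(attrs):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # some other vendor's VSA; ignore it
        # One Vendor-Specific attribute may carry several sub-attributes back to back.
        sub, off = value[4:], 0
        while off + 2 <= len(sub):
            vtype, vlen = sub[off], sub[off + 1]
            if vlen < 2 or off + vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AVPAIR_TYPE:
                result.append(sub[off + 2: off + vlen].decode("ascii", "replace"))
            off += vlen
    return result


def login_outcome(attrs: bytes) -> str:
    """Map shell:priv-lvl to the SBC result: admin, user, reject, or absent."""
    levels = [p.split("=", 1)[1] for p in cisco_avpairs(attrs)
              if p.startswith("shell:priv-lvl=")]
    if not levels:
        return "absent"      # no Cisco-AVPair privilege level was returned at all
    if levels == ["15"]:
        return "admin"
    if levels == ["1"]:
        return "user"
    return "reject"          # any other value, or conflicting levels, is rejected


if __name__ == "__main__":
    for lvl in ("15", "1", "7"):
        print(lvl, "->", login_outcome(encode_cisco_avpair(f"shell:priv-lvl={lvl}")))
```

Conflicting levels (for example two Cisco-AVPair strings, one saying 15 and one saying 1) are treated as "reject" rather than picking the higher one; that is this example's conservative choice, not documented SBC behaviour.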

Expanded Privileges

Commands available at the User level now include:

  • All show commands
  • All display commands
  • All monitor commands

See the Oracle Communications Session Border Controller ACLI Reference Guide Command Summary Chapter for a list of privileges for each ACLI command.

User Sessions

The Oracle Communications Session Border Controller provides a way to manually terminate an existing user session on your system. Sessions are terminated by issuing the kill command against a specific session: you first identify the session you wish to kill, then issue the command.

  1. Display the current user sessions with the show users command.
    ORACLE# show users
    Index  remote-address   IdNum  duration  type     state    User
    -------------------------------------------------------------------
        1  10.0.0.7:53581   3386   00:00:25  ssh      priv *   admin
        0  127.0.0.1        2777   00:42:10  console  login    user
        1  10.0.0.8:53586   3393   00:00:05  sftp     admin    admin
    ORACLE#

    The current session is marked by the asterisk to the right of the entry in the state column. In the above example, the current session is the SSH session with index number 1. Note that index numbers are assigned per session type, so an SSH session and an SFTP session can both have index 1; the kill command therefore always takes the session type together with the index.

    Identify the session you wish to kill by the IPv4 address and port listed in the remote-address column of the show users display, then read off its type and index number.

  2. Kill the user session. The kill command has two arguments: the session type and the index number. The index number is listed when you issue the show users command.
    The kill command syntax:
    kill <ssh | sftp | web> <index>
    For example:
    ORACLE# kill sftp 1
    Killing sftp session [1]
    Successfully killed session [sftp-admin@10.0.0.8] at index[1]

    Note:

    You must be in Superuser mode to issue the kill command, but you only need to be in User mode to issue the show users command.
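As an added example (not part of the Oracle documentation, and not code that runs on the SBC), the script below parses show users output of the form shown in step 1 and derives the exact kill command for a chosen remote address. The sample output is constructed to match the table above. It refuses to produce a command for the current session (the one marked with an asterisk) or for a console session, since the kill syntax only accepts ssh, sftp and web.

```python
# Constructed sample reproducing the show users layout from the procedure above.
SHOW_USERS_OUTPUT = """\
Index  remote-address   IdNum  duration  type     state    User
-------------------------------------------------------------------
    1  10.0.0.7:53581   3386   00:00:25  ssh      priv *   admin
    0  127.0.0.1        2777   00:42:10  console  login    user
    1  10.0.0.8:53586   3393   00:00:05  sftp     admin    admin
"""

# Session types accepted by: kill <ssh | sftp | web> <index>
KILLABLE_TYPES = {"ssh", "sftp", "web"}


def parse_show_users(text):
    """Parse show users rows into dicts. Index numbers are per session type."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # header, separator line, or trailing prompt
        current = "*" in fields          # asterisk marks the current session
        fields = [f for f in fields if f != "*"]
        if len(fields) < 7:
            continue
        index, remote, idnum, duration, stype, state, user = fields[:7]
        sessions.append({
            "index": int(index),
            "remote": remote,
            "ip": remote.split(":")[0],
            "idnum": int(idnum),
            "duration": duration,
            "type": stype,
            "state": state,
            "user": user,
            "current": current,
        })
    return sessions


def kill_command(text, remote_address):
    """Return the kill command for the session at remote_address (IP or IP:port)."""
    matches = [s for s in parse_show_users(text)
               if remote_address in (s["remote"], s["ip"])]
    if not matches:
        raise LookupError(f"no session from {remote_address}")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} sessions from {remote_address}; give IP:port")
    s = matches[0]
    if s["current"]:
        raise ValueError("refusing to kill the current session")
    if s["type"] not in KILLABLE_TYPES:
        raise ValueError(f"{s['type']} sessions cannot be killed with this command")
    return f"kill {s['type']} {s['index']}"


if __name__ == "__main__":
    print(kill_command(SHOW_USERS_OUTPUT, "10.0.0.8:53586"))
```

Matching on the bare IP address is a convenience for the common case of one session per host; when the same host has several sessions the function insists on the full IP:port so the wrong session is not killed.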

Concurrent Sessions

The Oracle Communications Session Border Controller allows a maximum of 5 concurrent SSH sessions. This limit is shared between SSH and SFTP sessions, so an open SFTP session counts against the same allowance as an SSH login.