22.2. CP LOGIN-MODE

A new parameter LOGIN-MODE: permits to choose between the former login method (LEGACY), the default, and a new one (USERS).

The LOGIN-MODE:LEGACY keeps unchanged the use of PWDU/PWDA/PWDS password for CP and independent passwords for TELNET/SSH access.

The LOGIN-MODE:USERS integrates CP with SSH and TELNET: the login to TELNET/SSH is made with individual user/password pair and is automatically inherited by CP. The CP passwords PWDU/PWDA/PWDS and TELNET/SSH passwords are not used and hidden in configuration. Access to CP also depends on the new parameter CP-LEVEL, please refer to Section 22.3.2, “LOGIN-MODE:USERS access levels”.

An Abilis user named 'super' is automatically created in the 8.9 configuration (see System Users for more details) and used just for CP 'SUPERUSER' purposes. It is forcedly activated when LOGIN-MODE:USERS and it is forcedly deactivated when LOGIN-MODE:LEGACY.

With LOGIN-MODE:LEGACY:

[12:52:46] ABILIS_CPX:d user

------------------------+-------------+----------------------------------------
USER             PWD ACT|CTIP CLUS    |CHAT LDAP PPP FTP HTTP MAIL IAX SIP VO
------------------------+-------------+----------------------------------------
admin                NO  #    #        NO   YES  YES YES YES  NO   NO  NO  NO
guest                NO  #    #        NO   NO   NO  NO  NO   NO   NO  NO  NO
super                NO  #    #        NO   NO   NO  NO  NO   NO   NO  NO  NO

With LOGIN-MODE:USERS:

[12:53:19] ABILIS_CPX:d user

------------------------+------------------------------------------------------
------------------------+-------------+----------------------------------------
USER             PWD ACT|CTIP CLUS    |CHAT LDAP PPP FTP HTTP MAIL IAX SIP VO
------------------------+-------------+----------------------------------------
admin                NO  #    #        NO   YES  YES YES YES  NO   NO  NO  NO
guest                NO  #    #        NO   NO   NO  NO  NO   NO   NO  NO  NO
super                YES #    #        NO   NO   NO  NO  NO   NO   NO  NO  NO

[12:53:23] ABILIS_CPX:d user:super

-------------------------------------------------------------------------------
Parameter:          | Value:
--------------------+----------------------------------------------------------
USER:                 super
REAL-NAME:            super         <Read Only>
ID:                   3             <Read Only>
PWD:
ACT:                  YES           <Read Only>
CP-LEVEL:             SUPER         <Read Only>
SSH-IP-PERMIT:        *
TELNET-IP-PERMIT:     *
-------------------------------------------------------------------------------
[Important]Important

When changing the LOGIN-MODE the passwords relevant to the new mode are cleared, don't forget to set with a proper value, e.g.:

LEGACY to USERS

[11:47:12] ABILIS_CPX:s p cp login-mode:users

WARNING: LOGIN-MODE changed from LEGACY to USERS.
WARNING: PWD of Abilis user 'super' has been cleared, please set new password.

[11:47:13] ABILIS_CPX:

USERS to LEGACY

[12:13:29] ABILIS_CPX:s p cp login-mode:legacy

WARNING: LOGIN-MODE changed from USERS to LEGACY.
WARNING: PWDU/PWDA/PWDS passwords have been cleared, please set new passwords.
WARNING: TELNET and SSH passwords have been cleared, please set new passwords.

[12:13:36] ABILIS_CPX:

22.2.1. Setting the password of user 'super' when LOGIN-MODE:USERS

The password of user 'super' can be set in two ways:

  • Entering the real password, as usual.

  • Entering the password hash previously copied from another Abilis where the real password was entered. The tool config.exe can be used to enter real password and read the hash.

The password hash let a person to configure the password of 'super' without knowing the real password, so that only the persons that know the real password can access such Abilis as 'super'.

For example person A can set the password (the tool config.exe can be used), distribute it's hash to person B and let him to set the password on another Abilis.

The result is that person B configured the password but only person A can access the Abilis as 'super' because only person A knows the real password.

For example:

  • Person A sets the password on an Abilis or with config.exe tool. He then copy the hash and distribute it to person B.

    [18:11:19] ABILIS_CPX:s user:super pwd:mypassword
    
    COMMAND EXECUTED
    
    [18:11:41] ABILIS_CPX:d user:super
    ...
    PWD:                  1ef94fa4af527f9208965b2eb413da8b434056f49bba961d9b38c4e2d175578c
    ...
    
  • Person B connects to the target Abilis with current 'super' credentials', set the password using the hash, save and exit.

    From this moment on only person A can access that Abilis as 'super' because only person A knows the real password.

    [18:22:31] ABILIS_CPX:d user:super
    ...
    PWD:
    ...
    [18:22:43] ABILIS_CPX:s user:super pwd:1ef94fa4af527f9208965b2eb413da8b434056f49bba961d9b38c4e2d175578c
    
    COMMAND EXECUTED
    
    [18:22:52] ABILIS_CPX:d user:super
    ...
    PWD:                  1ef94fa4af527f9208965b2eb413da8b434056f49bba961d9b38c4e2d175578c
    ...