Installing and Configuring GTSecure(TM) Login


GTSecure Login protects the GTSecure router by requiring a challenge handshake before a user can access the router operating system. The challenge handshake uses a secret based on the RSA Data Security, Inc. MD5 Message-Digest Algorithm. The secret is never sent over the LAN or WAN.

GTSecure Login includes a utility for either Microsoft® Windows(TM) NT, Windows 95, or UNIX® platforms. The GTSecure Login utility calculates responses to GTSecure challenges.

This document provides instructions for installing and configuring GTSecure Login. It includes the following sections:

Installing and Compiling the GTSecure Login Utility

Configuring and Using GTSecure Login

User Account Configuration Commands

Installing and Compiling the GTSecure Login Utility

There are two versions of the GTSecure Login utility available: one for UNIX platforms and one for PCs with an Intel 386 or later processor.

UNIX Platforms

The UNIX version of the GTSecure Login utility comes compiled for SunOS(TM) version 4.1.x or greater. If you are using a different UNIX operating system, you must compile the GTSecure Login utility files.

Installing the GTSecure Login Utility on a UNIX Platform

The UNIX version of the GTSecure Login utility comes on a 3.5-inch disk in .tar format. To install the GTSecure Login utility on a UNIX platform, follow these steps:

1. Create a directory for the GTSecure Login utility and go to that directory.
2. Insert the 3.5-inch disk in the appropriate drive.
3. To copy the files to your directory, enter:
tar xvf /dev/device-name

4. To extract the files, enter:
tar xvf secure_login.tar

This generates two directories, src and obj, and places them in the directory you created. These directories contain the files necessary to compile and run the GTSecure Login utility.

Compiling the GTSecure Login Utility in UNIX

If you are using a UNIX operating system other than SunOS version 4.1.x or greater, you must compile the GTSecure Login utility files. Any ANSI C compiler should work; OpenROUTE has tested the GNU compiler (version 2.5.6 or greater) and the SunOS compiler (cc).

To compile the GTSecure Login utility, change to the obj directory and enter the following command:

make seclogin

This creates a new executable file called seclogin and places the file in the obj directory.

PC Platforms

The PC version of the GTSecure Login utility is a DOS utility that runs on PCs with an Intel 386 or later processor. You can run GTSecure Login from the DOS command prompt in Microsoft Windows NT or from the MS-DOS prompt in Windows 95.

Installing the GTSecure Login Utility on a PC

The PC version of the GTSecure Login utility comes in a self-extracting ZIP file on a 3.5-inch disk. To install it, follow these steps:

1. Create a directory for the GTSecure Login utility and go to that directory.
2. Insert the 3.5-inch disk in the appropriate drive and copy the secstart.exe file to your hard drive.
3. To extract the files, enter:
secstart.exe

Configuring and Using GTSecure Login

After you have installed the GTSecure Login utility, follow these steps to configure and use GTSecure Login.

1. On your GTSecure router, set up user accounts to control who can configure and monitor the router. The first account you set up should be for yourself as an administrative user. Use the add user command.

Assign a user name, set the type of authentication to Challenge, enter an MD5 secret text string, and assign a permission level.

Config> add user
Enter user name: ? NewAdmin
Enter authentication type: (N)one, (P)assword, (C)hallenge, or (Q)uit [C]? c
Enter MD5 secret:
Enter MD5 secret again:
Enter permission: (A)dmin, (O)perations, (M)onitor, or (Q)uit [A]? a
User `NewAdmin' has been added

The console login is automatically enabled once you add an administrative user.

2. Create a technical support access account. This is optional. After you add the first user, the router prompts you for adding technical support access.

Do you want to add Technical Support access? (Y)es, (N)o, or (Q)uit [Y]? yes

When you enter yes, the router prompts for adding a new account, as in step 1. OpenROUTE personnel know the technical support password. Assign the Administrator permission level.

3. Restart the router for the console login to take effect. Press Ctrl-P at the Config> prompt to return to the * prompt, then enter restart.
Config> Ctrl-P
*restart

4. Run Telnet to the GTSecure router.
5. Enter a user name. GTSecure displays a challenge in brackets along with the password prompt.
login: Admin
Password [kPn7SrFs]:

6. In the directory where the GTSecure Login utility resides, enter seclogin followed by the user name and secret that are configured on the GTSecure router and the challenge that GTSecure displayed.
seclogin user-name secret router-challenge

For example:

seclogin Admin adminsecret kPn7SrFs

The GTSecure Login utility calculates and displays a response to the challenge.

cm1/0C02

7. Enter the response into the GTSecure Telnet session.
Password [kPn7SrFs]:cm1/0C02

If the response is correct, GTSecure displays the * prompt.
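The following Python program is an added illustration of the handshake in steps 5 through 7; it is not code from the page or from OpenROUTE, and the seclogin utility's actual response formula is not documented here. It simulates both sides: the router stores the secret and issues a challenge, the client (the role seclogin plays) computes a response from user name, secret and challenge with MD5, and the router recomputes and compares. The hashing order, the 8-character truncation, the account dictionary and all user names and secrets are constructed assumptions for the example. It also shows the two checks a verifier wants: a constant-time comparison and a single-use challenge, so that a response observed on the wire cannot be replayed.

```python
import hashlib
import hmac
import secrets
import string

# Constructed stand-in for the router's user database (the page's add user
# command populates the real one). Secrets live only here, on the router side.
ACCOUNTS = {
    "Admin": {"auth": "Challenge", "secret": "adminsecret", "permission": "Admin"},
    "pmon": {"auth": "Password", "secret": "monpass", "permission": "Monitor"},
}

CHALLENGE_CHARS = string.ascii_letters + string.digits


def compute_response(user, secret, challenge):
    """Client side, the role the seclogin utility plays.

    HYPOTHETICAL derivation: the page only states that the secret is MD5-based
    and never transmitted; GTSecure's real formula and response encoding are
    not documented here. Hash user, secret and challenge together and keep the
    first 8 hex digits so the response is short enough to type.
    """
    material = f"{user}:{secret}:{challenge}".encode()
    return hashlib.md5(material).hexdigest()[:8]


class Router:
    """Router side of the handshake (steps 5 and 7 of the procedure)."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending = {}  # user -> outstanding challenge (single use)

    def issue_challenge(self, user, challenge=None):
        """Step 5: the 'Password [challenge]:' prompt. A fresh random
        challenge is drawn per login attempt; a fixed one may be passed
        in for testing."""
        if challenge is None:
            challenge = "".join(secrets.choice(CHALLENGE_CHARS) for _ in range(8))
        self.pending[user] = challenge
        return challenge

    def check_response(self, user, response):
        """Step 7: recompute the expected response from the stored secret and
        compare in constant time. The challenge is consumed whether or not
        the attempt succeeds, so a replayed response cannot log in again.
        Returns the permission level on success, None on failure."""
        challenge = self.pending.pop(user, None)
        account = self.accounts.get(user)
        if challenge is None or account is None or account["auth"] != "Challenge":
            return None
        expected = compute_response(user, account["secret"], challenge)
        if hmac.compare_digest(expected, response):
            return account["permission"]
        return None


def login(router, user, secret, challenge=None):
    """Walk the full exchange: challenge out, response back, verdict.
    Only the user name, the challenge and the response cross the network."""
    challenge = router.issue_challenge(user, challenge)
    response = compute_response(user, secret, challenge)  # what seclogin prints
    return router.check_response(user, response)


if __name__ == "__main__":
    router = Router(ACCOUNTS)
    print("correct secret:", login(router, "Admin", "adminsecret"))
    print("wrong secret:", login(router, "Admin", "guess"))
```

Note that an account whose authentication type is Password has no MD5 secret to derive a response from, so the router rejects a challenge-style login for it; only Challenge accounts take this path.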

User Account Configuration Commands

This section describes the user account configuration commands. Enter these commands at the Config> prompt.

Note: You must have Administrator permission level to create a new user account, to change or display user accounts, or to enable the console login.

Table 1 User Account Configuration Commands

Command                  Function
Add User                 Creates a new user account, including type of authentication and permission level.
Change Password          Changes a user's password or MD5 secret.
Change User              Changes a user's authentication type, password, MD5 secret, or permission level.
Delete User              Removes a user account from the router database.
Disable Console-login    Disables the console login.
Enable Console-login     Enables the console login.
List Users               Displays a list of current user accounts and the assigned permission levels and authentication types. Also shows whether the console login is currently enabled or disabled.

Add User

Adds a new user account to the router. You can create up to 50 user accounts and one technical support access account. User names, passwords, and secrets can be up to 250 characters and are case sensitive.

Table 2 describes the permission levels. You must assign one of these permission levels to each user account:

Table 2 Access Permission Levels

Permission    Access Level
Administrator (A)

Sets up, changes, and views user accounts. The administrator can perform all operations, including router configuration.

Operator (O)

Modifies operations of the router from the + monitoring prompt but cannot configure the router. Views router configuration and statistics, runs potentially disruptive tests, dynamically changes router operation, and restarts the router. All operator actions are undone with a system restart. Operators cannot view user accounts. Operators can change their own current password.

Monitor (M)

Views router configuration and statistics but cannot modify or disrupt the operation of the router. Monitors cannot view user accounts. Monitors can change their own current password.

Tech Support

Allows a Technical Support engineer to gain access to the router if a user forgets a password. You cannot assign this permission level to users.

Syntax: add user

Example: add user

Enter user name: ? NewAdmin
Enter authentication type: (N)one, (P)assword, (C)hallenge, or (Q)uit [C]? c
Enter MD5 secret:
Enter MD5 secret again:
Enter permission: (A)dmin, (O)perations, (M)onitor, or (Q)uit [A]? a
User `NewAdmin' has been added

Enter user name

The name that identifies the user.

Enter authentication type

The type of authentication for the user:
N (None), P (Password), or C (Challenge).

Enter MD5 secret

If the authentication type is Challenge, prompts for the MD5 secret for the user.

Enter MD5 secret again

If the authentication type is Challenge, confirms the MD5 secret.

Enter password

If the authentication type is Password, prompts for the user's password. The password is case sensitive.

Enter password again

If the authentication type is Password, confirms the password.

Enter permission

The category of access privilege for the user:
A (Administrator), O (Operator), or M (Monitor).
(See Table 2 above.)

Change Password

Changes the current user's password or MD5 secret. Any currently logged in user, with any permission level, can change the password or MD5 secret for their own account.

Syntax: change password

Example: change password

Enter current MD5 secret:
Enter new MD5 secret:
Enter new MD5 secret again:
Current user's MD5 secret has been changed

Change User

Changes a user account that you previously added.

Syntax: change user

Example: change user

Enter user name: ? NewAdmin
Change authentication type? (Y)es, (N)o, or (Q)uit [N]? y
Enter authentication type: (N)one, (P)assword, (C)hallenge, or (Q)uit [P]? c
Enter MD5 secret:
Enter MD5 secret again:
Change permission? (Y)es, (N)o, or (Q)uit [N]? n
User `NewAdmin' has been changed

Delete User

Removes a user account from the router database.

Syntax: delete user

Example: delete user

Enter user name: ? NewAdmin
Delete user `NewAdmin'? (Y)es, (N)o, or (Q)uit [N]? y
User `NewAdmin' has been deleted

Disable Console-login

Turns off the user name and password prompts at login. Creating an administrative user account automatically enables console login.

Syntax: disable console-login

Example: disable console-login

Enable Console-login

Turns on the user name and password prompts at login. You must have defined at least one administrator for this command to take effect. Until you add an administrator, at each startup the system displays a message that console login is not activated. Creating an administrator account automatically enables console login, so you need the enable console-login command only if you previously disabled console login.

Syntax: enable console-login

Example: enable console-login

List Users

Displays a list of all user accounts, showing the permission level, authentication type, and user name of each account. Also shows whether console-login is enabled or disabled.

Syntax: list users

Example: list users

PERMISSION    AUTHENTICATION      USER
Admin         None                nadmin
Tech Support  Challenge/Response  Proteon
Monitor       None                xx
Monitor       Challenge/Response  cmon
Monitor       Password            pmon
Admin         Challenge/Response  NewAdmin

Console login is enabled



docs@openroute.com
Copyright © 1998, OpenROUTE Networks, Inc. All rights reserved.