Specifications

MDS 05-6628A01, Rev. A MDS Orbit MCR-4G Technical Manual 15
One-Time Passwords: How They Work
One-time recovery passwords put control directly and exclusively in the user’s hands. They are similar to
spare keys for a lock. If you make a spare key, and put it away safely, you can take it out to quickly gain
entry when your primary key is lost. If you don’t make a spare, you are always at risk of locking yourself out.
A one-time recovery password is different from the one used to log into the unit on a routine basis. It is only
for use when the primary password is lost or forgotten. When a one-time password is used to log in, that
password is automatically revoked from the list of passwords created. (You may create up to five one-time
passwords at one time, and more can be created if some get used). A password cannot be used again for
log-in to the unit (hence the name one-time-password).
Creating a One-Time Password
To create a one-time recovery password, proceed as follows:
1. Upon successful log-in, enter the following command:
request system recovery one-time-passwords create function <selected function>
A one-time password is automatically generated and displayed on the screen. Copy this password and
save it in the desired location on your PC. There is no way to ever view it again from the command
line console, so be sure it is properly saved.
2. To create additional one-time passwords (up to a total of five), repeat the step above.
Logging in With a One-Time Password
To use the one-time password for log-in, proceed as follows:
1. At the username prompt, enter the word recovery.
2. At the password prompt, paste in the one-time-password saved earlier on your PC. Using a
one-time-password forces the unit to perform the “function” which was previously defined when the
password was created:
factory-reset—The unit resets its entire configuration to factory defaults
login—The unit allows logging in with “admin” privileges
Special case: If someone has disabled console access on the COM port, the login prompt will still be present
on that console, but only one-time-passwords will be accepted. This is done to provide a way to recover the
unit in the case where the COM port has been disabled and the unit cannot be accessed via TCP.
Deleting a One-Time Password
As noted earlier, a one-time password is automatically revoked when it is used for log-in. A revoked
password may be replaced, but it must first be removed from the list so a new one can be generated. Any of the
five stored passwords may be removed on demand. As long as there is a free slot, an additional password
can be created, up to the maximum number of five. Logs are generated when the user creates, deletes or logs
in with a one-time-password. To remove an existing password from the list, proceed as follows:
Enter the command
request system recovery one-time-passwords delete identifier X
where X is a number 1 through 5.
The current list of passwords may be viewed by issuing the command
show system recovery one-time-passwords
The following is an example output from that command. On the unit shown, only two passwords
have been stored. Password 1 or 2 can be deleted from this list.
IDENTIFIER  FUNCTION  STATUS   DATE CREATED               DATE REVOKED  USER
----------------------------------------------------------------------
1           login     useable  2012-06-19T00:27:24+00:00
2           login     useable  2012-06-19T00:27:25+00:00
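
The following Python script is an added example, not part of the manual or of the unit's software. It audits a saved copy of the listing above: it counts usable and spent entries and free slots, and builds the delete commands that free spent slots. The third sample row, its "revoked" status string and its user value are constructed assumptions, since the manual shows only "useable" rows.

```python
import re

# Constructed sample of `show system recovery one-time-passwords` output.
# Rows 1-2 follow the manual's example; row 3 is invented, and its "revoked"
# status string, revocation date and user value are assumptions.
SAMPLE = """\
IDENTIFIER  FUNCTION       STATUS   DATE CREATED               DATE REVOKED               USER
----------------------------------------------------------------------
1           login          useable  2012-06-19T00:27:24+00:00
2           login          useable  2012-06-19T00:27:25+00:00
3           factory-reset  revoked  2012-06-19T00:27:26+00:00  2012-07-02T09:14:03+00:00  recovery
"""

MAX_SLOTS = 5  # the manual allows at most five stored one-time passwords
ROW = re.compile(r"^\s*([1-5])\s+(factory-reset|login)\s+(\S+)\s+(\S+)(?:\s+(\S+))?(?:\s+(\S+))?\s*$")

def parse(text):
    """Return one dict per table row; header and rule lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ident, function, status, created, revoked, user = m.groups()
            rows.append({"id": int(ident), "function": function, "status": status,
                         "created": created, "revoked": revoked, "user": user})
    return rows

def audit(rows):
    """Summarise slot usage and list the delete commands that free spent slots."""
    usable = [r for r in rows if r["status"] == "useable"]
    spent = [r for r in rows if r["status"] != "useable"]
    return {
        "usable_ids": [r["id"] for r in usable],
        "spent_ids": [r["id"] for r in spent],
        "free_slots": MAX_SLOTS - len(rows),
        # A spent entry means a recovery login happened: check the unit's logs.
        "review_logs": bool(spent),
        "delete_commands": [
            f"request system recovery one-time-passwords delete identifier {r['id']}"
            for r in spent],
        # No usable password left means a lost primary password locks you out.
        "lockout_risk": not usable,
    }

if __name__ == "__main__":
    for key, value in audit(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

An entry that is no longer "useable" still occupies one of the five slots until it is deleted, which is why the script reports free slots separately from usable passwords.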