diff options
| author | Guillaume Mazoyer <gmazoyer@gravitons.in> | 2018-01-30 11:34:40 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-01-30 11:34:40 +0100 |
| commit | 0ce8636c7a80590c84c5530e7b0ab8b53f753a7d (patch) | |
| tree | be913d38b9fd73f96e5811d1d9c1035fdb461dce | |
| parent | 0d26b4e70ee630eeffa83d30e09a2b6de4422722 (diff) | |
| parent | aaae55c1ef9d32a0e7a11e3670c8074e6bf9174c (diff) | |
Merge pull request #28 from pautiina/master-frr
Add documentation for FRR setup.
| -rw-r--r-- | docs/frr.md | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/docs/frr.md b/docs/frr.md new file mode 100644 index 0000000..b3e3ac4 --- /dev/null +++ b/docs/frr.md @@ -0,0 +1,79 @@ +# Looking Glass: FRRouting (FRR) configuration and tips. + +FRR has its roots in the Quagga project. In fact, it was started by many +long-time Quagga developers who combined their efforts to improve on +Quagga's well-established foundation in order to create the best routing +protocol stack available. We invite you to participate in the FRRouting +community and help shape the future of networking. + +## Instalation FRRouting + + * https://github.com/FRRouting/frr/tree/master/doc + +## Security and user access + +Looking Glass directly calls `vtysh -c "frr command"`. Thus, the `lg` user +only needs to run `vtysh`, `ping` and `traceroute`. To achieve this, we +recommend the use of `rbash` (restricted bash, see [1]), ssh key based authentication +and a bit of dark magic. + +## Configuration + +Rough steps ahead (maybe more doc later): + +``` +# create the "lg" unix user and add it to 'frr' and 'frrvty' group's. +root@frr-router ~# adduser lg +(boring questions) +root@frr-router ~# pw group mod frr -m lg +root@frr-router ~# pw group mod frrvty -m lg + +# log in as lg user +root@frr-router ~# su -l lg + +# create ssh userdir and authorized the looking glass RSA pubkey with limited access and features +lg@frr-router ~# mkdir ~/.ssh/ +lg@frr-router ~# echo 'from="lg.example.com,$IP4-OF-YOUR-LG",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys + +# truncate the profile dotfile +lg@frr-router ~# echo >| ~/.profile + +# set up a limited PATH +lg@frr-router ~# echo "export PATH=/opt/lg-bin" >| ~/.profile +lg@frr-router ~# exit + +# render the profile dotfile immutable, the lg user will not be able to truncate/edit it +root@frr-router ~# chattr +i ~lg/.profile + +# change lg user shell to restricted bash +root@frr-router ~# chsh -s /bin/rbash lg + +# set up the restricted PATH with the only necessary binaries simlinks +root@frr-router ~# mkdir -p /opt/lg-bin +root@frr-router ~# for cmd in vtysh ping traceroute; do ln -s $(which $cmd) /opt/lg-bin/; done +root@frr-router ~# +``` + +You can disable password authentication for the lg user in the sshd config: + +``` +Match user lg + PasswordAuthentication no +``` + +and reload sshd: + +`service ssh reload` + +## Debug + +Test the SSH connection from the server where the looking glass is installed: + +`ssh -i lg-user-id_rsa.key lg@frr-router.example.com` + +After successful login, verify that only built-in functions and `vtysh`, `ping` +and `traceroute` are available and functionnal. + +## References + + * [1] http://en.wikipedia.org/wiki/Restricted_shell |