docs/cisco.md | 2
docs/quagga.md | 9
2 files changed, 6 insertions, 5 deletions
diff --git a/docs/cisco.md b/docs/cisco.md index 17d33ea..af13911 100644 --- a/docs/cisco.md +++ b/docs/cisco.md @@ -84,7 +84,7 @@ router(config)# end router# ``` -Test the ssh/telnet connexion from the server where the looking glass is installed. +Test the ssh/telnet connection from the server where the looking glass is installed. Display the resulting logs during your tests: diff --git a/docs/quagga.md b/docs/quagga.md index 946c9d5..1e835bd 100644 --- a/docs/quagga.md +++ b/docs/quagga.md @@ -1,7 +1,7 @@ # Looking Glass: Quagga/Zebra configuration and tips. Only Quagga on Debian GNU/Linux and how to (merely) secure an restricted ssh user will -be detailed. Other OS were not tested. +be detailed. Other OSes were not tested. Quagga is average concerning code and security QA, thus security will be mainly based on shell, path and ssh access restriction. Password authentication will @@ -17,7 +17,7 @@ not even be presented here, only key based authentication. Looking Glass directly calls `vtysh -c "quaggavty command"`. Thus, the `lg` user only needs to run `vtysh`, `ping` and `traceroute`. To achieve this, we -recommend the use of `rbash`[1] (restricted bash), ssh key based authentication +recommend the use of `rbash` (restricted bash, see [1]), ssh key based authentication and a bit of dark magic. ## Configuration 
@@ -34,7 +34,8 @@ root@quagga-router ~# root@quagga-router ~# su -l lg # create ssh userdir and authorized the looking glass RSA pubkey with limited access and features. -lg@quagga-router ~# mkdir ~/.ssh/ lg@quagga-router ~# echo 'from="lg.example.com,$IP4-OF-YOUR-LG",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys +lg@quagga-router ~# mkdir ~/.ssh/ +lg@quagga-router ~# echo 'from="lg.example.com,$IP4-OF-YOUR-LG",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys # truncate the profile dotfile lg@quagga-router ~# echo >| ~/.profile @@ -68,7 +69,7 @@ and reload sshd: ## Debug -Test the ssh connexion from the server where the looking glass is installed: +Test the ssh connection from the server where the looking glass is installed: `ssh -i lg-user-id_rsa.key lg@quagga-router.example.com` |
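Review bot: the first quagga.md hunk fixes "Other OS" but leaves a second grammar slip in its own unchanged context line, `how to (merely) secure an restricted ssh user`, which should read `a restricted ssh user`; since the hunk already edits the adjacent sentence, it is cheap to fix here. The rewording to `rbash` (restricted bash, see [1]) is clearer than the footnote glued to the word, but reference [1] is not part of this diff, so confirm the entry still exists at the bottom of docs/quagga.md.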
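Review bot: splitting `mkdir ~/.ssh/` and the `echo ... >| ~/.ssh/authorized_keys` command onto two lines in the `@@ -34,7 +34,8 @@` hunk is the right fix, since the previous single line could not be pasted into a shell as written. Two documentation points on that `authorized_keys` line remain: the placeholders `$IP4-OF-YOUR-LG` and `$RSA-PUBKEY-HERE` sit inside single quotes, so they are written literally rather than expanded, and the text should say they must be substituted by hand before running the command; and `mkdir ~/.ssh/` creates the directory with the user's default umask, so an explicit `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/authorized_keys` step would make the permissions sshd's StrictModes expects part of the procedure rather than an assumption.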