-rw-r--r-- | docs/vyatta.md | 55 | ||||
-rw-r--r-- | routers/router.php | 6 | ||||
-rw-r--r-- | routers/vyatta.php | 168 |
3 files changed, 229 insertions, 0 deletions
diff --git a/docs/vyatta.md b/docs/vyatta.md
new file mode 100644
index 0000000..21c4c28
--- /dev/null
+++ b/docs/vyatta.md
@@ -0,0 +1,55 @@
+# Looking Glass: Vyatta/VyOS/EdgeOS configuration and tips.
+
+## Security and user access
+
+Unfortunately starting with EdgeOS [v1.9.7+hotfix.3](https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-security-release-v1-9-7-hotfix-3/ba-p/2054117) release the shell access to the router is no longer possible for the operator users.
+
+Here is a quote:
+```
+[User account] WARNING! Disabled shell access for operator user. From now on operator
+user will have only WebUI access If operator user will try to access shell (via SSH or telnet)
+then error message "This account is currently not available" will be displayed and access
+will be denied. We decided to decrease operator user privileges for security reasons.
+```
+
+This of course complicates the things, and basically translates to the need for admin level (super-user) access.
+
+Please make sure that you understand security implications of this.
+
+# Configuration:
+
+Firstly create a new user with the admin level privileges:
+
+```
+[edit]
+set system login user <username> level admin
+```
+
+For security purpose, it is highly recommended to use an authentication mecanism based on SSH public keys. For that you can use one of the following commands:
+
+```
+[edit]
+user@router# set system login user <username> authentication ssh-rsa "<key>"
+[edit]
+user@router# set system login user <username> authentication ssh-dsa "<key>"
+[edit]
+user@router# set system login user <username> authentication ssh-ecdsa "<key>"
+```
+
+However if for your own reasons you prefer to use a password based authentication (you should not) you can use the encrypted-password or plain-text-password argument of the authentication command.
+
+To commit your changes to the router use:
+
+```
+[edit]
+user@router# show | compare
+...
+[edit] +user@router# commit +``` + +## Debug + +Test the SSH/Telnet connection from the server where the looking glass is +installed and you should see some outputs in your logs depending on your +configuration. diff --git a/routers/router.php b/routers/router.php index 5756c86..8bdd7c3 100644 --- a/routers/router.php +++ b/routers/router.php @@ -27,6 +27,7 @@ require_once('cisco_iosxr.php'); require_once('juniper.php'); require_once('openbgpd.php'); require_once('quagga.php'); +require_once('vyatta.php'); require_once('includes/utils.php'); require_once('auth/authentication.php'); @@ -187,6 +188,11 @@ abstract class Router { case 'zebra': return new Quagga($config, $router_config, $id, $requester); + case 'vyatta': + case 'vyos': + case 'edgeos': + return new Vyatta($config, $router_config, $id, $requester); + default: print('Unknown router type "'.$router_config['type'].'".'); return null; diff --git a/routers/vyatta.php b/routers/vyatta.php new file mode 100644 index 0000000..52cb318 --- /dev/null +++ b/routers/vyatta.php 
@@ -0,0 +1,168 @@
+<?php
+
+/*
+ * Looking Glass - An easy to deploy Looking Glass
+ * Copyright (C) 2014-2017 Guillaume Mazoyer <gmazoyer@gravitons.in>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+require_once('router.php');
+require_once('includes/utils.php');
+
+final class Vyatta extends Router {
+ protected function build_ping($destination) {
+ $ping = null;
+
+ if (match_hostname($destination)) {
+ $hostname = $destination;
+ $destination = hostname_to_ip_address($hostname, $this->config);
+
+ if (!$destination) {
+ throw new Exception('No record found for '.$hostname);
+ }
+ }
+
+ if (match_ipv6($destination)) {
+ $ping = 'ping6 '.$this->global_config['tools']['ping_options'].' '.
+ (isset($hostname) ? $hostname : $destination);
+ } else if (match_ipv4($destination)) {
+ $ping = 'ping '.$this->global_config['tools']['ping_options'].' '.
+ (isset($hostname) ? $hostname : $destination);
+ } else {
+ throw new Exception('The parameter does not resolve to an IP address.');
+ }
+
+ if (($ping != null) && $this->has_source_interface_id()) {
+ if (match_ipv6($destination) &&
+ ($this->get_source_interface_id('ipv6') != null)) {
+ $ping .= ' '.$this->global_config['tools']['ping_source_option'].' '.
+ $this->get_source_interface_id('ipv6');
+ } else if (match_ipv4($destination) &&
+ ($this->get_source_interface_id('ipv4') != null)) {
+ $ping .= ' '.$this->global_config['tools']['ping_source_option'].' '.
+ $this->get_source_interface_id('ipv4');
+ }
+ }
+
+ return $ping;
+ }
+
+ protected function build_traceroute($destination) {
+ $traceroute = null;
+
+ if (match_hostname($destination)) {
+ $hostname = $destination;
+ $destination = hostname_to_ip_address($hostname, $this->config);
+
+ if (!$destination) {
+ throw new Exception('No record found for '.$hostname);
+ }
+ }
+
+ if (match_ipv6($destination)) {
+ $traceroute = $this->global_config['tools']['traceroute6'].' '.
+ (isset($hostname) ? $hostname : $destination);
+ } else if (match_ipv4($destination)) {
+ $traceroute = $this->global_config['tools']['traceroute4'].' '.
+ (isset($hostname) ? $hostname : $destination);
+ } else {
+ throw new Exception('The parameter does not resolve to an IP address.');
+ }
+
+ if (($traceroute != null) && $this->has_source_interface_id()) {
+ if (match_ipv6($destination) &&
+ ($this->get_source_interface_id('ipv6') != null)) {
+ $traceroute .= ' '.
+ $this->global_config['tools']['traceroute_source_option'].' '.
+ $this->get_source_interface_id('ipv6');
+ } else if (match_ipv4($destination) &&
+ ($this->get_source_interface_id('ipv4') != null)) {
+ $traceroute .= ' '.
+ $this->global_config['tools']['traceroute_source_option'].' '.
+ $this->get_source_interface_id('ipv4');
+ }
+ }
+
+ return $traceroute;
+ }
+
+ protected function build_commands($command, $parameter) {
+ $commands = array();
+
+ $wrapper = '/opt/vyatta/bin/vyatta-op-cmd-wrapper ';
+
+ switch ($command) {
+ case 'bgp':
+ if (match_ipv6($parameter, false)) {
+ $commands[] = $wrapper.'show ipv6 bgp '.$parameter;
+ } else if (match_ipv4($parameter, false)) {
+ $commands[] = $wrapper.'show ip bgp '.$parameter;
+ } else {
+ throw new Exception('The parameter is not an IP address.');
+ }
+ break;
+
+ case 'as-path-regex':
+ if (match_aspath_regex($parameter)) {
+ if (!$this->config['disable_ipv6']) {
+ $commands[] = $wrapper.'show ipv6 bgp regexp '.$parameter;
+ }
+ if (!$this->config['disable_ipv4']) {
+ $commands[] = $wrapper.'show ip bgp regexp '.$parameter;
+ }
+ } else {
+ throw new Exception('The parameter is not an AS-Path regular expression.');
+ }
+ break;
+
+ case 'as':
+ if (match_as($parameter)) {
+ if (!$this->config['disable_ipv6']) {
+ $commands[] = $wrapper.'show ipv6 bgp regexp ^'.$parameter.'_';
+ }
+ if (!$this->config['disable_ipv4']) {
+ $commands[] = $wrapper.'show ip bgp regexp ^'.$parameter.'_';
+ }
+ } else {
+ throw new Exception('The parameter is not an AS number.');
+ }
+ break;
+
+ case 'ping':
+ try {
+ $commands[] = $this->build_ping($parameter);
+ } catch (Exception $e) {
+ throw $e;
+ }
+ break;
+
+ case 'traceroute':
+ try {
+ $commands[] = $this->build_traceroute($parameter);
+ } catch (Exception $e) {
+ throw $e;
+ }
+ break;
+
+ default:
+ throw new Exception('Command not supported.');
+ }
+
+ return $commands;
+ }
+}
+
+// End of vyatta.php |
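Review bot: In build_commands the request parameter is concatenated straight into the vyatta-op-cmd-wrapper command line, so the only thing between user input and the router's shell is the match_* helper for each case (match_aspath_regex, match_as, match_ipv4/match_ipv6), none of which is in this hunk. The bgp and as cases are bounded by what an address or AS number can contain, but the as-path-regex case forwards an arbitrary regular expression unquoted; unless match_aspath_regex is known to reject whitespace and shell metacharacters, quote it, e.g. `$commands[] = $wrapper.'show ipv6 bgp regexp '.escapeshellarg($parameter);` (and the same for the `show ip bgp regexp` line), on the assumption that the transport hands the string to a remote shell as the accompanying docs suggest. Separately, the `try { … } catch (Exception $e) { throw $e; }` around build_ping and build_traceroute is a no-op rethrow; `$commands[] = $this->build_ping($parameter);` on its own behaves identically. The `$this->config['disable_ipv6']` and `['disable_ipv4']` reads also assume both keys are always present in the router config, which is worth confirming against the config loader.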