diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/bird.md | 75 |
1 files changed, 74 insertions, 1 deletions
diff --git a/docs/bird.md b/docs/bird.md index 068f645..27cf61e 100644 --- a/docs/bird.md +++ b/docs/bird.md @@ -1,9 +1,82 @@ # Looking Glass: BIRD configuration and tips. -Easy to deploy Looking Glass made in PHP. +Only BIRD on Debian GNU/Linux and how to (merely) secure an restricted ssh +user will be detailed. Other OSes were not tested. + +Security will be mainly based on shell, path and ssh access restriction. +Password authentication will not even be presented here, only key based +authentication. + +## Dependencies + + * Debian: `apt-get install traceroute bash iputils-ping` + * BIRD: a functionnal installation of BIRD, assuming group bird exists + (requires at least the Debian package from wheezy-backports) ## Security and user access +Looking Glass directly calls `birdc "bird command"` and +`birdc6 "bird command"`. Thus, the `lg` user only needs to run `birdc`, +`birdc6`, `ping` and `traceroute`. To achieve this, we recommend the use of +`rbash` (restricted bash, see [1]), ssh key based authentication and a bit of +dark magic. + ## Configuration +Rough steps ahead (maybe more doc later): + +``` +# create the "lg" unix user +root@bird-router ~# adduser lg +(boring questions) +root@bird-router ~# + +# log in as lg user +root@bird-router ~# su -l lg + +# create ssh userdir and authorized the looking glass RSA pubkey with limited access and features. +lg@bird-router ~# mkdir ~/.ssh/ +lg@bird-router ~# echo 'from="lg.example.com,$IP4-OF-YOUR-LG",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys + +# truncate the profile dotfile +lg@bird-router ~# echo >| ~/.profile + +# set up a limited PATH +lg@bird-router ~# echo "export PATH=/opt/lg-bin" >| ~/.profile +lg@bird-router ~# exit + +# render the profile dotfile immutable, the lg user will not be able to truncate/edit it +root@bird-router ~# chattr +i ~lg/.profile + +# change lg user shell to restricted bash +root@bird-router ~# chsh -s /bin/rbash lg + +# set up the restricted PATH with the only necessary binaries simlinks +root@bird-router ~# mkdir -p /opt/lg-bin +root@bird-router ~# for cmd in birdc birdc6 ping traceroute; do ln -s $(which $cmd) /opt/lg-bin/; done +root@bird-router ~# +``` + +You can disable password authentication for the lg user in the sshd config: + +``` +Match user lg + PasswordAuthentication no +``` + +and reload sshd: + +`service ssh reload` + ## Debug + +Test the ssh connection from the server where the looking glass is installed: + +`ssh -i lg-user-id_rsa.key lg@bird-router.example.com` + +After successful login, verify that only built-in functions and `birdc`, +`birdc6`, `ping` and `traceroute` are available and functionnal. + +## References + + * [1] http://en.wikipedia.org/wiki/Restricted_shell |