blob: bad905a498b428e29dea19231381a5fb22724dc9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
# Looking Glass: Cisco IOS XR configuration and tips.
Cisco IOS XR support is rather straightforward thanks to the tasks mecanism.
## Security and user access
As security by least privilege is quite efficient, using a restricted user to
execute the commands is advised.
A root-system access is not necessary, a read-only-tg user is not sufficient
though. So it is better to define a new group of users with access to
specific commands to restrict the looking glass user to what it actually needs
(no more, no less). This is done using **taskgroup** and **usergroup**.
## Configuration: Task and User Groups
Log in your Cisco router and type the following commands:
```
RP/0/0/CPU0:router#configure
RP/0/0/CPU0:router(config)# taskgroup looking-glass
RP/0/0/CPU0:router(config-tg)#description "Looking Glass required tasks"
RP/0/0/CPU0:router(config-tg)#task read bgp
RP/0/0/CPU0:router(config-tg)#task read basic-services
RP/0/0/CPU0:router(config-tg)#task write basic-services
RP/0/0/CPU0:router(config-tg)#task execute basic-services
RP/0/0/CPU0:router(config-tg)#exit
RP/0/0/CPU0:router(config)#usergroup looking-glass
RP/0/0/CPU0:router(config-ug)#description "Looking Glass users"
RP/0/0/CPU0:router(config-ug)#taskgroup looking-glass
RP/0/0/CPU0:router(config-ug)#exit
RP/0/0/CPU0:router(config)#username <username>
RP/0/0/CPU0:router(config-un)#group looking-glass
RP/0/0/CPU0:router(config-un)# password <password>
RP/0/0/CPU0:router(config-un)#exit
RP/0/0/CPU0:router(config)#commit
RP/0/0/CPU0:router(config)#exit
```
Here is the formal configuration for simple copy/paste.
```
taskgroup looking-glass
taskgroup looking-glass task read bgp
taskgroup looking-glass task read basic-services
taskgroup looking-glass task write basic-services
taskgroup looking-glass task execute basic-services
taskgroup looking-glass description "Looking Glass required tasks"
usergroup looking-glass
usergroup looking-glass taskgroup looking-glass
usergroup looking-glass description "Looking Glass users"
username <username>
username <username> group read-only-tg
username <username> group looking-glass
username <username> secret <password>
```
SSH pubkey based authentication is preferred too even if it is pretty boring
to setup with IOS XR.
The first thing to do is checking the size of the key to use. There are
limitations depending on the hardware. ASR router supports 1024 bit key size
or smaller contrary to what the manual says (supporting up to 2048 bit).
Supposing that the key is located in `~/.ssh/id_rsa.pub`, a binary base64 file
of the key must be created to be imported inside the router.
```
cut -d" " -f2 ~/.ssh/id_rsa.pub | base64 -d >| id_rsa.pub.b64
```
This file can be uploaded on the router in order to be imported. Here is how to do this :
```
RP/0/0/CPU0:router#admin
RP/0/0/CPU0:router(admin)#crypto key import authentication rsa username lg id_rsa.pub.b64
RP/0/0/CPU0:router(admin)#exit
```
And to check that the key has been imported properly:
```
RP/0/0/CPU0:router#admin
RP/0/0/CPU0:router(admin)#show crypto key authentication rsa username lg
Key label: lg
Type : RSA public key authentication
Size : 1024
Imported : 00:00:00 UTC Tue Oct 11 2016
Data :
...
```
And that should be enough.
## Debug
Test the SSH connection from the server where the looking glass is installed
and you should see some outputs in your logs. Be careful to potential SSH
connections rate limit if you do heavy testing.
## References
* [1] https://supportforums.cisco.com/document/61306/asr9000xr-using-task-groups-and-understanding-priv-levels-and-authorization
|
