# Looking Glass: FRRouting (FRR) configuration and tips.

FRR has its roots in the Quagga project. In fact, it was started by many
long-time Quagga developers who combined their efforts to improve on
Quagga's well-established foundation in order to create the best routing
protocol stack available. We invite you to participate in the FRRouting
community and help shape the future of networking.

## Installing FRRouting

  * https://github.com/FRRouting/frr/tree/master/doc

## Security and user access

Looking Glass runs its queries on the router over SSH as `vtysh -c "frr command"`,
so the `lg` user only ever needs to run `vtysh`, `ping` and `traceroute`, and
nothing else. To get there, we recommend `rbash` (restricted bash, see [1]) with
a fixed `PATH`, SSH key-based authentication with the key restricted to the
looking glass host, and a bit of dark magic with immutable dotfiles so that the
`lg` user cannot undo the restriction.

Two limits of this setup are worth keeping in mind. `rbash` only restricts what
the `lg` user can type at the shell; it does not restrict what `vtysh` does with
the command it is handed, and membership in `frrvty` gives `vtysh` full access to
the daemons, configuration mode included (`vtysh -c list` prints everything it
accepts). What keeps the account read-only is that the looking glass only ever
sends `show` commands, so treat the command list on the looking glass side, or a
forced command on the router that enforces the same allow-list, as part of the
security setup.

## Configuration

Rough steps ahead (more documentation may follow):

```
# create the "lg" unix user and add it to the 'frr' and 'frrvty' groups
# (frrvty is what grants access to the vtysh sockets; usermod is the Linux
# counterpart of FreeBSD's "pw group mod ... -m lg")
root@frr-router ~# adduser lg
(boring questions)
root@frr-router ~# usermod -a -G frr,frrvty lg

# log in as the lg user
root@frr-router ~# su -l lg

# create the ssh userdir and authorize the looking glass pubkey, valid only from
# the looking glass host and with all forwarding disabled
lg@frr-router ~# mkdir -m 700 ~/.ssh/
lg@frr-router ~# echo 'from="lg.example.com,$IP4-OF-YOUR-LG",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys
lg@frr-router ~# chmod 600 ~/.ssh/authorized_keys

# replace the profile dotfile with nothing but a limited PATH
lg@frr-router ~# echo "export PATH=/opt/lg-bin" >| ~/.profile
lg@frr-router ~# exit

# render the profile dotfile immutable: the lg user will not be able to truncate/edit it.
# bash prefers ~/.bash_profile and ~/.bash_login over ~/.profile for login shells, and
# Debian's bash (built with SSH_SOURCE_BASHRC) reads ~/.bashrc for non-interactive
# "ssh lg@router command" sessions, so pin those with the same PATH rather than
# leaving them for the lg user to create
root@frr-router ~# chattr +i ~lg/.profile
root@frr-router ~# for f in .bash_profile .bash_login .bashrc; do cp ~lg/.profile ~lg/$f; chattr +i ~lg/$f; done

# change the lg user's shell to restricted bash
root@frr-router ~# chsh -s /bin/rbash lg

# set up the restricted PATH directory with symlinks to the only necessary binaries
root@frr-router ~# mkdir -p /opt/lg-bin
root@frr-router ~# for cmd in vtysh ping traceroute; do ln -s $(which $cmd) /opt/lg-bin/; done
root@frr-router ~#
```

You can (and should) disable password authentication for the lg user in the sshd
config, so that only the authorized key can log in. A `Match` block applies to
everything after it up to the next `Match`, so put it at the end of `sshd_config`:

```
Match User lg
  PasswordAuthentication no
```

then check the configuration and reload sshd:

`sshd -t && service ssh reload`
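As an added example (not part of Looking Glass or FRR), the following sshd forced-command wrapper enforces on the router itself what the setup above otherwise leaves to the looking glass: only allow-listed `show`, `ping` and `traceroute` invocations reach the binaries in `/opt/lg-bin`, whatever the remote side sends. It assumes the looking glass sends exactly the forms matched by the three patterns (`vtysh -c "show ..."`, `ping [-4|-6] -c N HOST`, `traceroute [-4|-6] HOST`); the script path `/opt/lg-bin/lg-wrapper`, the `lg_*` function names and the addresses in the comments are this example's own choices. It works with or without `rbash`: installed with `command="/opt/lg-bin/lg-wrapper",restrict,from="..."` in front of the key in `~lg/.ssh/authorized_keys`, sshd runs the wrapper instead of the requested command and hands that command over in `SSH_ORIGINAL_COMMAND`.

```shell
#!/bin/sh
# lg-wrapper: sshd forced command for the Looking Glass key on the FRR router.
# Added example, not part of Looking Glass or FRR.
#
# Assumption: the looking glass sends exactly one of
#   vtysh -c "show (ip|ipv6|bgp) ..."   ping [-4|-6] -c N HOST   traceroute [-4|-6] HOST
# Adjust the patterns to what your looking glass actually emits.
#
# Install (one line) in ~lg/.ssh/authorized_keys, in front of the key:
#   command="/opt/lg-bin/lg-wrapper",restrict,from="IP-OF-YOUR-LG" ssh-ed25519 AAAA... lg@looking-glass
# sshd then runs this script instead of the requested command and passes the
# requested command line in SSH_ORIGINAL_COMMAND.

# Directory with the symlinks to vtysh, ping and traceroute set up above.
LG_BIN=/opt/lg-bin

# Character classes for the allowed arguments: no quotes and no shell
# metacharacters ($ ` ; | & < > ( ) * ? \), so an accepted string can be
# passed on as an explicit argv without any re-parsing by a shell.
ARGCH='[A-Za-z0-9 ./:_-]'   # vtysh "show" arguments (spaces allowed)
HOSTCH='[A-Za-z0-9.:_-]'    # one hostname or IPv4/IPv6 literal (no spaces)
NL='
'

# lg_allowed CMDLINE -> exit status 0 if CMDLINE is an allow-listed form, 1 otherwise.
# Every pattern is anchored at both ends. "show" is the only vtysh verb admitted,
# so configuration mode and vtysh's process-spawning commands never reach it.
lg_allowed() {
    # grep matches line by line: a second line after a valid first one would be
    # accepted on the strength of the first, so refuse embedded newlines outright.
    case $1 in *"$NL"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        -e "^vtysh -c \"show (ip|ipv6|bgp) ${ARGCH}+\"\$" \
        -e "^ping( -[46])? -c [1-9] ${HOSTCH}+\$" \
        -e "^traceroute( -[46])? ${HOSTCH}+\$"
}

# lg_vtysh_inner CMDLINE -> prints the FRR command between the quotes of an
# (already allow-listed) vtysh invocation, e.g. 'show ip bgp summary'.
lg_vtysh_inner() {
    inner=${1#vtysh -c \"}
    printf '%s\n' "${inner%\"}"
}

# lg_run CMDLINE: validate, then exec the real binary with an explicit argv.
# No eval and no shell re-parsing of the looking glass's string.
lg_run() {
    if ! lg_allowed "$1"; then
        printf 'lg-wrapper: command not permitted: %s\n' "$1" >&2
        exit 1
    fi
    case $1 in
        vtysh*)
            exec "$LG_BIN/vtysh" -c "$(lg_vtysh_inner "$1")"
            ;;
        *)
            # ping/traceroute: arguments contain no blanks or metacharacters,
            # so field splitting on spaces yields exactly the intended argv.
            set -- $1
            prog=$1
            shift
            exec "$LG_BIN/$prog" "$@"
            ;;
    esac
}

# Entry point when sshd invokes this script as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    lg_run "$SSH_ORIGINAL_COMMAND"
fi
```

Two details are worth keeping when you adapt the patterns: the newline check exists because `grep` works line by line, so a request of `vtysh -c "show ip route"` followed by a newline and a second command would otherwise pass on the strength of its first line; and the allow-list names specific `show ip|ipv6|bgp` forms rather than `show .*`, because `show running-config` returns the whole configuration, BGP neighbor passwords included. `restrict` needs OpenSSH 7.2 or newer; on older versions spell out `no-pty,no-port-forwarding,no-x11-forwarding,no-agent-forwarding` as in the `authorized_keys` line above.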

## Debug

Test the SSH connection from the server where the looking glass is installed:

`ssh -i lg-user-id_rsa.key lg@frr-router.example.com`

After a successful login, verify that only the shell's built-in functions and
`vtysh`, `ping` and `traceroute` are available and functional. Then verify the
restriction from the other direction: `cd /tmp`, `PATH=/usr/bin`, `/bin/ls`,
`ls` and `echo x > ~/.bashrc` should all be refused by `rbash` (restricted
operation, command name containing `/`, command not found, redirection not
allowed). Finally run a non-interactive command the way the looking glass does,
`ssh -i lg-user-id_rsa.key lg@frr-router.example.com ls`, which should fail as
well; if it succeeds, that session inherited sshd's default `PATH` because the
non-interactive path does not read `~/.profile`, and `PATH` must be pinned in
`~/.bashrc` too.

## References

  * [1] http://en.wikipedia.org/wiki/Restricted_shell