Latest commit 0d53e4b Jun 22, 2014 @Cougar Suggest config file location change outside web root
Closes #5: CVE-2014-3929: Unsafe SSH keypairs path in default config

(cherry picked from commit 856cba2)



LG is a Looking Glass written in Perl as a CGI script. It can execute almost
all BGP-related commands and do ping and traceroute in routers or relay these
queries to other looking glasses. It supports both IPv4 and IPv6 commands,
and is tested with Cisco, Zebra and Juniper. It can connect to router using
either SSH, telnet or rsh protocol.

LG is released under GPL licence. Look at COPYING file.


It is suggested to move configuration file lg.conf outside of webserver
direcory. One suitable place for that could be /usr/local/etc. Just move
configuration to this directory and add full path to the $configfile
variable in the beginning of lg.cgi.

The default location of SSH configuration directory .ssh is initialized to
the same directory where CGI is running: /usr/local/httpd/htdocs/lg.
It is suggested to change $HOME enironment variable in the beginning
of lg.cgi script to some other directory accessible by webserver (wwwrun
for example) which is outside of default webserver root (in opensuse
/var/lib/wwwrun can be used). It is srongly suggested to change this in
case you are going to use key based authentication.


This example assumes that you use Apache webserver and LG will be installed
to /usr/local/httpd/htdocs/lg directory.

1. Create directory where you want to keep LG files

> mkdir /usr/local/httpd/htdocs/lg

2. Copy lg.cgi, lg.conf and favicon.ico to this directory, make CGI executable

> cp lg.cgi lg.conf favicon.ico /usr/local/httpd/htdocs/lg
> chmod 644 /usr/local/httpd/htdocs/lg/*
> chmod 755 /usr/local/httpd/htdocs/lg/lg.cgi

3. Add these lines to your webserver config (In SuSE it is located at
/etc/httpd/httpd.conf or /etc/httpd/suse_include.conf). The order of these

Alias /lg/favicon.ico /usr/local/httpd/htdocs/lg/favicon.ico
ScriptAlias /lg /usr/local/httpd/htdocs/lg/lg.cgi

4. Restart webserver

> killall -1 httpd

5. DONE!

6. Now you have time to set up AS num and community description files

Download as.txt, as-apnic.txt, as-arin.txt, as-ripe.txt, as-jpnic.txt,
as-lacnic.txt and communities.txt form .
Put all files to LG directory (/usr/local/httpd/htdocs/lg).

> wget
> wget
> wget
> wget
> wget
> wget
> wget

7. If you prefer use Berkeley DB (you should! :-) ), then set up a database
file. PS! you can't use community descriptions without using Berkeley DB.

7.1 Create db file yourself by running in LG directory:

> ./


7.2 Download as.db from

> wget

8. Make sure that all these files are readable for webrserver

> chmod a+r /usr/local/httpd/htdocs/lg/*.txt
> chmod a+r /usr/local/httpd/htdocs/lg/as.db

                            ADVANCED CONFIURATION

You can generate as-*.txt files yourself. Just run Perl script
and it creates these three files in your current directory. It is recommended
to update these files sometimes to get fresh information about new AS numbers.
Don't forget to run after that as well.

You can also edit as.txt file. These three autogenerated files are included
at the beginning of as.txt file. All lines below just overwrites previous
ones. This means that you can put any better names for AS numbers to this file
and will see it instead of these autogenerated names (which are quite hard to
understand some times).

Also you have to edit communities.txt file by hand. Don't forget to run after that again.

A little bit about lg.conf file. In this example all logins are replaced with
"login" and passwords with "password". These lines are also commented out, so
you can use this configuration file even without any modification.

You can set ASList as as.txt file or as.db database. With my 900 MHz Celeron
it takes about 4 sec to load as.txt (and all included files) while using DB
takes only 0.2 sec ;-) Use DB if possible!

As long as the configuration file is quite simple, I don't give here any help
how to configure LG. Just look at lg.conf, all possible ways how to configure
it, are shown in this file already ;-)

Default logfile is /var/log/lg.log, be sure that your webserver can write
it or use any other file (or don't use at all).


Don't try to use LG sites with newer DIGEX code as external LG sites. These
will check Referer and therefore deny all outside links.

There are also some LG sites which support only POST method and are also
unusable. LG can forward browsers to any other address but can't send POST
data with it. It is possible to act as proxy for these sites but this is not
implemented yet and I'm not sure it is necessary at all. At least at the
current moment ;-)

When using Zebra you can specify one port for bgpd and another for zebra
itself (ping and traceroute commands). All these syntaxes have the same

- telnet://pass@host		default ports (2601 and 2605)
- telnet://pass@host:2601,2605	user defined ports
- telnet://pass@host:2601,	user defined zebra port and default bgpd port
- telnet://pass@host:,2605	default zebra port and user defined bgpd port

but these don't work as you expect (the same port for bgpd and zebra):

- telnet://pass@host:2601
- telnet://pass@host:2605

"logical-system" works only with OSType="JunOS" and when using SSH.


You can get the latest source from

All new releases will be announced in Freshmeat (subscribe!)


Cougar <>