Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
79 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| # Looking Glass: FRRouting (FRR) configuration and tips. | ||
|
|
||
| FRR has its roots in the Quagga project. In fact, it was started by many | ||
| long-time Quagga developers who combined their efforts to improve on | ||
| Quagga's well-established foundation in order to create the best routing | ||
| protocol stack available. We invite you to participate in the FRRouting | ||
| community and help shape the future of networking. | ||
|
|
||
| ## Instalation FRRouting | ||
|
|
||
| * https://github.com/FRRouting/frr/tree/master/doc | ||
|
|
||
| ## Security and user access | ||
|
|
||
| Looking Glass directly calls `vtysh -c "frr command"`. Thus, the `lg` user | ||
| only needs to run `vtysh`, `ping` and `traceroute`. To achieve this, we | ||
| recommend the use of `rbash` (restricted bash, see [1]), ssh key based authentication | ||
| and a bit of dark magic. | ||
|
|
||
| ## Configuration | ||
|
|
||
| Rough steps ahead (maybe more doc later): | ||
|
|
||
| ``` | ||
| # create the "lg" unix user and add it to 'frr' and 'frrvty' group's. | ||
| root@frr-router ~# adduser lg | ||
| (boring questions) | ||
| root@frr-router ~# pw group mod frr -m lg | ||
| root@frr-router ~# pw group mod frrvty -m lg | ||
| # log in as lg user | ||
| root@frr-router ~# su -l lg | ||
| # create ssh userdir and authorized the looking glass RSA pubkey with limited access and features | ||
| lg@frr-router ~# mkdir ~/.ssh/ | ||
| lg@frr-router ~# echo 'from="lg.example.com,$IP4-OF-YOUR-LG",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys | ||
| # truncate the profile dotfile | ||
| lg@frr-router ~# echo >| ~/.profile | ||
| # set up a limited PATH | ||
| lg@frr-router ~# echo "export PATH=/opt/lg-bin" >| ~/.profile | ||
| lg@frr-router ~# exit | ||
| # render the profile dotfile immutable, the lg user will not be able to truncate/edit it | ||
| root@frr-router ~# chattr +i ~lg/.profile | ||
| # change lg user shell to restricted bash | ||
| root@frr-router ~# chsh -s /bin/rbash lg | ||
| # set up the restricted PATH with the only necessary binaries simlinks | ||
| root@frr-router ~# mkdir -p /opt/lg-bin | ||
| root@frr-router ~# for cmd in vtysh ping traceroute; do ln -s $(which $cmd) /opt/lg-bin/; done | ||
| root@frr-router ~# | ||
| ``` | ||
|
|
||
| You can disable password authentication for the lg user in the sshd config: | ||
|
|
||
| ``` | ||
| Match user lg | ||
| PasswordAuthentication no | ||
| ``` | ||
|
|
||
| and reload sshd: | ||
|
|
||
| `service ssh reload` | ||
|
|
||
| ## Debug | ||
|
|
||
| Test the SSH connection from the server where the looking glass is installed: | ||
|
|
||
| `ssh -i lg-user-id_rsa.key lg@frr-router.example.com` | ||
|
|
||
| After successful login, verify that only built-in functions and `vtysh`, `ping` | ||
| and `traceroute` are available and functionnal. | ||
|
|
||
| ## References | ||
|
|
||
| * [1] http://en.wikipedia.org/wiki/Restricted_shell |