
Add feature to use sudo for OpenBGPD

* Add sudo and doas support for openbgpd

* Add documentation for OpenBSD routers

* Minor fix in docs
pep-un authored and respawner committed Apr 25, 2019
1 parent 854e425 commit df108aec78bc593aafc8d5ef978b2539dc190598
Showing with 134 additions and 4 deletions.
  1. +118 −0 docs/openbgpd.md
  2. +16 −4 routers/openbgpd.php
@@ -0,0 +1,118 @@
# Looking Glass: OpenBGPd configuration and tips.

OpenBGPd is the BGP router devlope and maintain by the OpenBSD team.
It's incude in the OpenBSD developpement tree and shifted with the OpenBSD base.

## OpenBGPd instalation and configuration

OpenBGPd in part of the OpenBSD base, no packages are nedded.
Usefull information for configuration can be found un man pages

* https://man.openbsd.org/bgpd.conf
* https://man.openbsd.org/bgpd
* https://man.openbsd.org/bgpctl

## Security and user access

Looking Glass call the `bgpctl` utility. This utility is only accessible via root user, we higly
recomand to use a restriction mecanisme like `sudo` or `doas` intead of a root user.

The `become_method` allow you to select witch tool you use to run your commande as root :
```
$config['routers']['xxxx']['type'] = 'openbgpd';
$config['routers']['xxxx']['user'] = 'lg';
$config['routers']['xxxx']['become_method'] = 'sudo';
```

Thus, the `lg` user only needs to run `bgpctl`, `ping` and `traceroute`. To achieve this, we
recommend the use of `rbash` (restricted bash, see [1]), ssh key based authentication
and a bit of dark magic.

## Configuration

To setup the access on a OpenBSD router, you can follow the following step:

### User creation and configuration
* create the "lg" unix user
```
root@openbgpd-router ~# adduser lg
(boring questions)
```

* log in as lg user
```
root@openbgpd-router ~# su -l lg
```

* create ssh userdir and authorized the looking glass RSA pubkey with limited access and features
```
lg@openbgpd-router ~# mkdir ~/.ssh/
lg@openbgpd-router ~# echo 'ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys
```

You can use funny options to limit access and feature, check https://man.openbsd.org/sshd_config.5

* truncate the profile dotfile
```
lg@openbgpd-router ~# echo >| ~/.profile
```

* set up a limited PATH
```
lg@openbgpd-router ~# echo "export PATH=/opt/lg-bin" >| ~/.profile
```

### Configure user restiction and security

* render the profile dotfile immutable, the lg user will not be able to truncate/edit it
```
root@openbgpd-router ~# chflags schg /home/lg/.profile
```

* create the rbash symlink
```
root@openbgpd-router ~# ln -s /usr/local/bin/bash /usr/local/bin/rbash
```

* change lg user shell to restricted bash
```
root@openbgpd-router ~# chsh -s '/usr/local/bin/rbash' lg
```

* set up the restricted PATH with the only necessary binaries simlinks
```
root@openbgpd-router ~# mkdir -p /opt/lg-bin
root@openbgpd-router ~# for cmd in bgpctl ping traceroute; do ln -s $(which $cmd) /opt/lg-bin/; done
```

* create the sudo configuration file for bgpctl
```
echo '# Cmnd alias specification
Cmnd_Alias LG_CMD=/usr/sbin/bgpctl show rib *
* User privilege specification
lg ALL=(ALL) NOPASSWD: LG_CMD' > /etc/sudo.d/lg
```

* You can disable password authentication for the lg user in the sshd config:
```
Match user lg
PasswordAuthentication no
```

and reload sshd:

`service ssh reload`

## Debug

Test the SSH connection from the server where the looking glass is installed:

`ssh -i lg-user-id_rsa.key lg@openbgpd-router.example.com`

After successful login, verify that only built-in functions and `bgpctl`, `ping`
and `traceroute` are available and functionnal.

## References

* [1] http://en.wikipedia.org/wiki/Restricted_shell
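Review bot: the sudoers snippet under "create the sudo configuration file for bgpctl" will be rejected by sudo as written: `* User privilege specification` begins with `*` where a sudoers comment needs `#`, and `/etc/sudo.d/lg` is not a path sudo reads; the drop-in directory is `/etc/sudoers.d/` (and only when `/etc/sudoers` includes it), otherwise the rule belongs in `/etc/sudoers` via `visudo`. Suggested lines: `# User privilege specification` / `lg ALL=(ALL) NOPASSWD: LG_CMD`, written to `/etc/sudoers.d/lg` and checked with `visudo -c`. Related gaps in the same hunk: the restricted PATH loop only links `bgpctl ping traceroute` into `/opt/lg-bin`, yet with `become_method` set the looking glass runs `sudo bgpctl` (or `doas bgpctl`), so `sudo`/`doas` has to be linked there too or the call fails inside rbash; the doas variant this commit adds on the PHP side has no `doas.conf` example (something like `permit nopass lg as root cmd /usr/sbin/bgpctl`, noting that doas `args` matching is exact and so cannot express the `show rib *` wildcard the sudoers alias uses); and `service ssh reload` is not an OpenBSD command, `rcctl reload sshd` is. Minor: a spelling pass (devlope/maintain, incude, shifted, instalation, nedded, higly recomand, mecanisme, intead, witch, restiction, simlinks, functionnal) before merge.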
@@ -25,14 +25,26 @@
require_once('includes/utils.php');
final class OpenBGPD extends UNIX {
private static $wrapper = 'bgpctl';
public function __construct($global_config, $config, $id, $requester) {
parent::__construct($global_config, $config, $id, $requester);
// Check if we need sudo or dosu
if (isset($this->config['become_method']) && $this->config['become_method'] == 'doas') {
$this->wrapper = 'doas bgpctl';
} elseif (isset($this->config['become_method']) && $this->config['become_method'] == 'sudo') {
$this->wrapper = 'sudo bgpctl';
} else {
$this->wrapper = 'bgpctl';
}
}
protected function build_bgp($parameter) {
if (!is_valid_ip_address($parameter)) {
throw new Exception('The parameter is not an IP address.');
}
$cmd = new CommandBuilder(self::$wrapper, 'show rib');
$cmd = new CommandBuilder($this->wrapper, 'show rib');
if ($this->config['bgp_detail']) {
$cmd->add('detail');
}
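Review bot: `private static $wrapper = 'bgpctl';` stays static while the constructor assigns `$this->wrapper`, so the assignment creates an undeclared dynamic instance property instead of updating the declared one; drop the `static` keyword (`private $wrapper = 'bgpctl';`) so the `$this->wrapper` reads below use the declared property (PHP 8.2 deprecates dynamic property creation). The three-way `if` can collapse to one check, e.g. `$method = $this->config['become_method'] ?? null;` and `$this->wrapper = in_array($method, ['sudo', 'doas'], true) ? $method . ' bgpctl' : 'bgpctl';`, which would also be the place to reject an unrecognised `become_method` instead of silently falling back to plain `bgpctl`. Typo in the comment: `dosu` should read `doas`.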
@@ -46,7 +58,7 @@ protected function build_aspath_regexp($parameter) {
throw new Exception('The parameter is not an AS number - OpenBGPD does not support AS-Path regular expressions.');
}
$cmd = new CommandBuilder(self::$wrapper, 'show rib');
$cmd = new CommandBuilder($this->wrapper, 'show rib');
if ($this->config['bgp_detail']) {
$cmd->add('detail');
}
@@ -60,7 +72,7 @@ protected function build_as($parameter) {
throw new Exception('The parameter is not an AS number.');
}
$cmd = new CommandBuilder(self::$wrapper, 'show rib');
$cmd = new CommandBuilder($this->wrapper, 'show rib');
if ($this->config['bgp_detail']) {
$cmd->add('detail');
}
