[quagga-dev 1439] Re: Thoughts about vtysh

Paul Jakma paul at clubi.ie
Sat Aug 28 17:49:12 BST 2004


On Sat, 28 Aug 2004, Hasso Tepper wrote:

> I cleaned vtysh a little bit, walked through code and here are some more
> thoughts I would like to do with vtysh now:
>
> 1) Remove vtysh_user.c from compilation for now. There is no point in
> authenticating users in vtysh at the moment. It may even give users a false
> sense that it gives them some extra security. It doesn't - only permissions
> of files in localstatedir matter.

Well, it is mostly pointless yes. Though, note you could do something 
like run vtysh setgid to the quaggavty group. So only vtysh, not the 
user, would have access to the vty files and the user would have to 
authenticate beforehand - but there's no way of specifying which 
users may or may not have access. /etc/group and quaggavty is the only 
way to do that.

So yeah, it's sort of pointless at the moment.

What would be worthwhile is a general lib/aaa.{c,h} solution of some 
sort.

> 2) Bugzilla #104. Bring vty related commands into vtysh. It gives users a
> way to configure vty related stuff in all daemons at once (like other
> similar stuff in vtysh - log config etc). But does it make sense really?

No, it doesn't.

> 3) Make enable node default in vtysh.

Yep.

> 4) Not really vtysh stuff, but all nodes have "write *" commands. No point
> IMHO and we have "do <enable_node_command>" for that. CLI commands in
> general need cleaning anyway, this would be a start.

No opinion.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
While we are sleeping, two-thirds of the world is plotting to do us in.
 		-- Dean Rusk
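
The thread's point that only the permissions of the vty files in localstatedir decide who can reach the daemons can be checked directly. The following is an added example, not part of the original message or of Quagga: it audits a directory for vty entries reachable outside the intended group. The `.vty` suffix, the sample file names and the function names are assumptions, and regular files stand in for the sockets.

```python
import os
import stat
import tempfile


def audit_vty_dir(path, vty_gid):
    """Return (name, problem) pairs for vty entries reachable outside vty_gid."""
    findings = []
    # A world-writable directory lets any user replace or remove the entries.
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append((".", "directory is world-writable"))
    for name in sorted(os.listdir(path)):
        if not name.endswith(".vty"):  # assumed naming of the vty files
            continue
        st = os.lstat(os.path.join(path, name))
        mode = stat.S_IMODE(st.st_mode)
        # Any "other" bit means access is not limited to owner and group.
        if mode & 0o007:
            findings.append((name, "accessible to other (mode %04o)" % mode))
        # Group bits only help if the group is the intended vty group
        # (quaggavty in the thread), e.g. when vtysh runs setgid to it.
        if mode & 0o070 and st.st_gid != vty_gid:
            findings.append(
                (name, "group access for gid %d, expected %d" % (st.st_gid, vty_gid))
            )
    return findings


def demo():
    """Constructed sample: two vty entries and one unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        samples = (("zebra.vty", 0o660), ("ospfd.vty", 0o666), ("zebra.pid", 0o644))
        for name, mode in samples:
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        gid = os.stat(os.path.join(d, "zebra.vty")).st_gid
        # First audit: files carry the expected group. Second: they do not.
        return audit_vty_dir(d, gid), audit_vty_dir(d, gid + 1)


if __name__ == "__main__":
    for result in demo():
        print(result)
```
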


