[quagga-dev 1749] Re: Permissions of /etc/quagga with/-out integrated config and multiuser vtysh

Greg Troxel gdt at ir.bbn.com
Mon Nov 1 00:21:30 GMT 2004


  Oh, we're mingling two discussions here I think:

  - management of config

  - secure command/control access

Yes, but they are linked, and having config management without
adequate security properties is no good.

  However, people do like the ability to remotely access their router's 
  CLI.

Yes, and other people like it that such access is not possible.
The only issue here is what the defaults are, and I am in favor of
defaulting to secure rather than convenient (no IP/IPv6 CLI access).

  telnet supports non-clear-text authentication mechanisms btw. (I use 
  telnet with krb5).

Telnet the protocol does, but I don't think the implementation in
quagga does.

  We could also tunnel the telnet interface inside some layer of 
  encryption, if we provided our own client.

We could, but then we would have invented sshing (or telneting with
krb5) into the system running quagga and invoking the AF_LOCAL-based
vtysh, and we'd have far more code to maintain and more bugs.


But we are mingling two issues that probably shouldn't be mingled.
vtysh right now serves two purposes.  One is connecting from a command
line, and the other is dispatching commands to appropriate daemons and
I believe integrating them for a saved config.

So, as others have suggested, if we add

  vtyd, which listens on an AF_LOCAL socket in /var/run/quagga (or
  whatever) by default, and can be configured to a) listen on
  localhost (127.0.0.1 and ::1 ---- a single '-A' option is awkward)
  or b) listen on some or all INET/INET6 addresses.  Perhaps just
  passwords for IP, and access to the socket for AF_LOCAL is adequate.

  vtysh, which is a command-line program that just talks to vtyd over
  AF_LOCAL, and can run commands with -c.

and remove the telnet port from all the other daemons.

Then, writing config files will be done by vtyd, as quagga, vtysh
still works much as it does now, and there is remote access to an
integrated shell for those who want it.
