[quagga-dev 1752] Re: Permissions of /etc/quagga with/-out integrated config and multiuser vtysh

Paul Jakma paul at clubi.ie
Mon Nov 1 03:01:01 GMT 2004


On Sun, 31 Oct 2004, Greg Troxel wrote:

> Yes, but they are linked, and having config management without 
> adequate security properties is no good.

Yes.

> Yes, and other people like it that such access is not possible. The 
> only issue here is what the defaults are, and I am in favor of 
> defaulting to secure rather than convenient (no IP/IPv6 CLI 
> access).

I think most distros ship with telnet CLI limited to 127.1/::1.

> Telnet the protocol does, but I don't think the implementation in 
> quagga does.

Krb5 support actually wouldn't be /that/ difficult to add in. However, 
how many people have Krb5 KDCs set up to be able to make use of it?

> We could, but then we would have invented sshing (or telneting with 
> krb5) into the system running quagga and invoking the 
> AF_LOCAL-based vtysh, and we'd have far more code to maintain and 
> more bugs.

Hmm, possibly yes. However, permissions on the local vtysh thingy are 
difficult to get right too.

> But we are mingling two issues that probably shouldn't be mingled. 
> vtysh right now serves two purposes.  One is connecting from a 
> command line, and the other is dispatching commands to appropriate 
> daemons and I believe integrating them for a saved config.

Yes.

>  vtyd, which listens on an AF_LOCAL socket in /var/run/quagga (or
>  whatever) by default, and can be configured to a) listen on
>  localhost (127.0.0.1 and ::1 ---- a single '-A' option is awkward)
>  or b) listen on some or all INET/INET6 addresses.  Perhaps just
>  passwords for IP, and access to the socket for AF_LOCAL is adequate.
>
>  vtysh, which is a command-line program that just talks to vtyd over
>  AF_LOCAL, and can run commands with -c.

That'd be the general idea. I'd like to see this "vtyd" use something 
other than the current "CLI commands puked over AF_LOCAL, text puked 
back terminated with \0\0\0<status byte> byte" vtysh "protocol" 
though.

> Then, writing config files will be done by vtyd, as quagga, vtysh 
> still works much as it does now, and there is remote access to an 
> integrated shell for those who want it.

Yep, just need to get there now :)

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
If a group of _N persons implements a COBOL compiler, there will be _N-1
passes.  Someone in the group has to be the manager.
 		-- T. Cheatham
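The "permissions on the local vtysh thingy" that Paul calls difficult to get right, as an added example in C that is not Quagga code and not from this thread: it creates the kind of AF_LOCAL listening socket a hypothetical vtyd would own, tightening the umask before bind() so the socket node never exists briefly with wider permissions than intended, then setting the exact mode and returning the listening descriptor. A second function creates the socket, reads back the node's mode bits and cleans up, which is the check an administrator would want after deploying such a daemon. The path /tmp/vtyd-example.sock, the mode 0660 and the function names are assumptions for illustration only.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Create a listening AF_LOCAL (AF_UNIX) socket at `path` whose node ends up
 * with permission bits `mode` (e.g. 0660: only the owner and a chosen admin
 * group may connect). Returns the listening fd, or -1 with errno set.
 *
 * Ordering is the security point: bind() is what creates the node, so the
 * umask is tightened *before* bind() and only then is chmod() used to set
 * the exact bits. Linux honours the node's mode on connect(); some other
 * systems do not, so the containing directory (here /tmp, an assumption for
 * the example) should itself be restricted in a real deployment. */
int create_local_vty_socket(const char *path, mode_t mode)
{
    struct sockaddr_un sun;
    mode_t old_umask;
    int fd;

    if (strlen(path) >= sizeof(sun.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }

    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&sun, 0, sizeof(sun));
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof(sun.sun_path) - 1);

    /* Remove a stale node left by a previous run; a missing node is fine. */
    if (unlink(path) < 0 && errno != ENOENT) {
        close(fd);
        return -1;
    }

    /* Everything not in `mode` is masked off before the node is created. */
    old_umask = umask(~mode & 0777);
    if (bind(fd, (struct sockaddr *)&sun, sizeof(sun)) < 0) {
        umask(old_umask);
        close(fd);
        return -1;
    }
    umask(old_umask);

    /* Set the exact bits (the umask only guarantees an upper bound). */
    if (chmod(path, mode) < 0 || listen(fd, 5) < 0) {
        unlink(path);
        close(fd);
        return -1;
    }
    return fd;
}

/* Deployment check: create the socket, read back the node's permission bits
 * and clean up. Returns the observed bits, or -1 if creation failed or the
 * node at `path` is not a socket. */
int verify_socket_mode(const char *path, mode_t mode)
{
    struct stat st;
    int fd, observed = -1;

    fd = create_local_vty_socket(path, mode);
    if (fd < 0)
        return -1;
    if (stat(path, &st) == 0 && S_ISSOCK(st.st_mode))
        observed = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return observed;
}

int main(void)
{
    /* Constructed example path and mode; not a real Quagga default. */
    int bits = verify_socket_mode("/tmp/vtyd-example.sock", 0660);
    if (bits < 0) {
        perror("verify_socket_mode");
        return 1;
    }
    printf("socket node created with mode %04o\n", bits);
    return 0;
}
```

The check function is what a practitioner would run after installing such a daemon: if the observed bits differ from what was requested, something between bind() and chmod() (a mount option, a non-honouring kernel, a wrapper resetting the umask) needs attention before the socket is treated as an access-control boundary.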
