[quagga-dev 1752] Re: Permissions of /etc/quagga with/-out integrated config and multiuser vtysh
paul at clubi.ie
Mon Nov 1 03:01:01 GMT 2004
On Sun, 31 Oct 2004, Greg Troxel wrote:
> Yes, but they are linked, and having config management without
> adequate security properties is no good.
> Yes, and other people like it that such access is not possible. The
> only issue here is what the defaults are, and I am in favor of
> defaulting to secure rather than convenient (no IP/IPv6 CLI
I think most distros ship with telnet CLI limited to 127.1/::1.
> Telnet the protocol does, but I don't think the implementation in
> quagga does.
Krb5 support actually wouldn't be /that/ difficult to add in. However,
how many people have Krb5 KDCs set up to be able to make use of it?
> We could, but then we would have invented sshing (or telneting with
> krb5) into the system running quagga and invoking the
> AF_LOCAL-based vtysh, and we'd have far more code to maintain and
> more bugs.
Hmm, possibly yes. However, permissions on the local vtysh thingy are
difficult to get right too.
> But we are mingling two issues that probably shouldn't be mingled.
> vtysh right now serves two purposes. One is connecting from a
> command line, and the other is dispatching commands to appropriate
> daemons and I believe integrating them for a saved config.
> vtyd, which listens on an AF_LOCAL socket in /var/run/quagga (or
> whatever) by default, and can be configured to a) listen on
> localhost (127.0.0.1 and ::1 ---- a single '-A' option is awkward)
> or b) listen on some or all INET/INET6 addresses. Perhaps just
> passwords for IP, and access to the socket for AF_LOCAL is adequate.
> vtysh, which is a command-line program that just talks to vtyd over
> AF_LOCAL, and can run commands with -c.
That'd be the general idea. I'd like to see this "vtyd" use something
other than the current "CLI commands puked over AF_LOCAL, text puked
back terminated with \0\0\0<status byte> byte" vtysh "protocol"
> Then, writing config files will be done by vtyd, as quagga, vtysh
> still works much as it does now, and there is remote access to an
> integrated shell for those who want it.
Yep, just need to get there now :)
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
If a group of _N persons implements a COBOL compiler, there will be _N-1
passes. Someone in the group has to be the manager.
-- T. Cheatham
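As an added illustration (not code from the thread, from Quagga, or from either poster), the snippet below models the vtysh reply framing Paul describes, text terminated by three NUL bytes and one status byte, and pairs it with a defender-side check of the permissions on the AF_LOCAL socket directory the thread discusses. The command framing (NUL-terminated text), the `ReplyReader` class and the `problems_for_mode` helper are assumptions made for this example; the sample replies are constructed.

```python
import os
import stat

# Assumed framing, taken from the description in the message above:
# a reply is the daemon's text output followed by three NUL bytes and
# one status byte.  Constructed illustration, not Quagga's own code.
TERMINATOR = b"\x00\x00\x00"


def encode_command(command: str) -> bytes:
    """Frame one CLI command line for the socket (assumption: NUL-terminated text)."""
    if "\x00" in command:
        raise ValueError("command text may not contain NUL")
    return command.encode("ascii") + b"\x00"


def parse_reply(buf: bytes):
    """Return (text, status) once a complete reply is buffered, else None.

    A reply is complete when the last four bytes are \\0\\0\\0 plus the
    status byte; anything shorter, or without that trailer, is partial.
    """
    if len(buf) < len(TERMINATOR) + 1:
        return None
    if buf[-4:-1] != TERMINATOR:
        return None
    return buf[:-4].decode("ascii", errors="replace"), buf[-1]


class ReplyReader:
    """Accumulates partial socket reads until one framed reply is complete."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes):
        self._buf += chunk
        result = parse_reply(bytes(self._buf))
        if result is not None:
            self._buf.clear()
        return result


def problems_for_mode(mode: int) -> list:
    """List permission problems for a socket directory with st_mode `mode`.

    The directory holding the AF_LOCAL sockets should be reachable only by
    the intended owner/group; any 'other' bit exposes the CLI to every local
    user (assumed policy for this example).
    """
    problems = []
    if not stat.S_ISDIR(mode):
        problems.append("not a directory")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & (stat.S_IROTH | stat.S_IXOTH):
        problems.append("world-readable/searchable")
    return problems


def check_socket_dir(path: str) -> list:
    """Stat a real directory (e.g. /var/run/quagga) and report problems."""
    return problems_for_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    reader = ReplyReader()
    # Constructed sample: a reply arriving in two reads.
    for chunk in (b"hostname foo\r\n\x00", b"\x00\x00\x00"):
        done = reader.feed(chunk)
        if done is not None:
            text, status = done
            print("status", status, "text", repr(text))
    print(check_socket_dir("/tmp"))
```

`parse_reply` deliberately refuses to treat a buffer as complete until the whole four-byte trailer is present, so a status byte split across reads is never misread as part of the text.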