From 62687ff1cd3d4460cdbd4b0fbf1e3298fe277ad2 Mon Sep 17 00:00:00 2001 From: Paul Jakma Date: Sat, 23 Aug 2008 14:27:06 +0100 Subject: [vty] Add support for a 'restricted mode' with anonymous vty connections * lib/command.h: Add a RESTRICTED_NODE, intended for use with anonymous, 'no login' vtys, to provide a subset of 'view' mode commands. * lib/command.c: Add RESTRICTED_NODE bits, nothing special, just following VIEW_NODE. * lib/vty.c: (vty_auth) enable authentication should fall back to restricted/view node as appropriate. (vty_create) init vty's to restricted/view node as appropriate, for the 'no login' case. (vty_{no_,}restricted_mode_cmd) config commands to enable 'anonymous restricted' in vty configuration. (vty_config_write) 'anonymous restricted' config. (vty_init) Install some commands to restricted mode, and the 'anonymous restricted' config commands into VTY_NODE. * bgpd/*.c: Install some of the safe(r) BGP commands into 'restricted mode', i.e. lookup commands of non-sensitive data. Useful with looking-glass route-servers. --- bgpd/bgp_nexthop.c | 1 + bgpd/bgp_route.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ bgpd/bgp_vty.c | 30 +++++++++++++++++++++++++ lib/command.c | 20 +++++++++++++++++ lib/command.h | 3 ++- lib/memory.c | 10 +++++++++ lib/vty.c | 46 +++++++++++++++++++++++++++++++++++--- 7 files changed, 171 insertions(+), 4 deletions(-) diff --git a/bgpd/bgp_nexthop.c b/bgpd/bgp_nexthop.c index 4dd5d946..22e48db0 100644 --- a/bgpd/bgp_nexthop.c +++ b/bgpd/bgp_nexthop.c @@ -1319,5 +1319,6 @@ bgp_scan_init () install_element (BGP_NODE, &no_bgp_scan_time_cmd); install_element (BGP_NODE, &no_bgp_scan_time_val_cmd); install_element (VIEW_NODE, &show_ip_bgp_scan_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_scan_cmd); install_element (ENABLE_NODE, &show_ip_bgp_scan_cmd); } diff --git a/bgpd/bgp_route.c b/bgpd/bgp_route.c index 4a642e34..9ff64654 100644 --- a/bgpd/bgp_route.c +++ b/bgpd/bgp_route.c 
@@ -11787,6 +11787,37 @@ bgp_route_init () install_element (VIEW_NODE, &show_ip_bgp_view_rsclient_cmd); install_element (VIEW_NODE, &show_ip_bgp_view_rsclient_route_cmd); install_element (VIEW_NODE, &show_ip_bgp_view_rsclient_prefix_cmd); + + /* Restricted node: VIEW_NODE - (set of dangerous commands) */ + install_element (RESTRICTED_NODE, &show_ip_bgp_route_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_route_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_vpnv4_rd_route_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_prefix_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_prefix_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_vpnv4_all_prefix_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_vpnv4_rd_prefix_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_view_route_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_view_prefix_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community2_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community3_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community4_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_community_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_community2_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_community3_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_community4_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community_exact_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community2_exact_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community3_exact_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_community4_exact_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_community_exact_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_community2_exact_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_community3_exact_cmd); + install_element 
(RESTRICTED_NODE, &show_ip_bgp_ipv4_community4_exact_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_rsclient_route_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_rsclient_prefix_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_view_rsclient_route_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_view_rsclient_prefix_cmd); install_element (ENABLE_NODE, &show_ip_bgp_cmd); install_element (ENABLE_NODE, &show_ip_bgp_ipv4_cmd); 
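Review bot: The comment `/* Restricted node: VIEW_NODE - (set of dangerous commands) */` that opens the added block does not say what makes a command dangerous, so the next person adding a `show` command cannot tell whether it belongs here. The selection visible in the hunk is route/prefix and community lookups with the whole-table views (`show_ip_bgp_cmd`, `show_ip_bgp_view_rsclient_cmd`) left out, so I would state that: `/* RESTRICTED_NODE: anonymous-vty subset of VIEW_NODE - single-route and community lookups only, no whole-table dumps */`, adjusted to whatever criterion was actually applied. Note also that the community and community-exact variants are now reachable by unauthenticated clients; if their handlers walk the whole table (their implementation is outside this hunk) an anonymous connection can trigger table-wide scans at will, so an access-class or connection limit on the no-login vty is worth recommending next to this mode. bgp_route_init starts before and ends after this hunk.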
@@ -11971,6 +12002,40 @@ bgp_route_init () install_element (VIEW_NODE, &show_bgp_view_rsclient_cmd); install_element (VIEW_NODE, &show_bgp_view_rsclient_route_cmd); install_element (VIEW_NODE, &show_bgp_view_rsclient_prefix_cmd); + + /* Restricted: + * VIEW_NODE - (set of dangerous commands) - (commands dependent on prev) + */ + install_element (RESTRICTED_NODE, &show_bgp_route_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_route_cmd); + install_element (RESTRICTED_NODE, &show_bgp_prefix_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_prefix_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community2_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community2_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community3_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community3_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community4_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community4_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community2_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community2_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community3_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community3_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_community4_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_community4_exact_cmd); + install_element (RESTRICTED_NODE, &show_bgp_rsclient_route_cmd); + install_element (RESTRICTED_NODE, &show_bgp_rsclient_prefix_cmd); + install_element (RESTRICTED_NODE, &show_bgp_view_route_cmd); + install_element (RESTRICTED_NODE, &show_bgp_view_ipv6_route_cmd); + install_element (RESTRICTED_NODE, &show_bgp_view_prefix_cmd); + 
install_element (RESTRICTED_NODE, &show_bgp_view_ipv6_prefix_cmd); + install_element (RESTRICTED_NODE, &show_bgp_view_neighbor_received_prefix_filter_cmd); + install_element (RESTRICTED_NODE, &show_bgp_view_ipv6_neighbor_received_prefix_filter_cmd); + install_element (RESTRICTED_NODE, &show_bgp_view_rsclient_route_cmd); + install_element (RESTRICTED_NODE, &show_bgp_view_rsclient_prefix_cmd); install_element (ENABLE_NODE, &show_bgp_cmd); install_element (ENABLE_NODE, &show_bgp_ipv6_cmd); diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c index 90867373..9237cb0d 100644 --- a/bgpd/bgp_vty.c +++ b/bgpd/bgp_vty.c @@ -9747,6 +9747,18 @@ bgp_vty_init (void) install_element (VIEW_NODE, &show_bgp_instance_summary_cmd); install_element (VIEW_NODE, &show_bgp_ipv6_summary_cmd); install_element (VIEW_NODE, &show_bgp_instance_ipv6_summary_cmd); +#endif /* HAVE_IPV6 */ + install_element (RESTRICTED_NODE, &show_ip_bgp_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_instance_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_instance_ipv4_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_vpnv4_all_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_vpnv4_rd_summary_cmd); +#ifdef HAVE_IPV6 + install_element (RESTRICTED_NODE, &show_bgp_summary_cmd); + install_element (RESTRICTED_NODE, &show_bgp_instance_summary_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_summary_cmd); + install_element (RESTRICTED_NODE, &show_bgp_instance_ipv6_summary_cmd); #endif /* HAVE_IPV6 */ install_element (ENABLE_NODE, &show_ip_bgp_summary_cmd); install_element (ENABLE_NODE, &show_ip_bgp_instance_summary_cmd); 
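Review bot: `show_bgp_view_neighbor_received_prefix_filter_cmd` and its ipv6 variant are installed into RESTRICTED_NODE here, while the IPv4 hunk above installs no received-prefix-filter command, and these print a peer's received prefix filter rather than a route lookup, which is a different class of data from the non-sensitive lookups the commit describes. Either drop the two lines from the restricted set or extend the block comment to say why a neighbour's filter is considered safe to expose anonymously. The comment `(commands dependent on prev)` is also unclear; spell out what the dependency is, e.g. `- (commands whose output depends on an excluded command)` if that is what is meant. bgp_route_init continues beyond this hunk.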
@@ -9772,6 +9784,11 @@ bgp_vty_init (void)
 install_element (VIEW_NODE, &show_ip_bgp_vpnv4_rd_neighbors_peer_cmd);
 install_element (VIEW_NODE, &show_ip_bgp_instance_neighbors_cmd);
 install_element (VIEW_NODE, &show_ip_bgp_instance_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_ip_bgp_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_ip_bgp_vpnv4_all_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_ip_bgp_vpnv4_rd_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_ip_bgp_instance_neighbors_peer_cmd);
 install_element (ENABLE_NODE, &show_ip_bgp_neighbors_cmd);
 install_element (ENABLE_NODE, &show_ip_bgp_ipv4_neighbors_cmd);
 install_element (ENABLE_NODE, &show_ip_bgp_neighbors_peer_cmd);
@@ -9792,6 +9809,10 @@ bgp_vty_init (void)
 install_element (VIEW_NODE, &show_bgp_instance_ipv6_neighbors_cmd);
 install_element (VIEW_NODE, &show_bgp_instance_neighbors_peer_cmd);
 install_element (VIEW_NODE, &show_bgp_instance_ipv6_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_bgp_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_bgp_ipv6_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_bgp_instance_neighbors_peer_cmd);
+ install_element (RESTRICTED_NODE, &show_bgp_instance_ipv6_neighbors_peer_cmd);
 install_element (ENABLE_NODE, &show_bgp_neighbors_cmd);
 install_element (ENABLE_NODE, &show_bgp_ipv6_neighbors_cmd);
 install_element (ENABLE_NODE, &show_bgp_neighbors_peer_cmd);
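Review bot: Only the per-peer `..._neighbors_peer_cmd` forms are added to RESTRICTED_NODE while the all-neighbours listings (`show_ip_bgp_neighbors_cmd`, `show_ip_bgp_instance_neighbors_cmd`) are left out, in both this hunk and the IPv6 one that follows it, and nothing records that the split is intentional. A one-line comment above the first RESTRICTED_NODE line, `/* RESTRICTED_NODE: per-peer detail only; the full neighbour listing stays VIEW/ENABLE */`, would keep a later addition from widening the set by accident. The per-peer detail output is not shown here; as far as I recall it includes local and remote addresses and ports, so whether a looking-glass consumer needs more than the summary view is worth a second look. bgp_vty_init starts before and ends after this hunk.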
@@ -9813,6 +9834,10 @@ bgp_vty_init (void) install_element (VIEW_NODE, &show_ip_bgp_instance_rsclient_summary_cmd); install_element (VIEW_NODE, &show_ip_bgp_ipv4_rsclient_summary_cmd); install_element (VIEW_NODE, &show_ip_bgp_instance_ipv4_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_instance_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_ipv4_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_ip_bgp_instance_ipv4_rsclient_summary_cmd); install_element (ENABLE_NODE, &show_ip_bgp_rsclient_summary_cmd); install_element (ENABLE_NODE, &show_ip_bgp_instance_rsclient_summary_cmd); install_element (ENABLE_NODE, &show_ip_bgp_ipv4_rsclient_summary_cmd); @@ -9823,6 +9848,10 @@ bgp_vty_init (void) install_element (VIEW_NODE, &show_bgp_ipv6_rsclient_summary_cmd); install_element (VIEW_NODE, &show_bgp_instance_rsclient_summary_cmd); install_element (VIEW_NODE, &show_bgp_instance_ipv6_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_bgp_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_bgp_ipv6_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_bgp_instance_rsclient_summary_cmd); + install_element (RESTRICTED_NODE, &show_bgp_instance_ipv6_rsclient_summary_cmd); install_element (ENABLE_NODE, &show_bgp_rsclient_summary_cmd); install_element (ENABLE_NODE, &show_bgp_ipv6_rsclient_summary_cmd); install_element (ENABLE_NODE, &show_bgp_instance_rsclient_summary_cmd); @@ -9869,6 +9898,7 @@ bgp_vty_init (void) /* "show bgp memory" commands. */ install_element (VIEW_NODE, &show_bgp_memory_cmd); + install_element (RESTRICTED_NODE, &show_bgp_memory_cmd); install_element (ENABLE_NODE, &show_bgp_memory_cmd); /* Community-list. */ diff --git a/lib/command.c b/lib/command.c index f3d96ede..4887f94f 100644 --- a/lib/command.c +++ b/lib/command.c 
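Review bot: `show_bgp_memory_cmd` is installed into RESTRICTED_NODE in the last hunk here, as are `show_thread_cpu_cmd` in the lib/command.c hunk and the whole `show memory ...` family in the lib/memory.c hunk, yet none of these is the route lookup the commit message describes as the restricted set; they report the daemon's own allocator counts and per-thread CPU timings. That is useful for fingerprinting the build and its load and of no use to a looking-glass client, so I would keep these three spots at VIEW_NODE/ENABLE_NODE, or add a comment at each stating why the exposure is acceptable, e.g. `/* Deliberately exposed to anonymous vtys: memory counters are not considered sensitive here. */`. bgp_vty_init continues beyond this hunk.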
@@ -53,6 +53,12 @@ struct cmd_node view_node = "%s> ", }; +struct cmd_node restricted_node = +{ + RESTRICTED_NODE, + "%s$ ", +}; + struct cmd_node auth_enable_node = { AUTH_ENABLE_NODE, @@ -1563,6 +1569,7 @@ cmd_try_do_shortcut (enum node_type node, char* first_word) { node != VIEW_NODE && node != AUTH_ENABLE_NODE && node != ENABLE_NODE && + node != RESTRICTED_NODE && 0 == strcmp( "do", first_word ) ) return 1; return 0; @@ -2376,6 +2383,7 @@ DEFUN (config_exit, { case VIEW_NODE: case ENABLE_NODE: + case RESTRICTED_NODE: if (vty_shell (vty)) exit (0); else @@ -2431,6 +2439,7 @@ DEFUN (config_end, { case VIEW_NODE: case ENABLE_NODE: + case RESTRICTED_NODE: /* Nothing to do. */ break; case CONFIG_NODE: @@ -3538,6 +3547,7 @@ cmd_init (int terminal) install_node (&enable_node, NULL); install_node (&auth_node, NULL); install_node (&auth_enable_node, NULL); + install_node (&restricted_node, NULL); install_node (&config_node, config_write_host); /* Each node's basic commands. */ @@ -3553,6 +3563,15 @@ cmd_init (int terminal) install_element (VIEW_NODE, &config_terminal_no_length_cmd); install_element (VIEW_NODE, &show_logging_cmd); install_element (VIEW_NODE, &echo_cmd); + + install_element (RESTRICTED_NODE, &config_list_cmd); + install_element (RESTRICTED_NODE, &config_exit_cmd); + install_element (RESTRICTED_NODE, &config_quit_cmd); + install_element (RESTRICTED_NODE, &config_help_cmd); + install_element (RESTRICTED_NODE, &config_enable_cmd); + install_element (RESTRICTED_NODE, &config_terminal_length_cmd); + install_element (RESTRICTED_NODE, &config_terminal_no_length_cmd); + install_element (RESTRICTED_NODE, &echo_cmd); } if (terminal) @@ -3620,6 +3639,7 @@ cmd_init (int terminal) install_element (VIEW_NODE, &show_thread_cpu_cmd); install_element (ENABLE_NODE, &show_thread_cpu_cmd); + install_element (RESTRICTED_NODE, &show_thread_cpu_cmd); install_element (VIEW_NODE, &show_work_queues_cmd); install_element (ENABLE_NODE, &show_work_queues_cmd); } 
diff --git a/lib/command.h b/lib/command.h index a7253788..d093df3c 100644 --- a/lib/command.h +++ b/lib/command.h @@ -63,6 +63,7 @@ struct host enum node_type { AUTH_NODE, /* Authentication mode of vty interface. */ + RESTRICTED_NODE, /* Restricted view mode */ VIEW_NODE, /* View node. Default mode of vty interface. */ AUTH_ENABLE_NODE, /* Authentication mode for change enable. */ ENABLE_NODE, /* Enable node. */ @@ -100,7 +101,7 @@ enum node_type DUMP_NODE, /* Packet dump node. */ FORWARDING_NODE, /* IP forwarding node. */ PROTOCOL_NODE, /* protocol filtering node */ - VTY_NODE /* Vty node. */ + VTY_NODE, /* Vty node. */ }; /* Node which has some commands and prompt string and configuration diff --git a/lib/memory.c b/lib/memory.c index 28b3d896..f5d0cba6 100644 --- a/lib/memory.c +++ b/lib/memory.c @@ -444,6 +444,16 @@ DEFUN (show_memory_isis, void memory_init (void) { + install_element (RESTRICTED_NODE, &show_memory_cmd); + install_element (RESTRICTED_NODE, &show_memory_all_cmd); + install_element (RESTRICTED_NODE, &show_memory_lib_cmd); + install_element (RESTRICTED_NODE, &show_memory_rip_cmd); + install_element (RESTRICTED_NODE, &show_memory_ripng_cmd); + install_element (RESTRICTED_NODE, &show_memory_bgp_cmd); + install_element (RESTRICTED_NODE, &show_memory_ospf_cmd); + install_element (RESTRICTED_NODE, &show_memory_ospf6_cmd); + install_element (RESTRICTED_NODE, &show_memory_isis_cmd); + install_element (VIEW_NODE, &show_memory_cmd); install_element (VIEW_NODE, &show_memory_all_cmd); install_element (VIEW_NODE, &show_memory_lib_cmd); diff --git a/lib/vty.c b/lib/vty.c index 32084713..14a36c16 100644 --- a/lib/vty.c +++ b/lib/vty.c 
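Review bot: Inserting `RESTRICTED_NODE` between `AUTH_NODE` and `VIEW_NODE` renumbers every following member of `enum node_type`, so anything that compares node values by order, stores them numerically, or keeps a separately maintained copy of this enum (if one exists elsewhere in the tree) must change in the same commit, and nothing in this hunk records that this was checked. Appending the member at the end, or adding a short comment that nothing depends on the numeric order, would make the intent clear. The comment on the new line could also say what the mode is for: `RESTRICTED_NODE, /* Restricted view mode: subset of VIEW_NODE for anonymous vtys. */`.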
@@ -82,6 +82,10 @@ static int vty_config; /* Login password check. */ static int no_password_check = 0; +/* Restrict unauthenticated logins? */ +static const u_char restricted_mode_default = 0; +static u_char restricted_mode = 0; + /* Integrated configuration file path */ char integrate_default[] = SYSCONFDIR INTEGRATE_DEFAULT_CONFIG; @@ -383,7 +387,7 @@ vty_auth (struct vty *vty, char *buf) /* AUTH_ENABLE_NODE */ vty->fail = 0; vty_out (vty, "%% Bad enable passwords, too many failures!%s", VTY_NEWLINE); - vty->node = VIEW_NODE; + vty->node = restricted_mode ? RESTRICTED_NODE : VIEW_NODE; } } } @@ -687,6 +691,7 @@ vty_end_config (struct vty *vty) { case VIEW_NODE: case ENABLE_NODE: + case RESTRICTED_NODE: /* Nothing to do. */ break; case CONFIG_NODE: @@ -1094,6 +1099,7 @@ vty_stop_input (struct vty *vty) { case VIEW_NODE: case ENABLE_NODE: + case RESTRICTED_NODE: /* Nothing to do. */ break; case CONFIG_NODE: @@ -1613,7 +1619,9 @@ vty_create (int vty_sock, union sockunion *su) vty->address = sockunion_su2str (su); if (no_password_check) { - if (host.advanced) + if (restricted_mode) + vty->node = RESTRICTED_NODE; + else if (host.advanced) vty->node = ENABLE_NODE; else vty->node = VIEW_NODE; @@ -2715,6 +2723,26 @@ DEFUN (no_vty_login, return CMD_SUCCESS; } +/* initial mode. */ +DEFUN (vty_restricted_mode, + vty_restricted_mode_cmd, + "anonymous restricted", + "Restrict view commands available in anonymous, unauthenticated vty\n") +{ + restricted_mode = 1; + return CMD_SUCCESS; +} + +DEFUN (vty_no_restricted_mode, + vty_no_restricted_mode_cmd, + "no anonymous restricted", + NO_STR + "Enable password checking\n") +{ + restricted_mode = 0; + return CMD_SUCCESS; +} + DEFUN (service_advanced_vty, service_advanced_vty_cmd, "service advanced-vty", 
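Review bot: In the too-many-enable-failures branch, `vty->node = restricted_mode ? RESTRICTED_NODE : VIEW_NODE;` drops the session to RESTRICTED_NODE whenever the option is set, regardless of how the session was admitted, so a user who authenticated through the login password and then mistypes the enable password too often ends up in a narrower mode than the VIEW_NODE granted at login. The option is documented as restricting anonymous vtys, and `vty_create` below only consults it under `no_password_check`; the fallback should use the same qualifier, `vty->node = (no_password_check && restricted_mode) ? RESTRICTED_NODE : VIEW_NODE;`. The AUTH_NODE branch of vty_auth is outside the hunk, so I cannot tell whether it needs the same treatment.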
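Review bot: The help string of `vty_no_restricted_mode` reads `"Enable password checking\n"`, which describes `login` rather than `no anonymous restricted` and will be shown by `?` for the wrong command; use something like `"Remove restrictions on anonymous, unauthenticated vty connections\n"`. Both DEFUNs only flip the `restricted_mode` flag that `vty_create` reads at connection time, so, as far as this hunk shows, anonymous sessions already open keep the node they were created with until they reconnect; a comment on the flag, `/* Read at vty creation; changing it does not affect sessions already open. */`, would keep an operator from assuming the restriction takes effect immediately. The `/* initial mode. */` comment above the first DEFUN says nothing about the command; replace it with `/* 'anonymous restricted': give no-login vtys RESTRICTED_NODE instead of VIEW_NODE. */`.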
@@ -2812,7 +2840,15 @@ vty_config_write (struct vty *vty) /* login */ if (no_password_check) vty_out (vty, " no login%s", VTY_NEWLINE); - + + if (restricted_mode != restricted_mode_default) + { + if (restricted_mode_default) + vty_out (vty, " no anonymous restricted%s", VTY_NEWLINE); + else + vty_out (vty, " anonymous restricted%s", VTY_NEWLINE); + } + vty_out (vty, "!%s", VTY_NEWLINE); return CMD_SUCCESS; @@ -2923,6 +2959,8 @@ vty_init (struct thread_master *master_thread) /* Install bgp top node. */ install_node (&vty_node, vty_config_write); + install_element (RESTRICTED_NODE, &config_who_cmd); + install_element (RESTRICTED_NODE, &show_history_cmd); install_element (VIEW_NODE, &config_who_cmd); install_element (VIEW_NODE, &show_history_cmd); install_element (ENABLE_NODE, &config_who_cmd); @@ -2943,6 +2981,8 @@ vty_init (struct thread_master *master_thread) install_element (VTY_NODE, &no_vty_access_class_cmd); install_element (VTY_NODE, &vty_login_cmd); install_element (VTY_NODE, &no_vty_login_cmd); + install_element (VTY_NODE, &vty_restricted_mode_cmd); + install_element (VTY_NODE, &vty_no_restricted_mode_cmd); #ifdef HAVE_IPV6 install_element (VTY_NODE, &vty_ipv6_access_class_cmd); install_element (VTY_NODE, &no_vty_ipv6_access_class_cmd); -- cgit v1.2.1
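Review bot: In vty_config_write the `if (restricted_mode_default)` branch can never run, because `restricted_mode_default` is declared `static const u_char restricted_mode_default = 0;` in the first hunk of this file, so the `no anonymous restricted` line is never written. That is acceptable as a default-tracking pattern, but a comment such as `/* default is 0 today; the branch is kept for when the default flips. */` would stop the next reader from treating the dead branch as a bug. vty_config_write begins before this hunk.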
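Review bot: `config_who_cmd` is installed into RESTRICTED_NODE, which lets an unauthenticated client enumerate the other vty sessions; `vty_create` in the hunk above stores the peer's address in `vty->address`, and as far as I recall the `who` output prints that per-session address. A looking-glass client has no need for this, so I would leave `who` at VIEW_NODE/ENABLE_NODE, or at minimum add `/* exposes other sessions' source addresses to anonymous vtys */` beside the line so the choice is explicit. vty_init starts before and ends after this hunk.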