[vty] Add support for a 'restricted mode' with anonymous vty connections

	* lib/command.h: Add a RESTRICTED_NODE, intended for use with
	  anonymous, 'no login' vtys, to provide a subset of 'view' mode
	  commands.
	* lib/command.c: Add RESTRICTED_NODE bits, nothing special, just
	  following VIEW_NODE.
	* lib/vty.c: (vty_auth) enable authentication should fall back to
	  restricted/view node as appropriate.
	  (vty_create) init vty's to restricted/view node as appropriate,
	  for the 'no login' case.
	  (vty_{no_,}restricted_mode_cmd) config commands to enable
	  'anonymous restricted' in vty configuration.
	  (vty_config_write) 'anonymous restricted' config.
	  (vty_init) Install some commands to restricted mode, and the
	  'anonymous restricted' config commands into VTY_NODE.
	* bgpd/*.c: Install some of the safe(r) BGP commands into
	  'restricted mode', i.e. lookup commands of non-sensitive data.
	  Useful with looking-glass route-servers.
diff --git a/lib/vty.c b/lib/vty.c
index 3208471..14a36c1 100644
--- a/lib/vty.c
+++ b/lib/vty.c
@@ -82,6 +82,10 @@
 /* Login password check. */
 static int no_password_check = 0;
 
+/* Restrict unauthenticated logins? */
+static const u_char restricted_mode_default = 0;
+static u_char restricted_mode = 0;
+
 /* Integrated configuration file path */
 char integrate_default[] = SYSCONFDIR INTEGRATE_DEFAULT_CONFIG;
 
@@ -383,7 +387,7 @@
 	      /* AUTH_ENABLE_NODE */
 	      vty->fail = 0;
 	      vty_out (vty, "%% Bad enable passwords, too many failures!%s", VTY_NEWLINE);
-	      vty->node = VIEW_NODE;
+	      vty->node = restricted_mode ? RESTRICTED_NODE : VIEW_NODE;
 	    }
 	}
     }
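Review bot: The fallback `vty->node = restricted_mode ? RESTRICTED_NODE : VIEW_NODE;` tests only `restricted_mode`, while the vty_create hunk applies the restriction only inside `if (no_password_check)`. With a login password configured and 'anonymous restricted' also set, a session that authenticated normally and then exhausts its enable attempts would apparently be dropped to RESTRICTED_NODE rather than the VIEW_NODE it came from. That fails closed, so it is not an exposure, but it does not match the "anonymous, 'no login'" scope in the commit text. Either add a comment saying the downgrade is intended, or use `vty->node = (no_password_check && restricted_mode) ? RESTRICTED_NODE : VIEW_NODE;`. The enclosing function starts and ends outside this hunk, so how the session reached AUTH_ENABLE_NODE is not visible here.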
@@ -687,6 +691,7 @@
     {
     case VIEW_NODE:
     case ENABLE_NODE:
+    case RESTRICTED_NODE:
       /* Nothing to do. */
       break;
     case CONFIG_NODE:
@@ -1094,6 +1099,7 @@
     {
     case VIEW_NODE:
     case ENABLE_NODE:
+    case RESTRICTED_NODE:
       /* Nothing to do. */
       break;
     case CONFIG_NODE:
@@ -1613,7 +1619,9 @@
   vty->address = sockunion_su2str (su);
   if (no_password_check)
     {
-      if (host.advanced)
+      if (restricted_mode)
+        vty->node = RESTRICTED_NODE;
+      else if (host.advanced)
 	vty->node = ENABLE_NODE;
       else
 	vty->node = VIEW_NODE;
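Review bot: The order of this chain is the security property, and nothing in the code says so: `restricted_mode` has to be tested before `host.advanced`, or a no-login session would start in ENABLE_NODE when both 'anonymous restricted' and 'service advanced-vty' are configured. I would add a comment above the chain such as `/* 'anonymous restricted' overrides 'service advanced-vty': an unauthenticated vty must not start in ENABLE_NODE. */`. The flag is read only here, at connection creation, so sessions opened before the command is configured presumably keep their original node; that is worth a line in the user documentation. The two added lines are indented with spaces while the neighbouring lines use a tab. The function continues outside the hunk.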
@@ -2715,6 +2723,26 @@
   return CMD_SUCCESS;
 }
 
+/* initial mode. */
+DEFUN (vty_restricted_mode,
+       vty_restricted_mode_cmd,
+       "anonymous restricted",
+       "Restrict view commands available in anonymous, unauthenticated vty\n")
+{
+  restricted_mode = 1;
+  return CMD_SUCCESS;
+}
+
+DEFUN (vty_no_restricted_mode,
+       vty_no_restricted_mode_cmd,
+       "no anonymous restricted",
+       NO_STR
+       "Enable password checking\n")
+{
+  restricted_mode = 0;
+  return CMD_SUCCESS;
+}
+
 DEFUN (service_advanced_vty,
        service_advanced_vty_cmd,
        "service advanced-vty",
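Review bot: The help text for `no anonymous restricted` reads `"Enable password checking\n"`, which looks copied from the login command and describes the opposite of what the command does. It lifts the restriction on unauthenticated sessions, so an operator reading the help could widen anonymous access by mistake. Both DEFUNs also supply one help line fewer than the command has tokens, and as far as I know the command parser pairs one help line with each token. I would use `"Anonymous (unauthenticated) vty sessions\n"` followed by `"Restrict to the restricted-mode command subset\n"` in both, keeping `NO_STR` first in the negated form. The `/* initial mode. */` comment could say instead that the flag only affects vtys created with 'no login'.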
@@ -2812,7 +2840,15 @@
   /* login */
   if (no_password_check)
     vty_out (vty, " no login%s", VTY_NEWLINE);
-
+    
+  if (restricted_mode != restricted_mode_default)
+    {
+      if (restricted_mode_default)
+        vty_out (vty, " no anonymous restricted%s", VTY_NEWLINE);
+      else
+        vty_out (vty, " anonymous restricted%s", VTY_NEWLINE);
+    }
+  
   vty_out (vty, "!%s", VTY_NEWLINE);
 
   return CMD_SUCCESS;
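Review bot: The `if (restricted_mode_default)` branch that writes ` no anonymous restricted` is unreachable at present, because `restricted_mode_default` is declared `static const u_char ... = 0` in the first hunk. If it is kept so the default can later be flipped to restricted, say so in a comment such as `/* Only the non-default state is written; the 'no' form applies if the default ever becomes restricted. */`. The hunk also replaces an empty line with one holding only spaces and adds another whitespace-only line before the `"!"` output; both should be empty. The function begins outside the hunk.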
@@ -2923,6 +2959,8 @@
   /* Install bgp top node. */
   install_node (&vty_node, vty_config_write);
 
+  install_element (RESTRICTED_NODE, &config_who_cmd);
+  install_element (RESTRICTED_NODE, &show_history_cmd);
   install_element (VIEW_NODE, &config_who_cmd);
   install_element (VIEW_NODE, &show_history_cmd);
   install_element (ENABLE_NODE, &config_who_cmd);
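Review bot: Installing `config_who_cmd` into RESTRICTED_NODE deserves a second look, because that node is what anonymous, unauthenticated users reach. If `who` lists the peer addresses of all connected vtys (the body is not in this diff, but `vty->address` is populated in vty_create), then any visitor to a looking-glass can see where operators and other users are connecting from. I would drop `install_element (RESTRICTED_NODE, &config_who_cmd);`, or keep it with a comment recording why the disclosure is acceptable. `show_history_cmd` presumably only echoes the session's own input and looks fine to expose.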
@@ -2943,6 +2981,8 @@
   install_element (VTY_NODE, &no_vty_access_class_cmd);
   install_element (VTY_NODE, &vty_login_cmd);
   install_element (VTY_NODE, &no_vty_login_cmd);
+  install_element (VTY_NODE, &vty_restricted_mode_cmd);
+  install_element (VTY_NODE, &vty_no_restricted_mode_cmd);
 #ifdef HAVE_IPV6
   install_element (VTY_NODE, &vty_ipv6_access_class_cmd);
   install_element (VTY_NODE, &no_vty_ipv6_access_class_cmd);