Skip to content

Looking Glass: FRRouting (FRR) configuration and tips.

FRR has its roots in the Quagga project. In fact, it was started by many long-time Quagga developers who combined their efforts to improve on Quagga's well-established foundation in order to create the best routing protocol stack available. We invite you to participate in the FRRouting community and help shape the future of networking.

Instalation FRRouting


Security and user access

Looking Glass directly calls vtysh -c "frr command". Thus, the lg user only needs to run vtysh, ping and traceroute. To achieve this, we recommend the use of rbash (restricted bash, see [1]), ssh key based authentication and a bit of dark magic.


Rough steps ahead (maybe more doc later):

# create the "lg" unix user and add it to 'frr' and 'frrvty' group's.
root@frr-router ~# adduser lg
(boring questions)
root@frr-router ~# pw group mod frr -m lg
root@frr-router ~# pw group mod frrvty -m lg

# log in as lg user
root@frr-router ~# su -l lg

# create ssh userdir and authorized the looking glass RSA pubkey with limited access and features
lg@frr-router ~# mkdir ~/.ssh/
lg@frr-router ~# echo 'from=",$IP4-OF-YOUR-LG",no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa $RSA-PUBKEY-HERE lg@looking-glass' >| ~/.ssh/authorized_keys

# truncate the profile dotfile
lg@frr-router ~# echo >| ~/.profile

# set up a limited PATH
lg@frr-router ~# echo "export PATH=/opt/lg-bin" >| ~/.profile
lg@frr-router ~# exit

# render the profile dotfile immutable, the lg user will not be able to truncate/edit it
root@frr-router ~# chattr +i ~lg/.profile

# change lg user shell to restricted bash
root@frr-router ~# chsh -s /bin/rbash lg

# set up the restricted PATH with the only necessary binaries simlinks
root@frr-router ~# mkdir -p /opt/lg-bin
root@frr-router ~# for cmd in vtysh ping traceroute; do ln -s $(which $cmd) /opt/lg-bin/; done
root@frr-router ~#

You can disable password authentication for the lg user in the sshd config:

Match user lg
  PasswordAuthentication no

and reload sshd:

service ssh reload


Test the SSH connection from the server where the looking glass is installed:

ssh -i lg-user-id_rsa.key

After successful login, verify that only built-in functions and vtysh, ping and traceroute are available and functionnal.


  • [1]