On Fri, 11 Mar 2016, Paul Jakma wrote:

> On Fri, 11 Mar 2016, Donald Sharp wrote:
>
>> The RESTRICTED_NODE command is not used, introduces code
>> complexity and provides no additional levels of security.
>> The only way to get into RESTRICTED_NODE is to add, under
>> vty configuration the command 'anonymous restricted', and
>> then telnet to a daemon, provide a password, then type
>> 'enable' and fail to enter the password three times.
>
> No, that's not right. It's intended for use with another vty-config command
> that allows anonymous access - 'no login' I think.
> You go straight into restricted mode.

Oh, it should be the unauthenticated "go straight into non-enabled vty
access without password" feature that is under discussion here. If
'restricted mode' doesn't make sense, then the no-auth vty feature
doesn't either and it should go too.
If the no-auth telnet to vty feature is being used by some route servers
or looking-glasses, then 'restricted mode' does make sense, cause you
can give access to just reasonably performant 'query' commands - without
giving access to the expensive table dumping commands (which vty just
isn't the right tool for - use MRT dumps).
So, the question is, does anyone use or need the unauthenticated bgpd
telnet feature? It could be hard to answer that...
regards,
--
Paul Jakma [email protected] @pjakma Key ID: 64A2FF6A
Fortune:
What the large print giveth, the small print taketh away.
_______________________________________________
Quagga-dev mailing list
[email protected]
https://lists.quagga.net/mailman/listinfo/quagga-dev
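The two `line vty` configurations under discussion, side by side, as an added illustration that is not part of the thread. The command names are the Quagga `line vty` keywords the mails refer to (`no login`, `anonymous restricted`); the comments are mine.

```text
! Constructed example (not from the thread): unauthenticated vty access
! with no restriction. Any telnet client that can reach the vty port
! lands in a full view-mode shell and can run the expensive table-dumping
! commands Paul mentions.
line vty
 no login

! Constructed example (not from the thread): unauthenticated vty access,
! but each session starts in RESTRICTED_NODE, so only the cheaper
! 'query' style commands are reachable without the enable password.
line vty
 no login
 anonymous restricted
```

If `no login` is not configured at all, `anonymous restricted` has nothing to act on, which is the dependency Paul's reply is pointing out.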