bgplgsh —
looking glass shell for the OpenBSD Border Gateway Protocol
daemon
The bgplgsh program is a looking glass shell for the
bgpd(8) Border Gateway Protocol daemon. The
looking glass will provide a simple command line interface with read-only
access to a restricted set of bgpd(8) and
system status information, which is typically used on route servers by
Internet Service Providers (ISPs) and Internet eXchange points (IXs).
It requires three steps to enable the looking glass shell:
- Add
bgplgsh as a valid login shell. See
shells(5) for more information.
# echo /usr/bin/bgplgsh >> /etc/shells
- Create a new user for restricted looking glass access. See
adduser(8) for more information about
system user management.
# adduser -shell bgplgsh -batch bgplg
# passwd bgplg
- Start the Border Gateway Protocol daemon with a second, restricted,
control socket. See bgpd.conf(5) and
bgplg(8) for more information.
For example, add the following to
/etc/bgpd.conf to have
bgpd(8) open a second, restricted,
control socket:
socket
"/var/www/run/bgpd.rsock" restricted
- /var/www/run/bgpd.rsock
- Position of the second, restricted, control socket of
bgpd(8).
The bgplgsh program first appeared in
OpenBSD 4.1. The initial implementation was done in
2005 for DE-CIX, the German commercial internet exchange point.
To prevent commands from running endlessly, bgplgsh will
kill the corresponding processes after a hard limit of 60 seconds. For
example, this can take effect when using
traceroute(8) with blackholed or bad
routes.