0 - INTRODUCTION

OpenBGP Looking Glass, look & feel inspired by Reyk's bgplg, but written from scratch in a couple of minutes to run under PHP. Raw, poor, no gloss or glitter, but with some extra goodies (commands I tend to need myself).

It is not intended to add complexity. It should use a limited version of bgpctl, called bgpctl-lg, which is a stripped-down version of bgpctl with no commands other than "show" stuff (no reload/clear/add/remove/delete/irrfilter/etc), which may allow safe usage with the suid bit set.

1 - INSTALL BGPCTL-LG APPLICATION

To install bgpctl-lg simply:

    cd bgpctl-lg
    make

This very simple and raw Makefile will apply a ridiculous yet functional patch that modifies bgpctl in such a way that only the basic "show" operations are available; everything else returns a usage error.

The patched bgpctl will get installed as /usr/local/sbin/bgpctl-lg with the suid bit set to root, while only the GID 80 members will be able to execute bgpctl-lg. Hope it's safe enough.

2 - UNSAFE ALTERNATIVE TO BGPCTL-LG

An alternative is to copy the unpatched bgpctl and set the suid bit on the copy:

    cp -f /usr/local/sbin/bgpctl /usr/local/sbin/bgpctl-lg
    chmod 4555 /usr/local/sbin/bgpctl-lg

The copy keeps every bgpctl command, not just "show", and mode 4555 makes it setuid and executable by every local user.

3 - SSH SUPPORT

Optionally, you can have this looking glass on one server while running the OpenBGP service somewhere else. In this case add an ssh user on the OpenBGP server and set a password:

    pw useradd bgpctl-lg -d /usr/home/bgpctl-lg -s /bin/sh -m
    passwd bgpctl-lg

Adjust permissions so that only that user may execute bgpctl-lg:

    chmod 4550 /usr/local/sbin/bgpctl-lg
    chgrp bgpctl-lg /usr/local/sbin/bgpctl-lg

Remember to have the pecl-ssh2 extension loaded in PHP and edit your sshd_config to allow password-based authentication (by default on FreeBSD password access is only valid from interactive keyboard input; other systems may differ):

    PasswordAuthentication yes

Restart the sshd service accordingly.

4 - DEPENDENCIES

You need PHP 5.2 or higher with the posix and pecl-ssh2 extensions loaded.

You also need to be on FreeBSD with the Ports Collection available so that bgpctl-lg can be patched/built/installed; otherwise do it manually, following bgpctl-lg/Makefile.

5 - CONFIGURATION

Edit config.inc.php and customize it as needed.

6 - BEWARE

Use this script with caution. It's not completely tested yet.

Patrick Tracanelli
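
A post-install check for the permissions described in sections 1 to 3, added here as an example and not part of this project: it reports when bgpctl-lg is missing its suid bit, is executable by everyone (the 4555 mode from section 2), or is writable by group or others. The function names are made up for this example, and it inspects mode bits only, not owner or group.

```sh
#!/bin/sh
# Added example, not part of the looking glass distribution.
# Audits the mode bits of a bgpctl-lg binary against the 4550 layout
# the README describes (setuid, no access at all for "other").

# has_perm FILE BITS -> true when every bit in octal BITS is set on FILE
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_lg_binary FILE -> prints OK or a list of findings.
# Returns 0 when clean, 1 when findings exist, 2 when FILE is missing.
audit_lg_binary() {
    f=$1
    findings=""
    if [ ! -f "$f" ]; then
        echo "MISSING"
        return 2
    fi
    # Installed suid per the README; without the bit the mode has drifted.
    if ! has_perm "$f" 4000; then
        findings="$findings NO-SETUID"
    fi
    # Mode 4555 (section 2) lets every local user run the suid binary.
    if has_perm "$f" 0001; then
        findings="$findings WORLD-EXEC"
    fi
    # A suid binary that non-owners can rewrite can be replaced outright.
    if has_perm "$f" 0020; then
        findings="$findings GROUP-WRITE"
    fi
    if has_perm "$f" 0002; then
        findings="$findings WORLD-WRITE"
    fi
    if [ -z "$findings" ]; then
        echo "OK"
        return 0
    fi
    echo "${findings# }"
    return 1
}
```

After sourcing the file, run `audit_lg_binary /usr/local/sbin/bgpctl-lg`; confirm the owner and group separately with `ls -l`.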