vtysh provides a combined frontend to all FRR daemons in a single session. It is enabled by default at build time, but can be disabled through the --disable-vtysh option to ./configure.
vtysh has a configuration file, vtysh.conf. The location of that file cannot be changed from /usr/local/etc since it contains options controlling authentication behavior. This file is also not written by configuration-save commands; it is intended to be updated manually by an administrator with an external editor.
Warning: This also means the hostname and banner motd commands (which both do have effect for vtysh) need to be manually updated in vtysh.conf.
vtysh connects to running daemons through Unix sockets located in /var/run. Running vtysh thus requires access to that directory, plus membership in the group (the group to which the daemons change the ownership of their sockets).
To restrict access to FRR configuration, make sure no unauthorized users are members of the group.
vtysh has working (but rather useless) PAM support. It will perform an "authenticate" PAM call using frr as service name. No other (accounting, session, password change) calls will be performed by vtysh.
Users using vtysh still need to have appropriate access to the daemons' VTY sockets, usually by being a member of the group. If they have this membership, PAM support is useless since they can connect to the daemons and issue commands using some other tool. Alternatively, the vtysh binary could be made SGID (set group ID) to the group. No security guarantees are made for this configuration.
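Since access to the daemons' sockets is decided by group membership rather than by PAM, the check that matters is who is effectively in that group. The following audit script is an added example, not part of FRR or of this page: it lists effective members (explicit entries plus users whose primary GID is the group, which a plain grep over /etc/group misses), reports anyone not on an allow list, and checks a binary for the SGID bit. The group name frrvty and the sample account databases are assumptions; the page does not name the group.

```shell
#!/bin/sh
# Audit who can reach the FRR daemon sockets through vtysh.
# GROUP_FILE / PASSWD_FILE default to the system databases; the demo below
# points them at constructed sample data so the script runs offline.

# usage: effective_group_members GROUP
# Prints one user per line, sorted and de-duplicated: explicit members from
# the group entry plus users whose primary GID in passwd is that group.
effective_group_members() {
    _entry=$(awk -F: -v g="$1" '$1 == g' "${GROUP_FILE:-/etc/group}")
    [ -n "$_entry" ] || { echo "group $1 not found" >&2; return 1; }
    _gid=$(printf '%s\n' "$_entry" | cut -d: -f3)
    {
        printf '%s\n' "$_entry" | cut -d: -f4 | tr ',' '\n'
        awk -F: -v gid="$_gid" '$4 == gid { print $1 }' "${PASSWD_FILE:-/etc/passwd}"
    } | grep -v '^$' | sort -u
}

# usage: unauthorized_members GROUP ALLOWED_USER...
# Prints effective members not on the allow list. grep exiting 1 (nothing
# left over) is the good outcome, so it is not treated as an error.
unauthorized_members() {
    _group="$1"; shift
    _allowed=$(printf '%s\n' "$@")
    effective_group_members "$_group" | { grep -vxF -e "$_allowed" || [ $? -eq 1 ]; }
}

# usage: vtysh_is_sgid PATH -> exit 0 if the file carries the set-group-ID bit
vtysh_is_sgid() { [ -g "$1" ]; }

# Constructed sample databases (not from a real host). The group name frrvty
# is an assumption. "bob" is a member only through his primary GID (992).
AUDIT_TMP=$(mktemp -d)
GROUP_FILE="$AUDIT_TMP/group"
PASSWD_FILE="$AUDIT_TMP/passwd"
cat >"$GROUP_FILE" <<'EOF'
root:x:0:
frrvty:x:992:alice,netops
users:x:100:
EOF
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0::/root:/bin/sh
alice:x:1000:100::/home/alice:/bin/sh
bob:x:1001:992::/home/bob:/bin/sh
netops:x:1002:100::/home/netops:/bin/sh
EOF

echo "effective members of frrvty:"; effective_group_members frrvty
echo "members not on the allow list (alice, netops):"; unauthorized_members frrvty alice netops
```

On a real host, leave GROUP_FILE and PASSWD_FILE unset and pass the group your build was configured with; run `vtysh_is_sgid` against the installed vtysh path to confirm the SGID configuration the text warns about is not in use unintentionally.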