From 0efb25abe37512c817d781661e4b72fd6d774b09 Mon Sep 17 00:00:00 2001 From: Michael Sheinberg Date: Mon, 27 Nov 2017 17:30:21 -0500 Subject: [PATCH] Address documentation nits raised in PR Regarding case usage, language surrounding SSH usage by admins, and prompt language at install. --- docs/ssh_over_local_net.rst | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/ssh_over_local_net.rst b/docs/ssh_over_local_net.rst index fc350a4e996..5dcf2595928 100644 --- a/docs/ssh_over_local_net.rst +++ b/docs/ssh_over_local_net.rst @@ -2,20 +2,21 @@ SSH Over Local Network ====================== Under a production installation post-install, the default way to gain ssh -administrative access is over the Tor network. This provides a number of benefits: +administrative access is over the tor network. This provides a number of benefits: * Allows remote administration outside of the local network * Provides anonymity to an administrator while logging into the SecureDrop back-end. * Can mitigate against an attacker on your local network attempting to exploit - vulnerabilities against the SSHd daemon. + vulnerabilities against the ssh daemon. -Most administrators will never need SSH access during the course of running a -SecureDrop instance so the potential short-falls of having ssh over tor aren't -usually a big deal. The cons of having SSH over tor can include: +Most administrators will need ssh access during the course of running a +SecureDrop instance and a few times a year for maintanence. So the +potential short-falls of having ssh over tor aren't usually a big deal. +The cons of having ssh over tor can include: * Really slow and delayed remote terminal performance -* Allowing SSH access from outside of your local network can be seen as a +* Allowing ssh access from outside of your local network can be seen as a potential larger security hole for some organizations. Particularly those with tight network security controls. 
@@ -30,16 +31,16 @@ Configuring SSH for local access -------------------------------- .. warning:: It is important that your firewall is configured adequately if you - decide you need SSH over the local network. The install process locks + decide you need ssh over the local network. The install process locks down access as much as possible with net restrictions, ssh-keys, and google authenticator. However, you could still leave the interface exposed to unintended users if you did not properly follow our network firewall guide. -The setting that controls ssh local-net access is set during the `sdconfig` step +The setting that controls ssh over LAN access is set during the `sdconfig` step of the install. -.. note:: Whichever network you install from will be the one that SSH is +.. note:: Whichever network you install from will be the one that ssh is restricted to post-install. This will come into play particularly if you have multiple network interfaces. @@ -66,7 +67,7 @@ the following : for more information https://docs.securedrop.org/en/stable" } - Enable SSH over Tor - alternatively ssh over local net [true]: no + Force SSH over Tor - (otherwise over LAN) [true]: no Then as usual you'll run
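Review bot: In the first hunk (@@ -2,20 +2,21 @@), the rewritten paragraph no longer supports its own conclusion. The old premise "will never need SSH access" is reversed to "will need ssh access during the course of running a SecureDrop instance and a few times a year for maintanence", yet the inference "So the potential short-falls of having ssh over tor aren't usually a big deal" is kept. If the intent is that access is infrequent, say that directly, for example "Most administrators will only need ssh access a few times a year for maintenance, so ...". "maintanence" should be "maintenance". Separately, changing "Tor network" to "tor network" lowercases a proper noun; I would keep "Tor" for the network and limit the case change to "ssh".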
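Review bot: In the second hunk (@@ -30,16 +31,16 @@), "ssh over LAN access" adds another name for the same setting. The page title is "SSH Over Local Network", the warning in this hunk says "ssh over the local network", and the removed wording was "local-net". Pick one term, preferably "local network" to match the title and the warning. Since this hunk already edits the warning, it would also help to turn "our network firewall guide" into a cross-reference, because the warning depends on the reader actually finding that guide.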
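Review bot: In the last hunk (@@ -66,7 +67,7 @@), the sample prompt becomes "Force SSH over Tor - (otherwise over LAN) [true]: no", but the diffstat lists only docs/ssh_over_local_net.rst, so unless the installer's prompt string is updated in the same PR the documentation will show text the admin never sees. Please confirm the prompt in the `sdconfig` step matches. The example also answers "no" to a prompt whose default is shown as "[true]"; state which values are accepted, and say explicitly that "no" is the answer that puts ssh on the local network, since that is the security-relevant choice this page is about.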