From 61ba607b67bd9d69daeb39f72914c61e6e23af63 Mon Sep 17 00:00:00 2001 From: redshiftzero Date: Thu, 3 May 2018 11:04:49 -0700 Subject: [PATCH] Revert "Docs: Update docs for SSH over local network, fix some nits" This reverts commit 1aa596dd94ffb441ed27767a57b4d66d3c9b8c03. --- docs/ssh_over_local_net.rst | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/docs/ssh_over_local_net.rst b/docs/ssh_over_local_net.rst index 53ce27fdf0..da2c0db026 100644 --- a/docs/ssh_over_local_net.rst +++ b/docs/ssh_over_local_net.rst @@ -4,16 +4,16 @@ SSH Over Local Network Under a production installation post-install, the default way to gain SSH administrative access is over the Tor network. This provides a number of benefits: -* Allows remote administration outside of the local network. +* Allows remote administration outside of the local network * Provides anonymity to an administrator while logging into the SecureDrop - servers. + back-end. * Can mitigate against an attacker on your local network attempting to exploit vulnerabilities against the SSH daemon. Most administrators will need SSH access during the course of running a -SecureDrop instance and a few times a year for maintenance. So the -potential shortfalls of having SSH over Tor aren't usually a big deal. -The cons of having SSH over Tor include: +SecureDrop instance and a few times a year for maintanence. So the +potential short-falls of having SSH over Tor aren't usually a big deal. +The cons of having SSH over Tor can include: * Really slow and delayed remote terminal performance * Allowing SSH access from outside of your local network can be seen as a 
@@ -32,7 +32,7 @@ Configuring SSH for local access .. warning:: It is important that your firewall is configured adequately if you decide you need SSH over the local network. The install process locks - down access as much as possible with net restrictions, SSH keys, and + down access as much as possible with net restrictions, SSH-keys, and google authenticator. However, you could still leave the interface exposed to unintended users if you did not properly follow our network firewall guide. @@ -40,7 +40,7 @@ Configuring SSH for local access .. warning:: This setting will lock you out of SSH access to your instance if your *Admin Workstation* passes through a NAT in order to get to the SecureDrop servers. If you are unsure whether this is the case, please - consult your firewall configuration or network administrator. + consult with your firewall configuration or network administrator. .. note:: Whichever network you install from will be the one that SSH is restricted to post-install. This will come into play particularly if @@ -55,9 +55,9 @@ latest production release. $ ./securedrop-admin update $ ./securedrop-admin setup -The setting that controls SSH over LAN access is set during the ``sdconfig`` step +The setting that controls SSH over LAN access is set during the `sdconfig` step of the install. Below is an example of what the prompt will look like. You can -answer either 'Tor' or 'LAN' when you are prompted: +answer either 'no' or 'false' when you are prompted for `Enable SSH over Tor`: .. code:: sh 
@@ -69,16 +69,16 @@ answer either 'Tor' or 'LAN' when you are prompted: Hostname for Application Server: app Hostname for Monitor Server: mon [...] - Enable SSH over Tor (recommended) or LAN: LAN + Enable SSH over Tor: no -Then you'll have to run the installation script: +Then you'll have to run the installation script .. code:: sh $ ./securedrop-admin install .. note:: If you are migrating from a production install previously configured - with SSH over Tor, you will be prompted to re-run the ``install`` portion + with SSH over Tor, you will be prompted to re-run the `install` portion twice. This is due to the behind the scenes configuration changes being done to switch between Tor and the local network. @@ -88,9 +88,10 @@ Finally, re-configure your *Admin Workstation* as follows: $ ./securedrop-admin tailsconfig -Assuming everything is working you should be able to gain SSH access as follows: +Assuming everything is working you should be able to gain SSH access as follows .. code:: sh $ ssh app $ ssh mon +
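Review bot: In the first hunk (@@ -4,16 +4,16 @@, the benefits list and the paragraph after it), the revert brings back the misspelling "maintanence" and the hyphenated "short-falls". It also leaves the bullet list inconsistently punctuated: the first bullet loses its period while the third still ends with one. These fixes are unrelated to how the SSH setting behaves, so consider keeping "maintenance" and "shortfalls" and punctuating all three bullets the same way.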
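Review bot: In the NAT warning hunk (@@ -40,7 +40,7 @@), "please consult with your firewall configuration or network administrator" reads awkwardly, because one consults a configuration but consults with a person. This warning is about being locked out of SSH, so the wording should leave no room for misreading; "consult your firewall configuration or network administrator" is the clearer form.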
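Review bot: In the sdconfig hunk (@@ -55,9 +55,9 @@), sdconfig and Enable SSH over Tor are wrapped in single backticks, which reStructuredText treats as interpreted text in the default role rather than as an inline literal; use double backticks. The restored sentence also tells the admin to answer 'no' or 'false' without stating that this answer is what moves SSH onto the local network. Say so explicitly, since the warning earlier in the file notes that this setting can lock an admin out when the Admin Workstation sits behind a NAT. The commit message gives only the reverted hash; one line on why the 'Tor'/'LAN' wording is being withdrawn would help readers of the history.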
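Review bot: In the @@ -69,16 +69,16 @@ hunk, "Then you'll have to run the installation script" loses the colon that introduces the following code block, and install in the migration note goes back to single backticks, which is not an inline literal in reStructuredText. Keep the trailing colon and the double backticks even if the prompt example itself has to return to "Enable SSH over Tor: no".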
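Review bot: The last hunk (@@ -88,9 +88,10 @@) adds an empty line at the end of the file after "$ ssh mon", growing the hunk from 9 to 10 lines, and drops the colon from "you should be able to gain SSH access as follows" ahead of the code block. Remove the trailing blank line and keep the colon so the sentence still introduces the commands.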