Merge pull request #3357 from freedomofpress/no-fancy-tor-ssh-sdconfig

Fix #3354: Tor over SSH prompt should not be populated with invalid response
freedomofpress · May 3, 2018 · d8205f9 · d8205f9
2 parents 640f56f + 61e7778
commit d8205f9
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 34 deletions.
diff --git a/admin/securedrop_admin/__init__.py b/admin/securedrop_admin/__init__.py
@@ -71,13 +71,6 @@ def validate(self, document):
             raise ValidationError(
                 message="Must not be root, amnesia or an empty string")
 
-    class ValidateSSH(Validator):
-        def validate(self, document):
-            text = document.text
-            if text.lower() == 'tor' or text.lower() == 'lan':
-                return True
-            raise ValidationError(message="Must be Tor (recommended) or LAN")
-
     class ValidateIP(Validator):
         def validate(self, document):
             if re.match('((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$',
@@ -347,9 +340,10 @@ def __init__(self, args):
              SiteConfig.ValidateOSSECPassword(),
              None],
             ['enable_ssh_over_tor', True, bool,
-             u'Enable SSH over Tor (recommended) or LAN',
-             SiteConfig.ValidateSSH(),
-             self.sanitize_ssh_over_tor_or_lan],
+             u'Enable SSH over Tor (recommended, disables SSH over LAN). '
+             u'If you respond no, SSH will be available over LAN only',
+             SiteConfig.ValidateYesNo(),
+             lambda x: x.lower() == 'yes'],
             ['securedrop_supported_locales', [], types.ListType,
              u'Space separated list of additional locales to support '
              '(' + translations + ')',
@@ -418,12 +412,6 @@ def validated_input(self, prompt, default, validator, transform):
     def sanitize_fingerprint(self, value):
         return value.upper().replace(' ', '')
 
-    def sanitize_ssh_over_tor_or_lan(self, value):
-        if value.lower() == 'tor':
-            return True
-        elif value.lower() == 'lan':
-            return False
-
     def validate_gpg_keys(self):
         keys = (('securedrop_app_gpg_public_key',
                  'securedrop_app_gpg_fingerprint'),

diff --git a/admin/tests/test_securedrop-admin.py b/admin/tests/test_securedrop-admin.py
@@ -363,17 +363,6 @@ def test_validate_yes_no(self):
         assert validator.validate(Document("no"))
         assert validator.validate(Document("NO"))
 
-    def test_validate_ssh_tor_or_lan(self):
-        validator = securedrop_admin.SiteConfig.ValidateSSH()
-        with pytest.raises(ValidationError):
-            validator.validate(Document("not Tor or LAN"))
-        with pytest.raises(ValidationError):
-            validator.validate(Document("yes"))
-        with pytest.raises(ValidationError):
-            validator.validate(Document("no"))
-        assert validator.validate(Document("Tor"))
-        assert validator.validate(Document("LAN"))
-
     def test_validate_fingerprint(self):
         validator = securedrop_admin.SiteConfig.ValidateFingerprint()
         assert validator.validate(Document(
@@ -613,6 +602,7 @@ def verify_prompt_boolean(
 
     verify_prompt_securedrop_app_https_on_source_interface = \
         verify_prompt_boolean
+    verify_prompt_enable_ssh_over_tor = verify_prompt_boolean
 
     verify_prompt_securedrop_app_gpg_public_key = verify_desc_consistency
 
@@ -649,7 +639,6 @@ def verify_prompt_fingerprint(self, site_config, desc):
     verify_prompt_sasl_domain = verify_desc_consistency_allow_empty
     verify_prompt_sasl_username = verify_prompt_not_empty
     verify_prompt_sasl_password = verify_prompt_not_empty
-    verify_prompt_enable_ssh_over_tor = verify_prompt_not_empty
 
     def verify_prompt_securedrop_supported_locales(self, site_config, desc):
         (var, default, etype, prompt, validator, transform) = desc

diff --git a/docs/ssh_over_local_net.rst b/docs/ssh_over_local_net.rst
@@ -12,12 +12,12 @@ administrative access is over the Tor network. This provides a number of benefit
 
 Most administrators will need SSH access during the course of running a
 SecureDrop instance and a few times a year for maintenance. So the
-potential shortfalls of having SSH over Tor aren't usually a big deal.
-The cons of having SSH over Tor include:
+potential shortfalls of having SSH over Tor are not usually a major issue.
+The cons of having SSH over Tor can include:
 
-* Really slow and delayed remote terminal performance
+* Slow and delayed remote terminal performance
 * Allowing SSH access from outside of your local network can be seen as a
-  potential larger security hole for some organizations. Particularly those
+  potential larger security hole for some organizations, particularly those
   with tight network security controls.
 
 That being said, the default setting of only allowing SSH over Tor is a good fit
@@ -57,7 +57,7 @@ latest production release.
 
 The setting that controls SSH over LAN access is set during the ``sdconfig`` step
 of the install. Below is an example of what the prompt will look like. You can
-answer either 'Tor' or 'LAN' when you are prompted:
+answer either 'no' or 'false' when you are prompted for ``Enable SSH over Tor``:
 
 .. code:: sh
 
@@ -69,7 +69,7 @@ answer either 'Tor' or 'LAN' when you are prompted:
     Hostname for Application Server: app
     Hostname for Monitor Server: mon
     [...]
-    Enable SSH over Tor (recommended) or LAN: LAN
+    Enable SSH over Tor (recommended, disables SSH over LAN). If you respond no, SSH will be available over LAN only: yes
 
 Then you'll have to run the installation script: