Allow SSH over local network instead of Tor #2592
Conversation
msheiny
force-pushed
the
SSHoverLocal
branch
from
462b94c to
01c0093
Compare
docs/ssh_over_local_net.rst
Outdated
|
|
||
| Most administrators will never need SSH access during the course of running a | ||
| SecureDrop instance so the potential short-falls of having ssh over tor aren't | ||
| usually a big deal. The cons of having SSH over tor can include: |
There was a problem hiding this comment.
Most administrators will never need SSH access during the course of running a SecureDrop instance
Not true. We ask Admins to run commands against servers on average twice a year. They'll definitely need it at some point. Still, the point about minimizing attack surface is valid. Specifically we're trading the additional factor of a HidServAuth cookie for physical access to the hardware firewall. Given the damage an attacker could do with physical access to the boxes, that's a reasonable trade-off for some orgs.
docs/ssh_over_local_net.rst
Outdated
| * Provides anonymity to an administrator while logging into the SecureDrop | ||
| back-end. | ||
| * Can mitigate against an attacker on your local network attempting to exploit | ||
| vulnerabilities against the SSHd daemon. |
There was a problem hiding this comment.
Changes to be made throughout:
s/ssh/SSH/(unless referenced specifically as a command)s/SSHd daemon/SSH daemon/s/tor/Tor/(unless referenced as a command or file)
docs/ssh_over_local_net.rst
Outdated
| exposed to unintended users if you did not properly follow our network | ||
| firewall guide. | ||
|
|
||
| The setting that controls ssh local-net access is set during the `sdconfig` step |
There was a problem hiding this comment.
ssh local-net access
How about: "SSH over LAN".
docs/ssh_over_local_net.rst
Outdated
| for more information https://docs.securedrop.org/en/stable" | ||
| } | ||
|
|
||
| Enable SSH over Tor - alternatively ssh over local net [true]: no |
There was a problem hiding this comment.
This is a confusing prompt—hard to tell what system state "true" will enforce. How about:
Force SSH over Tor (otherwise over LAN) [true]: no
Even that phrasing makes it tempting for Admins to disable the option.
There was a problem hiding this comment.
👍 i really like this wording change
| # connections are forced over Tor. In staging, this value will be 0.0.0.0 | ||
| # to enable direct access for testing during development. | ||
| ssh_listening_address: 127.0.0.1 | ||
| enable_ssh_over_tor: true |
There was a problem hiding this comment.
Default value consistent with current project settings. 👍
| {%- if ssh_ip|ipaddr(net_string) -%} | ||
| {%- set ssh_local_net = net_string|ipaddr('cidr') -%} | ||
| {%- set ssh_int = interface -%} | ||
| {%- if enable_ssh_over_tor == true or 'staging' in group_names -%} |
There was a problem hiding this comment.
The if enable_ssh_over_tor conditional should be the governor of whether the entire "Permit direct SSH access" block is entered. Let's move this to the top of the block and iterate over the interfaces only if required.
The netmask attributes on ifaces will also require additional pip requirements, but I see you already added those to the admin requirements file.
There was a problem hiding this comment.
unfortunately -- if you do that logic (only loop over this if enable_ssh_over_tor) you are unable to use these values outside that loop. That bit me hard while debugging and I couldnt find a way to set jinja variables global inside a loop
There was a problem hiding this comment.
for reference of similar issue I ran into when trying to add this under a giant conditional at the top previously -- https://stackoverflow.com/questions/17925674/jinja2-local-global-variable
i did just find a post of someone assigning to a dictionary instead though to get around this --> https://stackoverflow.com/questions/9486393/jinja2-change-the-value-of-a-variable-inside-a-loop .
I honestly dont think its a huge deal as-is. can you chip in with more context on why you think the current logic is going to be problematic?
msheiny
force-pushed
the
SSHoverLocal
branch
from
31a93f7 to
0efb25a
Compare
|
rebased on |
msheiny
force-pushed
the
SSHoverLocal
branch
from
0efb25a to
ca3f8a6
Compare
msheiny
force-pushed
the
SSHoverLocal
branch
from
9b94c9f to
8162c81
Compare
|
rebased again to fix an issue with a previous rebase ... :| |
msheiny
force-pushed
the
SSHoverLocal
branch
from
8162c81 to
7d17c41
Compare
|
I realize this PR has undergone significant rebasing, but CI is failing at the moment, so I am not re-reviewing. Unlikely to make it into 0.6 before merge window closes @msheiny. 😞 |
Addressed two issues here: * One bug report during QA of the PR where a user had an interface up without an active ipv4 address (so the ipv4 attribute failed) * Added back the ssh rate-limiting logic to local ssh that is present in the ssh over tor logic (for feature parity)
Found a situation when a user previously had ssh_over_tor enabled, they disable it, and run tailsconfig. We want to ensure that the local users sshconfig is setup to connect directly as oppossed to over tor.
This is a rare scenario that I'm addressing and this isnt the smoothest logic in the world, but it does the trick. All of our roles are currently designed for the opposite scenario (transistioning from ssh localnet -> ssh over tor), going the opposite way is tricky. So I added a minimal amount of conditional logic and have it bail early with a friendly user message. I tried to do a message and a meta `end_play` event instead so it wouldn't show as an "error" but I was unsuccessful to get that working as documented
* Noticed a white-space bug in the iptables template :| * Expanded iptables tests for the staging environment
Turns out this wasnt "legacy" and is needed for macosx/vbox users under vagrant 🤷
Previously system would not reboot as needed when iptables changes were made after the initial install. With the updated logic when iptables changes, we drop a file on disk indicating a reboot is needed. The reboot task which is wayy further down the line sees that file and reboots as necessary.
Modified the comments a bit. In general the iptables rules are pretty terrible and need a huge refactor. There is a community member attempting to address some of that. Hopefully I can assist with rebase efforts after this.
So during testing against a production hardware instance this came up and smacked me in the face :) During testing locally everything is done on the same /24 but in PROD we recommend having split networks which is what I had -- and things fell down fast :( So this fixes the logic, so it'll calculate the network CIDR of the ADMIN network (derived from commands run on the admin workstation) and allow all from there.
* Fix reference to securedrop-admin sdconfig * Add warning about not using this feature through a NAT
Its important the user specifically updates to a later branch that includes this update. It is also important for the end-user to update their pip dependencies which includes a jinja ipaddr filter used for network string parsing
|
Rebased on develop to pull in #3272 fix |
|
Having an exceedingly hard time breaking this, which is fantastic. Going to run through yet another install on clean prod VMs, this time validating that opting out of ssh-over-tor from the get-go works smoothly. Very optimistic this'll get in before the current sprint is over. |
|
Repeated runs with both clean-install-without-tor and converted-install worked well. Used prod VMs from virtualized Tails environment exclusively. We'll surely get in more quality time with this puppy during pre-release QA for 0.7, but as it stands, it addresses all the major edges we should accommodate. Fantastic work here, @msheiny. |
redshiftzero
dismissed stale reviews from emkll and themself
Dismissing blocking review because @emkll commented LGTM in text comment above
ghost
mentioned this pull request
Status
Ready for review
Description of Changes
Changes proposed in this pull request:
If an admin toggles this setting (optional, its off by default) though, this PR will:
toron the monitor serversecuredrop-admin sdconfigTesting
How should the reviewer test this PR?
I've tested this locally under a full provisioning (boot to tails, running
./securedrop-admincommands). So I could use eyes on vagrant work-flow . CI now takes advantage of this mode (since essentially it was running staging before anyways).Deployment
Any special considerations for deployment? Consider both:
monserver. I just thought of that. I don't have a good story here right now. I'd like to push off to another ticket so this PR doesnt get too crazy (if theres no objections).sdconfigChecklist
I made changes to both system config and docs.
If you made changes to the system configuration:
If you made changes to documentation: