[v3 onion migration] add v3 onion support to tor-hidden-services ansible role #4628

Closed
redshiftzero opened this issue Jul 19, 2019 · 4 comments · Fixed by #4652

@redshiftzero
Contributor

Description

This ticket is to modify the tor-hidden-services Ansible role to use v2_onion_services and v3_onion_services variables from site-specific (ref: #4627) to support the following three cases for SSH on app/mon (if SSH over Tor is configured), Journalist interface, and the Source interface:

  • Only v2 onion services (using HidServAuth as we currently do for SSH and the Journalist Interface)
  • v2 and v3 alongside
  • Only v3 onion services (using ClientOnionAuthDir for SSH and the Journalist Interface) - references: Appendix G here, tor client auth docs

If the v2_onion_services and v3_onion_services values are unset (this covers a case where the admin re-runs securedrop-admin install after 1.0.0 without re-running securedrop-admin sdconfig), their defaults should be:

  • v2_onion_services: True
  • v3_onion_services: False

Subticket of #2951

@kushaldas
Contributor

In the morning I became a bit confused about the time when both v2 and v3 are available and we are using auth-header, as I don't know when we will handle the v3 authenticated services.

@kushaldas
Contributor

I will push the changes in the morning in a draft PR. Will update cryptography for admin to generate the onion keys in Tails station.

@kushaldas
Contributor

I wrote a Python script which can generate the private and public keys using the cryptography module, but it will require an update of the cryptography module to 2.5 or above (2.7 is the latest).

Now, to execute the script properly, I will have to place the script in the adjacent ./admin/.venv/bin/ directory and call it via the command module in Ansible, but I am failing to do so. Any tips about how to do that? I am pasting the part of the new task below:

---
# Copy the key generation script next to the admin virtualenv binaries.
- name: Copy the command file
  copy:
    src: gentorv3keys.py
    dest: ../../admin/.venv/bin/gentorv3keys.py
    mode: "0755"
  when: "v3_onion_services|default(false)"

# Bare command name, so the command module resolves it through PATH.
- name: Generate v3 Onion keys if mentioned
  command: gentorv3keys.py
  register: genkeyv3
  when: "v3_onion_services|default(false)"

# Keep the script output for later tasks.
- name: Get the public and private key
  set_fact:
    torkeys: "{{ genkeyv3.stdout }}"
  when: "v3_onion_services|default(false)"

# "when" belongs at task level, not among the debug module arguments.
- debug:
    var: hostvars['localhost']['torkeys']['private_key']
  when: "v3_onion_services|default(false)"

@emkll @msheiny @conorsch ^^^ any tips?
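
One way to produce the v3 client-authorization key material discussed in this comment with the cryptography module (2.5 or later for raw key serialization), as an added example; it is not the gentorv3keys.py script from this thread or SecureDrop's own code. The function name, the constructed placeholder address and the file names in the docstring are assumptions; the line formats follow Tor's client authorization documentation.

```python
"""Build Tor v3 client-authorization lines from an X25519 key pair."""
import base64
import re
from typing import Optional, Tuple

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey

V3_HOST = re.compile(r"[a-z2-7]{56}")  # v3 hostname without ".onion"


def _b32(raw: bytes) -> str:
    # Tor reads the raw 32-byte key as unpadded base32.
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def client_auth_lines(
    onion_address: str, private_key: Optional[X25519PrivateKey] = None
) -> Tuple[str, str]:
    """Return (service_line, client_line) for one authorized client.

    service_line goes in <HiddenServiceDir>/authorized_clients/<name>.auth
    client_line goes in <ClientOnionAuthDir>/<name>.auth_private
    """
    host = onion_address.lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if not V3_HOST.fullmatch(host):
        # A 16-character v2 address ends up here; v2 uses HidServAuth instead.
        raise ValueError("not a v3 onion address")

    key = private_key or X25519PrivateKey.generate()
    priv = key.private_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PrivateFormat.Raw,
        encryption_algorithm=serialization.NoEncryption(),
    )
    pub = key.public_key().public_bytes(
        encoding=serialization.Encoding.Raw,
        format=serialization.PublicFormat.Raw,
    )
    return "descriptor:x25519:" + _b32(pub), host + ":descriptor:x25519:" + _b32(priv)


if __name__ == "__main__":
    # Constructed placeholder address, not a real service.
    service_line, _client_line = client_auth_lines("a" * 56 + ".onion")
    print(service_line)  # only the public half is printed; keep the client line private
```

Only the service line needs to reach the server; the client line contains the private key and belongs on the workstation that connects.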

@kushaldas
Contributor

Got some input from @emkll and @msheiny over the video call; I will work on that input.
