
Only configure v2 ssh service when v2 services are enabled #5718

Merged
merged 1 commit into develop from 5717-torrc-sshv2 on Jan 19, 2021

Conversation

emkll
Contributor

@emkll emkll commented Jan 18, 2021

Status

Ready for review

Description of Changes

Fixes #5717

Updates the torrc template to conditionally add the ssh config for v2 onion services

Testing

  1. Make sure the underlying issue is reproducible
  2. Install from develop (or 1.7.0-rc2) using staging or prod scenarios, with the following config:
  • enable_ssh_over_tor: true
  • v2_onion_services: true
  • v3_onion_services: true
  3. Confirm that you receive the alert:
  • An email alert is received indicating v2 services are enabled
  • /var/ossec/logs/alerts/alert.log contains rule 4000901 triggered
  4. Check out this branch, set v2_onion_services: false and run ./securedrop-admin install
  5. Confirm the changes work as expected
  • /var/ossec/logs/alerts.log does not contain a new rule 4000901 that was triggered
  • /etc/tor/torrc does not contain occurrences of HiddenServiceVersion 2 on both app and mon

Deployment

New and existing installs will be configured using Ansible. Orgs which have already updated to disable v2 will need to run the playbook again to ensure v2 onion services for ssh are properly disabled.

Disabling v2 and enabling v3 in a single pass might prove problematic if provisioning over Tor, but the documentation appears sufficiently clear that one should enable v2+v3 first, then disable v2: https://docs.securedrop.org/en/stable/v3_services.html#disabling-v2-onion-services

Checklist

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR
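
The two checks in the test plan above (scan /etc/tor/torrc for blocks that are still HiddenServiceVersion 2, and scan the OSSEC alert log for rule 4000901), as an added Python example that is not SecureDrop's own code. The torrc and alerts.log contents are constructed inline: the HiddenServiceDir paths and the rule's message text are illustrative, and a HiddenServiceDir block with no HiddenServiceVersion line is treated as v3, which is assumed here to match Tor's default.

```python
import re
from typing import List, Optional, Tuple

# Constructed torrc resembling the pre-fix state from the test plan:
# v2 and v3 enabled together with enable_ssh_over_tor, so a v2 SSH block
# is present next to the v3 one. Directory paths are illustrative.
TORRC_BEFORE = """\
SocksPort 9050
# v2 Source Interface
HiddenServiceDir /var/lib/tor/services/source
HiddenServiceVersion 2
HiddenServicePort 80 127.0.0.1:80
# v3 Source Interface
HiddenServiceDir /var/lib/tor/services/sourcev3
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80
# v2 SSH block: this is what should disappear once v2_onion_services is false
HiddenServiceDir /var/lib/tor/services/ssh
HiddenServiceVersion 2
HiddenServicePort 22 127.0.0.1:22
# v3 SSH block
HiddenServiceDir /var/lib/tor/services/sshv3
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
"""

# Constructed torrc for the expected post-fix state: only v3 blocks remain.
TORRC_AFTER = """\
SocksPort 9050
HiddenServiceDir /var/lib/tor/services/sourcev3
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/services/sshv3
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
"""


def hidden_services(torrc: str) -> List[Tuple[str, int]]:
    """Return (HiddenServiceDir, version) for each onion service block.

    Tor applies HiddenService* options to the most recent HiddenServiceDir,
    so the file is walked in order. A block with no explicit
    HiddenServiceVersion is recorded as 3 (assumed to be Tor's default).
    """
    services: List[Tuple[str, int]] = []
    current: Optional[str] = None
    version = 3
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "hiddenservicedir":
            if current is not None:
                services.append((current, version))
            current, version = value, 3
        elif key == "hiddenserviceversion" and current is not None:
            version = int(value)
    if current is not None:
        services.append((current, version))
    return services


def v2_service_dirs(torrc: str) -> List[str]:
    """Directories still configured as HiddenServiceVersion 2 (should be empty after the fix)."""
    return [d for d, v in hidden_services(torrc) if v == 2]


# Constructed excerpt in OSSEC's alerts.log layout. Rule 4000901 is the
# SecureDrop rule the test plan names; its message text here is illustrative.
ALERTS_LOG = """\
** Alert 1610971200.1: mail - local,syslog,
2021 Jan 18 12:00:00 app->ossec
Rule: 4000901 (level 12) -> 'v2 onion services are enabled'
v2 onion services are still configured in /etc/tor/torrc

** Alert 1610971300.2: - syslog,sshd,
2021 Jan 18 12:01:40 app->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Jan 18 12:01:40 app sshd[1234]: pam_unix(sshd:session): session opened for user admin
"""

# OSSEC writes one "Rule: <id> (level <n>) -> '<description>'" line per alert.
ALERT_RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.MULTILINE)


def rule_hits(alert_log: str, rule_id: int) -> int:
    """Count alerts in an OSSEC alerts log that fired the given rule id."""
    return sum(1 for m in ALERT_RULE_RE.finditer(alert_log) if int(m.group(1)) == rule_id)


def v2_fully_disabled(torrc: str, alert_log: str, rule_id: int = 4000901) -> bool:
    """The PR's acceptance condition: no v2 blocks in torrc and no new v2 alerts."""
    return not v2_service_dirs(torrc) and rule_hits(alert_log, rule_id) == 0


if __name__ == "__main__":
    print("v2 dirs before fix:", v2_service_dirs(TORRC_BEFORE))
    print("v2 dirs after fix: ", v2_service_dirs(TORRC_AFTER))
    print("rule 4000901 hits: ", rule_hits(ALERTS_LOG, 4000901))
```

On a real host, read /etc/tor/torrc and /var/ossec/logs/alerts/alerts.log into the two functions; the torrc scan is immediate, whereas the OSSEC check only reflects alerts that have already fired, which matters when the rule runs on a daily interval as the review below notes.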

rmol
rmol previously approved these changes Jan 19, 2021
Contributor

@rmol rmol left a comment


👍 Starting from develop, /etc/tor/torrc contained v2 SSH. Reran install from this branch, and only v3 services were left in the file. Legacy SSH services were no longer reachable.

I did not get the OSSEC alerts from the develop installation, but that's probably because the check is daily and I didn't reduce the interval.

This is good to merge once rebased on current develop to get CI green.

@rmol rmol merged commit cbcc894 into develop Jan 19, 2021
@rmol rmol deleted the 5717-torrc-sshv2 branch January 19, 2021 20:48
@sssoleileraaa sssoleileraaa mentioned this pull request Jan 22, 2021
Successfully merging this pull request may close these issues.

Ossec alert is still being triggered after v2 services were disabled due to v2 ssh hidden service in torrc