
Add support for configuring a tor hidden service for SSH access

Open anadahz opened this issue 8 years ago • 5 comments

The build script should also support configuring a tor hidden service that allows ssh access to some set of keys.

anadahz, Jun 03 '16 14:06

Prior to enabling access to a set of ssh keys we'll first need to set the group/user permissions in lepidopter. Currently the default username (lepidopter) is in the sudo group and requires user authentication (default password: lepidopter) to run sudo. In order to access lepidopter via ssh and perform superuser tasks (with sudo) we'll either need to know the password of the user, disable sudo user authentication or log in as root via ssh.

If we expose the ssh service via a tor hidden service we should ensure that the default authentication password is being changed or allow only public key authentication (which may not be applicable to headless lepidopter setups).

anadahz, Aug 06 '16 21:08

@hellais, @darkk, @bassosimone any thoughts on https://github.com/TheTorProject/lepidopter/issues/35#issuecomment-238049020?

anadahz, Aug 28 '16 16:08

@anadahz, thanks for the question, I guess that's a very important one. So, let's discuss this and here's what I just said in the IRC meeting about this issue:

if possible I'd avoid us having root access on Lepidopters because it increases the scope of what we can do using the probes way beyond the software we deploy using standard channels and this IMHO could put partners in a more troubling situation if caught, not to mention that say I have access to all Lepidopters, I am compromised, and someone uses that access to do nasty things (e.g. installing a botnet and doing DoS attacks using the probes).

and to further clarify:

I am not advocating against having a root user, I am advocating against us having ssh access as root (but also I think I am advocating against us having ssh access)

and:

to further clarify, I think we should not have ssh access, because I think we should not be able to run arbitrary commands on the probe in an unaccountable way, and I think this is also a safeguard for partners (one thing is if you can demonstrate what software was running, another if one can argue a partner gave a box to "foreign agents")

bassosimone, Aug 29 '16 17:08

After last meeting's discussion it seems that we are going to drop the idea of using a tor HS for SSH access in lepidopter images.

anadahz, Aug 30 '16 19:08

I would say we keep this as a ticket, but defer it to future versions.

hellais, Aug 31 '16 16:08