deploy: 6e895366ea

develop/manhole.html

@@ -190,7 +190,7 @@ debugging.</p>
 <p>Note that this will give administrative access to synapse to <strong>all users</strong> with
 shell access to the server. It should therefore <strong>not</strong> be enabled in
 environments where untrusted users have shell access.</p>
-<hr />
+<h2 id="configuring-the-manhole"><a class="header" href="#configuring-the-manhole">Configuring the manhole</a></h2>
 <p>To enable it, first uncomment the <code>manhole</code> listener configuration in
 <code>homeserver.yaml</code>. The configuration is slightly different if you're using docker.</p>
 <h4 id="docker-config"><a class="header" href="#docker-config">Docker config</a></h4>
@@ -218,12 +218,28 @@ The <code>bind_addresses</code> in the example below is important: it ensures th
     bind_addresses: ['::1', '127.0.0.1']
     type: manhole
 </code></pre>
-<h4 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h4>
+<h3 id="security-settings"><a class="header" href="#security-settings">Security settings</a></h3>
+<p>The following config options are available:</p>
+<ul>
+<li><code>username</code> - The username for the manhole (defaults to <code>matrix</code>)</li>
+<li><code>password</code> - The password for the manhole (defaults to <code>rabbithole</code>)</li>
+<li><code>ssh_priv_key</code> - The path to a private SSH key (defaults to a hardcoded value)</li>
+<li><code>ssh_pub_key</code> - The path to a public SSH key (defaults to a hardcoded value)</li>
+</ul>
+<p>For example:</p>
+<pre><code class="language-yaml">manhole_settings:
+  username: manhole
+  password: mypassword
+  ssh_priv_key: &quot;/home/synapse/manhole_keys/id_rsa&quot;
+  ssh_pub_key: &quot;/home/synapse/manhole_keys/id_rsa.pub&quot;
+</code></pre>
+<h2 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h2>
 <p>Then restart synapse, and point an ssh client at port 9000 on localhost, using
-the username <code>matrix</code>:</p>
+the username and password configured in <code>homeserver.yaml</code> - with the default 
+configuration, this would be:</p>
 <pre><code class="language-bash">ssh -p9000 matrix@localhost
 </code></pre>
-<p>The password is <code>rabbithole</code>.</p>
+<p>Then enter the password when prompted (the default is <code>rabbithole</code>).</p>
 <p>This gives a Python REPL in which <code>hs</code> gives access to the
 <code>synapse.server.HomeServer</code> object - which in turn gives access to many other
 parts of the process.</p>

develop/print.html

@@ -3274,6 +3274,24 @@ listeners:
   #  bind_addresses: ['::1', '127.0.0.1']
   #  type: manhole
 
+# Connection settings for the manhole
+#
+manhole_settings:
+  # The username for the manhole. This defaults to 'matrix'.
+  #
+  #username: manhole
+
+  # The password for the manhole. This defaults to 'rabbithole'.
+  #
+  #password: mypassword
+
+  # The private and public SSH key pair used to encrypt the manhole traffic.
+  # If these are left unset, then hardcoded and non-secret keys are used,
+  # which could allow traffic to be intercepted if sent over a public network.
+  #
+  #ssh_priv_key_path: CONFDIR/id_rsa
+  #ssh_pub_key_path: CONFDIR/id_rsa.pub
+
 # Forward extremities can build up in a room due to networking delays between
 # homeservers. Once this happens in a large room, calculation of the state of
 # that room can become quite expensive. To mitigate this, once the number of
@@ -11180,7 +11198,7 @@ debugging.</p>
 <p>Note that this will give administrative access to synapse to <strong>all users</strong> with
 shell access to the server. It should therefore <strong>not</strong> be enabled in
 environments where untrusted users have shell access.</p>
-<hr />
+<h2 id="configuring-the-manhole"><a class="header" href="#configuring-the-manhole">Configuring the manhole</a></h2>
 <p>To enable it, first uncomment the <code>manhole</code> listener configuration in
 <code>homeserver.yaml</code>. The configuration is slightly different if you're using docker.</p>
 <h4 id="docker-config"><a class="header" href="#docker-config">Docker config</a></h4>
@@ -11208,12 +11226,28 @@ The <code>bind_addresses</code> in the example below is important: it ensures th
     bind_addresses: ['::1', '127.0.0.1']
     type: manhole
 </code></pre>
-<h4 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h4>
+<h3 id="security-settings"><a class="header" href="#security-settings">Security settings</a></h3>
+<p>The following config options are available:</p>
+<ul>
+<li><code>username</code> - The username for the manhole (defaults to <code>matrix</code>)</li>
+<li><code>password</code> - The password for the manhole (defaults to <code>rabbithole</code>)</li>
+<li><code>ssh_priv_key</code> - The path to a private SSH key (defaults to a hardcoded value)</li>
+<li><code>ssh_pub_key</code> - The path to a public SSH key (defaults to a hardcoded value)</li>
+</ul>
+<p>For example:</p>
+<pre><code class="language-yaml">manhole_settings:
+  username: manhole
+  password: mypassword
+  ssh_priv_key: &quot;/home/synapse/manhole_keys/id_rsa&quot;
+  ssh_pub_key: &quot;/home/synapse/manhole_keys/id_rsa.pub&quot;
+</code></pre>
+<h2 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h2>
 <p>Then restart synapse, and point an ssh client at port 9000 on localhost, using
-the username <code>matrix</code>:</p>
+the username and password configured in <code>homeserver.yaml</code> - with the default 
+configuration, this would be:</p>
 <pre><code class="language-bash">ssh -p9000 matrix@localhost
 </code></pre>
-<p>The password is <code>rabbithole</code>.</p>
+<p>Then enter the password when prompted (the default is <code>rabbithole</code>).</p>
 <p>This gives a Python REPL in which <code>hs</code> gives access to the
 <code>synapse.server.HomeServer</code> object - which in turn gives access to many other
 parts of the process.</p>

develop/sample_config.yaml

@@ -335,6 +335,24 @@ listeners:
   #  bind_addresses: ['::1', '127.0.0.1']
   #  type: manhole
 
+# Connection settings for the manhole
+#
+manhole_settings:
+  # The username for the manhole. This defaults to 'matrix'.
+  #
+  #username: manhole
+
+  # The password for the manhole. This defaults to 'rabbithole'.
+  #
+  #password: mypassword
+
+  # The private and public SSH key pair used to encrypt the manhole traffic.
+  # If these are left unset, then hardcoded and non-secret keys are used,
+  # which could allow traffic to be intercepted if sent over a public network.
+  #
+  #ssh_priv_key_path: CONFDIR/id_rsa
+  #ssh_pub_key_path: CONFDIR/id_rsa.pub
+
 # Forward extremities can build up in a room due to networking delays between
 # homeservers. Once this happens in a large room, calculation of the state of
 # that room can become quite expensive. To mitigate this, once the number of

develop/usage/configuration/homeserver_sample_config.html

@@ -527,6 +527,24 @@ listeners:
   #  bind_addresses: ['::1', '127.0.0.1']
   #  type: manhole
 
+# Connection settings for the manhole
+#
+manhole_settings:
+  # The username for the manhole. This defaults to 'matrix'.
+  #
+  #username: manhole
+
+  # The password for the manhole. This defaults to 'rabbithole'.
+  #
+  #password: mypassword
+
+  # The private and public SSH key pair used to encrypt the manhole traffic.
+  # If these are left unset, then hardcoded and non-secret keys are used,
+  # which could allow traffic to be intercepted if sent over a public network.
+  #
+  #ssh_priv_key_path: CONFDIR/id_rsa
+  #ssh_pub_key_path: CONFDIR/id_rsa.pub
+
 # Forward extremities can build up in a room due to networking delays between
 # homeservers. Once this happens in a large room, calculation of the state of
 # that room can become quite expensive. To mitigate this, once the number of