deploy: 6e895366ea7f194cd48fae08a9909ee01a9fadae
1 files changed, 38 insertions, 4 deletions
diff --git a/develop/print.html b/develop/print.html
index ee674b8156..cb23b1ae2e 100644
--- a/develop/print.html
+++ b/develop/print.html
@@ -3274,6 +3274,24 @@ listeners:
# bind_addresses: ['::1', '127.0.0.1']
# type: manhole
+# Connection settings for the manhole
+#
+manhole_settings:
+ # The username for the manhole. This defaults to 'matrix'.
+ #
+ #username: manhole
+
+ # The password for the manhole. This defaults to 'rabbithole'.
+ #
+ #password: mypassword
+
+ # The private and public SSH key pair used to encrypt the manhole traffic.
+ # If these are left unset, then hardcoded and non-secret keys are used,
+ # which could allow traffic to be intercepted if sent over a public network.
+ #
+ #ssh_priv_key_path: CONFDIR/id_rsa
+ #ssh_pub_key_path: CONFDIR/id_rsa.pub
+
# Forward extremities can build up in a room due to networking delays between
# homeservers. Once this happens in a large room, calculation of the state of
# that room can become quite expensive. To mitigate this, once the number of
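Review bot: The comments on `#username` and `#password` state the defaults ('matrix' / 'rabbithole') but, unlike the comment on the key pair, carry no warning that these defaults are publicly documented. Since the sample config is what operators copy from, add a line to the password comment saying the default is well known and should be changed whenever the manhole listener is enabled, in the same way the key comment already says the hardcoded keys are non-secret. The `CONFDIR/id_rsa` example could also use a manhole-specific filename so it is not mistaken for a general-purpose SSH key in the config directory.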
@@ -11180,7 +11198,7 @@ debugging.</p>
<p>Note that this will give administrative access to synapse to <strong>all users</strong> with
shell access to the server. It should therefore <strong>not</strong> be enabled in
environments where untrusted users have shell access.</p>
-<hr />
+<h2 id="configuring-the-manhole"><a class="header" href="#configuring-the-manhole">Configuring the manhole</a></h2>
<p>To enable it, first uncomment the <code>manhole</code> listener configuration in
<code>homeserver.yaml</code>. The configuration is slightly different if you're using docker.</p>
<h4 id="docker-config"><a class="header" href="#docker-config">Docker config</a></h4>
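Review bot: The new `<h2 id="configuring-the-manhole">` is followed directly by the unchanged `<h4 id="docker-config">`, so the outline now jumps from h2 to h4, while the later hunk adds "Security settings" at h3 under the same section. Promote "Docker config" (and its sibling config subsection, if it is also h4) to h3 so the three subsections of "Configuring the manhole" sit at one level and the generated table of contents nests correctly.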
@@ -11208,12 +11226,28 @@ The <code>bind_addresses</code> in the example below is important: it ensures th
bind_addresses: ['::1', '127.0.0.1']
type: manhole
</code></pre>
-<h4 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h4>
+<h3 id="security-settings"><a class="header" href="#security-settings">Security settings</a></h3>
+<p>The following config options are available:</p>
+<ul>
+<li><code>username</code> - The username for the manhole (defaults to <code>matrix</code>)</li>
+<li><code>password</code> - The password for the manhole (defaults to <code>rabbithole</code>)</li>
+<li><code>ssh_priv_key</code> - The path to a private SSH key (defaults to a hardcoded value)</li>
+<li><code>ssh_pub_key</code> - The path to a public SSH key (defaults to a hardcoded value)</li>
+</ul>
+<p>For example:</p>
+<pre><code class="language-yaml">manhole_settings:
+ username: manhole
+ password: mypassword
+ ssh_priv_key: "/home/synapse/manhole_keys/id_rsa"
+ ssh_pub_key: "/home/synapse/manhole_keys/id_rsa.pub"
+</code></pre>
+<h2 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h2>
<p>Then restart synapse, and point an ssh client at port 9000 on localhost, using
-the username <code>matrix</code>:</p>
+the username and password configured in <code>homeserver.yaml</code> - with the default
+configuration, this would be:</p>
<pre><code class="language-bash">ssh -p9000 matrix@localhost
</code></pre>
-<p>The password is <code>rabbithole</code>.</p>
+<p>Then enter the password when prompted (the default is <code>rabbithole</code>).</p>
<p>This gives a Python REPL in which <code>hs</code> gives access to the
<code>synapse.server.HomeServer</code> object - which in turn gives access to many other
parts of the process.</p>
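Review bot: The option names in the "Security settings" list and in the YAML example (`ssh_priv_key`, `ssh_pub_key`) do not match the names added to the sample config in the first hunk (`ssh_priv_key_path`, `ssh_pub_key_path`). One of the two is wrong, and an operator who copies the wrong one would get no error they can see from this text and would keep running on the hardcoded, non-secret keys. Align both places on the name the config parser actually reads. The list entries for the keys also say only "defaults to a hardcoded value"; repeat the sample config's warning that these defaults are non-secret, since this section is titled "Security settings". Finally, the paragraph under the new "Accessing synapse manhole" h2 still opens with "Then restart synapse", which no longer follows from the preceding text now that a heading and a new subsection sit in between.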