From 90bcfaa2aa39b6e32ac8044f888d8a7de1f36c67 Mon Sep 17 00:00:00 2001
From: Azrenbeth <Azrenbeth@users.noreply.github.com>
Date: Mon, 6 Sep 2021 15:08:24 +0000
Subject: deploy: 6e895366ea7f194cd48fae08a9909ee01a9fadae

---
 develop/print.html | 42 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 38 insertions(+), 4 deletions(-)

(limited to 'develop/print.html')

diff --git a/develop/print.html b/develop/print.html
index ee674b8156..cb23b1ae2e 100644
--- a/develop/print.html
+++ b/develop/print.html
@@ -3274,6 +3274,24 @@ listeners:
   #  bind_addresses: ['::1', '127.0.0.1']
   #  type: manhole
 
+# Connection settings for the manhole
+#
+manhole_settings:
+  # The username for the manhole. This defaults to 'matrix'.
+  #
+  #username: manhole
+
+  # The password for the manhole. This defaults to 'rabbithole'.
+  #
+  #password: mypassword
+
+  # The private and public SSH key pair used to encrypt the manhole traffic.
+  # If these are left unset, then hardcoded and non-secret keys are used,
+  # which could allow traffic to be intercepted if sent over a public network.
+  #
+  #ssh_priv_key_path: CONFDIR/id_rsa
+  #ssh_pub_key_path: CONFDIR/id_rsa.pub
+
 # Forward extremities can build up in a room due to networking delays between
 # homeservers. Once this happens in a large room, calculation of the state of
 # that room can become quite expensive. To mitigate this, once the number of
@@ -11180,7 +11198,7 @@ debugging.</p>
 <p>Note that this will give administrative access to synapse to <strong>all users</strong> with
 shell access to the server. It should therefore <strong>not</strong> be enabled in
 environments where untrusted users have shell access.</p>
-<hr />
+<h2 id="configuring-the-manhole"><a class="header" href="#configuring-the-manhole">Configuring the manhole</a></h2>
 <p>To enable it, first uncomment the <code>manhole</code> listener configuration in
 <code>homeserver.yaml</code>. The configuration is slightly different if you're using docker.</p>
 <h4 id="docker-config"><a class="header" href="#docker-config">Docker config</a></h4>
@@ -11208,12 +11226,28 @@ The <code>bind_addresses</code> in the example below is important: it ensures th
     bind_addresses: ['::1', '127.0.0.1']
     type: manhole
 </code></pre>
-<h4 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h4>
+<h3 id="security-settings"><a class="header" href="#security-settings">Security settings</a></h3>
+<p>The following config options are available:</p>
+<ul>
+<li><code>username</code> - The username for the manhole (defaults to <code>matrix</code>)</li>
+<li><code>password</code> - The password for the manhole (defaults to <code>rabbithole</code>)</li>
+<li><code>ssh_priv_key</code> - The path to a private SSH key (defaults to a hardcoded value)</li>
+<li><code>ssh_pub_key</code> - The path to a public SSH key (defaults to a hardcoded value)</li>
+</ul>
+<p>For example:</p>
+<pre><code class="language-yaml">manhole_settings:
+  username: manhole
+  password: mypassword
+  ssh_priv_key: &quot;/home/synapse/manhole_keys/id_rsa&quot;
+  ssh_pub_key: &quot;/home/synapse/manhole_keys/id_rsa.pub&quot;
+</code></pre>
+<h2 id="accessing-synapse-manhole"><a class="header" href="#accessing-synapse-manhole">Accessing synapse manhole</a></h2>
 <p>Then restart synapse, and point an ssh client at port 9000 on localhost, using
-the username <code>matrix</code>:</p>
+the username and password configured in <code>homeserver.yaml</code> - with the default 
+configuration, this would be:</p>
 <pre><code class="language-bash">ssh -p9000 matrix@localhost
 </code></pre>
-<p>The password is <code>rabbithole</code>.</p>
+<p>Then enter the password when prompted (the default is <code>rabbithole</code>).</p>
 <p>This gives a Python REPL in which <code>hs</code> gives access to the
 <code>synapse.server.HomeServer</code> object - which in turn gives access to many other
 parts of the process.</p>
-- 
cgit 1.5.1