
Re: [tor-relays] ControlPort Authentication Options



On 02.09.17 23:39, nusenu wrote:

> The ControlPort supports none, password-based and cookie-based
> authentication, Damian was suggesting the cookie option:
>
> https://www.torproject.org/docs/tor-manual.html.en#CookieAuthentication
> https://www.torproject.org/docs/tor-manual.html.en#ControlPort

Ah, I misunderstood, thanks for clarifying. I have made my SSH-user a
member of the Tor-user's group, added

  CookieAuthentication 1
  CookieAuthFile /var/lib/tor/cookie_auth
  CookieAuthFileGroupReadable 1

to torrc, and now I can indeed run Nyx without typing a controller
password. However, the following notices are displayed in Nyx:

  [NYX_NOTICE] We were unable to use any of your system's resolvers to
  get tor's connections.This is fine, but means that the connections
  page will be empty. This is usually permissions related so if you
  would like to fix this then run nyx with the same user as tor (ie,
  "sudo -u <tor user> nyx").
  [NYX_NOTICE] Unable to query connections with netstat, trying lsof
  [NYX_NOTICE] Unable to query connections with proc, trying netstat

Not being able to see the connections is a bit of a disadvantage. More
importantly: The first notice directly contradicts the advice not to use
"sudo -u tor" to run Arm or Nyx. Make up your mind, you guys. :-D

I also tried using a control socket instead of a control port, alas, the
parameter RelaxDirModeCheck is rejected by Tor 0.3.0.10:

  [warn] Failed to parse/validate config: Unknown option
  'RelaxDirModeCheck'. Failing.
  [err] Reading config failed--see warnings above.

It is documented in https://www.torproject.org/docs/tor-manual.html.en
and without RelaxDirModeCheck, Tor does not start unless the directory
containing the control socket is accessible only by the Tor user, so no
access for anybody else, meaning once more that Arm/Nyx needs to be run
as the Tor user... Deep breaths. ;-)

-Ralph
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
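
The cookie setup described in the message above, as an added example (not part of the original post and not Tor's or Nyx's own code): a Python check that the cookie file is readable by the controller's group but not by every local user, plus the AUTHENTICATE line a controller would send for it. The function name `audit_cookie` and the temporary sample cookie are assumptions made for illustration.

```python
import os
import stat
import tempfile

COOKIE_LEN = 32  # tor's control auth cookie is 32 random bytes


def audit_cookie(path, user_gids):
    """Return (problems, authenticate_line); user_gids = gids of the controller's account."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("cookie is accessible to all local users")
    if mode & stat.S_IWGRP:
        problems.append("cookie is group-writable")
    if not mode & stat.S_IRGRP:
        problems.append("cookie is not group-readable")
    elif st.st_gid not in user_gids:
        problems.append("controller user is not in the cookie's group")
    with open(path, "rb") as fh:
        cookie = fh.read()
    if len(cookie) != COOKIE_LEN:
        problems.append("unexpected cookie length %d" % len(cookie))
        return problems, None
    # Control protocol: AUTHENTICATE followed by the hex-encoded cookie bytes
    line = "AUTHENTICATE %s\r\n" % cookie.hex()
    return problems, line


def demo():
    # Constructed cookie in a temp dir; stands in for /var/lib/tor/cookie_auth
    d = tempfile.mkdtemp()
    path = os.path.join(d, "cookie_auth")
    with open(path, "wb") as fh:
        fh.write(bytes(range(COOKIE_LEN)))
    os.chmod(path, 0o640)  # what CookieAuthFileGroupReadable 1 is meant to give
    good = audit_cookie(path, {os.stat(path).st_gid})
    os.chmod(path, 0o644)  # too open: any local account could authenticate
    bad = audit_cookie(path, {os.stat(path).st_gid})
    return good, bad


if __name__ == "__main__":
    for problems, line in demo():
        print(problems or "ok", "->", (line or "")[:24] + "...")
```

On a relay, call `audit_cookie("/var/lib/tor/cookie_auth", set(os.getgroups()))` as the account that runs Nyx.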