[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] [RELEASE] Torsocks 2.0.0-rc4
On Tue, Mar 4, 2014 at 10:13 AM, David Goulet <dgoulet@xxxxxxxxx> wrote:
> On 04 Mar (08:36:13), Nick Mathewson wrote:
>> On Mar 4, 2014 4:26 AM, "Lunar" <lunar@xxxxxxxxxxxxxx> wrote:
>> >
>> > David Goulet:
>> > > After a big code review from Nick and help from a lot of people
>> > > contributing and testing, this is the release candidate 4 for the new
>> > > torsocks.
>> >
>> > I was about to push the new version to Debian experimental, but it just
>> > breaks my SSH configuration too badly.
>> >
>> > The new version forbids listen() and accept().
>> >
>> > That means that at least SSH options ControlMaster, LocalForward, and
>> > DynamicForward will not work. Being able to multiplex connections
>> > (ControlMaster) is pretty crucial to keep sanity when working over
>> > hidden services. Forwarding options allow a simple way to create to
>> > tunnel TCP connections to a remote system through SSH over Tor.
>> >
>> > I am not sure what is the right move here. Perhaps allowing listen on
>> > Unix sockets and localhost? Or maybe allowing listen() entirely?
>>
>> Those sound like good candidates for options. I think that listen-local is
>> probably safe*, but arbitrary listen is broken in enough use cases that it
>> should IMO be off by default.
>
> I agree here that this should not break the ssh -L. What I propose is an
> option that allows torsocks to accept inbound connection thus
> listen()/accept().
>
> An option in the configuration file and an environment variable also
> (which adds a command line option to torsocks as well). What about
> "AllowInbound" or "AllowListen" or "AcceptListen" that is off by
> default.
AllowInbound is probably okay, though still I think that "allow
inbound locally only" is a good idea.
(Could we implement that by checking getsockname() on the socket
before the call to listen(), to make sure that it was localhost or
unix?)
--
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev