[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Why does tor control port 9051 allow empty authentication?



Hi Yuri. If you just set a ControlPort in your torrc but not password
or cookie auth then its open. Please see...

https://stem.torproject.org/faq.html#can-i-interact-with-tors-controller-interface-directly

By default tor restricts access to localhost but none the less, having
authentication *or* using ControlSocket instead is advised.
Authentication in addition to a ControlSocket is ok but redundant
since filesystem permissions of a ControlSocket provide the same
safety as using an authentication cookie.


On Fri, Aug 18, 2017 at 12:45 PM, Yuri <yuri@xxxxxxxxx> wrote:
> This confuses me:
>
>
> $ telnet localhost 9051
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> authenticate
> 250 OK
>
>
> Isn't it supposed to require either auth-cookie or hashed password?
>
> Where is authentication policy described?
>
>
> Yuri
>
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk