|
|
@@ -0,0 +1,124 @@
|
|
|
+Filename: 119-protocolinfo-on-controlport.txt
|
|
|
+Title: New PROTOCOLINFO command for controllers
|
|
|
+Version: $Revision$
|
|
|
+Last-Modified: $Date$
|
|
|
+Author: Roger Dingledine
|
|
|
+Created: 14-Aug-2007
|
|
|
+Status: Open
|
|
|
+
|
|
|
+Overview:
|
|
|
+
|
|
|
+ Here we describe how to help controllers locate the cookie
|
|
|
+ authentication file when authenticating to Tor, so we can a) require
|
|
|
+ authentication by default for Tor controllers and b) still keep
|
|
|
+ things usable.
|
|
|
+
|
|
|
+The Problem:
|
|
|
+
|
|
|
+ When we first added the controller protocol, we wanted to make it
|
|
|
+ easy for people to play with it, so by default we didn't require any
|
|
|
+ authentication from controller programs. We allowed requests only from
|
|
|
+ localhost as a stopgap measure for security.
|
|
|
+
|
|
|
+ Due to an increasing number of vulnerabilities based on this approach,
|
|
|
+ it's time to add authentication in default configurations.
|
|
|
+
|
|
|
+ We have a number of goals:
|
|
|
+ - We want the default Vidalia bundles to transparently work. That
|
|
|
+ means we don't want the users to have to type in or know a password.
|
|
|
+ - We want to allow multiple controller applications to connect to the
|
|
|
+ control port. So if Vidalia is launching Tor, it can't just keep the
|
|
|
+ secrets to itself.
|
|
|
+
|
|
|
+ Right now there are three authentication approaches supported
|
|
|
+ by the control protocol: NULL, CookieAuthentication, and
|
|
|
+ HashedControlPassword. See Sec 5.1 in control-spec.txt for details.
|
|
|
+
|
|
|
+ There are a couple of challenges here. The first is: if the controller
|
|
|
+ launches Tor, how should we teach Tor what authentication approach
|
|
|
+ it should require, and the secret that goes along with it? Next is:
|
|
|
+ how should this work when the controller attaches to an existing Tor,
|
|
|
+ rather than launching Tor itself?
|
|
|
+
|
|
|
+ Cookie authentication seems most amenable to letting multiple controller
|
|
|
+ applications interact with Tor. But that brings in yet another question:
|
|
|
+ how does the controller guess where to look for the cookie file,
|
|
|
+ without first knowing what DataDirectory Tor it using?
|
|
|
+
|
|
|
+Design:
|
|
|
+
|
|
|
+ We should add a new controller command PROTOCOLINFO that can be sent
|
|
|
+ as a valid first command (the others being AUTHENTICATE and QUIT). If
|
|
|
+ PROTOCOLINFO is sent as the first command, the second command must be
|
|
|
+ either a successful AUTHENTICATE or a QUIT.
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+Spec:
|
|
|
+
|
|
|
+ C: PROTOCOLINFO CRLF
|
|
|
+ S: "250+PROTOCOLINFO" PIVERSION CRLF
|
|
|
+ S: "250-AUTH" SP "METHODS=" AuthMethod *("," AuthMethod)
|
|
|
+ [SP "COOKIEFILE=" AuthCookieFile] CRLF
|
|
|
+ S: "250-VERSION" SP "Tor=" Version [...]
|
|
|
+ S: "250 OK"
|
|
|
+
|
|
|
+ PIVERSION is there in case we drastically change the syntax one day. For
|
|
|
+ now it should always be "1".
|
|
|
+
|
|
|
+ [XXX Is there a better way to do PIVERSION? The above way seems bad,
|
|
|
+ since what do controllers do if they hear a 2 but don't know what to
|
|
|
+ do with it? -RD]
|
|
|
+
|
|
|
+ Right now only two "topics" (AUTH and VERSION) are included, but more
|
|
|
+ may be included in the future. Controllers must accept lines with
|
|
|
+ unexpected topics.
|
|
|
+
|
|
|
+ AuthMethod =
|
|
|
+ "NULL" / ; No authentication is required
|
|
|
+ "HASHEDPASSWORD" / ; A controller must supply the original password
|
|
|
+ "COOKIE" / ; A controller must supply the contents of a cookie
|
|
|
+
|
|
|
+ AuthCookieFile = QuotedString
|
|
|
+
|
|
|
+ AuthMethod is used to specify one or more control authentication
|
|
|
+ methods that Tor currently accepts.
|
|
|
+
|
|
|
+ AuthCookieFile specifies the absolute path and filename of the
|
|
|
+ authentication cookie that Tor is expecting and is provided only if
|
|
|
+ the METHODS field contains the method "COOKIE". This field MUST be
|
|
|
+ enclosed in DQUOTEs, since the absolute path to the cookie file may
|
|
|
+ contain spaces on some platforms.
|
|
|
+
|
|
|
+ The VERSION line contains the Tor version, in DQUOTES. In the future
|
|
|
+ it might also contain Link versions, Circuit versions, or others as
|
|
|
+ described in proposal 105.
|
|
|
+
|
|
|
+ [What else might we want to include that could be useful? -RD]
|
|
|
+
|
|
|
+Compatibility:
|
|
|
+
|
|
|
+ Tor 0.1.2.16 and 0.2.0.4-alpha hang up after the first failed
|
|
|
+ command. Earlier Tors don't know about this command but don't hang
|
|
|
+ up. That means controllers will need a mechanism for distinguishing
|
|
|
+ whether they're talking to a Tor that speaks PROTOCOLINFO or not.
|
|
|
+
|
|
|
+ I suggest that the controllers attempt a PROTOCOLINFO. Then:
|
|
|
+ - If it works, great. Authenticate as required.
|
|
|
+ - If they get hung up on, reconnect and do a NULL AUTHENTICATE.
|
|
|
+ - If it's unrecognized but they're not hung up on, do a NULL
|
|
|
+ AUTHENTICATE.
|
|
|
+
|
|
|
+Unsolved problems:
|
|
|
+
|
|
|
+ If Torbutton wants to be a Tor controller one day... talking TCP is
|
|
|
+ bad enough, but reading from the filesystem is even harder. Is there
|
|
|
+ a way to let simple programs work with the controller port without
|
|
|
+ needing all the auth infrastructure?
|
|
|
+
|
|
|
+ Once we put this approach in place, the next vulnerability we see will
|
|
|
+ involve an attacker somehow getting read access to the victim's files
|
|
|
+ --- and then we're back where we started. This means we still need
|
|
|
+ to think about how to demand password-based authentication without
|
|
|
+ bothering the user about it.
|
|
|
+
|
Roger Dingledine