119-controlport-auth.txt 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142
  1. Filename: 119-controlport-auth.txt
  2. Title: New PROTOCOLINFO command for controllers
  3. Version: $Revision$
  4. Last-Modified: $Date$
  5. Author: Roger Dingledine
  6. Created: 14-Aug-2007
  7. Status: Closed
  8. Implemented-In: 0.2.0.x
  9. Overview:
  10. Here we describe how to help controllers locate the cookie
  11. authentication file when authenticating to Tor, so we can a) require
  12. authentication by default for Tor controllers and b) still keep
  13. things usable. Also, we propose an extensible, general-purpose mechanism
  14. for controllers to learn about a Tor instance's protocol and
  15. authentication requirements before authenticating.
  16. The Problem:
  17. When we first added the controller protocol, we wanted to make it
  18. easy for people to play with it, so by default we didn't require any
  19. authentication from controller programs. We allowed requests only from
  20. localhost as a stopgap measure for security.
  21. Due to an increasing number of vulnerabilities based on this approach,
  22. it's time to add authentication in default configurations.
  23. We have a number of goals:
  24. - We want the default Vidalia bundles to transparently work. That
  25. means we don't want the users to have to type in or know a password.
  26. - We want to allow multiple controller applications to connect to the
  27. control port. So if Vidalia is launching Tor, it can't just keep the
  28. secrets to itself.
  29. Right now there are three authentication approaches supported
  30. by the control protocol: NULL, CookieAuthentication, and
  31. HashedControlPassword. See Sec 5.1 in control-spec.txt for details.
  32. There are a couple of challenges here. The first is: if the controller
  33. launches Tor, how should we teach Tor what authentication approach
  34. it should require, and the secret that goes along with it? Next is:
  35. how should this work when the controller attaches to an existing Tor,
  36. rather than launching Tor itself?
  37. Cookie authentication seems most amenable to letting multiple controller
  38. applications interact with Tor. But that brings in yet another question:
  39. how does the controller guess where to look for the cookie file,
  40. without first knowing what DataDirectory Tor is using?
  41. Design:
  42. We should add a new controller command PROTOCOLINFO that can be sent
  43. as a valid first command (the others being AUTHENTICATE and QUIT). If
  44. PROTOCOLINFO is sent as the first command, the second command must be
  45. either a successful AUTHENTICATE or a QUIT.
  46. If the initial command sequence is not valid, Tor closes the connection.
  47. Spec:
  48. C: "PROTOCOLINFO" *(SP PIVERSION) CRLF
  49. S: "250+PROTOCOLINFO" SP PIVERSION CRLF *InfoLine "250 OK" CRLF
  50. InfoLine = AuthLine / VersionLine / OtherLine
  51. AuthLine = "250-AUTH" SP "METHODS=" AuthMethod *(",")AuthMethod
  52. *(SP "COOKIEFILE=" AuthCookieFile) CRLF
  53. VersionLine = "250-VERSION" SP "Tor=" TorVersion [SP Arguments] CRLF
  54. AuthMethod =
  55. "NULL" / ; No authentication is required
  56. "HASHEDPASSWORD" / ; A controller must supply the original password
  57. "COOKIE" / ; A controller must supply the contents of a cookie
  58. AuthCookieFile = QuotedString
  59. TorVersion = QuotedString
  60. OtherLine = "250-" Keyword [SP Arguments] CRLF
  61. For example:
  62. C: PROTOCOLINFO CRLF
  63. S: "250+PROTOCOLINFO 1" CRLF
  64. S: "250-AUTH Methods=HASHEDPASSWORD,COOKIE COOKIEFILE="/tor/cookie"" CRLF
  65. S: "250-VERSION Tor=0.2.0.5-alpha" CRLF
  66. S: "250 OK" CRLF
  67. Tor MAY give its InfoLines in any order; controllers MUST ignore InfoLines
  68. with keywords it does not recognize. Controllers MUST ignore extraneous
  69. data on any InfoLine.
  70. PIVERSION is there in case we drastically change the syntax one day. For
  71. now it should always be "1", for the controller protocol. Controllers MAY
  72. provide a list of the protocol versions they support; Tor MAY select a
  73. version that the controller does not support.
  74. Right now only two "topics" (AUTH and VERSION) are included, but more
  75. may be included in the future. Controllers must accept lines with
  76. unexpected topics.
  77. AuthCookieFile = QuotedString
  78. AuthMethod is used to specify one or more control authentication
  79. methods that Tor currently accepts.
  80. AuthCookieFile specifies the absolute path and filename of the
  81. authentication cookie that Tor is expecting and is provided iff
  82. the METHODS field contains the method "COOKIE". Controllers MUST handle
  83. escape sequences inside this string.
  84. The VERSION line contains the Tor version.
  85. [What else might we want to include that could be useful? -RD]
  86. Compatibility:
  87. Tor 0.1.2.16 and 0.2.0.4-alpha hang up after the first failed
  88. command. Earlier Tors don't know about this command but don't hang
  89. up. That means controllers will need a mechanism for distinguishing
  90. whether they're talking to a Tor that speaks PROTOCOLINFO or not.
  91. I suggest that the controllers attempt a PROTOCOLINFO. Then:
  92. - If it works, great. Authenticate as required.
  93. - If they get hung up on, reconnect and do a NULL AUTHENTICATE.
  94. - If it's unrecognized but they're not hung up on, do a NULL
  95. AUTHENTICATE.
  96. Unsolved problems:
  97. If Torbutton wants to be a Tor controller one day... talking TCP is
  98. bad enough, but reading from the filesystem is even harder. Is there
  99. a way to let simple programs work with the controller port without
  100. needing all the auth infrastructure?
  101. Once we put this approach in place, the next vulnerability we see will
  102. involve an attacker somehow getting read access to the victim's files
  103. --- and then we're back where we started. This means we still need
  104. to think about how to demand password-based authentication without
  105. bothering the user about it.