| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142 | Filename: 119-controlport-auth.txtTitle: New PROTOCOLINFO command for controllersVersion: $Revision$Last-Modified: $Date$Author: Roger DingledineCreated: 14-Aug-2007Status: ClosedImplemented-In: 0.2.0.xOverview:  Here we describe how to help controllers locate the cookie  authentication file when authenticating to Tor, so we can a) require  authentication by default for Tor controllers and b) still keep  things usable.  Also, we propose an extensible, general-purpose mechanism  for controllers to learn about a Tor instance's protocol and  authentication requirements before authenticating.The Problem:  When we first added the controller protocol, we wanted to make it  easy for people to play with it, so by default we didn't require any  authentication from controller programs. We allowed requests only from  localhost as a stopgap measure for security.  Due to an increasing number of vulnerabilities based on this approach,  it's time to add authentication in default configurations.  We have a number of goals:  - We want the default Vidalia bundles to transparently work. That    means we don't want the users to have to type in or know a password.  - We want to allow multiple controller applications to connect to the    control port. So if Vidalia is launching Tor, it can't just keep the    secrets to itself.  Right now there are three authentication approaches supported  by the control protocol: NULL, CookieAuthentication, and  HashedControlPassword. See Sec 5.1 in control-spec.txt for details.  There are a couple of challenges here. The first is: if the controller  launches Tor, how should we teach Tor what authentication approach  it should require, and the secret that goes along with it? Next is:  how should this work when the controller attaches to an existing Tor,  rather than launching Tor itself?  Cookie authentication seems most amenable to letting multiple controller  applications interact with Tor. But that brings in yet another question:  how does the controller guess where to look for the cookie file,  without first knowing what DataDirectory Tor is using?Design:  We should add a new controller command PROTOCOLINFO that can be sent  as a valid first command (the others being AUTHENTICATE and QUIT). If  PROTOCOLINFO is sent as the first command, the second command must be  either a successful AUTHENTICATE or a QUIT.  If the initial command sequence is not valid, Tor closes the connection.Spec:  C:  "PROTOCOLINFO" *(SP PIVERSION) CRLF  S:  "250+PROTOCOLINFO" SP PIVERSION CRLF *InfoLine "250 OK" CRLF    InfoLine = AuthLine / VersionLine / OtherLine     AuthLine = "250-AUTH" SP "METHODS=" AuthMethod *(",")AuthMethod                       *(SP "COOKIEFILE=" AuthCookieFile) CRLF     VersionLine = "250-VERSION" SP "Tor=" TorVersion [SP Arguments] CRLF     AuthMethod =      "NULL"           / ; No authentication is required      "HASHEDPASSWORD" / ; A controller must supply the original password      "COOKIE"         / ; A controller must supply the contents of a cookie     AuthCookieFile = QuotedString     TorVersion = QuotedString     OtherLine = "250-" Keyword [SP Arguments] CRLF  For example:  C: PROTOCOLINFO CRLF  S: "250+PROTOCOLINFO 1" CRLF  S: "250-AUTH Methods=HASHEDPASSWORD,COOKIE COOKIEFILE="/tor/cookie"" CRLF  S: "250-VERSION Tor=0.2.0.5-alpha" CRLF  S: "250 OK" CRLF  Tor MAY give its InfoLines in any order; controllers MUST ignore InfoLines  with keywords it does not recognize.  Controllers MUST ignore extraneous  data on any InfoLine.  PIVERSION is there in case we drastically change the syntax one day. For  now it should always be "1", for the controller protocol.  Controllers MAY  provide a list of the protocol versions they support; Tor MAY select a  version that the controller does not support.  Right now only two "topics" (AUTH and VERSION) are included, but more  may be included in the future. Controllers must accept lines with  unexpected topics.  AuthCookieFile = QuotedString  AuthMethod is used to specify one or more control authentication  methods that Tor currently accepts.  AuthCookieFile specifies the absolute path and filename of the  authentication cookie that Tor is expecting and is provided iff  the METHODS field contains the method "COOKIE".  Controllers MUST handle  escape sequences inside this string.  The VERSION line contains the Tor version.  [What else might we want to include that could be useful? -RD]Compatibility:  Tor 0.1.2.16 and 0.2.0.4-alpha hang up after the first failed  command. Earlier Tors don't know about this command but don't hang  up. That means controllers will need a mechanism for distinguishing  whether they're talking to a Tor that speaks PROTOCOLINFO or not.  I suggest that the controllers attempt a PROTOCOLINFO. Then:    - If it works, great. Authenticate as required.    - If they get hung up on, reconnect and do a NULL AUTHENTICATE.    - If it's unrecognized but they're not hung up on, do a NULL      AUTHENTICATE.Unsolved problems:  If Torbutton wants to be a Tor controller one day... talking TCP is  bad enough, but reading from the filesystem is even harder. Is there  a way to let simple programs work with the controller port without  needing all the auth infrastructure?  Once we put this approach in place, the next vulnerability we see will  involve an attacker somehow getting read access to the victim's files  --- and then we're back where we started. This means we still need  to think about how to demand password-based authentication without  bothering the user about it.
 |