[Software Announcement] FamilyGenerator: Tor MyFamily Generator
Hi tor-relays mailing list, I have created a tool called FamilyGenerator. FamilyGenerator is a tool to automatically construct a Tor MyFamily line based on Onionoo parameters. Why? If you run multiple relays, it can become hard to keep your MyFamily line updated if you add or remove relays. FamilyGenerator makes it easier (and automated if you use cron, or maybe without it in a future version if it ever comes). Does it integrate with Tor directly? As of now, no. If you want to automatically load FamilyGenerator outputs to Tor, you can: 1. Make sure all your relays has something in common in the Nickname or ContactInfo lines 2. Use a shell script to generate the MyFamily line with FamilyGenerator 3. Use a cron job to reload Tor after FamilyGenerator runs 4. Include the output in a Include line in your torrc Hopefully, a future version can avoid cron (that is, if it comes). FamilyGenerator is available on GitHub at: https://github.com/neelchauhan/FamilyGenerator You can install it from PyPI with: pip install FamilyGenerator A FreeBSD port is underway. For Debian users, sorry, but there's no Debian package in the pipeline as I don't use Debian. That's it. Thank You, Neel Chauhan
As a person with 50 relays, I thank you.
On Jul 21, 2018, at 19:29, Neel Chauhan <neel@neelc.org> wrote:
Hi tor-relays mailing list,
I have created a tool called FamilyGenerator. FamilyGenerator is a tool to automatically construct a Tor MyFamily line based on Onionoo parameters.
Why? If you run multiple relays, it can become hard to keep your MyFamily line updated if you add or remove relays. FamilyGenerator makes it easier (and automated if you use cron, or maybe without it in a future version if it ever comes).
Does it integrate with Tor directly? As of now, no. If you want to automatically load FamilyGenerator outputs to Tor, you can:
1. Make sure all your relays has something in common in the Nickname or ContactInfo lines 2. Use a shell script to generate the MyFamily line with FamilyGenerator 3. Use a cron job to reload Tor after FamilyGenerator runs 4. Include the output in a Include line in your torrc
Hopefully, a future version can avoid cron (that is, if it comes).
FamilyGenerator is available on GitHub at:
https://github.com/neelchauhan/FamilyGenerator
You can install it from PyPI with:
pip install FamilyGenerator
A FreeBSD port is underway. For Debian users, sorry, but there's no Debian package in the pipeline as I don't use Debian.
That's it.
Thank You,
Neel Chauhan _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Sat, 21 Jul 2018 20:29:17 -0400 Neel Chauhan <neel@neelc.org> wrote:
Hi tor-relays mailing list,
I have created a tool called FamilyGenerator. FamilyGenerator is a tool to automatically construct a Tor MyFamily line based on Onionoo parameters.
If you blindly trust fingerprints fetched "from the Internet" and insert them into your MyFamily string, then you might as well just use nicknames there. Actually this is what I do, and while it does have the same downside as your tool ("what if someone uses the same nickname"), at least it's much simpler, human-readable in torrc, and not requiring any extra scripts. -- With respect, Roman
Dear operators, please don't generate your torrc MyFamily configurations based on untrusted input. I think it is a *bad* idea to modify tor configurations based on other people's descriptor data *especially* if anyone is going to run this automatically. Please use ground-truth to generate MyFamily sets otherwise we can no longer even trust MyFamily sets. That said if you trust onionoo, you might be able to build onionoo search queries that are NOT vulnerable to random people injecting themselves in your MyFamily set. Examples: - you run your own AS and all servers in that AS are under your control (parameter: as) https://metrics.torproject.org/onionoo.html#parameters_as - all your relays are under your own DNS domain and only you can generate DNS A records for that domain and [1] is implemented (note: these onionoo fields appear currently somewhat broken) Ideally the generator only allows more safe parameter and rejects unsafe parameters like contact
Does this have a disadvantage? Well, yes. If someone creates a relay with the same pattern in ContactInfo and MyFamily as what you put into FamilyGenerator, their relay(s) may get picked up and put in your generated MyFamily line as well.
[1] https://trac.torproject.org/projects/tor/ticket/26898 -- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
Hi, On 22/07/18 10:11, nusenu wrote:
- you run your own AS and all servers in that AS are under your control (parameter: as) https://metrics.torproject.org/onionoo.html#parameters_as
This effectively puts MaxMind in charge of MyFamily.
- all your relays are under your own DNS domain and only you can generate DNS A records for that domain and [1] is implemented (note: these onionoo fields appear currently somewhat broken)
There is no attempt currently to perform any DNSSEC or other validation. The changes don't actually improve trust, just allow you to see data that was previously discarded (when there was no A record). Onionoo is useful for many things, but I don't think this is one of them. Instead, you can use Ansible/Salt/Puppet/whatever to configure MyFamily and there are plenty of ways out there to do this. Thanks, Iain.
- you run your own AS and all servers in that AS are under your control (parameter: as) https://metrics.torproject.org/onionoo.html#parameters_as
This effectively puts MaxMind in charge of MyFamily.
good point and I guess there is only a handful of operators with their own AS anyway
- all your relays are under your own DNS domain and only you can generate DNS A records for that domain and [1] is implemented (note: these onionoo fields appear currently somewhat broken)
There is no attempt currently to perform any DNSSEC or other validation.
I was about to make a ticket for that when I wrote the last mail, since using a DNSSEC validating resolver should not be a whole lot of effort. https://trac.torproject.org/projects/tor/ticket/26901
Onionoo is useful for many things, but I don't think this is one of them. Instead, you can use Ansible/Salt/Puppet/whatever to configure MyFamily and there are plenty of ways out there to do this.
+1 nonetheless I find it positive that Neel now finally has a (proper?) MyFamily config probably because of this non-perfect way of collecting FPs. I still hope no one is using onionoo query results to alter their config *automatically* -- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
nonetheless I find it positive that Neel now finally has a (proper?) MyFamily config probably because of this non-perfect way of collecting FPs.
Well, my relays don't use FamilyGenerator.
I still hope no one is using onionoo query results to alter their config *automatically*
I guess then I realized that generating MyFamily from Onionoo output is not such a good idea after all. I updated my GitHub page for "FamilyGenerator" to reflect these issues and put a link to this thread (so random people don't just use my software). -Neel Chauhan On 2018-07-22 12:01, nusenu wrote:
- you run your own AS and all servers in that AS are under your control (parameter: as) https://metrics.torproject.org/onionoo.html#parameters_as
This effectively puts MaxMind in charge of MyFamily.
good point and I guess there is only a handful of operators with their own AS anyway
- all your relays are under your own DNS domain and only you can generate DNS A records for that domain and [1] is implemented (note: these onionoo fields appear currently somewhat broken)
There is no attempt currently to perform any DNSSEC or other validation.
I was about to make a ticket for that when I wrote the last mail, since using a DNSSEC validating resolver should not be a whole lot of effort.
https://trac.torproject.org/projects/tor/ticket/26901
Onionoo is useful for many things, but I don't think this is one of them. Instead, you can use Ansible/Salt/Puppet/whatever to configure MyFamily and there are plenty of ways out there to do this.
+1
nonetheless I find it positive that Neel now finally has a (proper?) MyFamily config probably because of this non-perfect way of collecting FPs.
I still hope no one is using onionoo query results to alter their config *automatically*
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
participants (5)
-
Iain Learmonth -
John Ricketts -
Neel Chauhan -
nusenu -
Roman Mamedov