[or-cvs] r11106: add draft 119-controlport-auth proposal (tor/trunk/doc/spec/proposals)
arma at seul.org
arma at seul.org
Tue Aug 14 17:51:58 UTC 2007
Author: arma
Date: 2007-08-14 13:51:58 -0400 (Tue, 14 Aug 2007)
New Revision: 11106
Added:
tor/trunk/doc/spec/proposals/119-controlport-auth.txt
Log:
add draft 119-controlport-auth proposal
Added: tor/trunk/doc/spec/proposals/119-controlport-auth.txt
===================================================================
--- tor/trunk/doc/spec/proposals/119-controlport-auth.txt (rev 0)
+++ tor/trunk/doc/spec/proposals/119-controlport-auth.txt 2007-08-14 17:51:58 UTC (rev 11106)
@@ -0,0 +1,124 @@
+Filename: 119-protocolinfo-on-controlport.txt
+Title: New PROTOCOLINFO command for controllers
+Version: $Revision$
+Last-Modified: $Date$
+Author: Roger Dingledine
+Created: 14-Aug-2007
+Status: Open
+
+Overview:
+
+ Here we describe how to help controllers locate the cookie
+ authentication file when authenticating to Tor, so we can a) require
+ authentication by default for Tor controllers and b) still keep
+ things usable.
+
+The Problem:
+
+ When we first added the controller protocol, we wanted to make it
+ easy for people to play with it, so by default we didn't require any
+ authentication from controller programs. We allowed requests only from
+ localhost as a stopgap measure for security.
+
+ Due to an increasing number of vulnerabilities based on this approach,
+ it's time to add authentication in default configurations.
+
+ We have a number of goals:
+ - We want the default Vidalia bundles to transparently work. That
+ means we don't want the users to have to type in or know a password.
+ - We want to allow multiple controller applications to connect to the
+ control port. So if Vidalia is launching Tor, it can't just keep the
+ secrets to itself.
+
+ Right now there are three authentication approaches supported
+ by the control protocol: NULL, CookieAuthentication, and
+ HashedControlPassword. See Sec 5.1 in control-spec.txt for details.
+
+ There are a couple of challenges here. The first is: if the controller
+ launches Tor, how should we teach Tor what authentication approach
+ it should require, and the secret that goes along with it? Next is:
+ how should this work when the controller attaches to an existing Tor,
+ rather than launching Tor itself?
+
+ Cookie authentication seems most amenable to letting multiple controller
+ applications interact with Tor. But that brings in yet another question:
+ how does the controller guess where to look for the cookie file,
+ without first knowing what DataDirectory Tor it using?
+
+Design:
+
+ We should add a new controller command PROTOCOLINFO that can be sent
+ as a valid first command (the others being AUTHENTICATE and QUIT). If
+ PROTOCOLINFO is sent as the first command, the second command must be
+ either a successful AUTHENTICATE or a QUIT.
+
+
+
+Spec:
+
+ C: PROTOCOLINFO CRLF
+ S: "250+PROTOCOLINFO" PIVERSION CRLF
+ S: "250-AUTH" SP "METHODS=" AuthMethod *("," AuthMethod)
+ [SP "COOKIEFILE=" AuthCookieFile] CRLF
+ S: "250-VERSION" SP "Tor=" Version [...]
+ S: "250 OK"
+
+ PIVERSION is there in case we drastically change the syntax one day. For
+ now it should always be "1".
+
+ [XXX Is there a better way to do PIVERSION? The above way seems bad,
+ since what do controllers do if they hear a 2 but don't know what to
+ do with it? -RD]
+
+ Right now only two "topics" (AUTH and VERSION) are included, but more
+ may be included in the future. Controllers must accept lines with
+ unexpected topics.
+
+ AuthMethod =
+ "NULL" / ; No authentication is required
+ "HASHEDPASSWORD" / ; A controller must supply the original password
+ "COOKIE" / ; A controller must supply the contents of a cookie
+
+ AuthCookieFile = QuotedString
+
+ AuthMethod is used to specify one or more control authentication
+ methods that Tor currently accepts.
+
+ AuthCookieFile specifies the absolute path and filename of the
+ authentication cookie that Tor is expecting and is provided only if
+ the METHODS field contains the method "COOKIE". This field MUST be
+ enclosed in DQUOTEs, since the absolute path to the cookie file may
+ contain spaces on some platforms.
+
+ The VERSION line contains the Tor version, in DQUOTES. In the future
+ it might also contain Link versions, Circuit versions, or others as
+ described in proposal 105.
+
+ [What else might we want to include that could be useful? -RD]
+
+Compatibility:
+
+ Tor 0.1.2.16 and 0.2.0.4-alpha hang up after the first failed
+ command. Earlier Tors don't know about this command but don't hang
+ up. That means controllers will need a mechanism for distinguishing
+ whether they're talking to a Tor that speaks PROTOCOLINFO or not.
+
+ I suggest that the controllers attempt a PROTOCOLINFO. Then:
+ - If it works, great. Authenticate as required.
+ - If they get hung up on, reconnect and do a NULL AUTHENTICATE.
+ - If it's unrecognized but they're not hung up on, do a NULL
+ AUTHENTICATE.
+
+Unsolved problems:
+
+ If Torbutton wants to be a Tor controller one day... talking TCP is
+ bad enough, but reading from the filesystem is even harder. Is there
+ a way to let simple programs work with the controller port without
+ needing all the auth infrastructure?
+
+ Once we put this approach in place, the next vulnerability we see will
+ involve an attacker somehow getting read access to the victim's files
+ --- and then we're back where we started. This means we still need
+ to think about how to demand password-based authentication without
+ bothering the user about it.
+
Property changes on: tor/trunk/doc/spec/proposals/119-controlport-auth.txt
___________________________________________________________________
Name: svn:keywords
+ Revision Date Id
Name: svn:eol-style
+ native
More information about the tor-commits
mailing list