[tor-relays] ControlPort Authentication Options

Ralph Seichter m16+tor at monksofcool.net
Sat Sep 2 23:17:14 UTC 2017


On 02.09.17 23:39, nusenu wrote:

> The ControlPort supports none, password-based and cookie-based
> authentication, Damian was suggesting the cookie option:
>
> https://www.torproject.org/docs/tor-manual.html.en#CookieAuthentication
> https://www.torproject.org/docs/tor-manual.html.en#ControlPort

Ah, I misunderstood, thanks for clarifying. I have made my SSH-user
member of the Tor-user's group, added

  CookieAuthentication 1
  CookieAuthFile /var/lib/tor/cookie_auth
  CookieAuthFileGroupReadable 1

to torrc, and now I can indeed run Nyx without typing a controller
password. However, the following notices are displayed in Nyx:

  [NYX_NOTICE] We were unable to use any of your system's resolvers to
  get tor's connections.This is fine, but means that the connections
  page will be empty. This is usually permissions related so if you
  would like to fix this then run nyx with the same user as tor (ie,
  "sudo -u <tor user> nyx").
  [NYX_NOTICE] Unable to query connections with netstat, trying lsof
  [NYX_NOTICE] Unable to query connections with proc, trying netstat

Not being able to see the connections is a bit of a disadvantage. More
importantly: The first notice directly contradicts the advice not to use
"sudo -u tor" to run Arm or Nyx. Make up your mind, you guys. :-D

I also tried using a control socket instead of a control port, alas, the
parameter RelaxDirModeCheck is rejected by Tor 0.3.0.10:

  [warn] Failed to parse/validate config: Unknown option
  'RelaxDirModeCheck'. Failing.
  [err] Reading config failed--see warnings above.

It is documented in https://www.torproject.org/docs/tor-manual.html.en
and without RelaxDirModeCheck, Tor does not start unless the directory
containing the control socket is accessible only by the Tor user, so no
access for anybody else, meaning once more that Arm/Nyx needs to be run
as the Tor user... Deep breaths. ;-)

-Ralph
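
An added example (not part of the original message, and not Tor or Nyx code): a Python check that a cookie file's size and permissions match the three torrc options quoted in the message. The function names and the temporary stand-in cookie file are constructed for illustration.

```python
import os
import stat
import tempfile

def parse_torrc(text):
    """Return {lowercased option: value}; tor option names are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_cookie(torrc_text):
    """Compare the cookie file on disk with the torrc cookie options."""
    opts = parse_torrc(torrc_text)
    if opts.get("cookieauthentication") != "1":
        return ["CookieAuthentication is not enabled"]
    path = opts.get("cookieauthfile")
    if not path:
        return ["CookieAuthFile not set; tor uses its default location"]
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_size != 32:  # the control cookie is 32 random bytes
        findings.append("cookie is not 32 bytes")
    if mode & 0o007:  # any access for "other" lets every local user authenticate
        findings.append("cookie is accessible to all local users")
    if mode & 0o022:
        findings.append("cookie is writable by group or others")
    group_ok = opts.get("cookieauthfilegroupreadable") == "1"
    if bool(mode & 0o040) != group_ok:
        findings.append("group-read bit does not match CookieAuthFileGroupReadable")
    return findings

def demo():
    # Constructed sample: a stand-in cookie in a temp dir, not a real tor cookie.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cookie_auth")
        with open(path, "wb") as fh:
            fh.write(bytes(range(32)))
        torrc = (f"CookieAuthentication 1\nCookieAuthFile {path}\n"
                 "CookieAuthFileGroupReadable 1\n")
        os.chmod(path, 0o640)   # owner rw, group r: what the options ask for
        good = audit_cookie(torrc)
        os.chmod(path, 0o644)   # world-readable: any local user can read it
        bad = audit_cookie(torrc)
        return good, bad
```

With group-readable cookies, every member of the Tor user's group can authenticate to the ControlPort, so group membership is the access-control boundary to review.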

