[tor-talk] Why does tor control port 9051 allow empty authentication?
Damian Johnson
atagar at torproject.org
Fri Aug 18 22:16:44 UTC 2017
Hi Yuri. If you just set a ControlPort in your torrc but not password
or cookie auth then its open. Please see...
https://stem.torproject.org/faq.html#can-i-interact-with-tors-controller-interface-directly
By default tor restricts access to localhost but none the less, having
authentication *or* using ControlSocket instead is advised.
Authentication in addition to a ControlSocket is ok but redundant
since filesystem permissions of a ControlSocket provide the same
safety as using an authentication cookie.
On Fri, Aug 18, 2017 at 12:45 PM, Yuri <yuri at rawbw.com> wrote:
> This confuses me:
>
>
> $ telnet localhost 9051
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> authenticate
> 250 OK
>
>
> Isn't it supposed to require either auth-cookie or hashed password?
>
> Where is authentication policy described?
>
>
> Yuri
>
>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
More information about the tor-talk
mailing list