Opened 6 years ago

Closed 5 years ago

#12555 closed defect (not a bug)

Socks5 password authentication not working

Reported by: starlight
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.4.22
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

configured relay with

Socks5ProxyUsername user
Socks5ProxyPassword pass

added to FF 'prefs.js'

user_pref("network.proxy.socks_username", "user");
user_pref("network.proxy.socks_password", "pass");

not working as far as I can tell

Wireshark of connection shows

Socks Protocol

Version: 5
Client Authentication Methods
Authentication Method Count: 1
Method[0]: 0 (No authentication)

so relay is not enforcing authentication
and I don't see any options for requiring
that it do so

Change History (4)

comment:1 Changed 6 years ago by yawning

Those options do not do what you think they do, they are for the case where tor needs to use an external proxy to reach the internet, not for the SOCKS proxy provided by tor.

           If defined, authenticate to the SOCKS 5 server using username and
           password in accordance to RFC 1929. Both username and password must
           be between 1 and 255 characters.

And you are right, there is no support for enforcing authentication for the SOCKS port, though SocksPolicy can provide limited access control. Actually supporting auth would break IsolateSocksAuth and the underlying code needs a lot of love in general so this is non-trivial to implement.

A separate bug as an enhancement for some future version of tor should be filed since the options in question are working as intended.
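
Added example, not part of the ticket and not Tor's code: a decoder for the SOCKS5 client greeting defined in RFC 1928, run over bytes constructed from the Wireshark dissection in the description (version 5, one method, method 0). `select_method` is a hypothetical server policy showing what an enforcing server would answer to that greeting; the second sample greeting is also constructed.

```python
# SOCKS5 method negotiation, RFC 1928 section 3 (added example).
# select_method() is a hypothetical policy, not Tor's behaviour.

METHOD_NAMES = {
    0x00: "No authentication",
    0x01: "GSSAPI",
    0x02: "Username/password (RFC 1929)",
    0xFF: "No acceptable methods",
}

def parse_greeting(data):
    """Return the method codes a client offers in its greeting."""
    if len(data) < 2:
        raise ValueError("truncated greeting: need VER and NMETHODS")
    ver, nmethods = data[0], data[1]
    if ver != 5:
        raise ValueError("not SOCKS5: version byte %d" % ver)
    if nmethods == 0:
        raise ValueError("NMETHODS must be 1..255")
    methods = data[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("method list shorter than NMETHODS")
    return list(methods)

def select_method(offered, require_auth):
    """Pick the METHOD byte a server sends back in its reply."""
    if require_auth:
        # 0xFF tells the client nothing it offered is acceptable.
        return 0x02 if 0x02 in offered else 0xFF
    if 0x00 in offered:
        return 0x00
    return 0x02 if 0x02 in offered else 0xFF

def report(data, require_auth):
    """Return (offered method names, selected method name)."""
    offered = parse_greeting(data)
    chosen = select_method(offered, require_auth)
    name = lambda m: METHOD_NAMES.get(m, "0x%02x" % m)
    return [name(m) for m in offered], name(chosen)

# Constructed from the dissection above: VER=5, NMETHODS=1, method 0.
CAPTURED = bytes([0x05, 0x01, 0x00])
# Constructed: a client that also offers username/password.
WITH_USERPASS = bytes([0x05, 0x02, 0x00, 0x02])

if __name__ == "__main__":
    for label, pkt in (("captured", CAPTURED), ("with user/pass", WITH_USERPASS)):
        for enforce in (False, True):
            print(label, "require_auth=%s" % enforce, report(pkt, enforce))
```

The captured greeting offers only method 0, so a server that required authentication would answer with 0xFF and the client would have to close the connection.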

comment:2 Changed 6 years ago by nickm

Milestone: Tor: unspecified
Status: new → needs_information

Has Yawning diagnosed this correctly? Were you expecting that Socks5Proxy{Username,Password} would make Tor demand a username and password?

If so, it would also help if you could point to the documentation that made you think these options would do that.

comment:3 Changed 5 years ago by starlight

I looked again and my idea seems correct, per

https://bugzilla.mozilla.org/show_bug.cgi?id=122752

the config variables set the SOCKS5 user/pass
which is, I believe, the same proxy pathway
used by FF to connect to the Tor relay daemon.
I recall using Wireshark to observe it functioning
though I can't muster enough enthusiasm to
re-check it now.

But I don't see it as a big deal especially
if it's much work to implement. Using a
torrc "SocksPolicy accept" line here to limit
access to just the systems that need access
and using an alias network to keep the
Tor client VMs somewhat isolated from
other systems.

If one is running a separate Tor relay
and client and is seriously concerned about
local network security, one should configure
IPSEC authentication and encryption for
the SOCKS connection.

Sorry slow on the reply--forgot to put an
email address in my account profile. This
issue can be closed.

comment:4 Changed 5 years ago by yawning

Resolution: not a bug
Status: needs_information → closed

No worries, closing. In the future, if you want Tor to require auth on the SOCKS port, file an enhancement bug (though that will definitely need to wait till after a refactor of that code happens).
