Opened 3 years ago

Closed 3 years ago

Last modified 13 months ago

#16917 closed enhancement (fixed)

Support torified torsocks ssh -D socks proxy ports (for wingnuts)

Reported by: mikeperry
Owned by: cypherpunks
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability-stoppoint-wingnuts, TorBrowserTeam201603R
Cc: mcs, isis, whonix-devel@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When Tor is blocked by a website, wingnuts sometimes resort to using ssh -D proxies in combination with torsocks (so that the connection to the ssh server goes over Tor, and then when you connect to the SSH proxy port on localhost, it gets routed through Tor and then it uses your SSH server as your exit IP).

Unfortunately, in TBB 4.5 we added socks username+password isolation to Torbutton, and there is no way to disable this easily. For example, see this sad panda: https://superuser.com/questions/941136/how-can-i-bypass-proxy-using-tunneling (though that guy is still doing it wrong. ssh -D is way more flexible, if TBB 4.5+ supported it).

The following Torbutton patch works to completely disable the use of SOCKS auth in TBB (which also disables circuit isolation):

--- a/src/components/domain-isolator.js
+++ b/src/components/domain-isolator.js
@@ -71,8 +71,8 @@ tor.socksProxyCredentials = function (originalProxy, domain) {
   return mozilla.protocolProxyService
            .newSOCKSProxyInfo(proxy.host,
                               proxy.port,
-                              domain, // username
-                              tor.noncesForDomains[domain].toString(), // password
+                              null, //domain, // username
+                              null, //tor.noncesForDomains[domain].toString(), // password
                               proxy.flags,
                               proxy.failoverTimeout,
                               proxy.failoverProxy);
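
Review bot: The two null arguments in the newSOCKSProxyInfo call drop the SOCKS username and password for every request unconditionally, so per-domain circuit isolation is lost for all users of the build and not only for those pointing the browser at an ssh -D port. Suggest gating this on a boolean pref that defaults to false, and keeping domain and tor.noncesForDomains[domain].toString() as the arguments on the default path.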

You also need to set the following about:config prefs to false: extensions.torbutton.local_tor_check and extensions.torbutton.test_enabled.

You also need to start TBB with TOR_SOCKS_PORT=4444, or whatever your ssh -D SOCKS port is.

Finally, you need to set 'AllowInbound 1' in /etc/tor/torsocks.conf (or wherever torsocks.conf lives).

If some random cypherpunk(s) want to turn that Torbutton patch into a Torbutton pref and either script the rest of this or document this process better, I would merge the patch and add a link to the script to the TBB Hacking Guide. We should also put the answer on a few stackoverflow questions like the one I linked. There probably are more.

The following Hacking Guide sections may be useful in this process:
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#BuildingJustTorLauncherOrTorbutton
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsinganExistingTorProcess


Change History (14)

comment:1 Changed 3 years ago by mcs

Cc: mcs added

comment:2 Changed 3 years ago by cypherpunks

I used to do this before it broke. I guess I'm a wingnut. Presently I just use another firefox instance in private browsing mode for my ssh-socks-over-tor browsing.

If anyone is updating the Hacking guide, know this: Instead of running ssh under torsocks and needing to set AllowInbound 1, this wingnut recommends putting something like this in your .ssh/config:

Host foo
User yourname
HostName foo.example.com
DynamicForward 4444
ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050

Then you can just ssh foo with no arguments and have your ssh-over-tor socks port listening.

Note that the sad panda on superuser.com is actually just hitting the torsocks problem, and not the more difficult problem of Tor Browser's non-optional socks auth stuff. If they knew about AllowInbound 1 their next problem would be that facebook probably doesn't like being served from a URL that contains a port number (I'm assuming they planned to make facebook.com resolve to localhost). Anyway that person is all kinds of confused, they should obviously just be using facebookcorewwwi.onion.

I agree it would be nice if someone added a torbutton pref to disable stream isolation.

comment:3 Changed 3 years ago by isis

Severity: Normal

As one of the aforementioned wingnuts, I also do this from time to time to access things that I absolutely need to access which block tor. The following patch to Torbutton will make Tor Browser work for this purpose again:

From d47796696555f34a5dba358ce47cbef9ec572097 Mon Sep 17 00:00:00 2001
From: Isis Lovecruft <isis@torproject.org>
Date: Fri, 28 Aug 2015 03:36:17 +0000
Subject: [PATCH] Disable SocksAuth so that SSH tunnels work again.

---
 src/components/domain-isolator.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/components/domain-isolator.js b/src/components/domain-isolator.js
index 93c7f65..26476ba 100644
--- a/src/components/domain-isolator.js
+++ b/src/components/domain-isolator.js
@@ -71,8 +71,8 @@ tor.socksProxyCredentials = function (originalProxy, domain) {
   return mozilla.protocolProxyService
            .newSOCKSProxyInfo(proxy.host,
                               proxy.port,
-                              domain, // username
-                              tor.noncesForDomains[domain].toString(), // password
+                              null, //domain, // username
+                              null, //tor.noncesForDomains[domain].toString(), // password
                               proxy.flags,
                               proxy.failoverTimeout,
                               proxy.failoverProxy);
-- 
2.1.4
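
Review bot: The replaced arguments are left behind as commented-out code (null, //domain, // username and the matching password line), and after this change the domain parameter of tor.socksProxyCredentials no longer appears in the visible call. Suggest deleting the dead fragments instead of commenting them out, and adding a commit-message body saying that passing null for both username and password removes per-domain isolation, since the subject line only mentions SSH tunnels.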

It's in my fix/disable-socks-auth_r1 branch, and it should be applied to master. Afterwards, running makexpi.sh and then installing the produced .xpi addon in pkg/ in a separate Tor Browser will enable that browser to work again through an SSH tunnel.

However, I do not think this patch is suitable for merging. Obviously, there should be some preference to enable us "wingnuts" to enable a feature that could prove dangerous and/or confusing for sane people. Any recommendations as to the best way to proceed are entirely welcome.

comment:4 Changed 3 years ago by isis

Cc: isis added

comment:5 Changed 3 years ago by isis

Status: new → needs_review

comment:6 Changed 3 years ago by isis

FWIW, I kind of think that this shouldn't be mentioned in the UI because any wingnut who wants to use this and understands what it does should be more than capable of editing about:config manually. Further, I think that adding it to the UI would be yet more clutter and yet another confusing/dangerous option for sane users.

That aside, how does naming it extensions.torbutton.disable_socks_auth sound? And adding a note on it to the HACKING doc (or somewhere else more appropriate, if there is such a place)?

comment:7 in reply to:  6 Changed 3 years ago by gk

Replying to isis:

FWIW, I kind of think that this shouldn't be mentioned in the UI because any wingnut who wants to use this and understands what it does should be more than capable of editing about:config manually. Further, I think that adding it to the UI would be yet more clutter and yet another confusing/dangerous option for sane users.

That aside, how does naming it extensions.torbutton.disable_socks_auth sound? And adding a note on it to the HACKING doc (or somewhere else more appropriate, if there is such a place)?

Sounds good to me. Having an env variable in the Linux start script might be useful, too.

comment:8 Changed 3 years ago by gk

Status: needs_review → needs_revision

Oh, the needs_revision is for the missing things (like pref, etc.); see Mike's description as well.

comment:9 Changed 3 years ago by proper

Cc: whonix-devel@… added

comment:10 Changed 3 years ago by mcs

I resolved #16073 as a duplicate of this ticket.

comment:11 Changed 3 years ago by mikeperry

Cc: TorBrowserTeam201602R added
Status: needs_revision → needs_review

Ok, I have a way better version of this in mikeperry/ticket16917 (commit b0e0dbd219264084173f5a851387d8ef11bd54e1). That patch creates a new hidden pref extensions.torbutton.use_nontor_proxy. If that gets set to true, NoScript ABE is enabled (to block localhost/RFC1918 connections), and SOCKS u+p domain isolation is disabled. It does the reverse when the pref is flipped back. In both cases, it also does a new identity operation.

When this pref is true, an SSH socks -D proxy can be configured in the TBB network settings, and it works.
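
The isolation that the use_nontor_proxy pref described in comment:11 switches off can be modelled in a few lines. This is an added sketch, not Torbutton's code: socksCredentials, newIdentity, isolationBuckets and the counter-based nonces are assumptions made for illustration, and the sample domains are constructed.

```javascript
// Added illustration; every name here is hypothetical, not Torbutton's API.
// Nonces come from a counter so the model is deterministic; for isolation
// they only need to be distinct per domain and to change on new identity.
const noncesForDomains = new Map();
let nextNonce = 0;

// SOCKS username/password attached to a request for first-party `domain`.
// useNonTorProxy models the hidden pref extensions.torbutton.use_nontor_proxy.
function socksCredentials(domain, useNonTorProxy) {
  if (useNonTorProxy) {
    // Isolation disabled: no SOCKS auth is sent, so an ssh -D port accepts it.
    return { username: null, password: null };
  }
  if (!noncesForDomains.has(domain)) {
    nextNonce += 1;
    noncesForDomains.set(domain, String(nextNonce));
  }
  return { username: domain, password: noncesForDomains.get(domain) };
}

// New identity: forget all nonces so every domain gets fresh credentials.
function newIdentity() {
  noncesForDomains.clear();
}

// Model of a proxy that isolates on SOCKS auth: two streams may share a
// circuit only when their username and password are identical.
function isolationBuckets(domains, useNonTorProxy) {
  const buckets = new Map();
  for (const d of domains) {
    const { username, password } = socksCredentials(d, useNonTorProxy);
    const key = JSON.stringify([username, password]);
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(d);
  }
  return [...buckets.values()];
}

// Constructed sample of first-party domains seen in one browsing session.
const SAMPLE = ["example.com", "example.org", "example.com", "example.net"];

console.log("isolated:", isolationBuckets(SAMPLE, false));
console.log("pref set:", isolationBuckets(SAMPLE, true));
```

With the pref unset the four requests fall into three buckets, one per site; with it set they all land in a single bucket, which is why the pref is hidden and paired with a new identity operation.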

comment:12 Changed 3 years ago by gk

Cc: TorBrowserTeam201602R removed
Keywords: TorBrowserTeam201603R added

I wonder who that TorBrowserTeam201602R-guy is... :)

comment:13 Changed 3 years ago by gk

Resolution: fixed
Status: needs_review → closed

Okay, this looks good to me (and is commit 06800f1c9c0a3c2adf850f9ad70e7ee8c3e645d0 now) with one exception:

let nontor_mode = m_tb_prefs.getBoolPref("extensions.torbutton.use_nontor_proxy");

is basically superfluous. I removed it in a fixup commit (8f40dd361efd3704a65ac8647f814f0415399da0). This will make it into 6.0a3.

comment:14 in reply to:  11 Changed 13 months ago by cypherpunks

Replying to mikeperry:

If that gets set to true, NoScript ABE is enabled (to block localhost/RFC1918 connections), and SOCKS u+p domain isolation is disabled.

Enabling ABE in noscript enables the dnt header for some reason. Fingerprinting issue?

Setting noscript.doNotTrack.enabled to false seems to fix it. (which is enabled by default)
