Control Port Filter Proxy Python (cpfpy) / anon-ws-disable-stacked-tor

Patrick · May 24, 2015, 4:27am

Yes, these were not merged. Somehow slipped through. Now all merged. Should work now?

Patrick · May 24, 2015, 1:13pm

[code]
W: control-port-filter-python: systemd-service-file-refers-to-obsolete-target lib/systemd/system/control-port-filter-python.service syslog.target
N: 
N:    The systemd service file refers to an obsolete target.
N:    
N:    Some targets are obsolete by now, e.g. syslog.target or dbus.target. For
N:    example, declaring After=syslog.target is unnecessary by now because
N:    syslog is socket-activated and will therefore be started when needed.
N:    
N:    Severity: normal, Certainty: certain
N:    
N:    Check: systemd, Type: binary
N:[/code]

W: control-port-filter-python: systemd-service-file-refers-to-obsolete-target lib/systemd/system/control-port-filter-python.service syslog.target N: N: The systemd service file refers to an obsolete target. N: N: Some targets are obsolete by now, e.g. syslog.target or dbus.target. For N: example, declaring After=syslog.target is unnecessary by now because N: syslog is socket-activated and will therefore be started when needed. N: N: Severity: normal, Certainty: certain N: N: Check: systemd, Type: binary N:

Patrick · May 24, 2015, 1:16pm

systemd unit: removed ‘syslog.target’ from ‘After=’ to fix lintian warning ‘W: control-port-filter-python: systemd-service-file-refers-to-obsolete-target lib/systemd/system/control-port-filter-python.service syslog.target’ - Whonix Forum
https://github.com/Whonix/control-port-filter-python/commit/7c393884622c719bd482dd7cf8447b067a7003c8

Patrick · May 24, 2015, 3:30pm

StandardOutput=syslog StandardError=syslog
Wondering, do we have any reason for using that?

troubadour · May 24, 2015, 4:50pm

Pushed your commits to troubadoour.

Wondering, do we have any reason for using that?

No special reason, it was taken from a generic unit file. It does not seem to write anything to syslog.

Patrick · May 28, 2015, 5:06pm

systemd unit: removed ‘StandardOutput=syslog’ and ‘StandardError=syslog’ as per Whonix Forum
https://github.com/Whonix/control-port-filter-python/commit/838061e72547b308adee51182350135c830fc2c5

troubadour · May 29, 2015, 8:53pm

Merged.

Removed argument parsing (start / stop / restart) in cpfpd, as it’s managed by systemd.
remove argument parsing, done in daemon/systemd · troubadoour/control-port-filter-python@3c1f475 · GitHub

Patrick · May 29, 2015, 9:37pm

Merged.

Patrick · August 19, 2015, 11:54pm

workaround for ‘dh_installinit should run systemd-tmpfiles if a /usr/lib/tmpfiles.d/ snippet gets shipped for systemd-only packages also’ - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795519

https://github.com/Whonix/control-port-filter-python/commit/20390f32e6d9a9271580500caa57a69f66df94a8

(Similar to this change: Whonix Forum)

troubadour · August 20, 2015, 6:38pm

Merged.

troubadour · December 29, 2015, 5:57pm

Patrick · January 3, 2016, 3:23pm

Tested. Works fine. Merged. And closed the ticket.
( ⚓ T445 CONTROL_PORT_FILTER_WHITELIST wildcard feature )

Added some minor commits on top. Please review and merge.

Patrick · January 3, 2016, 3:26pm

Added the following to the config.

CONTROL_PORT_FILTER_ALLOW_WILDCARDS=true

CONTROL_PORT_FILTER_WHITELIST=protocolinfo 1
CONTROL_PORT_FILTER_WHITELIST=authchallenge *

Then run the following on a Qubes-Whonix-Gateway.

tor-prompt -i 10.137.3.1:9052

Did not work.

Unable to authenticate: All lines should end with CRLF

Could this be a more general error? Should we end lines with CRLF?

(What I really was doing was trying multi lined commands in context of research control port filter proxy whiltelist wildcard security implications.)

Patrick · September 14, 2016, 7:33pm

End lines with CRLF now.

https://github.com/Whonix/control-port-filter-python/commit/7fe75ffab2a5a6ce0716abbe6c496ca15dbc6cda

Patrick · September 14, 2016, 8:01pm

Since GitHub - Whonix/anon-ws-disable-stacked-tor functionality interacts with https://github.com/Whonix/control-port-filter-python, I am also discussing anon-ws-disable-stacked-tor here.

( Dev/anon-ws-disable-stacked-tor - Whonix also needs an update. )

Patrick · September 14, 2016, 8:03pm

Also help wanted with Control Port Filter Proxy Python (cpfpy)! See:

https://forums.whonix.org/t/contributors-needed-python-help

Patrick · September 14, 2016, 8:32pm

(Tor control protocol)

The default anon-ws-disable-stacked-tor config file should explain most of what anon-ws-disable-stacked-tor does.

anon-ws-disable-stacked-tor/30_anon-dist.conf at master · Whonix/anon-ws-disable-stacked-tor · GitHub

Now it is almost possible for python-stem based applications to do Tor Control Auth Cookie authentication. One small piece for this is still missing.

We would have to whitelist protocolinfo 1 by default also. It would answer (and relay back to the workstation):

250-PROTOCOLINFO 1
250-AUTH METHODS=COOKIE,SAFECOOKIE COOKIEFILE="/var/run/tor/control.authcookie"
250-VERSION Tor="0.2.8.7"
250 OK

Does that look alright? Should we whitelist protoclinfo? Or does anything speak against this? If so, we could implement a hardcoded, fake answer, another “lie”.

HulaHoop · September 15, 2016, 2:17pm

Using https://github.com/subgraph/roflcoptor/blob/master/session.go as a reference - its ok to whitelist protocolinfo however their filter lies about the supported authentication types.

Patrick · September 16, 2016, 2:58pm

Done.

https://github.com/Whonix/control-port-filter-python/commit/74c913fe730e4247b59eca4a1c82a0546441c216

Patrick · September 16, 2016, 5:32pm

https://github.com/Whonix/control-port-filter-python/commit/703e7c97a8e7e43e3a057c0f923e4cf394f753cf