Onion Services Authentication

Script needed basez to work. It did what it was supposed to, but I find the whole process of what to do next with the generated pub/priv key pair very confusing. The wiki and script differ in naming and terminology of the same thing and I’m not understanding it.

Problem: tor can’t restart with the changes in torrc.d and no onionv3 is ever created. I think the instructions for generating a plain v3 onion are broken. journalctl logs are useless here.

1 Like

EDIT:

plain v3 works. There is no need to make an authorized client folder as there is one in hidden_service

1 Like

I’m just not seeing the use case to justify all the complexity when one can just generate unique onions and hand them out to different parties and delete the ones no longer permitted to access?

1 Like

Maybe it’s based on incorrect assumptions? Maybe finding an onion through trying to connect randomly to them is conceivable? Chances are? I am speculating under the assumption that Tor Project wouldn’t have gone through the complexity of implementing this if there is no gain. Maybe we can find a rationale for this feature or maybe ask upstream?

1 Like

Asked:

https://lists.torproject.org/pipermail/tor-dev/2019-December/014105.html

1 Like

https://lists.torproject.org/pipermail/tor-dev/2019-December/014106.html

Reply summary:

  • Guessing it is as likely as guessing the correct key that has 2^256 entropy.

  • The only advantage I’m seeing is that it has less resource load than the multi onion approach, but then again if you have an authenticated access scenario, how many parties do you hope to manage before it becomes out of hand? The security argument is moot when malware can just steal the auth cookie. Also you can take v3 service keys offline for extra security. Another argument for authenticated access is it makes webserver configuration more manageable than in the multi onion scenario.

https://lists.torproject.org/pipermail/tor-dev/2019-December/014107.html

  • Another suggestion is to use it to protect a publicly accessible bookmark that you refer to, but I would archive the info all offline because it gives more peace of mind.

Thoughts on this?

1 Like

Current wiki instructions are broken. Tor can’t reload:

Main PID: 784 (tor)
Tasks: 1 (limit: 540)
Memory: 19.6M
CGroup: /system.slice/system-tor.slice/tor@default.service
└─784 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defau…

Dec 13 15:47:47 host Tor[784]: Read configuration file "/etc/tor/torrc".
Dec 13 15:47:47 host Tor[784]: Included configuration file or directory at…onf".
Dec 13 15:47:47 host Tor[784]: Included configuration file or directory at…onf".
Dec 13 15:47:47 host Tor[784]: Included configuration file or directory at…onf".
Dec 13 15:47:47 host Tor[784]: You configured a non-loopback address '10.1…nted.
Dec 13 15:47:47 host Tor[784]: You configured a non-loopback address '10.1…nted.
Dec 13 15:47:47 host Tor[784]: Permissions on directory /var/lib/tor/hidde…sive.
Dec 13 15:47:47 host Tor[784]: Failed to parse/validate config: Failed to …ails.
Dec 13 15:47:47 host Tor[784]: Reading config failed--see warnings above. …y -h.
Dec 13 15:47:47 host Tor[784]: Restart failed (config error?). Exiting.

These lines are truncated.

sudo systemctl --no-pager status tor@default
sudo journalctl --no-pager -u tor@default

Tor Documentation for Whonix Users

anon-verify

Need to read the full error message. Forgot this step?

Fix owner permissions.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor/hidden_service

1 Like

No, but I’ll take another crack and report logs properly.

1 Like

This important setting was missing from the documentation:

ClientOnionAuthDir /var/lib/tor/hidden_service/authorized_clients/

Error still there but it’s a permissions thing:

Dec 17 :12 host systemd[1]: Reloading Anonymizing overlay network for TCP.
Dec 17 :12 host systemd[1]: Reloaded Anonymizing overlay network for TCP.
Dec 17 :12 host Tor[1093]: Received reload signal (hup). Reloading config and resetting internal state.
Dec 17 :12 host Tor[1093]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Dec 17 :12 host Tor[1093]: Read configuration file "/etc/tor/torrc".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/50_user.conf".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 1: "/etc/torrc.d/95_whonix.conf".
Dec 17 :12 host Tor[1093]: You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :12 host Tor[1093]: You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :12 host Tor[1093]: Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :12 host Tor[1093]: Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :12 host Tor[1093]: Reading config failed--see warnings above. For usage, try -h.
Dec 17 :12 host Tor[1093]: Restart failed (config error?). Exiting.
Dec 17 :13 host systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
user@host:~$

user@host:~$ anon-verify
/===================================================================\
|                      Report Summary                               |
\===================================================================/
Your Tor config files contain at least one error.
Tor verify exit code: 1
/===================================================================\
|                    Tor Concise Report                             |
\===================================================================/
Below warns and errors must be fixed before you can use Tor:
Dec 17 :40.099 [warn] Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :40.099 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :40.099 [err] Reading config failed--see warnings above.
/===================================================================\
|                      Tor Full Report                              |
\===================================================================/
Dec 17 :40.085 [notice] Tor 0.4.1.6 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Dec 17 :40.085 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 17 :40.086 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Dec 17 :40.086 [notice] Read configuration file "/etc/tor/torrc".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/50_user.conf".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 1: "/etc/torrc.d/95_whonix.conf".
Dec 17 :40.098 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :40.098 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :40.099 [warn] Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :40.099 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :40.099 [err] Reading config failed--see warnings above.
/===================================================================\
|                 Used Tor Configuration Files                      |
\===================================================================/
5 files are used as Tor configuration files: 
/usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc /etc/torrc.d/95_whonix.conf /usr/local/etc/torrc.d/40_tor_control_panel.conf /usr/local/etc/torrc.d/50_user.conf
=====================================================================
user@host:~$

1 Like

Try these two commands. One.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor

Two.

sudo chmod --recursive o-rwx /var/lib/tor

Otherwise please show

ls -la /var/lib/tor
ls -la /var/lib/tor/hidden_service/

It is here: Onion Services - Whonix

1 Like

No dice with either or both of the permission change commands.

Output:

ls: cannot open directory '/var/lib/tor': Permission denied
user@host:~$ ls -la /var/lib/tor/hidden_service/
ls: cannot access '/var/lib/tor/hidden_service/': Permission denied

1 Like

ls failing as user is actually expected. Upstream default. Needs to run with sudo.
sudo ls …

1 Like

Also try:

sudo chmod --recursive g-rwx /var/lib/tor

That removes read/write/execute permissions for group members (of debian-tor) too. I don’t know which files in /var/lib/tor - if any - might require read/write access by group debian-tor members. Maybe none.

1 Like
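The two repair commands above and the earlier chown can be turned into a repeatable check. This is an added example, not code from the Whonix wiki or from Tor: it lists every entry under the service directory that is not owned by the Tor user or that has any group/other permission bit set, which is the condition behind Tor's "too permissive" warning (Tor itself only inspects the directory given to HiddenServiceDir; checking the whole tree is stricter). It assumes a Linux host with GNU or BusyBox find; `check_hs_dir`, `fix_hs_dir` and the default path and owner are chosen here.

```shell
#!/bin/sh
# Added diagnostic for the "Permissions on directory ... are too permissive"
# error discussed in this thread. Not part of Tor or Whonix.

# Usage: check_hs_dir [DIR] [OWNER]
# Prints each offending path with its reason. Returns 0 only when the tree is
# clean, 1 when something must be fixed, 2 when DIR does not exist.
check_hs_dir() {
    dir=${1:-/var/lib/tor/hidden_service}   # path used in the thread
    owner=${2:-debian-tor}                  # Tor's user on Debian/Whonix

    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi

    # 1. Ownership: every entry must belong to the Tor user. A root-owned
    #    hidden_service (as in the ls output above) fails here.
    bad_owner=$(find "$dir" ! -user "$owner")

    # 2. Mode: no group or other bits at all. "-perm /077" matches when ANY
    #    of the g/o rwx bits is set, so drwx--S--- passes (setgid is outside
    #    the mask) while drwx--Sr-x is reported.
    bad_mode=$(find "$dir" -perm /077)

    if [ -n "$bad_owner" ]; then
        printf 'wrong owner (expected %s):\n%s\n' "$owner" "$bad_owner"
    fi
    if [ -n "$bad_mode" ]; then
        printf 'too permissive (group/other bits set):\n%s\n' "$bad_mode"
    fi

    [ -z "$bad_owner" ] && [ -z "$bad_mode" ]
}

# Repair: the thread's chown + chmod, scoped to one directory tree.
# Needs root when the target is the real /var/lib/tor/hidden_service.
fix_hs_dir() {
    dir=${1:-/var/lib/tor/hidden_service}
    owner=${2:-debian-tor}
    chown -R "$owner:$owner" "$dir" && chmod -R go-rwx "$dir"
}
```

Run `sudo sh -c '. ./hs_check.sh; check_hs_dir'` after every reload failure; an empty report with exit status 0 means the rendezvous-options error has to come from something other than ownership or mode.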

user@host:~$ sudo ls -la /var/lib/tor
total 5964
drwx--S---  4 debian-tor debian-tor    4096 Dec 19  .
drwxr-xr-x 35 root       root          4096 Dec  7  ..
-rw-------  1 debian-tor debian-tor   20442 Dec  7 cached-certs
-rw-------  1 debian-tor debian-tor 2053723 Dec 19 cached-microdesc-consensus
-rw-------  1 debian-tor debian-tor 3999110 Dec 19 cached-microdescs
-rw-------  1 debian-tor debian-tor       0 Dec 19 cached-microdescs.new
drwx--Sr-x  3 root       debian-tor    4096 Dec 19 hidden_service
drwx--S---  2 debian-tor debian-tor    4096 Dec  7 keys
-rw-------  1 debian-tor debian-tor       0 Dec 19 lock
-rw-------  1 debian-tor debian-tor    9681 Dec 19 state
user@host:~$ sudo ls -la /var/lib/tor/hidden_service/
total 12
drwx--Sr-x 3 root       debian-tor 4096 Dec 19 .
drwx--S--- 4 debian-tor debian-tor 4096 Dec 19 ..
drwx--Sr-x 2 root       debian-tor 4096 Dec 19 authorized_clients
user@host:~$

1 Like

Still fails to reload

1 Like

Why is it still owned by root?

Did you run

sudo chown --recursive debian-tor:debian-tor /var/lib/tor

?

I just tried it again now and it’s not going anywhere.

Checked the dir list and everything is debian-tor:debian-tor. So while something may have been overlooked last time, it isn’t the reason now.

1 Like