opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

security/tor: Hidden Service Client Authorization #307

Closed alphazo closed 6 years ago

alphazo commented 7 years ago

I just tried out the new official Tor plugin and found it awesome. I was wondering if there was any plan to add a GUI option for managing client authorization through HiddenServiceAuthorizeClient. Thanks

fichtner commented 7 years ago

Hi @alphazo,

The Tor plugin maintainer @fabianfrz is currently indisposed so I have to get back on this in his place after a bit of research as I don't know a lot about the topic yet. :)

Cheers, Franco

alphazo commented 7 years ago

No problem. Seems to be fairly simple to get the stealth mode working. After adding a hidden service called testme using the GUI I went to the command line and added the following line to /usr/local/etc/tor/torrc:

HiddenServiceAuthorizeClient stealth client1,client2

I then restarted tor via the gui and the information tab now shows:

Hidden Service Name | Hostname
testme | 7xevfoo6aq4fvvp6.onion 1dVQrgk/IGI0WwcQQKb88x # client: client1
       | 6iylcdtlyhisrusn.onion 832wXTfkGaj9SZTug9QPnh # client: client2

The website can no longer be viewed using only its 7xevfoo6aq4fvvp6.onion address. On the client side I now have to add 7xevfoo6aq4fvvp6.onion 1dVQrgk/IGI0WwcQQKb88x in the tor browser's torrc or tor client's torrc in order to view the hidden website.

So a GUI that allows entering multiple client names to be added to /usr/local/etc/tor/torrc would be nice. Improved parsing of /var/db/tor/testme/hostname would be required to properly display the hidden website URL and associated key.

fichtner commented 7 years ago

@alphazo thanks, that helped a lot. So I've added the client authorisation to hidden services... can you try the following patch?

# opnsense-patch -c plugins 6dc272c

If it works as expected we can fix the information GUI page.

There might be an edit bug in there if a hidden service ACL is defined, I will look at it later. As long as there is no ACL assigned to the service the edit seems to work fine.

alphazo commented 7 years ago

@fichtner I have never used opnsense-patch service. Before I play around with it, is there a way to revert back to how it was before the patch?

Thanks

fichtner commented 7 years ago

opnsense-patch pulls the commit via hash from GitHub and installs it. Re-running the command with the same hash will remove the patch again.

you can also reset your tor plugin via:

# opnsense-revert os-tor

which will revert to the latest known version in the online repository

alphazo commented 7 years ago

Thanks for the patch that worked quite nicely. Here are my comments:

fichtner commented 7 years ago

If you remove the ACL (next tab) from the service the editing works as expected instead of "Not Found Error"... it's a bug somewhere in the backend that needs fixing, but it seemed to be there before this was added.

You need to type "," or hit enter to render each client, the input is tokenized :)

alphazo commented 7 years ago

Saw your answer just after editing my comment. As stated, removing the ACL fixes the issue. It also allowed me to enter multiple clients. It's all good!

fichtner commented 7 years ago

Jolly good, thanks for your help and comments. I will address the remaining issues in the next days and ping you again.

fabianfrz commented 6 years ago

@fichtner because you are working on this ticket: don't forget that there is also the other end of the connection which needs HidServAuth to access such a service. HidServAuth is 1:n which means that it needs a custom page.

The directive is (from tor man page)

HidServAuth onion-address auth-cookie [service-name]

so the form will be onion-address as text and auth-cookie as text.
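The two halves of this thread fit together: the server-side hostname file that alphazo showed above (one `onion auth-cookie # client: name` line per client in stealth mode) and the client-side `HidServAuth onion-address auth-cookie [service-name]` directive fabianfrz describes here. The following is an added, stand-alone example and not code from the OPNsense Tor plugin: it parses the hostname file format shown in the thread, validates the v2 onion address (16 base32 characters) and the 22-character base64 cookie, and renders the matching client-side HidServAuth lines. The sample file content is constructed from the lines quoted in the thread; the regular expressions and the helper names are my own assumptions about the format, not the plugin's.

```python
"""Parse a Tor v2 hidden-service hostname file and emit HidServAuth client lines.

Added example (not OPNsense plugin code). Assumes the hostname file layout
shown in the thread:  <onion-address> [<auth-cookie>] [# client: <name>]
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two lines /var/db/tor/testme/hostname showed in the thread.
SAMPLE_HOSTNAME_FILE = """\
7xevfoo6aq4fvvp6.onion 1dVQrgk/IGI0WwcQQKb88x # client: client1
6iylcdtlyhisrusn.onion 832wXTfkGaj9SZTug9QPnh # client: client2
"""

# v2 onion addresses are 16 base32 characters; auth cookies are 16 bytes of
# base64 without padding, i.e. exactly 22 characters.
ONION_V2 = re.compile(r"^[a-z2-7]{16}\.onion$")
AUTH_COOKIE = re.compile(r"^[A-Za-z0-9+/]{22}$")
# address, optional cookie, optional "# client: name" trailer
LINE = re.compile(r"^(\S+\.onion)(?:\s+(\S+))?(?:\s*#\s*client:\s*(\S+))?\s*$")


@dataclass
class HiddenServiceEntry:
    onion: str
    auth_cookie: Optional[str]  # None for a service without client authorization
    client: Optional[str]       # None when tor wrote no "# client:" trailer


def parse_hostname_file(text: str) -> List[HiddenServiceEntry]:
    """Parse the hostname file; raise ValueError on anything that does not
    look like a valid address/cookie so a UI never displays garbage as a key."""
    entries: List[HiddenServiceEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = LINE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unrecognised hostname line: {raw!r}")
        onion, cookie, client = match.groups()
        if not ONION_V2.match(onion):
            raise ValueError(f"line {lineno}: not a v2 onion address: {onion!r}")
        if cookie is not None and not AUTH_COOKIE.match(cookie):
            raise ValueError(f"line {lineno}: malformed auth cookie: {cookie!r}")
        entries.append(HiddenServiceEntry(onion, cookie, client))
    return entries


def render_hidserv_auth(entries: List[HiddenServiceEntry],
                        service_name: Optional[str] = None) -> List[str]:
    """Render the torrc lines a client needs: one HidServAuth per authorized
    client. The optional service-name is the third field of the directive."""
    lines = []
    for entry in entries:
        if entry.auth_cookie is None:
            continue  # no client authorization: nothing for the client to configure
        parts = ["HidServAuth", entry.onion, entry.auth_cookie]
        if service_name:
            parts.append(service_name)
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    parsed = parse_hostname_file(SAMPLE_HOSTNAME_FILE)
    for entry in parsed:
        print(f"{entry.client or '-':10} {entry.onion}  key={entry.auth_cookie}")
    print("\n".join(render_hidserv_auth(parsed, "testme")))
```

Each authorized client gets its own line, which is why a 1:n form is needed on the client side: one HidServAuth entry per (address, cookie) pair rather than a single comma-separated field. Rejecting malformed lines rather than displaying them avoids a status page that silently shows a truncated or corrupted key as if it were valid.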

fichtner commented 6 years ago

Right now I'm more concerned about an API config bug in core https://github.com/opnsense/core/issues/1885 and if that is solved I'd rather release what we already have and keep this open

fichtner commented 6 years ago

we don't have a pretty information page parsing, but it seems like a low value target to me. all the info is there, tor just writes it in a weird way...

fabianfrz commented 6 years ago

@fichtner As far as I know I have added a workaround to prettify that a bit (convert \n to br tags)

fabianfrz commented 6 years ago

@fichtner needed a fixup - pushed it to master: https://github.com/opnsense/plugins/commit/528e3674a257405831a0bb9e123d1e6fb1745dfd

fichtner commented 6 years ago

thanks!