raspiblitz / raspiblitz

Get your own Bitcoin & Lightning Node running - on a RaspberryPi with a nice LCD
MIT License

[research] Configure apps to use rpc_cookie authentication #3691

Closed openoms closed 1 year ago

openoms commented 1 year ago

Configure apps to use the rpc cookie

Basic notes, to be followed command by command.

The cookie file reverts to user-only permission (600) on restart. Proposed solution, to be added to bitcoind.service: https://github.com/bitcoin/bitcoin/issues/25270#issuecomment-1150049416 (used in raspibolt: https://github.com/raspibolt/raspibolt/pull/846). Adds:

-startupnotify="chmod g+r /mnt/hdd/bitcoin/.cookie"

Working example:

```
# /etc/systemd/system/bitcoind.service
# RaspiBlitz: systemd unit for bitcoind
# based on https://github.com/bitcoin/bitcoin/blob/master/contrib/init/bitcoind.service

[Unit]
Description=Bitcoin daemon
After=bootstrap.service
Wants=bootstrap.service

# for use with sendmail alert
#OnFailure=systemd-sendmail@%n

[Service]
ExecStartPre=-/home/admin/config.scripts/blitz.systemd.sh log blockchain STARTED
ExecStart=/usr/local/bin/bitcoind -daemonwait \
                                  -conf=/mnt/hdd/bitcoin/bitcoin.conf \
                                  -datadir=/mnt/hdd/bitcoin \
                                  -debuglogfile=/mnt/hdd/bitcoin/debug.log \
                                  -startupnotify="chmod g+r /mnt/hdd/bitcoin/.cookie"

# Make sure the config directory is readable by the service user
PermissionsStartOnly=true
ExecStartPre=/bin/chgrp bitcoin /mnt/hdd/bitcoin

# Process management
####################
Type=forking
# PIDFile=/mnt/hdd/bitcoin/bitcoind.pid
Restart=on-failure
TimeoutStartSec=infinity
TimeoutStopSec=600

# Directory creation and permissions
####################################
User=bitcoin
UMask=0027
StandardOutput=null
StandardError=journal

# Hardening measures
####################
# Provide a private /tmp and /var/tmp.
PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Deny access to /home, /root and /run/user
ProtectHome=true
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target
```

btc-rpc-proxy

An alternative solution that avoids reconfiguring all apps is to run btc-rpc-proxy: change bitcoind to serve on 8331 with cookie auth, and configure btc-rpc-proxy to serve on 8332 with the previous username and password.

Config to achieve this:

```
verbose = 4
bitcoind_port = 8330 # change this in bitcoin.conf from 8332
cookie_file = "/mnt/hdd/bitcoin/.cookie"
bind_address = "127.0.0.1"
bind_port = 8332

[user.raspibolt]
password = "PASSWORD_B"
allowed_calls = [
  "getinfo",
  "getblock",
  "getblockchaininfo",
  "getbestblockhash",
  "getblockcount",
  "getblockhash",
  "getblockheader",
  "getchaintips",
  "getdifficulty",
  "getnetworkinfo",
  "getmempoolinfo",
  "getrawmempool",
  "gettxout",
  "gettxoutproof",
  "gettxoutsetinfo",
  "verifytxoutproof",
  "createrawtransaction",
  "decoderawtransaction",
  "decodescript",
  "getrawtransaction",
  "sendrawtransaction",
  "estimatefee",
  "estimatepriority",
  "estimatesmartfee",
  "estimatesmartpriority"
]
```

When using btc-rpc-proxy there is no need to touch the other apps.

Configuring apps to use rpc cookie auth

CLN works ok

LND

# comment out bitcoind.rpcuser and bitcoind.rpcpass in lnd.conf (the dot is escaped so it is matched literally)
sudo sed -i "s/^bitcoind\.rpcpass/#bitcoind.rpcpass/g" /mnt/hdd/lnd/lnd.conf
sudo sed -i "s/^bitcoind\.rpcuser/#bitcoind.rpcuser/g" /mnt/hdd/lnd/lnd.conf

# add bitcoind.rpccookie=/mnt/hdd/bitcoin/.cookie under the header [bitcoind] in lnd.conf
sudo sed -i '/^\[[Bb]itcoind\]/a bitcoind.rpccookie=/mnt/hdd/bitcoin/.cookie' /mnt/hdd/lnd/lnd.conf

# make the .cookie file group readable
sudo chmod 640 /mnt/hdd/bitcoin/.cookie

# move lnd.check.sh to lnd.check.sh.bak
mv /home/admin/config.scripts/lnd.check.sh /home/admin/config.scripts/lnd.check.sh.bak

# restart lnd
sudo systemctl restart lnd

LND on signet is not working with cookie auth; it fails with (see https://github.com/lightningnetwork/lnd/issues/6613#issuecomment-1445148829):

error creating wallet config: unable to create partial chain control: status code: 401, response: ""

Mempool

Fulcrum

sudo usermod -a -G bitcoin fulcrum
#comment out rpcuser and rpcpassword in fulcrum.conf
sudo sed -i "s/^rpcuser/#rpcuser/g" /home/fulcrum/.fulcrum/fulcrum.conf
sudo sed -i "s/^rpcpassword/#rpcpassword/g" /home/fulcrum/.fulcrum/fulcrum.conf
# add the rpccookie option
if ! grep -q "^rpccookie" /home/fulcrum/.fulcrum/fulcrum.conf; then
  echo "rpccookie=/mnt/hdd/bitcoin/.cookie" | sudo tee -a /home/fulcrum/.fulcrum/fulcrum.conf
else
  sudo sed -i "s/^#rpccookie/rpccookie/g" /home/fulcrum/.fulcrum/fulcrum.conf
fi
# make the .cookie file group readable
sudo chmod 640 /mnt/hdd/bitcoin/.cookie
# restart fulcrum
sudo systemctl restart fulcrum

Electrs

# comment out auth="USER:PASSWORD" in the electrs.toml
sudo sed -i "s/^auth/#auth/g" /home/electrs/.electrs/config.toml
# add the electrs user to the bitcoin group
sudo usermod -a -G bitcoin electrs
# symlink the cookie file to the electrs home dir
sudo -u electrs mkdir /home/electrs/.bitcoin
sudo ln -s /mnt/hdd/bitcoin/.cookie /home/electrs/.bitcoin/.cookie
# make the .cookie file group readable
sudo chmod 640 /mnt/hdd/bitcoin/.cookie
# restart electrs
sudo systemctl restart electrs

Specter

# this process is to be simplified
sudo systemctl stop specter
# add the user to the bitcoin group
sudo usermod -a -G bitcoin specter
# symlink the cookie file to the home dir
sudo -u specter mkdir /home/specter/.bitcoin
sudo ln -s /mnt/hdd/bitcoin/.cookie /home/specter/.bitcoin/.cookie

# move /home/specter/.specter/config.json
sudo mv /home/specter/.specter/config.json /home/specter/.specter/config.json.bak
## move /home/specter/.specter/nodes/default.json
sudo mv /home/specter/.specter/nodes/default.json /home/specter/.specter/nodes/default.json.bak
# move /home/specter/.specter/nodes/raspiblitz_mainnet.json
sudo mv /home/specter/.specter/nodes/raspiblitz_mainnet.json /home/specter/.specter/nodes/raspiblitz_mainnet.json.bak

# make new specter config
proxy="socks5h://localhost:9050"
torOnly="true"
tor_control_port="9051"
chain="main"
cat > /home/admin/config.json <<EOF
{
    "auth": {
        "method": "none",
        "password_min_chars": 6,
        "rate_limit": 10,
        "registration_link_timeout": 1
    },
    "active_node_alias": "raspiblitz_${chain}net",
    "proxy_url": "${proxy}",
    "only_tor": "${torOnly}",
    "tor_control_port": "${tor_control_port}",
    "tor_status": true,
    "hwi_bridge_url": "/hwi/api/"
}
EOF
sudo mkdir -p /home/specter/.specter/nodes
sudo mv /home/admin/config.json /home/specter/.specter/config.json
sudo chown -R specter:specter /home/specter/.specter/config.json
sudo chown -R specter:specter /mnt/hdd/app-data/.specter

# here I had an error where I needed to move the specter wallets folder
# not sure if this is recurring
sudo -u bitcoin cp -r /mnt/hdd/bitcoin/specter /mnt/hdd/bitcoin/specternewfolder

# restart specter
sudo systemctl restart specter

# open the Specter WebUI and set a password ASAP
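As an added example (not code from this issue, from RaspiBlitz or from any of the apps above), the script below reproduces the cookie-permission problem on a constructed cookie file in a temporary directory: it parses the `__cookie__:<secret>` pair the way an RPC client does, shows the check failing on the 0600 file bitcoind leaves behind after a restart, applies the same `chmod g+r` that the unit's `-startupnotify` hook runs, and derives the `Authorization: Basic` token a client would send. The temp directory, the hex secret and all function names are invented for the example; it assumes `ls`, `cut` and `base64` from coreutils.

```shell
#!/bin/sh
# Added example, not RaspiBlitz code. Exercises bitcoind cookie-auth mechanics
# on a constructed cookie file. Assumes coreutils ls/cut/base64.

COOKIE_DIR=$(mktemp -d)
COOKIE_FILE="$COOKIE_DIR/.cookie"
trap 'rm -rf "$COOKIE_DIR"' EXIT

# Constructed cookie with the layout bitcoind writes: "__cookie__:" + hex secret.
# The secret here is made up for the example.
printf '__cookie__:%s' \
  '8f1d7c6e5b4a39281706f5e4d3c2b1a0ffeeddccbbaa99887766554433221100' > "$COOKIE_FILE"
chmod 600 "$COOKIE_FILE"   # what bitcoind leaves after every restart

# --- parsing: what a client (lnd, fulcrum, electrs) does with the file ---
cookie_user()   { cut -d: -f1 "$1"; }     # always __cookie__ for bitcoind
cookie_secret() { cut -d: -f2- "$1"; }    # everything after the first colon

# Basic auth token a client sends: base64("user:secret") without line wrapping.
cookie_basic_auth() { printf '%s' "$(cat "$1")" | base64 | tr -d '\n'; }

# --- permission checks: why apps fail after a restart ---
# Mode string from ls -ld, e.g. -rw-r-----; column 5 = group read, column 8 = other read.
cookie_mode()           { ls -ld "$1" | cut -c1-10; }
cookie_group_readable() { [ "$(ls -ld "$1" | cut -c5)" = r ]; }
cookie_world_readable() { [ "$(ls -ld "$1" | cut -c8)" = r ]; }

# Verdict: "ok" only when the bitcoin group can read the file and "other" cannot.
# Returns 1 for the post-restart 0600 state, 2 if the cookie leaks to every local user.
cookie_check() {
  if cookie_world_readable "$1"; then echo world-readable; return 2; fi
  if ! cookie_group_readable "$1"; then echo not-group-readable; return 1; fi
  echo ok
}

# Same operation as the unit's -startupnotify="chmod g+r .cookie":
# re-grant group read after bitcoind has rewritten the file as 0600.
startupnotify_fix() { chmod g+r "$1"; }

# --- walk-through ---
echo "user:   $(cookie_user "$COOKIE_FILE")"
echo "mode:   $(cookie_mode "$COOKIE_FILE")  -> $(cookie_check "$COOKIE_FILE" || true)"
startupnotify_fix "$COOKIE_FILE"
echo "mode:   $(cookie_mode "$COOKIE_FILE")  -> $(cookie_check "$COOKIE_FILE" || true)"
echo "header: Authorization: Basic $(cookie_basic_auth "$COOKIE_FILE")"
```

`cookie_check` is the test to run on `/mnt/hdd/bitcoin/.cookie` before restarting an app that reads it: `not-group-readable` is the state every bitcoind restart produces without the `-startupnotify` hook, and `world-readable` means any local account can authenticate to the RPC, which is why the hook grants `g+r` rather than `chmod 644`.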

mitohund commented 1 year ago

Since I installed ord according to your beautiful instructions, my LND stopped working. Which is fine with me - I'm not using Lightning. I would actually like to turn LND off so it stops asking me to regularly type in my password (which it does quite frequently). Is that possible?

mitohund commented 1 year ago

For anybody wanting to turn off Lightning on their RB:

nano /mnt/hdd/raspiblitz.conf

add or edit to: lightning=off