Re: tor-arm warning
On 2/20/14, Ron Leach <ronleach@tesco.net> wrote:
> On 19/02/2014 00:18, Zenaan Harkness wrote:
>> Here is my .ssh/config line:
>> LocalForward localhost:9051 127.0.0.1:9051
>
> I thought the LocalForward syntax differed slightly:
> LocalForward Localhost:Port RemoteHost:Port
> (if I've understood man ssh_config)
> so maybe
> LocalForward 127.0.0.1:9051 YourRemoteTORRelayHost:9051
No; as a template yours is essentially correct, but note that my
tunnel matches your template (which matches the man page).
We must put ourselves in the shoes of SSH processes:
I tunnel from LOCAL host L to REMOTE host R.
R runs the tor relay process T.
T has an "admin" port, usually 9051 unless configured otherwise.
T admin port 9051 should only EVER listen on 127.0.0.1 (localhost in
nearly all cases).
At L, I want to connect to ONLY a localhost ip:port, i.e.
127.0.0.1:9051, and have SSH tunnel those local connections across the
wire to R and connect the other end of those connections to R's
127.0.0.1:9051 port.
So at L, localhost (or 127.0.0.1) is correct, and likewise at R.
My config was possibly confusing to those not familiar with SSH
tunnelling, since I used "localhost" at L and "127.0.0.1" at R. But
they're actually the same, and interchangeable AFAIU; my apologies for
the confusion.
If you have any further questions or suggestions, please ask, and
thanks for checking in.
> May I pass on a security concern?
Always appreciated.
> Again, if I understand the man
> pages correctly, anyone with access to your machine can use this
Who has access to my machine L?
> tunnel to reach your TOR relay on port 9051. Using 127.0.0.1 means
> that 'only' local users can do this, but this would include everyone
> with a login on your machine (and anyone who could sit in your chair
> during lunch if you hadn't logged out).
This is true. There are probably more secure ways such as Unix sockets
or an authenticated SOCKS proxy (by SSH), but I haven't bothered to
learn. It's my workstation though, so no worries for me generally.
Thank you for your considerations,
Zenaan
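An added example, not from the thread: the ~/.ssh/config stanza as described above with each field labelled, plus a small POSIX sh check that the local end of the tunnel on L is bound to loopback only (the thing that keeps the forward reachable by local users only, as Ron notes). The host name is a placeholder and the `ss` output lines are constructed.

```shell
#!/bin/sh
# Stanza matching the forward discussed above (placeholder host name):
#
#   Host relay
#       HostName relay.example.invalid        # placeholder for R
#       LocalForward 127.0.0.1:9051 127.0.0.1:9051
#       #            ^ bind addr:port on L   ^ target as seen from R
#       GatewayPorts no   # default; "yes" would bind 0.0.0.0 on L instead
#
# After `ssh -N relay`, confirm the local listener is loopback-only.
# Usage on a real host:  ss -Hltn | check_loopback_only 9051
# Reads `ss -Hltn` style lines (State Recv-Q Send-Q Local Peer ...)
# on stdin; returns 0 if every listener on $1 is on 127.0.0.1 or [::1].
check_loopback_only() {
    port="$1"
    rc=0
    while read -r _state _rq _sq laddr _peer _rest; do
        case "$laddr" in
            *:"$port") ;;   # a listener on the control port: inspect it
            *) continue ;;  # some other port: not our concern here
        esac
        case "$laddr" in
            127.0.0.1:*|"[::1]:"*) ;;                       # loopback: fine
            *) echo "non-loopback listener: $laddr"; rc=1 ;; # exposed bind
        esac
    done
    return "$rc"
}

# Constructed sample lines (not captured from a real host) to exercise the
# check offline: the first is what the stanza above should produce, the
# second is what GatewayPorts yes (or a *: bind) would produce.
SAMPLE_GOOD='LISTEN 0 128 127.0.0.1:9051 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 128 0.0.0.0:9051 0.0.0.0:*
LISTEN 0 128 127.0.0.1:22 0.0.0.0:*'

# Run against the live socket table only when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    ss -Hltn | check_loopback_only 9051
fi
```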