New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New option [libdefaults] socks4a_proxy. #1204
base: master
Are you sure you want to change the base?
New option [libdefaults] socks4a_proxy. #1204
Conversation
ec3bfbd
to
078fa78
Compare
078fa78
to
d2f7729
Compare
d2f7729
to
fa1294a
Compare
Ahh, you need to also modify You should probably name the |
0f3d224
to
c4cc19c
Compare
I updated the branch with changes that I think are correct and necessary for lib/krb5/NTMakefile, but the Windows build is still failing and I can't figure out how to read an understanding of the problem out of the log. Hints welcome! Couple notes on the design: Configuration syntaxTo keep the implementation simple and commit early, commit often, I called the configuration parameter In the future, there might be other proxies, like SOCKS5 or HTTP CONNECT proxies -- I'm not implementing them now because it's not needed for Tor, but I can imagine someone wanting these. If we added If you'd rather see SOCKS4a user idI implemented automatically passing the principal as the SOCKS4a user id. This isn't for authentication -- this is for Tor circuit isolation, so that stream connections which don't use the SOCKS4a user id don't use the same circuit and thus won't appear to be related. That way, your anonymous web browsing through Tor doesn't get correlated with your krb5 logins, and Tor gives you location privacy from the KDC when you do use krb5 logins. Kerberized applications that talk through the SOCKS4a proxy have to do the same, of course, to get the same isolation. (ssh SOCKS4a proxies also accept a user id but ignore it.) If there are users who might want to use SOCKS4a with non-Tor (and non-ssh) proxies, where the user id has some other significance, we might need some other configuration knob to manage that. |
You have click on the Windows check's details and view the logs, and search for "error" because the Windows build emits lots of noise after the fatal error, so you won't find the error of interest near the bottom of the logs (sad), but the way the GitHub UI works the whole logs won't be in the page, so you can't search using the normal browser search feature (ctrl-f), instead you either have to use the GitHub logs search feature or you have to download the logs and grep / whatever for "error", which will find:
I haven't done a local Windows build in ages, so I always deal with those in this way, meaning it's a lot of effort to debug build issues because of the need to iterate through GitHub Actions runs. To speed that up I make sure only the Windows checks run, which greatly speeds up the process. I either disable the checks using a suitable branch name, or delete workflows other than the Windows one, or just manually stop all actions other than the Windows workflow's action(s). |
c4cc19c
to
05e3fbc
Compare
All network traffic to KDC goes through the SOCKS4a proxy if it is configured. This is deliberately kept simple -- and is not generalized to SOCKS4 or SOCKS5 or other types of proxies -- so it is easy to audit for network and DNS leaks. (SOCKS4 works in IP addresses, and so invites DNS leaks. SOCKS5 can be OK, if used judiciously, but takes more work to implement.) This only affects krb5_sendto -- the other initiator of network traffic in libkrb5, krb5_change_password, will be fixed to respect socks4a_proxy in a subsequent commit. XXX Need to figure out where the socks4a.c code should go. fix heimdal#1151
Default of UDP transport doesn't work over SOCKS4a anyway, so this makes configuration with socks4a_proxy easier.
This enables Tor stream isolation.
This enables Tor stream isolation.
05e3fbc
to
ab546a1
Compare
The code seems to work and passes all github actions checks, but see some notes in #1204 (comment) about ways you might want it to be changed before merging. |
This is deliberately kept simple -- and is not generalized to SOCKS4 or SOCKS5 or other types of proxies -- so it is easy to audit for network and DNS leaks. (SOCKS4 works in IP addresses, and so invites DNS leaks. SOCKS5 can be OK, if used judiciously, but takes more work to implement.)
XXX Need to combine with #1155 to plug DNS leaks.
XXX Need to figure out where the socks4a.c code should go.
fix #1151