Skip to content

Tor null auth and listen fixes #2490

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 15, 2019
Merged

Tor null auth and listen fixes #2490

merged 2 commits into from
Mar 15, 2019

Conversation

aakselrod
Copy link
Contributor

@aakselrod aakselrod commented Jan 17, 2019
edited by Roasbeef
Loading

This PR should fix #2388 and #2176 in the following ways:

  • allowing NULL authentication when attempting to create a hidden service automatically
  • when automatic hidden service configuration is disabled, defaulting to listening on localhost and allowing manual override for manual or alternative hidden service configuration

This allows lnd to work better in environments where the Tor daemon lives on a different machine, such as Whonix or OnionPi, and where certain Tor control protocol requests and responses are filtered.

Fixes #2388
Fixes #2176

@aakselrod aakselrod requested a review from wpaulino January 17, 2019 05:26
@qubenix
Copy link

qubenix commented Jan 17, 2019

Awesome of you to work on this! I'm just testing this out on Whonix.

For me the null auth fix worked, but I'm still running into an issue listening on something other than localhost.

user@host:~$ lnd
lnd must *only* be listening on localhost when running with Tor inbound support enabled

I think it may have to do with these lines: https://github.com/lightningnetwork/lnd/blob/570b60e75b2822fc737b46a223c944ceadfedaab/config.go#L950-L962

@Roasbeef Roasbeef added enhancement Improvements to existing features / behaviour security General label for issues/PRs related to the security of the software tor bug fix P3 might get fixed, nice to have labels Jan 18, 2019
@Roasbeef Roasbeef added this to the 0.6 milestone Jan 18, 2019
@aakselrod
Copy link
Contributor Author

@qubenix, I think you might be correct. You can work around it by manually configuring the hidden service for now, and I'll fix the other issue momentarily.

@aakselrod
tor: add support for NULL authentication to controller
288870f 
This change allows the Tor controller to request hidden service
configuration over unauthenticated Tor control ports, such as used
in Whonix.
@aakselrod
config: default to listening for p2p on localhost when tor enabled
66a1502 
When Tor is enabled, this change allows manual hidden service
configuration by defaulting to listening for p2p connections on
the loopback address. It also allows overriding this manually
for situations where the Tor daemon is running on another machine,
such as when using Whonix or OnionPi-like systems.
@aakselrod aakselrod force-pushed the tor-null-auth-and-listen-fixes branch from 570b60e to 66a1502 Compare January 19, 2019 05:45
@aakselrod
Copy link
Contributor Author

I've made the fix and rebased. I tested this on my Whonix system with a brand new lnd installation and was able to successfully auto-create a v3 service (with a new onion-grater merge file for the lnd request) while listening on eth0.

@qubenix
Copy link

qubenix commented Jan 19, 2019

Tested ACK: 288870f 66a1502

wpaulino
wpaulino reviewed Jan 23, 2019
View reviewed changes
@wpaulino wpaulino mentioned this pull request Feb 2, 2019
Closed
@wereHamster wereHamster mentioned this pull request Feb 3, 2019
Closed
@Roasbeef Roasbeef mentioned this pull request Mar 12, 2019
Closed
@NicolasDorier
Copy link
Contributor

Concept ACK, I needed this.

NicolasDorier
NicolasDorier reviewed Mar 14, 2019
View reviewed changes
config.go
if len(cfg.RawListeners) == 0 {
addr := fmt.Sprintf(":%d", defaultPeerPort)
if cfg.Tor.Active {
addr = fmt.Sprintf("localhost:%d", defaultPeerPort)
Copy link
Contributor

@NicolasDorier NicolasDorier Mar 14, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it makes sense.

I want to use Tor with LND as an alternative way for people to connect to me, not as an exclusive way.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will only happen if you don't explicitly set the listen flag. It can be overridden.

@tzarebczan
Copy link

I'm running into this same problem...anyone have a windows build to test this out?

wpaulino
wpaulino approved these changes Mar 15, 2019
View reviewed changes
Copy link
Contributor

@wpaulino wpaulino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🎲

Roasbeef
Roasbeef approved these changes Mar 15, 2019
View reviewed changes
Copy link
Member

@Roasbeef Roasbeef left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 💣

@Roasbeef Roasbeef merged commit b4a1024 into lightningnetwork:master Mar 15, 2019
@tzarebczan
Copy link

Awesome @Roasbeef, can't wait to try this out!

@qubenix qubenix mentioned this pull request Jul 25, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NicolasDorier NicolasDorier NicolasDorier left review comments

@Roasbeef Roasbeef Roasbeef approved these changes

@wpaulino wpaulino wpaulino approved these changes

Assignees
No one assigned
Labels
bug fix enhancement Improvements to existing features / behaviour P3 might get fixed, nice to have security General label for issues/PRs related to the security of the software tor
Projects
None yet
Milestone
0.6
Development

Successfully merging this pull request may close these issues.

Support unauthenticated Tor control port Can't connect to onion nodes when using remote Tor
6 participants
@aakselrod @qubenix @NicolasDorier @tzarebczan @Roasbeef @wpaulino