Re: [Tails-dev] Tor Control Port in Tails

このメッセージを削除

このメッセージに返信
著者: Rafael Bonifaz
日付:  
To: tails-dev
題目: Re: [Tails-dev] Tor Control Port in Tails
Hi, sorry for the delay in the response.

anonym:
> Whoops, I realize I didn't Cc you when responding, so I have included my response below for your convenience. If you want to reply to tails-dev@ without breaking threading you can use:
>
> In-Reply-To: <6b9d3ecc-c284-c3fe-67ac-51fffd831086@???>
>

That didn't worked :(, sorry for breaking the thread:
https://lists.autistici.org/thread/20200306.135207.40fcd110.en.html#i20200306.135207.40fcd110

I would also like to register to the mailing list, but can't find how to
do it.


[...]
> Rafael Bonifaz:
>> Hello,
>>
>> Last time I wrote to this list was related to the Mumble + Tails
>> scripts. Here in CAD we have been working on GUI client that
>> integrates Mumble and Tor Onion Service. The GUI is very simple you can
>> host meetings and join meetings.
>>
>> At the moment we have a client that works in most modern Linux
>> distributions and you can see the source[2].
>>
>>
>> We also have a website, where you can download the binaries (of course
>> that website needs a lot of work)[3].
>
> Cool! Tails really lacks a VoIP solution!
>
> It's worth mentioning that we have been working on something similar through the Tails server project, basically a GUI with a list of predefined services that users can set up to be hosted via hidden service via essentially "one click", as well as a way to easily share the corresponding client configuration [1]. Sadly that project has halted (since ~2018), I think because its flagship service, namely Mumble (well, its server murmurd to be specific), worked so poorly (over Tor) that it in the end made us hesitate whether we wanted to expose users to such poor UX. Do you not share this experience? Do you find that Mumble works well over Tor these days? In those tests, was murmurd hosted/accessed through a hidden service?
>


I have done some tests with Tor Mumble since around 2018 too. We manage
to have a decent 4 people conferences to organize an event. The trick
was to use push to talk and one person has to speak at the same time.

For me this is more similar to a walkie talkie than a skype conference.

> [1] If you are interested, the images attached to this ticket should give you a decent idea of how it works: https://redmine.tails.boum.org/code/issues/15300
>


That looks really nice. I have also been thinking on something similar.
A kind of "app store" to install and publish services via tor onion
services. I want a nextcloud, a pad... a couple of clicks and you have
your onion address.

>> We want it to work in Tails, however we are not sure how to manage the
>> control port in Tails. On Linux we start a new instance of Tor that we
>> can control and use the AuthCookie to manage to the Control port.
>> In Tails we can not do that as it would end in running Tor over Tor. Do
>> you have advice on how we can have access to manage the control port so
>> that we can create Onion Services?
>
> For security reasons we created a custom filter, onion-grater, which allows you to define very precise access control rules how it can be used in a specific context. Basically you can make rules like "the binary /usr/bin/wahay when run under the amnesia user is allowed to send the command GETINFO but only with arguments matching the ip-to-country/\d+\.\d+\.\d+\.\d+ regular expression" (it uses a whitelist approach, so by default everything is forbidden).
>
> You can find examples of such filter rules in /etc/onion-grater.d/ and hopefully the documentation inside the script itself, /usr/local/lib/onion-grater, is enough to allow you to write your own [2]. If not, I'm happy to be of assistance! To make your life easier onion-grater can be started with the --complain option which will disable filtering (i.e. all control port access is allowed) while logging exactly what is going on, which you then can try to condense down to appropriate rules.
>
> [2] In its own repo, https://git.tails.boum.org/onion-grater, there's a slightly improved documentation (also extracted to its own man page) that might be easier to read, although IIRC there is a difference that the "apparmor-profiles" key was renamed to "app-targets".
>
> Cheers, and good luck!
>


Thanks a lot, we have manage to make Wahay work in Tails :).

Best,

Rafael