
default socksification of ssh, wget, curl, etc. is confusing for local connections
Closed, Resolved (Public)

Description

Many advanced users are confused by Whonix's socksification of default applications such as ssh, wget, curl, etc. (for stream isolation by uwt).

When they do ssh 10.152.152.11, uwt will result in actually executing torsocks /usr/bin/ssh.anondist-orig 10.152.152.11 . Therefore traffic will flow through torsocks and go to a Tor SocksPort. This will fail for local connections. It will result in the following error message:

libtorsocks(12021): connect: Connection is to a local address (10.152.152.11), may be a TCP DNS request to a local DNS server so have to reject to be safe. Please report a bug to http://code.google.com/p/torsocks/issues/entry if this is preventing a program from working properly with torsocks

Maybe in ~/.bashrc (as terminal greeting) we should output the contents of the UWT_DEV_PASSTHROUGH variable.

Users can either use export UWT_DEV_PASSTHROUGH=1 or ssh.anondist-orig to circumvent uwt. This is documented.


Example support request: 1

$ ssh -NgD 4444 root@111.222.333.444
listen: Operation not permitted
listen: Operation not permitted
channel_setup_fwd_listener_tcpip: cannot listen to port: 4444
Could not request local forwarding.

TODO:

  • run this from .bashrc
  • upgrade existing .bashrc files?

Details

Impact
Needs Triage

Event Timeline

JasonJAyalaP added a subscriber: JasonJAyalaP.
JasonJAyalaP created this task.
JasonJAyalaP raised the priority of this task from to Normal.

Is there a way to flip socks on and off depending on the destination? That would be the most elegant (and I hope not impossible) solution.

Patrick updated the task description. Jan 14 2015, 2:38 AM

Not sure. The wrapper or uwt (?) would need to have a concept of local networks and understand the command line of each individual command. Make sure something like wget https://www.somedoc.com/explain/what_is_10.152.152.11_about does not trigger it. uwt is doing some sort of this already - not the best code:
https://github.com/Whonix/uwt/blob/master/usr/bin/uwt#L247
Not sure how sane that is. Well, at worst, traffic would pollute Tor's TransPort, rather than use the expected Tor SocksPort (stream isolation).

Patrick updated the task description. Mar 17 2016, 4:44 PM
Patrick added a project: Whonix 14.
Patrick set Impact to Needs Triage.
Patrick updated the task description. Mar 17 2016, 4:50 PM
Patrick added subscribers: HulaHoop, marmarek.
entr0py added a subscriber: entr0py. Jun 4 2016, 5:13 AM

Ideally, for usability, after the user runs into some torsocks warning message, a tooltip or konsole message would offer help. But I don't think terminals support that feature.


WIP:

When a terminal is opened, uwt_settings_show is run.

uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:
uwt INFO: https://www.whonix.org/wiki/Stream_Isolation/Easy

Any feedback?
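As an added illustration (not uwt's own code, which lives in the Whonix/uwt repository), here is the wrapper decision the description walks through and the terminal greeting proposed in the WIP above, modelled in POSIX shell. The function names uwt_plan and is_wrapped, the wrapped-command list and the /usr/bin paths are assumptions for the demo; the functions only print the command line that would run, nothing is executed.

```shell
#!/bin/sh
# Added illustration, not the uwt project's code. It models (1) the wrapper
# decision "torsocks <cmd>.anondist-orig ..." versus running the original
# directly when UWT_DEV_PASSTHROUGH=1, and (2) a ~/.bashrc greeting that
# reports the current passthrough state so a torsocks "Connection is to a
# local address" error is explainable. Paths and the command list below are
# assumptions; nothing is executed, only the planned command line is printed.

# Constructed list of wrapped commands (the real list lives in uwt's config).
UWT_WRAPPED_CMDS="ssh wget curl"

# Return 0 if "$1" is one of the wrapped commands.
is_wrapped() {
    for c in $UWT_WRAPPED_CMDS; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# Print the command line the wrapper would run for "$@", honoring
# UWT_DEV_PASSTHROUGH=1 (run the unwrapped .anondist-orig binary directly).
uwt_plan() {
    cmd="$1"; shift
    if ! is_wrapped "$cmd"; then
        echo "$cmd $*"            # not wrapped: unchanged
        return 0
    fi
    if [ "${UWT_DEV_PASSTHROUGH:-0}" = "1" ]; then
        echo "/usr/bin/$cmd.anondist-orig $*"
    else
        echo "torsocks /usr/bin/$cmd.anondist-orig $*"
    fi
}

# Greeting for ~/.bashrc: say whether stream isolation wrapping is active.
uwt_settings_show() {
    if [ "${UWT_DEV_PASSTHROUGH:-0}" = "1" ]; then
        echo "uwt INFO: UWT_DEV_PASSTHROUGH=1 is set: $UWT_WRAPPED_CMDS run WITHOUT torsocks (direct connections, no stream isolation)."
    else
        echo "uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to: $UWT_WRAPPED_CMDS."
        echo "uwt INFO: Local (non-Tor) destinations fail under torsocks; for those use 'export UWT_DEV_PASSTHROUGH=1' or <cmd>.anondist-orig. See: https://www.whonix.org/wiki/Stream_Isolation/Easy"
    fi
}

# Stand-alone demo: the greeting, then the plan for the task's own example.
uwt_settings_show
uwt_plan ssh 10.152.152.11
```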

Patrick updated the task description. Oct 12 2016, 11:03 PM

The other option would be to present INFO every time a wrapped command is invoked, but that would probably be too intrusive for anyone other than occasional terminal users.

If you want to be verbose, you could append the list of wrapped executables to your INFO message.

In general, this is a good idea. Took me a while to figure out why I couldn't ssh to a server on my vpn network. This kind of reminder would probably have helped.

Patrick added a comment (edited). Oct 25 2016, 11:59 PM

Thanks for the feedback!

entr0py (entr0py):

The other option would be to present INFO every time a wrapped command is invoked, but that would probably be too intrusive for anyone other than occasional terminal users.

Yes, and break scripts that parse the output of these commands.

Patrick changed the task status from Open to Review. Jan 9 2017, 8:34 AM

run this from .bashrc

Done:
https://github.com/Whonix/whonix-base-files/commit/34782f82130e5f99c57aa742fad6b4b962392d49

upgrade existing .bashrc files?

Probably not worth the effort. Would require changes to https://github.com/Whonix/whonix-base-files/blob/master/usr/lib/anon-base-files/first-boot-skel or so which could introduce some regressions.

Patrick closed this task as Resolved. Mar 7 2018, 12:45 AM
Patrick claimed this task.