make new introducer furls unguessable #1802
Labels
No Label
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No Milestone
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Reference: tahoe-lafs/trac-2024-07-25#1802
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
In source:src/allmydata/introducer/server.py, new introducer furls are created with the guessable swissnum "introducer".
New furls should instead be created as random, by omitting the
"introducer"argument to tub.registerReference and usingfurlFile=os.path.join(self.basedir, "private", "introducer.furl")instead. Existing furls will not change becauseintroducer.furlwill already exist, so this is backward-compatible.The full security benefit is not obtained without #860, but there's no reason to continue generating guessable furls for new introducers in the meantime.
I guess this is a forward-compatibility feature because people who use it before we've landed this will have a persistent guessable furl, which could interfere with future access control features (#860).
I'll try to write the patch for this over the weekend.. should be a simple use of
tub.registerReference(ref, furlFile=).Hm. The introducer currently writes its furl to
NODEDIR/introducer.furl, and our docs recommend copying it from that location to all the clients. To fit with out current pattern of putting all secrets inNODEDIR/private/, we should change that toNODEDIR/private/introducer.furl. Which is a pity, because if we usedtub.registerReference(ref, furlFile=NODEDIR/introducer.furl), we'd get automatic backwards-compatibility: any existing nodes that upgrade to the new code will keep using their same old (guessable) FURLs, but new nodes will create a new (unguessable) FURL. And users could force the creation of a new (unguessable) FURL by just deletingintroducer.furland restarting.I suppose the fix will be to this:
NODEDIR/introducer.furlexists andNODEDIR/private/introducer.furldoes not, copy it intoNODEDIR/private/introducer.furlfurlFile=NODEDIR/private/introducer.furlThe only downside of that would be leaving the old
NODEDIR/introducer.furllying around, where it might get stale if the connection hints change. Anyone think we should delete the old one after copying it into private/ ?Replying to warner:
We should move the file into private/
Oh, yeah, good point. So like this?:
Replying to warner:
Perhaps, print a message telling the user to delete one of them, and then exit.
+1
please see the last patch on https://github.com/warner/tahoe-lafs/tree/1802-unguessable-introducer and review.
In changeset:9be1a94043ce1518:
Local smoke tests look good. Thanks for taking case of the helper furl too!
Attachment 1802-port-to-ticket999.darcs.patch (21404 bytes) added