TOR /etc/tor/torsocks.conf not working

Til asked:

I try to activate username and password authentication for my tor installation using the fields SOCKS5Username and SOCKS5Password in the /etc/tor/torsocks.conf file. I have restarted the service after config change and checked if it really restarted. But tor is still available without username and password on my machine.

I have installed Tor from EPEL repo. More information about Installation:

Installed Packages
Name        : tor
Arch        : x86_64
Version     : 0.2.7.6
Release     : 5.el7


Current OS
CentOS Linux release 7.2.1511 (Core)


Tor Configuration
[root@torproxy ~]# cat /etc/tor/torsocks.conf | grep -v "^#"
TorAddress curl 10.0.0.43
TorPort 18009
OnionAddrRange 127.42.42.0/24
SOCKS5Username test
SOCKS5Password 1234

[root@torproxy ~]# cat /etc/tor/torrc | grep -v "^#"
ControlSocket /run/tor/control
ControlSocketsGroupWritable 1
CookieAuthentication 1
CookieAuthFile /run/tor/control.authcookie
CookieAuthFileGroupReadable 1
SOCKSPort 10.0.0.43:18009
SOCKSPolicy accept *

My answer:


Tor does not actually make any attempt to verify the authentication information that a SOCKS client provides to it. It can be used entirely unauthenticated, and it has no configuration to force authentication. As such, you are strongly recommended to not expose the SOCKS port to any IP address that you don’t want connecting directly to it.

From the man page:

       NOTE: Although this option allows you to specify an IP address
       other than localhost, you should do so only with extreme caution.
       The SOCKS protocol is unencrypted and (as we use it)
       unauthenticated, so exposing it in this way could leak your
       information to anybody watching your network, and allow anybody to
       use your computer as an open proxy.

What Tor does do with the authentication information is stream isolation. Tor can be configured to use completely different circuits for clients which “authenticate” with different credentials.

       IsolateSOCKSAuth
           Don’t share circuits with streams for which different SOCKS
           authentication was provided. (On by default; you can disable it
           with NoIsolateSOCKSAuth.)

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.