tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git

commit e7ab20710c0961ba82b49628c3b76a5b78b81c68
parent b4f20ec8a634dc734b103b1773d6565c876e7a24
Author: David Goulet <dgoulet@torproject.org>
Date:   Wed, 12 Sep 2018 13:23:06 -0400

hs-v3: Add changes file and man page for client authorization

Closes #27547

Signed-off-by: David Goulet <dgoulet@torproject.org>

Diffstat:
A changes/ticket27547 | 7 +++++++
M doc/tor.1.txt | 30 ++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+), 0 deletions(-)

diff --git a/changes/ticket27547 b/changes/ticket27547 @@ -0,0 +1,7 @@ + o Major feature (hidden service v3): + - Implement client authorization at the descriptor level. A new torrc + option was added to control this client side: ClientOnionAuthDir <path>. + On the service side, if the "authorized_clients/" directory exists in + the onion service directory path, client configuration are read from the + files within. See the manpage for more details. Closes ticket 27547. + Patch done by Suphanat Chunhapanya (haxxpop). diff --git a/doc/tor.1.txt b/doc/tor.1.txt @@ -1087,6 +1087,16 @@ The following options are useful only for clients (that is, if services can be configured to require authorization using the **HiddenServiceAuthorizeClient** option. +[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__:: + Path to the directory containing the hidden service authorization file. The + files MUST have the suffix ".auth_private". Each file is for a single + onion address and their format is: + + + <onion-address>:descriptor:x25519:<base32-encoded-privkey> + + + The <onion-address> MUST NOT have the ".onion" suffix. See the + rend-spec-v3.txt Appendix G for more information. + [[LongLivedPorts]] **LongLivedPorts** __PORTS__:: A list of ports for services that tend to have long-running connections (e.g. chat and interactive shells). Circuits for streams that use these 
@@ -2896,6 +2906,26 @@ The following options are used to configure a hidden service. including setting SOCKSPort to "0". Can not be changed while tor is running. (Default: 0) +Client Authorization +-------------------- + +(Version 3 only) + +To configure client authorization on the service side, the +"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that +directory should be suffixed with ".auth" (the file name is irrelevant) and +its content format MUST be: + + <auth-type>:<key-type>:<base32-encoded-public-key> + +The supported <auth-type> are: "descriptor". The supported <key-type> are: +"x25519". Each file MUST contain one line only. Any malformed file will be +ignored. + +Note that once you've configured client authorization, anyone else with the +address won't be able to access it from this point on. If no authorization is +configured, the service will be accessible to all. + TESTING NETWORK OPTIONS -----------------------
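Review bot: in the changes/ticket27547 hunk, "client configuration are read from the files within" has a number disagreement ("client configurations are read"), and since this entry is what most operators see first it should also name the file suffix the man page requires on the service side (".auth"), so the two descriptions of the feature match.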
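Review bot: in the ClientOnionAuthDir hunk of doc/tor.1.txt, "Path to the directory containing the hidden service authorization file" should be plural ("authorization files"), since the next sentence describes several files, one per onion address. The format line hard-codes "descriptor" and "x25519" while the service-side section introduces them as <auth-type> and <key-type>; either use the same placeholders here or state that these are the only values accepted on the client side. Because each file holds a base32-encoded private key, the option text should also say the directory must be readable only by the user tor runs as, the same way the HiddenServiceDir documentation treats the service key material.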
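Review bot: in the new "Client Authorization" section, "needs to exists" should read "needs to exist". More importantly, the section says any malformed .auth file will be ignored and that a service with no authorization configured is accessible to all; it should state explicitly whether an "authorized_clients/" directory that contains only malformed files (or no files at all) counts as "no authorization configured" and therefore leaves the service open to anyone with the address, and whether tor logs a warning when it skips a file, so that an operator who mistypes a public key notices the problem instead of silently running an unrestricted service.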