Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

hs-v3: Add changes file and man page for client authorization

Closes #27547

Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet 5 years ago
parent
b4f20ec8a6
commit
e7ab20710c
2 changed files with 37 additions and 0 deletions
Split View Show Diff Stats
  1. 7 0
      changes/ticket27547
  2. 30 0
      doc/tor.1.txt

+ 7 - 0
changes/ticket27547
View File 

@@ -0,0 +1,7 @@
 
+  o Major feature (hidden service v3):
 
+    - Implement client authorization at the descriptor level. A new torrc
 
+      option was added to control this client side: ClientOnionAuthDir <path>.
 
+      On the service side, if the "authorized_clients/" directory exists in
 
+      the onion service directory path, client configuration are read from the
 
+      files within. See the manpage for more details. Closes ticket 27547.
 
+      Patch done by Suphanat Chunhapanya (haxxpop).

+ 30 - 0
doc/tor.1.txt
View File 

@@ -1087,6 +1087,16 @@ The following options are useful only for clients (that is, if
 
     services can be configured to require authorization using the
 
     **HiddenServiceAuthorizeClient** option.
 
 
+[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
 
+    Path to the directory containing the hidden service authorization file. The
 
+    files MUST have the suffix ".auth_private". Each file is for a single
 
+    onion address and their format is:
 
+ +
 
+      <onion-address>:descriptor:x25519:<base32-encoded-privkey>
 
+ +
 
+    The <onion-address> MUST NOT have the ".onion" suffix. See the
 
+    rend-spec-v3.txt Appendix G for more information.
 
+
 
 [[LongLivedPorts]] **LongLivedPorts** __PORTS__::
 
     A list of ports for services that tend to have long-running connections
 
     (e.g. chat and interactive shells). Circuits for streams that use these
 
@@ -2896,6 +2906,26 @@ The following options are used to configure a hidden service.
 
     including setting SOCKSPort to "0". Can not be changed while tor is
 
     running. (Default: 0)
 
 
+Client Authorization
 
+--------------------
 
+
 
+(Version 3 only)
 
+
 
+To configure client authorization on the service side, the
 
+"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that
 
+directory should be suffixed with ".auth" (the file name is irrelevant) and
 
+its content format MUST be:
 
+
 
+        <auth-type>:<key-type>:<base32-encoded-public-key>
 
+
 
+The supported <auth-type> are: "descriptor". The supported <key-type> are:
 
+"x25519". Each file MUST contain one line only. Any malformed file will be
 
+ignored.
 
+
 
+Note that once you've configured client authorization, anyone else with the
 
+address won't be able to access it from this point on. If no authorization is
 
+configured, the service will be accessible to all.
 
+
 
 TESTING NETWORK OPTIONS
 
 -----------------------