瀏覽代碼

tweak manpage bits about v3 onion svc client auth

make a couple things more explicit, like not needing to set "HiddenServiceAuthorizeClient" & etc
Mike Tigas 6 年之前
父節點
當前提交
d023de945a
共有 1 個文件被更改,包括 22 次插入12 次删除
  1. 22 12
      doc/tor.1.txt

+ 22 - 12
doc/tor.1.txt

@@ -1090,14 +1090,16 @@ The following options are useful only for clients (that is, if
     **HiddenServiceAuthorizeClient** option.
     **HiddenServiceAuthorizeClient** option.
 
 
 [[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
 [[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
-    Path to the directory containing the hidden service authorization file. The
+    Path to the directory containing v3 hidden service authorization files.
-    files MUST have the suffix ".auth_private". Each file is for a single
+    Each file is for a single onion address, and the files MUST have the suffix
-    onion address and their format is:
+    ".auth_private" (i.e. "bob_onion.auth_private"). The content format MUST be:
  +
  +
       <onion-address>:descriptor:x25519:<base32-encoded-privkey>
       <onion-address>:descriptor:x25519:<base32-encoded-privkey>
  +
  +
-    The <onion-address> MUST NOT have the ".onion" suffix. See the
+    The <onion-address> MUST NOT have the ".onion" suffix. The
-    rend-spec-v3.txt Appendix G for more information.
+    <base32-encoded-privkey> is the base32 representation of the raw key bytes
+    only (32 bytes for x25519). See Appendix G in the rend-spec-v3.txt file of
+    https://spec.torproject.org/[torspec] for more information.
 
 
 [[LongLivedPorts]] **LongLivedPorts** __PORTS__::
 [[LongLivedPorts]] **LongLivedPorts** __PORTS__::
     A list of ports for services that tend to have long-running connections
     A list of ports for services that tend to have long-running connections
@@ -2839,7 +2841,8 @@ The following options are used to configure a hidden service.
     clients without authorization any more. Generated authorization data can be
     clients without authorization any more. Generated authorization data can be
     found in the hostname file. Clients need to put this authorization data in
     found in the hostname file. Clients need to put this authorization data in
     their configuration file using **HidServAuth**. This option is only for v2
     their configuration file using **HidServAuth**. This option is only for v2
-    services.
+    services; v3 services configure client authentication in a subdirectory of
+    HiddenServiceDir instead (see the **Client Authorization** section).
 
 
 [[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**::
 [[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**::
    If set to 1, then connections to unrecognized ports do not cause the
    If set to 1, then connections to unrecognized ports do not cause the
@@ -2941,19 +2944,26 @@ Client Authorization
 (Version 3 only)
 (Version 3 only)
 
 
 To configure client authorization on the service side, the
 To configure client authorization on the service side, the
-"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that
+"<HiddenServiceDir>/authorized_clients/" directory needs to exist. Each file
-directory should be suffixed with ".auth" (the file name is irrelevant) and
+in that directory should be suffixed with ".auth" (i.e. "alice.auth"; the
-its content format MUST be:
+file name is irrelevant) and its content format MUST be:
 
 
         <auth-type>:<key-type>:<base32-encoded-public-key>
         <auth-type>:<key-type>:<base32-encoded-public-key>
 
 
 The supported <auth-type> are: "descriptor". The supported <key-type> are:
 The supported <auth-type> are: "descriptor". The supported <key-type> are:
-"x25519". Each file MUST contain one line only. Any malformed file will be
+"x25519". The <base32-encoded-privkey> is the base32 representation of the raw
-ignored.
+key bytes only (32 bytes for x25519).
+
+Each file MUST contain one line only. Any malformed file will be
+ignored. Client authorization will only be enabled for the service if tor
+successfully loads at least one authorization file.
 
 
 Note that once you've configured client authorization, anyone else with the
 Note that once you've configured client authorization, anyone else with the
 address won't be able to access it from this point on. If no authorization is
 address won't be able to access it from this point on. If no authorization is
-configured, the service will be accessible to all.
+configured, the service will be accessible to anyone with the onion address.
+
+See the Appendix G in the rend-spec-v3.txt file of
+https://spec.torproject.org/[torspec] for more information.
 
 
 TESTING NETWORK OPTIONS
 TESTING NETWORK OPTIONS
 -----------------------
 -----------------------