author | Nick Mathewson <nickm@torproject.org> | 2018-09-13 11:48:13 -0400
---|---|---
committer | Nick Mathewson <nickm@torproject.org> | 2018-09-13 11:48:13 -0400
commit | db27a70c9450495974ad0f2f5ee8c4d7454293f8 (patch) |
tree | 1605c89a0529a2fb220872818941fc116889d442 |
parent | d44eb16b23829299f154e46984bf4be0d5036dea (diff) |
parent | e7ab20710c0961ba82b49628c3b76a5b78b81c68 (diff) |
download | tor-db27a70c9450495974ad0f2f5ee8c4d7454293f8.tar.gz tor-db27a70c9450495974ad0f2f5ee8c4d7454293f8.zip |
Merge branch 'ticket27547_035_01_squashed'
-rw-r--r-- | changes/ticket27547 | 7
-rw-r--r-- | doc/tor.1.txt | 30
2 files changed, 37 insertions, 0 deletions
diff --git a/changes/ticket27547 b/changes/ticket27547 new file mode 100644 index 0000000000..f60d4a482e --- /dev/null +++ b/changes/ticket27547 @@ -0,0 +1,7 @@ + o Major feature (hidden service v3): + - Implement client authorization at the descriptor level. A new torrc + option was added to control this client side: ClientOnionAuthDir <path>. + On the service side, if the "authorized_clients/" directory exists in + the onion service directory path, client configuration are read from the + files within. See the manpage for more details. Closes ticket 27547. + Patch done by Suphanat Chunhapanya (haxxpop). diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 869a8cedd7..37f21742b2 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1087,6 +1087,16 @@ The following options are useful only for clients (that is, if services can be configured to require authorization using the **HiddenServiceAuthorizeClient** option. +[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__:: + Path to the directory containing the hidden service authorization file. The + files MUST have the suffix ".auth_private". Each file is for a single + onion address and their format is: + + + <onion-address>:descriptor:x25519:<base32-encoded-privkey> + + + The <onion-address> MUST NOT have the ".onion" suffix. See the + rend-spec-v3.txt Appendix G for more information. + [[LongLivedPorts]] **LongLivedPorts** __PORTS__:: A list of ports for services that tend to have long-running connections (e.g. chat and interactive shells). Circuits for streams that use these 
@@ -2896,6 +2906,26 @@ The following options are used to configure a hidden service. including setting SOCKSPort to "0". Can not be changed while tor is running. (Default: 0) +Client Authorization +-------------------- + +(Version 3 only) + +To configure client authorization on the service side, the +"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that +directory should be suffixed with ".auth" (the file name is irrelevant) and +its content format MUST be: + + <auth-type>:<key-type>:<base32-encoded-public-key> + +The supported <auth-type> are: "descriptor". The supported <key-type> are: +"x25519". Each file MUST contain one line only. Any malformed file will be +ignored. + +Note that once you've configured client authorization, anyone else with the +address won't be able to access it from this point on. If no authorization is +configured, the service will be accessible to all. + TESTING NETWORK OPTIONS ----------------------- |
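Review bot: In the changes/ticket27547 hunk, "client configuration are read from the files within" has a number-agreement error; suggest "client configurations are read from the files within" (or "the client configuration is read"). The entry also names the client-side option but only describes the service-side directory by its relative name, so a reader of the changelog cannot tell which file suffixes are expected on either side; one clause such as "files suffixed .auth on the service side and .auth_private on the client side" would make the entry self-contained without needing the manpage.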
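Review bot: The new **ClientOnionAuthDir** entry (first doc/tor.1.txt hunk) is placed directly after the paragraph about the v2 **HiddenServiceAuthorizeClient** option but never states which onion service version it applies to, whereas the service-side section added in the same patch is marked "(Version 3 only)". Suggest adding the same "(Version 3 only)" marker here so users do not try to pair this with v2 services. Two further gaps a user will hit: the entry says files "MUST have the suffix .auth_private" but not what happens to files with other suffixes or with a malformed line (the service-side text says such files are ignored; the client side should say the same, or say that they are rejected), and since each file holds an x25519 private key it is worth one sentence saying the directory and files should be readable only by the user running tor.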
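Review bot: In the Client Authorization section (second doc/tor.1.txt hunk), "needs to exists" should read "needs to exist", and "The supported <auth-type> are: "descriptor". The supported <key-type> are: "x25519"." should use the singular ("The supported <auth-type> is ... The supported <key-type> is ..."), since each lists exactly one value. The closing paragraph, "anyone else with the address won't be able to access it from this point on", is ambiguous about who "anyone else" is; suggest "only clients whose public key is present in authorized_clients/ will be able to reach the service; anyone else who knows the address will be refused". It would also help to state explicitly that the check happens at descriptor level (as the changelog entry says), i.e. unauthorized clients cannot decrypt the descriptor rather than being refused at connection time, so operators understand what is and is not hidden from them.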