Opened 2 years ago

Closed 19 months ago

#27680 closed enhancement (fixed)

Explain how to use auth cookie for onion services

Reported by: traumschule
Owned by: traumschule
Priority: Medium
Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: hs-auth
Cc: mtigas, dgoulet, asn, haxxpop
Actual Points:
Parent ID: #30000
Points:
Reviewer: asn
Sponsor: Sponsor27-must

Attachments (1)

hsv3clientkey.sh (2.2 KB) - added by traumschule 2 years ago.
This script generates client auth keys for a given v3 onion service directory. It is free software, use, modify, or copy it at your own risk; based on work by mtigas: https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b

Change History (21)

comment:2 Changed 2 years ago by traumschule

Owner: set to traumschule
Status: new → assigned

asn said on IRC that this is not implemented for v3 onion services, but it may be good to have it in the FAQ and the onion page at http://expyuzz4wqqyqhjn.onion/docs/tor-onion-service.html.en

comment:3 Changed 2 years ago by traumschule

Status: assigned → needs_review

comment:4 Changed 2 years ago by traumschule

Just learned that it has been implemented for v3 onion services (#20700) and updated the PR.

comment:5 Changed 2 years ago by traumschule

#4700 might be worth a hint

comment:6 Changed 2 years ago by traumschule

Status: needs_review → needs_revision

IRC: why isn't HiddenServiceAuthorizeClient supported on onion 3 addresses

asn:
it actually is, but it works differently
we might want to add a blurb when someone starts up v3 with HiddenServiceAuthorizeClient to point to the way it should be done
you need to use latest master and check the man page for 'authorized_clients'
it's in the last part of it "Client Authorization" marked as "(Version 3 only)"
it's still experimental, so you need to generate the keys yourself :)
see https://github.com/haxxpop/torkeygen

mtigas:
i'm going to try to submit a patch/pr for some man page rewording about that this weekend.
if you're using 0.3.5.x by having an authorized_clients dir with valid .auth files in the hiddenservicedir, tor will enable auth for that onion. i've got an alternate key generating script here; at worst it has some more explicit instructions for setup: https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b

#28026 is related.

Last edited 2 years ago by traumschule

comment:7 Changed 2 years ago by mtigas

Cc: mtigas added

comment:8 Changed 2 years ago by traumschule

Keywords: hs-auth added

Let onion service authorization related tickets know of each other.

https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n615

[TODO: Also specify stealth client authorization.]
(NOTE: client authorization is not implemented as of 0.3.2.1-alpha.)

comment:10 Changed 2 years ago by traumschule

Cc: dgoulet asc haxxpop added; traumschule removed
Status: needs_revision → needs_review
Last edited 19 months ago by traumschule

Changed 2 years ago by traumschule

Attachment: hsv3clientkey.sh added


comment:11 Changed 19 months ago by gk

Cc: asn added; asc removed
Sponsor: Sponsor27

comment:12 Changed 19 months ago by gk

Sponsor: Sponsor27 → Sponsor27-must

Add Sponsor27-must items for Objective 2

comment:13 Changed 19 months ago by asn

Component: Webpages/Website → Core Tor/Tor

Changing this to our component, so it gets some review next week.

comment:14 Changed 19 months ago by pili

Parent ID: #30000

comment:15 Changed 19 months ago by asn

Reviewer: asn

comment:16 Changed 19 months ago by nickm

Milestone: Tor: 0.4.1.x-final

comment:17 Changed 19 months ago by asn

Status: needs_review → merge_ready

This is a definite improvement over the current situation, so let's get this merged! :)

We could in the future improve further by giving examples, etc. but let's roll with what we have now!

comment:18 Changed 19 months ago by traumschule

Resolution: fixed
Status: merge_ready → closed

merged

comment:19 Changed 19 months ago by asn

Resolution: fixed
Status: closed → reopened

Thanks for merging but is this somewhere visible right now? I don't see it in https://2019.www.torproject.org/docs/faq.html.en

comment:20 Changed 19 months ago by asn

Resolution: fixed
Status: reopened → closed