Opened 14 months ago

Closed 7 months ago

#27680 closed enhancement (fixed)

Explain how to use auth cookie for onion services

Reported by: traumschule
Owned by: traumschule
Priority: Medium
Milestone: Tor: 0.4.1.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: hs-auth
Cc: mtigas, dgoulet, asn, haxxpop
Actual Points:
Parent ID: #30000
Points:
Reviewer: asn
Sponsor: Sponsor27-must

Attachments (1)

hsv3clientkey.sh (2.2 KB) - added by traumschule 12 months ago.
This script generates client auth keys for a given v3 onion service directory. It is free software, use, modify, or copy it at your own risk; based on work by mtigas: https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b

Change History (21)

comment:2 Changed 14 months ago by traumschule

Owner: set to traumschule
Status: new → assigned

asn said on IRC that this is not implemented for v3 onion services, but it may be good to have it in the FAQ and the onion page at
http://expyuzz4wqqyqhjn.onion/docs/tor-onion-service.html.en

comment:3 Changed 14 months ago by traumschule

Status: assigned → needs_review

comment:4 Changed 14 months ago by traumschule

just learned that it has been implemented for v3 onion services (#20700) and updated the PR.

comment:5 Changed 14 months ago by traumschule

#4700 might be worth a hint

comment:6 Changed 13 months ago by traumschule

Status: needs_review → needs_revision

IRC: why isn't HiddenServiceAuthorizeClient supported on onion 3 addresses

asn:
it actually is, but it works differently
we might want to add a blurb when someone starts up v3 with HiddenServiceAuthorizeClient to point out the way it should be done
you need to use latest master and check the man page for 'authorized_clients'
it's in the last part of it "Client Authorization" marked as "(Version 3 only)"
it's still experimental, so you need to generate the keys yourself :)
see https://github.com/haxxpop/torkeygen

mtigas:
i'm going to try to submit a patch/pr for some man page rewording about that this weekend.
if you're using 0.3.5.x by having an authorized_clients dir with valid .auth files in the hiddenservicedir, tor will enable auth for that onion. i've got an alternate key generating script here; at worst it has some more explicit instructions for setup: https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b

#28026 is related.

Last edited 13 months ago by traumschule
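
The service-side setup described in comment:6 (an authorized_clients directory holding .auth files inside the HiddenServiceDir), as an added example that is not part of this ticket, the attached script or tor itself: a checker for the content of those files. The line format `descriptor:x25519:<base32 public key>` and the four-field client-side `.auth_private` format are taken from the "Client Authorization" section of the tor man page, not from this ticket; the file names and the sample key are constructed.

```python
import base64
import binascii

# Constructed sample: 32 arbitrary bytes standing in for an x25519 public key,
# base32-encoded without '=' padding.
SAMPLE_PUBKEY = base64.b32encode(bytes(range(1, 33))).decode().rstrip("=")


def check_auth_entry(filename, content):
    """Return a list of problems with one <HiddenServiceDir>/authorized_clients file."""
    problems = []
    if not filename.endswith(".auth"):
        problems.append("file name does not end in .auth")
    fields = content.strip().split(":")
    if len(fields) == 4:
        # Four fields is the shape of a client-side .auth_private line, which
        # carries the client's private key and does not belong on the service.
        problems.append("looks like a client .auth_private line (4 fields)")
        return problems
    if len(fields) != 3:
        problems.append("expected <auth-type>:<key-type>:<base32-public-key>")
        return problems
    auth_type, key_type, key_b32 = fields
    if auth_type != "descriptor":
        problems.append(f"unsupported auth-type {auth_type!r}")
    if key_type != "x25519":
        problems.append(f"unsupported key-type {key_type!r}")
    # Restore the '=' padding that Python's decoder requires.
    padded = key_b32.upper() + "=" * (-len(key_b32) % 8)
    try:
        raw = base64.b32decode(padded)
    except (binascii.Error, ValueError):
        problems.append("public key is not valid base32")
    else:
        if len(raw) != 32:
            problems.append(f"public key is {len(raw)} bytes, expected 32")
    return problems


if __name__ == "__main__":
    samples = {  # constructed file names and contents
        "alice.auth": f"descriptor:x25519:{SAMPLE_PUBKEY}\n",
        "bob.txt": f"descriptor:x25519:{SAMPLE_PUBKEY}\n",
        "carol.auth": f"descriptor:x25519:{SAMPLE_PUBKEY[:-8]}\n",
    }
    for name, text in samples.items():
        print(name, check_auth_entry(name, text) or "ok")
```
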

comment:7 Changed 13 months ago by mtigas

Cc: mtigas added

comment:8 Changed 13 months ago by traumschule

Keywords: hs-auth added

Let onion service authorization related tickets know of each other.

https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n615

[TODO: Also specify stealth client authorization.]
(NOTE: client authorization is not implemented as of 0.3.2.1-alpha.)

comment:10 Changed 12 months ago by traumschule

Cc: dgoulet asc haxxpop added; traumschule removed
Status: needs_revision → needs_review
Last edited 7 months ago by traumschule

Changed 12 months ago by traumschule

Attachment: hsv3clientkey.sh added

comment:11 Changed 8 months ago by gk

Cc: asn added; asc removed
Sponsor: Sponsor27

comment:12 Changed 8 months ago by gk

Sponsor: Sponsor27 → Sponsor27-must

Add Sponsor27-must items for Objective 2

comment:13 Changed 8 months ago by asn

Component: Webpages/Website → Core Tor/Tor

Changing this to our component, so it gets some review next week.

comment:14 Changed 7 months ago by pili

Parent ID: #30000

comment:15 Changed 7 months ago by asn

Reviewer: asn

comment:16 Changed 7 months ago by nickm

Milestone: Tor: 0.4.1.x-final

comment:17 Changed 7 months ago by asn

Status: needs_review → merge_ready

This is a definite improvement over the current situation, so let's get this merged! :)

We could in the future improve further by giving examples, etc. but let's roll with what we have now!

comment:18 Changed 7 months ago by traumschule

Resolution: fixed
Status: merge_ready → closed

merged

comment:19 Changed 7 months ago by asn

Resolution: fixed
Status: closed → reopened

Thanks for merging but is this somewhere visible right now? I don't see it in https://2019.www.torproject.org/docs/faq.html.en

comment:20 Changed 7 months ago by asn

Resolution: fixed
Status: reopened → closed