mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Merge branch 'maint-0.3.5'
This commit is contained in:
commit
1c5c3f353a
3
changes/ticket28026
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
o Documentation (hidden service manpage):
|
||||||
|
- Improve HSv3 client authorization by making some options more explicit
|
||||||
|
and detailed. Closes ticket 28026. Patch by "mtigas".
|
@ -1090,14 +1090,16 @@ The following options are useful only for clients (that is, if
|
|||||||
**HiddenServiceAuthorizeClient** option.
|
**HiddenServiceAuthorizeClient** option.
|
||||||
|
|
||||||
[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
|
[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
|
||||||
Path to the directory containing the hidden service authorization file. The
|
Path to the directory containing v3 hidden service authorization files.
|
||||||
files MUST have the suffix ".auth_private". Each file is for a single
|
Each file is for a single onion address, and the files MUST have the suffix
|
||||||
onion address and their format is:
|
".auth_private" (i.e. "bob_onion.auth_private"). The content format MUST be:
|
||||||
+
|
+
|
||||||
<onion-address>:descriptor:x25519:<base32-encoded-privkey>
|
<onion-address>:descriptor:x25519:<base32-encoded-privkey>
|
||||||
+
|
+
|
||||||
The <onion-address> MUST NOT have the ".onion" suffix. See the
|
The <onion-address> MUST NOT have the ".onion" suffix. The
|
||||||
rend-spec-v3.txt Appendix G for more information.
|
<base32-encoded-privkey> is the base32 representation of the raw key bytes
|
||||||
|
only (32 bytes for x25519). See Appendix G in the rend-spec-v3.txt file of
|
||||||
|
https://spec.torproject.org/[torspec] for more information.
|
||||||
|
|
||||||
[[LongLivedPorts]] **LongLivedPorts** __PORTS__::
|
[[LongLivedPorts]] **LongLivedPorts** __PORTS__::
|
||||||
A list of ports for services that tend to have long-running connections
|
A list of ports for services that tend to have long-running connections
|
||||||
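Review bot: in the new ClientOnionAuthDir text, "i.e. "bob_onion.auth_private"" should read "e.g.", since the base name is only an example; the one constraint the paragraph states is the ".auth_private" suffix. The added sentence that <base32-encoded-privkey> is "the raw key bytes only (32 bytes for x25519)" is a useful clarification, but 32 bytes do not fill a whole number of base32 groups, so say whether the 52-character unpadded encoding is what is expected or whether "=" padding is also accepted; as written, the reader still has to go to Appendix G for the one detail that decides whether the file loads at all.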
@ -2840,7 +2842,8 @@ The following options are used to configure a hidden service.
|
|||||||
clients without authorization any more. Generated authorization data can be
|
clients without authorization any more. Generated authorization data can be
|
||||||
found in the hostname file. Clients need to put this authorization data in
|
found in the hostname file. Clients need to put this authorization data in
|
||||||
their configuration file using **HidServAuth**. This option is only for v2
|
their configuration file using **HidServAuth**. This option is only for v2
|
||||||
services.
|
services; v3 services configure client authentication in a subdirectory of
|
||||||
|
HiddenServiceDir instead (see the **Client Authorization** section).
|
||||||
|
|
||||||
[[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**::
|
[[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**::
|
||||||
If set to 1, then connections to unrecognized ports do not cause the
|
If set to 1, then connections to unrecognized ports do not cause the
|
||||||
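Review bot: "a subdirectory of HiddenServiceDir" could name the directory outright, since the Client Authorization section touched in this same patch spells it as "<HiddenServiceDir>/authorized_clients/"; a reader who lands on HiddenServiceAuthorizeClient from a search should not need to follow the cross-reference to learn the path. Also use the section's own term, "client authorization", rather than "client authentication", so the cross-reference matches the heading it points to.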
@ -2942,19 +2945,26 @@ Client Authorization
|
|||||||
(Version 3 only)
|
(Version 3 only)
|
||||||
|
|
||||||
To configure client authorization on the service side, the
|
To configure client authorization on the service side, the
|
||||||
"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that
|
"<HiddenServiceDir>/authorized_clients/" directory needs to exist. Each file
|
||||||
directory should be suffixed with ".auth" (the file name is irrelevant) and
|
in that directory should be suffixed with ".auth" (i.e. "alice.auth"; the
|
||||||
its content format MUST be:
|
file name is irrelevant) and its content format MUST be:
|
||||||
|
|
||||||
<auth-type>:<key-type>:<base32-encoded-public-key>
|
<auth-type>:<key-type>:<base32-encoded-public-key>
|
||||||
|
|
||||||
The supported <auth-type> are: "descriptor". The supported <key-type> are:
|
The supported <auth-type> are: "descriptor". The supported <key-type> are:
|
||||||
"x25519". Each file MUST contain one line only. Any malformed file will be
|
"x25519". The <base32-encoded-privkey> is the base32 representation of the raw
|
||||||
ignored.
|
key bytes only (32 bytes for x25519).
|
||||||
|
|
||||||
|
Each file MUST contain one line only. Any malformed file will be
|
||||||
|
ignored. Client authorization will only be enabled for the service if tor
|
||||||
|
successfully loads at least one authorization file.
|
||||||
|
|
||||||
Note that once you've configured client authorization, anyone else with the
|
Note that once you've configured client authorization, anyone else with the
|
||||||
address won't be able to access it from this point on. If no authorization is
|
address won't be able to access it from this point on. If no authorization is
|
||||||
configured, the service will be accessible to all.
|
configured, the service will be accessible to anyone with the onion address.
|
||||||
|
|
||||||
|
See the Appendix G in the rend-spec-v3.txt file of
|
||||||
|
https://spec.torproject.org/[torspec] for more information.
|
||||||
|
|
||||||
TESTING NETWORK OPTIONS
|
TESTING NETWORK OPTIONS
|
||||||
-----------------------
|
-----------------------
|
||||||
|
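Review bot: the added sentence "The <base32-encoded-privkey> is the base32 representation of the raw key bytes only" names the wrong placeholder for this file: the format line just above it is <auth-type>:<key-type>:<base32-encoded-public-key>, and the service-side ".auth" file carries the client's public key (the private half belongs in the client's ".auth_private" file documented under ClientOnionAuthDir). Rename it to <base32-encoded-public-key> so the text cannot be read as an instruction to place the private key on the service. "i.e. "alice.auth"" should likewise be "e.g.". On the new sentences that malformed files are ignored and that authorization is only enabled once at least one file loads: this is the failure mode that matters most here, because an operator whose files are all malformed ends up, per the paragraph that follows, with a service accessible to anyone holding the onion address; say how tor reports an ignored file (a log warning, if that is what it emits) so the operator has a way to notice before relying on the restriction.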