Merge branch 'maint-0.3.5'

This commit is contained in:
David Goulet 2018-10-30 11:29:30 -04:00
commit 1c5c3f353a
2 changed files with 25 additions and 12 deletions

3
changes/ticket28026 Normal file
View File

@ -0,0 +1,3 @@
o Documentation (hidden service manpage):
- Improve HSv3 client authorization by making some options more explicit
and detailed. Closes ticket 28026. Patch by "mtigas".

View File

@ -1090,14 +1090,16 @@ The following options are useful only for clients (that is, if
**HiddenServiceAuthorizeClient** option.
[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
Path to the directory containing the hidden service authorization file. The
files MUST have the suffix ".auth_private". Each file is for a single
onion address and their format is:
Path to the directory containing v3 hidden service authorization files.
Each file is for a single onion address, and the files MUST have the suffix
".auth_private" (i.e. "bob_onion.auth_private"). The content format MUST be:
+
<onion-address>:descriptor:x25519:<base32-encoded-privkey>
+
The <onion-address> MUST NOT have the ".onion" suffix. See the
rend-spec-v3.txt Appendix G for more information.
The <onion-address> MUST NOT have the ".onion" suffix. The
<base32-encoded-privkey> is the base32 representation of the raw key bytes
only (32 bytes for x25519). See Appendix G in the rend-spec-v3.txt file of
https://spec.torproject.org/[torspec] for more information.
[[LongLivedPorts]] **LongLivedPorts** __PORTS__::
A list of ports for services that tend to have long-running connections
@ -2840,7 +2842,8 @@ The following options are used to configure a hidden service.
clients without authorization any more. Generated authorization data can be
found in the hostname file. Clients need to put this authorization data in
their configuration file using **HidServAuth**. This option is only for v2
services.
services; v3 services configure client authentication in a subdirectory of
HiddenServiceDir instead (see the **Client Authorization** section).
[[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**::
If set to 1, then connections to unrecognized ports do not cause the
@ -2942,19 +2945,26 @@ Client Authorization
(Version 3 only)
To configure client authorization on the service side, the
"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that
directory should be suffixed with ".auth" (the file name is irrelevant) and
its content format MUST be:
"<HiddenServiceDir>/authorized_clients/" directory needs to exist. Each file
in that directory should be suffixed with ".auth" (i.e. "alice.auth"; the
file name is irrelevant) and its content format MUST be:
<auth-type>:<key-type>:<base32-encoded-public-key>
The supported <auth-type> are: "descriptor". The supported <key-type> are:
"x25519". Each file MUST contain one line only. Any malformed file will be
ignored.
"x25519". The <base32-encoded-privkey> is the base32 representation of the raw
key bytes only (32 bytes for x25519).
Each file MUST contain one line only. Any malformed file will be
ignored. Client authorization will only be enabled for the service if tor
successfully loads at least one authorization file.
Note that once you've configured client authorization, anyone else with the
address won't be able to access it from this point on. If no authorization is
configured, the service will be accessible to all.
configured, the service will be accessible to anyone with the onion address.
See the Appendix G in the rend-spec-v3.txt file of
https://spec.torproject.org/[torspec] for more information.
TESTING NETWORK OPTIONS
-----------------------