hs-v3: Add changes file and man page for client authorization

Closes #27547

Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet 2018-09-12 13:23:06 -04:00 committed by Nick Mathewson
parent b4f20ec8a6
commit e7ab20710c
2 changed files with 37 additions and 0 deletions

changes/ticket27547 Normal file
View File

@ -0,0 +1,7 @@
o Major feature (hidden service v3):
- Implement client authorization at the descriptor level. A new torrc
option was added to control this client side: ClientOnionAuthDir <path>.
On the service side, if the "authorized_clients/" directory exists in
the onion service directory path, client configuration are read from the
files within. See the manpage for more details. Closes ticket 27547.
Patch done by Suphanat Chunhapanya (haxxpop).
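Review bot: "client configuration are read from the files within" (fifth line of the entry) should read "client configurations are read" or, more precisely, "client authorization keys are read". While touching that sentence, name the ".auth" suffix the service expects, since the entry otherwise tells readers that files in "authorized_clients/" are consumed without saying how they are recognized; the man page hunk documents the suffix, and the changes entry should not contradict it by implying every file in the directory is read.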

View File

@ -1087,6 +1087,16 @@ The following options are useful only for clients (that is, if
services can be configured to require authorization using the
**HiddenServiceAuthorizeClient** option.
[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
Path to the directory containing the hidden service authorization file. The
files MUST have the suffix ".auth_private". Each file is for a single
onion address and their format is:
+
<onion-address>:descriptor:x25519:<base32-encoded-privkey>
+
The <onion-address> MUST NOT have the ".onion" suffix. See the
rend-spec-v3.txt Appendix G for more information.
[[LongLivedPorts]] **LongLivedPorts** __PORTS__::
A list of ports for services that tend to have long-running connections
(e.g. chat and interactive shells). Circuits for streams that use these
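Review bot: the new ClientOnionAuthDir entry should state that it applies to v3 onion services only and that v2 services keep using HidServAuth; it sits directly under the HidServAuth text that references HiddenServiceAuthorizeClient, so a reader cannot tell which mechanism belongs to which version, and the service-side section already carries a "(Version 3 only)" marker that this entry lacks. It also does not say what tor does with a file in the directory that lacks the ".auth_private" suffix or fails to parse: the service-side text says "Any malformed file will be ignored", and the client side should document the same behavior (or the error it raises) explicitly. Since each file holds an x25519 private key ("<base32-encoded-privkey>"), a sentence on expected permissions for the directory and its files would help as well. Minor wording: "the hidden service authorization file" (singular) conflicts with "The files MUST" on the next line; "authorization files" is consistent.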
@ -2896,6 +2906,26 @@ The following options are used to configure a hidden service.
including setting SOCKSPort to "0". Can not be changed while tor is
running. (Default: 0)
Client Authorization
--------------------
(Version 3 only)
To configure client authorization on the service side, the
"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that
directory should be suffixed with ".auth" (the file name is irrelevant) and
its content format MUST be:
<auth-type>:<key-type>:<base32-encoded-public-key>
The supported <auth-type> are: "descriptor". The supported <key-type> are:
"x25519". Each file MUST contain one line only. Any malformed file will be
ignored.
Note that once you've configured client authorization, anyone else with the
address won't be able to access it from this point on. If no authorization is
configured, the service will be accessible to all.
TESTING NETWORK OPTIONS
-----------------------
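Review bot: "needs to exists" in the first paragraph of the new section should be "needs to exist", and "Any malformed file will be ignored" leaves the important case undocumented: what happens when "authorized_clients/" exists but contains no valid ".auth" file. The closing sentence says "If no authorization is configured, the service will be accessible to all", so a reader cannot tell whether an empty or all-malformed directory falls back to open access or locks every client out; state which, because the two outcomes have opposite security consequences. Since silently ignoring a malformed file drops that client from the authorized set, also say whether tor logs a warning when it skips a file, so a typo in one client's key is not mistaken for a client-side problem. The section should further say whether the directory is re-read on HUP / config reload, given that the "Can not be changed while tor is running" text just above will make readers wonder. Minor: the suffix is described with "should" while the content format is "MUST"; if the ".auth" suffix is required for a file to be read at all, use MUST there too.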