mirror of https://gitlab.torproject.org/tpo/core/tor.git, synced 2024-11-27 22:03:31 +01:00
hs-v3: Add changes file and man page for client authorization
Closes #27547

Signed-off-by: David Goulet <dgoulet@torproject.org>
parent b4f20ec8a6
commit e7ab20710c
changes/ticket27547 (new file, 7 additions)
@ -0,0 +1,7 @@
o Major feature (hidden service v3):
- Implement client authorization at the descriptor level. A new torrc
option was added to control this client side: ClientOnionAuthDir <path>.
On the service side, if the "authorized_clients/" directory exists in
the onion service directory path, client configuration are read from the
files within. See the manpage for more details. Closes ticket 27547.
Patch done by Suphanat Chunhapanya (haxxpop).
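Review bot: "client configuration are read from the files within" should be "client configurations are read" (or "each client's configuration is read"), and the entry should name the service-side path in full as the man page in this same commit does ("<HiddenServiceDir>/authorized_clients/"). It should also state the consequence the man page spells out: once that directory holds a valid ".auth" file, clients without a matching key can no longer reach the service. Operators read the changes file at upgrade time, so that access-restriction effect belongs here and not only in the manual.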
@ -1087,6 +1087,16 @@ The following options are useful only for clients (that is, if
services can be configured to require authorization using the
**HiddenServiceAuthorizeClient** option.

[[ClientOnionAuthDir]] **ClientOnionAuthDir** __path__::
Path to the directory containing the hidden service authorization file. The
files MUST have the suffix ".auth_private". Each file is for a single
onion address and their format is:
+
<onion-address>:descriptor:x25519:<base32-encoded-privkey>
+
The <onion-address> MUST NOT have the ".onion" suffix. See the
rend-spec-v3.txt Appendix G for more information.

[[LongLivedPorts]] **LongLivedPorts** __PORTS__::
A list of ports for services that tend to have long-running connections
(e.g. chat and interactive shells). Circuits for streams that use these
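Review bot: "the directory containing the hidden service authorization file" and "Each file is for a single onion address and their format is" disagree in number; the directory holds one file per onion address, so write "authorization files" and "its format is". Two things a client operator needs are also missing from this entry: what tor does with a file that does not match the single "<onion-address>:descriptor:x25519:<base32-encoded-privkey>" line (the service-side section in this same commit says malformed files are ignored; the client side should say the same and whether a warning is logged), and a reminder that these files hold x25519 private keys, so the directory should be readable only by the user tor runs as.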
@ -2896,6 +2906,26 @@ The following options are used to configure a hidden service.
including setting SOCKSPort to "0". Can not be changed while tor is
running. (Default: 0)

Client Authorization
--------------------

(Version 3 only)

To configure client authorization on the service side, the
"<HiddenServiceDir>/authorized_clients/" needs to exists. Each file in that
directory should be suffixed with ".auth" (the file name is irrelevant) and
its content format MUST be:

<auth-type>:<key-type>:<base32-encoded-public-key>

The supported <auth-type> are: "descriptor". The supported <key-type> are:
"x25519". Each file MUST contain one line only. Any malformed file will be
ignored.

Note that once you've configured client authorization, anyone else with the
address won't be able to access it from this point on. If no authorization is
configured, the service will be accessible to all.

TESTING NETWORK OPTIONS
-----------------------

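Review bot: "needs to exists" should be "needs to exist", and with a single value each, "The supported <auth-type> are" / "The supported <key-type> are" read better as "is". The more important gap is the failure mode: the text says malformed files are ignored and that a service with no authorization configured is accessible to all, but not which of those applies when "authorized_clients/" exists yet contains only malformed ".auth" files, or none at all. That case decides whether a typo in a key file silently exposes a service the operator believes is restricted, so the entry should state the resulting behaviour explicitly and say whether tor logs a warning for each ignored file.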