triadajohn.blogg.se

Onion cookie













Client authorization is a method to make an Onion Service private and authenticated. It requires Tor clients to provide an authentication credential in order to connect to the Onion Service. For v3 Onion Services, this method works with a pair of keys (a public and a private). The service side is configured with a public key and the client can only access it with a private key.

Note: Once you have configured client authorization, the address alone will no longer be enough to access the service. If no authorization is configured, the service will be accessible to anyone with the onion address.

Configuring v3 Onion Services

Service side

To configure client authorization on the service side, the authorized_clients/ directory under the service's HiddenServiceDir needs to exist. Following the instructions described in the section Setup will automatically create this directory.

Client authorization will only be enabled for the service if tor successfully loads at least one authorization file.

For now, you need to create the keys yourself with a script (like these written in Bash, Rust or Python) or manually.

To manually generate the keys, you need to install openssl version 1.1+ and basez.

Generate a key using the algorithm x25519:

$ openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.

Private key:

$ cat /tmp/k1.prv.pem | grep -v " PRIVATE KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.prv.key

Public key:

$ openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.pub.key

Copy the public key:

$ cat /tmp/k1.pub.key

Create an authorized client file:

Format the client authentication and create a new file in the authorized_clients/ directory. Each file in that directory should be suffixed with ".auth" (i.e. "th"; the file name is irrelevant) and its content must be three colon-separated fields: the authorization type, the key type, and the base32-encoded public key.

The supported values for the authorization type are: "descriptor".

The public key field is the base32 representation of the raw key bytes only (32 bytes for x25519).

For example, the file /var/lib/tor/hidden_service/authorized_clients/th should look like:

descriptor:x25519:N2NU7BSRL6YODZCYPN4CREB54TYLKGIE2KYOQWLFYC23ZJVCE5DQ

If you are planning to have more authenticated clients, each file must contain one line only.

Restart the tor service:

$ sudo systemctl reload tor

Important: Revoking a client can be done by removing their ".auth" file, however the revocation will be in effect only after the tor process gets restarted.

To access a version 3 Onion Service with client authorization as a client, make sure you have ClientOnionAuthDir set in your torrc. For example, add this line to /etc/tor/torrc:

ClientOnionAuthDir /var/lib/tor/onion_auth
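A checker for the service-side authorized client files described on this page, useful before reloading tor. This is an added example, not code from the original page or from the Tor Project; the function name check_auth_file and the sample file names are assumptions, and the checks cover only the rules stated here (".auth" suffix, one line, three colon-separated fields, "descriptor", x25519, unpadded base32 of 32 raw bytes).

```python
import base64
import binascii

AUTH_TYPES = {"descriptor"}  # the only supported value the page lists
KEY_TYPE = "x25519"          # key type used throughout the page
KEY_LEN = 32                 # raw x25519 key length in bytes


def check_auth_file(name: str, content: str) -> list[str]:
    """Return the problems found in one authorized client file."""
    problems = []
    if not name.endswith(".auth"):
        problems.append("file name is not suffixed with .auth")
    lines = [ln.strip() for ln in content.splitlines() if ln.strip()]
    if len(lines) != 1:
        problems.append(f"expected exactly one line, found {len(lines)}")
        return problems
    fields = lines[0].split(":")
    if len(fields) != 3:
        problems.append(f"expected 3 colon-separated fields, found {len(fields)}")
        return problems
    auth_type, key_type, key_b32 = fields
    if auth_type not in AUTH_TYPES:
        problems.append(f"unsupported authorization type {auth_type!r}")
    if key_type != KEY_TYPE:
        problems.append(f"unsupported key type {key_type!r}")
    if "=" in key_b32:
        # The page's pipeline strips padding with sed 's/=//g'.
        problems.append("base32 padding '=' must be stripped from the key")
        return problems
    # Restore the padding only for decoding; accepting either letter case
    # is a choice made by this example.
    padded = key_b32 + "=" * (-len(key_b32) % 8)
    try:
        raw = base64.b32decode(padded, casefold=True)
    except (binascii.Error, ValueError):
        problems.append("key is not valid base32")
        return problems
    if len(raw) != KEY_LEN:
        problems.append(f"key decodes to {len(raw)} bytes, expected {KEY_LEN}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the example line from the page under a made-up name.
    line = "descriptor:x25519:N2NU7BSRL6YODZCYPN4CREB54TYLKGIE2KYOQWLFYC23ZJVCE5DQ"
    print(check_auth_file("client1.auth", line + "\n") or "ok")
    print(check_auth_file("client2.auth", line + "\n" + line + "\n"))
```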














