Commit 723288a3 authored by George Kadianakis's avatar George Kadianakis
Browse files

Improve v3 client auth documentation in the man page.

parent de66bed6
Loading
Loading
Loading
Loading
+32 −21
Original line number Diff line number Diff line
@@ -1142,7 +1142,7 @@ The following options are useful only for clients (that is, if
    information) to port 80.

[[HidServAuth]] **HidServAuth** __onion-address__ __auth-cookie__ [__service-name__]::
    Client authorization for a hidden service. Valid onion addresses contain 16
    Client authorization for a v2 hidden service. Valid onion addresses contain 16
    characters in a-z2-7 plus ".onion", and valid auth cookies contain 22
    characters in A-Za-z0-9+/. The service name is only used for internal
    purposes, e.g., for Tor controllers. This option may be used multiple times
@@ -2961,7 +2961,7 @@ The next section describes the per service options that can only be set
    service. Currently, versions 2 and 3 are supported. (Default: 3)

[[HiddenServiceAuthorizeClient]] **HiddenServiceAuthorizeClient** __auth-type__ __client-name__,__client-name__,__...__::
    If configured, the hidden service is accessible for authorized clients
    If configured, the v2 hidden service is accessible for authorized clients
    only. The auth-type can either be \'basic' for a general-purpose
    authorization protocol or \'stealth' for a less scalable protocol that also
    hides service activity from unauthorized clients. Only clients that are
@@ -3105,6 +3105,8 @@ Client Authorization

(Version 3 only)

Service side:

  To configure client authorization on the service side, the
  "<HiddenServiceDir>/authorized_clients/" directory needs to exist. Each file
  in that directory should be suffixed with ".auth" (i.e. "alice.auth"; the
@@ -3128,8 +3130,17 @@ Revoking a client can be done by removing their ".auth" file, however the
  revocation will be in effect only after the tor process gets restarted even if
  a SIGHUP takes place.

See the Appendix G in the rend-spec-v3.txt file of
https://spec.torproject.org/[torspec] for more information.
Client side:

  To access a v3 onion service with client authorization as a client, make sure
  you have ClientOnionAuthDir set in your torrc. Then, in the
  <ClientOnionAuthDir> directory, create an .auth_private file for the onion
  service corresponding to this key (i.e. 'bob_onion.auth_private').  The
  contents of the <ClientOnionAuthDir>/<user>.auth_private file should look like:

      <56-char-onion-addr-without-.onion-part>:descriptor:x25519:<x25519 private key in base32>

For more information, please see https://2019.www.torproject.org/docs/tor-onion-service.html.en#ClientAuthorization .

TESTING NETWORK OPTIONS
-----------------------