Client authorization is a method to make an onion service private and authenticated. It requires Tor clients to provide an authentication credential in order to connect to the onion service. For v3 onion services, this method works with a pair of keys (a public and a private). The service side is configured with a public key and the client can only access it with a private key.

Note: Once client authorization is configured, knowing the onion address alone is no longer enough to reach the service. If no authorization is configured, the service is accessible to anyone with the onion address.

Configuring v3 Onion Services

Service side

To configure client authorization on the service side, the <HiddenServiceDir>/authorized_clients/ directory needs to exist. Following the instructions described in the section Setup will automatically create this directory. Client authorization will only be enabled for the service if tor successfully loads at least one authorization file.

For now, you need to create the keys yourself with a script (like these written in Bash, Rust or Python) or manually.

To generate the keys manually, you need to install openssl version 1.1+ and basez.

Step 1. Generate a key using the x25519 algorithm:

 $ openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.

Step 2. Format the keys into base32:

Private key

$ cat /tmp/k1.prv.pem | grep -v " PRIVATE KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.prv.key

Public key

$ openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.pub.key

Step 3. Copy the public key:

 $ cat /tmp/k1.pub.key

Step 4. Create an authorized client file:

Format the client authentication and create a new file in the <HiddenServiceDir>/authorized_clients/ directory. Each file in that directory should be suffixed with ".auth" (e.g. "alice.auth"; the file name is irrelevant) and its content format must be:

 <auth-type>:<key-type>:<base32-encoded-public-key>

The supported values for <auth-type> are: "descriptor".

The supported values for <key-type> are: "x25519".

The <base32-encoded-public-key> is the base32 representation of the raw key bytes only (32 bytes for x25519).

For example, the file /var/lib/tor/hidden_service/authorized_clients/alice.auth should look like:

 descriptor:x25519:N2NU7BSRL6YODZCYPN4CREB54TYLKGIE2KYOQWLFYC23ZJVCE5DQ

If you plan to have more authenticated clients, each file must contain only one line. Any malformed file will be ignored.

Step 5. Restart the Tor service:

 $ sudo systemctl reload tor

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.

Important: Revoking a client can be done by removing their ".auth" file, however the revocation will be in effect only after the tor process gets restarted.

Client side

To access a version 3 onion service with client authorization as a client, make sure you have ClientOnionAuthDir set in your torrc. For example, add this line to /etc/tor/torrc:

 ClientOnionAuthDir /var/lib/tor/onion_auth

Then, in the <ClientOnionAuthDir> directory, create a .auth_private file for the onion service corresponding to this key (e.g. 'bob_onion.auth_private'). The content of the <ClientOnionAuthDir>/<user>.auth_private file should look like this:

 <56-char-onion-addr-without-.onion-part>:descriptor:x25519:<x25519 private key in base32>

For example:

 rh5d6reakhpvuxe2t3next6um6iiq4jf43m7gmdrphfhopfpnoglzcyd:descriptor:x25519:ZDUVQQ7IKBXSGR2WWOBNM3VP5ELNOYSSINDK7CAUN2WD7A3EKZWQ

If you manually generated the key pair following the instructions in this page, you can copy and use the private key created in Step 2. Then restart tor and you should be able to connect to the onion service address.
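The shell pipeline in Step 2 and the two file formats above (the service-side `.auth` file and the client-side `.auth_private` file) are easy to get subtly wrong, and tor silently ignores a malformed file rather than reporting it. The following Python is an added example, not code from the Tor documentation: it reproduces what the pipeline does (strip the PEM armour, base64-decode, keep the last 32 bytes, base32-encode, drop the `=` padding) and checks that a line has the exact shape the page specifies. The DER prefixes are the ones openssl emits for x25519 keys (RFC 8410); the sample key bytes are constructed, not a real key; the function names are this example's own.

```python
"""Key formatting and auth-file checks for v3 onion service client authorization.

Added example, not part of the Tor documentation. It mirrors the page's shell
pipeline in Python and validates the .auth and .auth_private formats. The sample
key bytes below are constructed for illustration; they are not a real key.
"""
import base64
import re

# DER prefixes openssl emits for x25519 keys (RFC 8410). The 32 raw key bytes are
# the final bytes of each structure, which is why `tail --bytes=32` works.
PKCS8_X25519_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")  # private
SPKI_X25519_PREFIX = bytes.fromhex("302a300506032b656e032100")            # public

# 32 bytes base32-encode to 52 characters once the '====' padding is removed;
# a v3 onion address is 56 lower-case base32 characters (35 bytes, no padding).
AUTH_RE = re.compile(r"^descriptor:x25519:([A-Z2-7]{52})$")
AUTH_PRIVATE_RE = re.compile(r"^([a-z2-7]{56}):descriptor:x25519:([A-Z2-7]{52})$")


def der_to_pem(der: bytes, label: str) -> str:
    """Wrap DER bytes in PEM armour, 64 characters per line as openssl does."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_raw32(pem_text: str) -> bytes:
    """grep -v ' KEY' | base64pem -d | tail --bytes=32, done in Python."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if len(der) < 32:
        raise ValueError("PEM body is too short to hold a 32-byte x25519 key")
    return der[-32:]


def raw_to_tor_base32(raw: bytes) -> str:
    """base32 | sed 's/=//g': unpadded upper-case base32, 52 chars for 32 bytes."""
    if len(raw) != 32:
        raise ValueError("x25519 keys are exactly 32 bytes")
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def tor_base32_to_raw(text: str) -> bytes:
    """Inverse of raw_to_tor_base32; re-adds the padding the files omit."""
    padded = text.upper() + "=" * (-len(text) % 8)
    return base64.b32decode(padded)


def auth_line(pub_raw: bytes) -> str:
    """Content of <HiddenServiceDir>/authorized_clients/<name>.auth."""
    return f"descriptor:x25519:{raw_to_tor_base32(pub_raw)}"


def auth_private_line(onion_address: str, priv_raw: bytes) -> str:
    """Content of <ClientOnionAuthDir>/<user>.auth_private (no .onion suffix)."""
    addr = onion_address.lower()
    if addr.endswith(".onion"):
        addr = addr[:-len(".onion")]
    return f"{addr}:descriptor:x25519:{raw_to_tor_base32(priv_raw)}"


def is_v3_onion_address(addr: str) -> bool:
    """56 base32 chars decoding to 35 bytes whose trailing version byte is 3."""
    if not re.fullmatch(r"[a-z2-7]{56}", addr):
        return False
    decoded = base64.b32decode(addr.upper())
    return len(decoded) == 35 and decoded[-1] == 0x03


def check_auth_file(content: str) -> bytes:
    """Validate one .auth file (exactly one well-formed line); return the raw
    public key. A file this rejects is one tor would silently ignore."""
    lines = [ln for ln in content.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("an .auth file must contain exactly one line")
    m = AUTH_RE.match(lines[0].strip())
    if not m:
        raise ValueError("expected descriptor:x25519:<52-char base32 key>")
    return tor_base32_to_raw(m.group(1))


def check_auth_private_file(content: str) -> tuple:
    """Validate one .auth_private line; return (onion address, raw private key)."""
    lines = [ln for ln in content.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("an .auth_private file must contain exactly one line")
    m = AUTH_PRIVATE_RE.match(lines[0].strip())
    if not m:
        raise ValueError("expected <56-char onion addr>:descriptor:x25519:<key>")
    if not is_v3_onion_address(m.group(1)):
        raise ValueError("onion address does not decode as a v3 address")
    return m.group(1), tor_base32_to_raw(m.group(2))


# Constructed sample key material (NOT a real key): bytes 0x00..0x1f stand in for
# the raw scalar openssl would write into /tmp/k1.prv.pem.
SAMPLE_PRIV_RAW = bytes(range(32))
SAMPLE_PRIV_PEM = der_to_pem(PKCS8_X25519_PREFIX + SAMPLE_PRIV_RAW, "PRIVATE KEY")

if __name__ == "__main__":
    raw = pem_to_raw32(SAMPLE_PRIV_PEM)
    print("raw key recovered from PEM:", raw == SAMPLE_PRIV_RAW)
    print("/tmp/k1.prv.key would hold:", raw_to_tor_base32(raw))
    print(auth_line(SAMPLE_PRIV_RAW))  # shape of an authorized_clients/*.auth line
```

Run it on the real /tmp/k1.prv.pem produced in Step 1 by passing the file's text to `pem_to_raw32`, and feed the result to `raw_to_tor_base32` to cross-check the value in /tmp/k1.prv.key. The checks in `check_auth_file` and `check_auth_private_file` are worth running before the reload in Step 5, because a file with a second line, padding characters, or a lower-case key is simply skipped by tor and the service then behaves as if that client were never authorized.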

If you are generating a private key for an onion site, the user does not necessarily need to edit Tor Browser's torrc. It is possible to enter the private key directly in the Tor Browser interface.

For more information about client authentication, please see the Tor manual.

Configuring v2 Onion Services

To set up Cookie Authentication for v2 services, see the entries for the HidServAuth and HiddenServiceAuthorizeClient options in the tor manual. First add the following line to the torrc file of your onion service:

 HiddenServiceAuthorizeClient [auth-type] [service-name]

Restart tor and read the cookie from the hostname file of your onion service, for example in /var/lib/tor/hidden_service_path/hostname. To access it with a tor client, add the following line to torrc and restart tor:

 HidServAuth [onion-address] [auth-cookie] [service-name]

You can now connect to the onion service address.