10/04/2015
Onion Service Authorization Cookie
Tor Hidden/Onion Services include a small gem that is not so well known: a way to authorize only specific clients to use an Onion Service through a cookie. It sounds a bit like .htaccess for Hidden/Onion Services.
I got asked today about how I use this authorization mechanism, so here it is:
In server’s torrc:
HiddenServiceDir /var/lib/tor/myssh
HiddenServiceAuthorizeClient basic myclient
HiddenServicePort 3221 12223
For those who want even more “anonymity”, there’s even a ‘stealth’ mode…just replace basic with stealth. Read Tor’s man page for more info on stealth mode.
Then in /var/lib/tor/myssh/hostname one will see something like:
# cat /var/lib/tor/myssh/hostname
keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW # client: myclient
Now on the client side just add to the client’s torrc this:
HidServAuth keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW
That’s it…it’s extremely simple to use and can potentially protect Onion Services that are only to be used by closed groups. Anyone who doesn’t have the cookie won’t be able to connect to the onion service.
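When HiddenServiceAuthorizeClient lists several comma-separated client names, the hostname file carries one line per client, and each client must receive only its own line. The following is an added example, not part of the original post: a hypothetical helper, hidservauth_line, that turns a hostname file into the torrc line for one named client. The second client and its cookie in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post).
# hidservauth_line and sample_hostname_file are hypothetical helper names.

# Constructed sample: the hostname line shown in the post plus a second,
# made-up client, as the file looks when two client names are configured.
sample_hostname_file() {
    cat <<'EOF'
keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW # client: myclient
keesh0ahGh6lahbe.onion Xo0phaeTh7eiSh2aiquaeN # client: otherclient
EOF
}

# hidservauth_line CLIENT < hostname-file
# Prints "HidServAuth <onion> <cookie>" for CLIENT only.
# Returns non-zero and prints nothing if CLIENT has no entry, so a
# provisioning script never hands out an empty or wrong line.
hidservauth_line() {
    awk -v want="$1" '
        # Expected shape: <addr>.onion <cookie> # client: <name>
        NF == 5 && $3 == "#" && $4 == "client:" && $5 == want {
            # Skip anything that does not look like an onion address.
            if ($1 !~ /\.onion$/) next
            # The address is taken from the matched line, not assumed to be
            # shared: in stealth mode each client gets its own address.
            print "HidServAuth", $1, $2
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Demonstration on the constructed sample.
sample_hostname_file | hidservauth_line myclient
```

On the server this would be run as `hidservauth_line myclient < /var/lib/tor/myssh/hostname`, and the single output line sent to that client over a private channel, since the cookie is the only credential.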
Filed by kargig at 16:48 under General