10/04/2015
Onion Service Authorization Cookie
Tor Hidden/Onion Services include a small gem that is not so well known, there’s a way to authorize only specific clients to use an Onion Service through a cookie. It sounds a bit like .htaccess for Hidden/Onion Services.
I got asked today about how I use this authorization mechanism, so here it is:
In server’s torrc:
HiddenServiceDir /var/lib/tor/myssh HiddenServiceAuthorizeClient basic myclient HiddenServicePort 3221 12223
For those who want even more “anonymity”, there’s even a ‘stealth’ mode…just replace basic with stealth. Read Tor’s man page for more info on stealth mode.
Then in /var/lib/tor/myssh/hostname one will see something like:
# cat /var/lib/tor/myssh/hostname keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW # client: myclient
Now on the client side just add to the client’s torrc this:
HidServAuth keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW
That’s it…it’s extremely simple to use and can potentially protect Onion Services that are only to be used by closed groups. Anyone who doesn’t have the cookie won’t be able to connect to the onion service.
Filed by kargig at 16:48 under General
2 Comments | 18,201 views
One of my most important notes…..
I always appreciated your web posting here. No one else has illustrated what security cookies are capable of.
Now I’m paying you back. Hope you find this snippet equally useful:
http://127.0.0.1:43110/1DdPHedr5Tz55EtQWxqvsbEXPdc4uCVi9D/?:users/14r48CcSSyoNo1PNhy6uWriqpopMUfqfUX:tech:0
Found: An idea for private pages on ZeroNet 3vhk47gvxb (You) 8/31/2020 05:02:14 No. 1239
[Reply]
An idea for private pages on ZeroNet
Hey everyone,
By using this library: https://github.com/jstrieb/link-lock
You can “Lock” links and allow only the people with the password you provided to view the Zite.
For example, for this page, the password is ZeroNet (Capital Z): https://jstrieb.github.io/link-lock/#eyJ2IjoiMC4wLjEiLCJlIjoicVF6Vkw2Q0IwUWpkN0pqZVdhaVBuWEI0WWVheFk0TlAzSjkrL00wMzdqSWpua1luam92VC9xOVZwbk9zdmc5cDF1aTREZTJSTTJKZmFzaHk2SEluREZHY2tYZHBxWVJsUGdzPSIsImgiOiJQYXNzd29yZCBpcyBaZXJvTmV0IiwiaSI6IlhGeFJHTDI0TjZ3TjhQd3cifQ==
You can try it yourself and implement it very easily 🙂
Try the link. Those with a security background – please critique.
https://github.com/jstrieb/link-lock
https://news.ycombinator.com/item?id=23242290
Onion sites do this:
https://www.void.gr/kargig/blog/2015/04/10/onion-service-authorization-cookie/