[tor-dev] Onion Client Auth on v3 descriptor via Control port

George Kadianakis desnacked at riseup.net
Wed Jun 17 10:16:01 UTC 2020


Miguel Jacq <mig at mig5.net> writes:

> Hi George,
>
> On Wed, Jun 17, 2020 at 12:37:18PM +0300, George Kadianakis wrote:
>> 
>> Hmm, this is a bit embarrassing for both of us, but if I'm not mistaken
>> ONION_CLIENT_AUTH_ADD only controls the client-side of client auth
>> credentials. This is not obvious at all by the command name, and it only
>> becomes a bit clearer by reading the control-spec.txt...
>> 
>> We added that control port command so that the browser could present a
>> UX for client authorization.
>
> Ahahahah. Riiight, thanks for that clarification. This whole time I indeed thought this was a novel way for adding Client Auth for v3 onions via the control port.
>
> I had been reading the rend-spec-v3 https://github.com/torproject/torspec/blob/master/rend-spec-v3.txt 
>
> G.2.1 'Service side' says '[XXX figure out control port command format]' and I figured it just hadn't been updated to reflect the new command. I hadn't even thought to read the control spec..
>
>> 
>> AFAIK there is no control port command for adding service-side client
>> auth credentials. You will need to do this using the filesystem by using
>> the '<HiddenServiceDir>/authorized_clients/' directory as displayed by
>> the "CLIENT AUTHORIZATION" section of the manual... Or you will need to
>> implement the control port commands in tor :/
>> 
>> Sorry for the sad news here....... :/
>
> Okay, thanks for all the clarification. Indeed, OnionShare uses purely ephemeral onions, so the standard filesystem method won't work (unless we switch to that).
>

Right.... Seems like v2 supports adding client auth credentials through
the control port using the ADD_ONION command, but that's not the case
for v3...

Just a simple matter of programming as always ;)
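
The filesystem method referred to above, as an added example (not code from this thread, from tor, or from OnionShare): it installs a client's x25519 public key under '<HiddenServiceDir>/authorized_clients/' and audits that directory. The `descriptor:x25519:<base32 key>` line format and the `.auth` suffix follow the "CLIENT AUTHORIZATION" section of the tor manual; the function names and the restriction on client names are assumptions of this example.

```python
import base64
import os
import re
from pathlib import Path

AUTH_TYPE, KEY_TYPE, KEY_LEN = "descriptor", "x25519", 32

def parse_auth_line(line: str) -> bytes:
    """Return the raw public key from '<auth-type>:<key-type>:<base32-key>'."""
    fields = line.strip().split(":")
    if len(fields) != 3 or fields[:2] != [AUTH_TYPE, KEY_TYPE]:
        raise ValueError("expected descriptor:x25519:<base32 public key>")
    b32 = fields[2].rstrip("=")
    # Keys are stored unpadded; restore padding for the decoder.
    raw = base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)
    if len(raw) != KEY_LEN:
        raise ValueError(f"public key is {len(raw)} bytes, expected {KEY_LEN}")
    return raw

def add_client(hs_dir: str, name: str, pubkey_b32: str) -> Path:
    """Validate a client's public key and install it as <name>.auth."""
    # Assumed naming policy: keeps the file inside authorized_clients/.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        raise ValueError("client name must not contain path characters")
    line = f"{AUTH_TYPE}:{KEY_TYPE}:{pubkey_b32.strip().rstrip('=')}"
    parse_auth_line(line)  # reject bad keys before touching the disk
    auth_dir = Path(hs_dir) / "authorized_clients"
    auth_dir.mkdir(mode=0o700, exist_ok=True)
    path = auth_dir / f"{name}.auth"
    # O_EXCL: never silently replace an existing client's credential.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(line + "\n")
    return path

def audit(hs_dir: str) -> dict:
    """Map each file in authorized_clients/ to 'ok' or why it is unusable."""
    report = {}
    for path in sorted((Path(hs_dir) / "authorized_clients").iterdir()):
        if path.suffix != ".auth":
            report[path.name] = "no .auth suffix"
            continue
        try:
            parse_auth_line(path.read_text())
            report[path.name] = "ok"
        except ValueError as exc:
            report[path.name] = f"invalid: {exc}"
    return report
```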


