[tor-dev] Client identification for authenticated onions

cho8jeiv4aus at paperboats.net cho8jeiv4aus at paperboats.net
Mon Aug 23 20:56:35 UTC 2021


Hi there. I had an idea recently for an onion service to improve the UX 
of sites that require a login. The site would have two onions: one for 
those who want to use onion auth and another for those who don't or are 
still setting it up. A user would first sign in with a username+password 
on the unauthenticated onion and click a button to generate a 
certificate associated with their account. Then they would add the 
public key to their browser and visit the authenticated onion. The 
application server would then match the pubkey used to authenticate with 
an account in the database, and log them in automatically.

I've looked in the mailing list archives and `man 1 tor` but didn't find 
anything that would facilitate this. The closest, it seems, is 
HiddenServiceExportCircuitID, but that is for *circuit* IDs, not 
*client* IDs. Is this possible to implement, either as an operator or as 
a Tor developer?

As an operator, an alternative would be to generate one (authenticated) 
onion service per user and route them all to the same place with 
different Host headers, but that seems rather inefficient, and I don't 
know how well the tor daemon scales up to hundreds of onion services anyway.

P.S. I didn't find an easy way to do full text search on the mailing 
list archives, so I wrote a little script to download them all. I've 
attached it in case it ends up useful. It requires python3.8+ and you'll 
need to `pip install aiohttp anyio BeautifulSoup4` first. After that you 
can run `./pipermail_fetch.py 
https://lists.torproject.org/pipermail/tor-dev/` and then something like 
`rg --context 3 --search-zip '^[^>].*search term here'` will do the trick.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pipermail_fetch.py
Type: text/x-python
Size: 2340 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20210823/b52bffaa/attachment.py>
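The key-provisioning step and the one-onion-per-user alternative described in the message, as an added example that is not part of the original post or its attachment. The file formats follow Tor's v3 client authorization documentation, in which the service keeps the x25519 public key and the client holds the private key. The account name, placeholder address and function names are hypothetical.

```python
import base64, os, re

P, A24 = 2**255 - 19, 121665

def x25519_public(private: bytes) -> bytes:
    """RFC 7748 X25519 of the base point (u=9). Not constant time: illustration only."""
    k = bytearray(private)
    k[0] &= 248                                       # clamp the scalar
    k[31] = (k[31] & 127) | 64
    scalar = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):                    # Montgomery ladder
        bit = (scalar >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")  # bit 0 is clamped to 0, no final swap

def b32(raw: bytes) -> str:
    return base64.b32encode(raw).decode().rstrip("=")  # Tor uses unpadded base32

def provision(account: str, onion_host: str, private: bytes = None) -> dict:
    """Build the per-account lines for Tor v3 client authorization."""
    if not re.fullmatch(r"[a-z0-9_-]{1,32}", account):  # name ends up in a file path
        raise ValueError("unsafe account name")
    if not re.fullmatch(r"[a-z2-7]{56}", onion_host):
        raise ValueError("expected the 56-character address without .onion")
    private = private or os.urandom(32)
    return {
        # service side: <HiddenServiceDir>/authorized_clients/<account>.auth
        "server_file": f"authorized_clients/{account}.auth",
        "server_line": f"descriptor:x25519:{b32(x25519_public(private))}",
        # client side: <ClientOnionAuthDir>/<account>.auth_private
        "client_line": f"{onion_host}:descriptor:x25519:{b32(private)}",
    }

def account_for_host(host_header: str, host_to_account: dict) -> str:
    """One-onion-per-user alternative: the Host header selects the account."""
    host = host_header.strip().lower().split(":")[0]
    return host_to_account.get(host)                  # None means no auto-login

if __name__ == "__main__":
    demo = provision("alice", "a" * 56)               # constructed placeholder address
    print(demo["server_line"], demo["client_line"], sep="\n")
```

In the per-user layout the Host-to-account table would be filled from each service's `hostname` file, and the private key should be shown to the user once and not stored server-side.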

