[tor-dev] Onion Client Auth on v3 descriptor via Control port

Wed Jun 17 09:37:18 UTC 2020

Miguel Jacq <mig at mig5.net> writes:

> Hi,
>
> I'm one of the OnionShare developers, looking at what can be done to support Client Auth with v3 onions.
>
> OnionShare depends on Stem for all its interaction setting up ephemeral onions, so we need Stem to support that fierst.
>
> So I have been working on adding support for ONION_CLIENT_AUTH_ADD to Stem. I actually have it working as far as getting a 250 OK back from the controller! Nice.
>
> But I'm puzzled, because despite successfully adding the client auth, I can access my onion service *without* auth in Tor Browser.
>
> <snip>
>
> So that all looks good. But what is weird, is if I go to http://gmdo3idszymnvfbuf2fm6miepearldgwbo7qfc4lsrw2kact2ka77kqd.onion/ , I see my 'hello world', I never had to add any client auth to Tor Browser.
>
> What am I doing wrong? How do I make the onion auth actually be 'required' since I succeeded at adding it? I was under the impression that as soon as I ran ONION_CLIENT_AUTH_ADD and got a success, from that point on, client auth would be *needed*.
>
> Maybe it's a problem with how I'm generating the keys? I had a bit of trouble figuring out how to send the base64 encoded private key. Even so, it accepts the private key, and yet it allows access without auth, which surprised me...
>
> It's probably really obvious but I've been working on this a while so I'm tired :) Time to embarass myself on a public mailing list..
>
> Thanks in advance!
>

Hmm, this is a bit embarassing for both of us, but if I'm not mistaken
ONION_CLIENT_AUTH_ADD only controls the client-side of client auth
credentials. This is not obvious at all by the command name, and it only
becomes a bit clearer by reading the control-spec.txt...

We added that control port command so that the browser could present a
UX for client authorization.

AFAIK there is no control port command for adding service-side client
auth credentials. You will need to do this using the filesystem by using
the '<HiddenServiceDir>/authorized_clients/' directory as displayed by
the "CLIENT AUTHORIZATION" section of the manual... Or you will need to
implement the control port commands in tor :/

Sorry for the sad news here....... :/

PS: All this confusion stems from the name of this feature being "client
    authorization". The fact that the name includes the string "client"
    makes it confusing to specify whether functionality is client-side
    or service-side... We should rename that feature, but making it
    simply "authorization" is weird because then people are gonna wonder
    whether onion services offer no authentication by default. Perhaps
    we need to find a cooler name for this feature...