Onion Service Authorization Cookie

Tor Hidden/Onion Services include a small gem that is not so well known, there’s a way to authorize only specific clients to use an Onion Service through a cookie. It sounds a bit like .htaccess for Hidden/Onion Services.
I got asked today about how I use this authorization mechanism, so here it is:

In server’s torrc:

HiddenServiceDir /var/lib/tor/myssh
HiddenServiceAuthorizeClient basic myclient
HiddenServicePort 3221 12223

For those who want even more “anonymity”, there’s even a ‘stealth’ mode…just replace basic with stealth. Read Tor’s man page for more info on stealth mode.

Then in /var/lib/tor/myssh/hostname one will see something like:

# cat /var/lib/tor/myssh/hostname  
keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW # client: myclient

Now on the client side just add to the client’s torrc this:
HidServAuth keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW

That’s it…it’s extremely simple to use and can potentially protect Onion Services that are only to be used by closed groups. Anyone who doesn’t have the cookie won’t be able to connect to the onion service.