Onion Service Authorization Cookie

Tor Hidden/Onion Services include a small gem that is not so well known: a way to authorize only specific clients to use an Onion Service through a cookie. It sounds a bit like .htaccess for Hidden/Onion Services.
I got asked today about how I use this authorization mechanism, so here it is:

In server’s torrc:

HiddenServiceDir /var/lib/tor/myssh
HiddenServiceAuthorizeClient basic myclient
HiddenServicePort 3221 12223

For those who want even more “anonymity”, there’s even a ‘stealth’ mode…just replace basic with stealth. Read Tor’s man page for more info on stealth mode.

Then in /var/lib/tor/myssh/hostname one will see something like:

# cat /var/lib/tor/myssh/hostname  
keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW # client: myclient

Now on the client side, just add this to the client’s torrc:

HidServAuth keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW

That’s it…it’s extremely simple to use and can potentially protect Onion Services that are only to be used by closed groups. Anyone who doesn’t have the cookie won’t be able to connect to the onion service.
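
An added example, not part of the original post: a small parser for the hostname file format shown above that produces the one HidServAuth line each client needs, so that each cookie is handed only to its own client. It goes beyond the single-client case by assuming several client names are listed in HiddenServiceAuthorizeClient, which gives one line per client in the hostname file; the second sample line, its client name "laptop" and the function names are constructed for illustration.

```python
import re

# Constructed sample in the hostname file format shown above.
# First line is the post's own example; the second is made up for illustration.
SAMPLE_HOSTNAME = """\
keesh0ahGh6lahbe.onion auliech8bu7aighaiv4aiW # client: myclient
exampleonionaddr.onion EXAMPLEcookie000000000 # client: laptop
"""

LINE_RE = re.compile(
    r"^(?P<onion>\S+\.onion)"                      # service address
    r"(?:\s+(?P<cookie>[^\s#]+))?"                 # cookie; absent if no authorization
    r"(?:\s*#\s*client:\s*(?P<client>\S+))?\s*$"   # trailing "# client: name" comment
)

def parse_hostname(text):
    """Return a list of (client, onion, cookie) tuples from hostname file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognized format")
        if m["cookie"] is None:
            # A bare address means the service accepts any client.
            raise ValueError(f"line {lineno}: no cookie, service is not client-authorized")
        entries.append((m["client"], m["onion"], m["cookie"]))
    return entries

def client_torrc_lines(text):
    """Map each client name to the single HidServAuth line for that client."""
    out = {}
    for client, onion, cookie in parse_hostname(text):
        if client in out:
            raise ValueError(f"duplicate client name: {client}")
        out[client] = f"HidServAuth {onion} {cookie}"
    return out

if __name__ == "__main__":
    for client, line in client_torrc_lines(SAMPLE_HOSTNAME).items():
        print(f"# send only to {client}\n{line}")
```

The ValueError on a line without a cookie is a quick check that the service really has authorization enabled before its address is shared.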

2 Responses to “Onion Service Authorization Cookie”

  1. Taz
    February 3rd, 2019 | 00:08

    One of my most important notes…..

  2. 3vhk47gvxb
    August 31st, 2020 | 08:15

    I always appreciated your web posting here. No one else has illustrated what security cookies are capable of.

    Now I’m paying you back. Hope you find this snippet equally useful:

    http://127.0.0.1:43110/1DdPHedr5Tz55EtQWxqvsbEXPdc4uCVi9D/?:users/14r48CcSSyoNo1PNhy6uWriqpopMUfqfUX:tech:0

    Found: An idea for private pages on ZeroNet 3vhk47gvxb (You) 8/31/2020 05:02:14 No. 1239
    [Reply]

    An idea for private pages on ZeroNet

    Hey everyone,

    By using this library: https://github.com/jstrieb/link-lock

    You can “Lock” links and allow only the people with the password you provided to view the Zite.

    For example, for this page, the password is ZeroNet (Capital Z): https://jstrieb.github.io/link-lock/#eyJ2IjoiMC4wLjEiLCJlIjoicVF6Vkw2Q0IwUWpkN0pqZVdhaVBuWEI0WWVheFk0TlAzSjkrL00wMzdqSWpua1luam92VC9xOVZwbk9zdmc5cDF1aTREZTJSTTJKZmFzaHk2SEluREZHY2tYZHBxWVJsUGdzPSIsImgiOiJQYXNzd29yZCBpcyBaZXJvTmV0IiwiaSI6IlhGeFJHTDI0TjZ3TjhQd3cifQ==

    You can try it yourself and implement it very easily 🙂

    Try the link. Those with a security background – please critique.

    https://github.com/jstrieb/link-lock
    https://news.ycombinator.com/item?id=23242290

    Onion sites do this:

    https://www.void.gr/kargig/blog/2015/04/10/onion-service-authorization-cookie/
