Simple tool to generate keypairs for onion service client auth (also known as
restricted discovery).

See [Tor project doc][0].

### Usage

```bash
❯ go run go.balki.me/onion-auth-gen@latest
private key : KPNW2PPM4EZRNUWYDXRYBUB2D5G73RLVQTELWBT7RDYELTOSBESA
public descriptor : descriptor:x25519:DBOQW4FQU6XFTELGIFTJCOK3S4NIV4H5LU64R2SJ3NF7VUEIOBHA
```

No Go?

```
❯ docker run --rm golang go run go.balki.me/onion-auth-gen@latest
go: downloading go.balki.me/onion-auth-gen v0.1.0
private key : 2R7T75LJ2KRVNAXFDXJN4CNKSMAEQ22MDXWFPRL2TR2XUCV5LFMQ
public descriptor : descriptor:x25519:LXSR6HYCYJ7MDFY2AU2NQO4QQUSGJCHFEXZBIGYYZKPFMGZWPNVQ
```

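An added example (not the tool's own source code): Go code that produces the same output format as above and checks that a private key and a public descriptor belong together before they are deployed. It assumes both values are unpadded base32 of raw 32-byte X25519 keys, the encoding described in the [Tor project doc][0]; `NewClientAuth`, `CheckPair`, `descPrefix` and `b32` are names chosen for this example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

const descPrefix = "descriptor:x25519:"

// Assumption: keys are unpadded upper-case base32 of the raw 32 bytes.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// NewClientAuth generates an X25519 keypair in the format shown under Usage.
func NewClientAuth() (priv, desc string, err error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	return b32.EncodeToString(k.Bytes()), descPrefix + b32.EncodeToString(k.PublicKey().Bytes()), nil
}

// CheckPair re-derives the public key from priv and confirms it matches desc,
// catching truncated pastes or a descriptor copied from a different run.
func CheckPair(priv, desc string) error {
	raw, err := b32.DecodeString(strings.TrimSpace(priv))
	if err != nil {
		return fmt.Errorf("private key: %w", err)
	}
	k, err := ecdh.X25519().NewPrivateKey(raw) // rejects anything but 32 bytes
	if err != nil {
		return fmt.Errorf("private key: %w", err)
	}
	pub, ok := strings.CutPrefix(strings.TrimSpace(desc), descPrefix)
	if !ok {
		return errors.New("descriptor: missing " + descPrefix + " prefix")
	}
	if pub != b32.EncodeToString(k.PublicKey().Bytes()) {
		return errors.New("descriptor does not belong to this private key")
	}
	return nil
}

func main() {
	priv, desc, err := NewClientAuth()
	fmt.Println("pair consistent:", err == nil && CheckPair(priv, desc) == nil)
}
```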
Add the public descriptor to the onion service's server configuration and enter
the private key when prompted in Tor Browser.

### FAQ

#### Why add client auth to an onion service?

When you run an onion service for private use, adding client auth makes it
completely secure against DDoS, even when the service's URL is leaked. Even if
you don't explicitly share the onion address, it can leak via the HTTP `Referer`
or `Origin` headers or an accidental copy and paste.

#### Why this tool?

The [official way][0] requires installing packages and running several long
shell command lines. This is a zero-dependency, pure Go mini tool that is quick
and easy to use.

### Related

* [onionshare][1]

---

[0]: https://community.torproject.org/onion-services/advanced/client-auth/
[1]: https://onionshare.org