Onion Services Authentication

Onion Services - Whonix wiki is outdated.

<pre>
Dec 09 13:32:40 host tor[14798]: Dec 09 13:32:40.800 [warn] Hidden service option HiddenServiceAuthorizeClient is incompatible with version 3 of service in /var/lib/tor/hidden_service/
</pre>

Don't know what still applies nowadays. Will copy old contents here.


=== Introduction ===
By default the name of an onion service is not a secret. A version 2 service published its descriptor under an identifier that onion service directories could harvest, and addresses of either version end up in crawler and search engine lists as soon as they appear anywhere public. Anyone who learns the address can then connect to and probe your server, even if that was never your intention.

To run an onion service in a private mode, reachable only by you and the associates you trust, Tor provides a little known feature called Onion Service Client Authorization (historically Hidden Service Authentication). <ref>http://tor.stackexchange.com/questions/219/how-to-use-hidden-service-authentication How to use Onion Service Authentication?</ref><ref>https://gitweb.torproject.org/torspec.git/tree/proposals/121-hidden-service-authentication.txt</ref> When it is enabled, the introduction points in the published descriptor are encrypted so that only a client holding one of the authorized keys can read them; everyone else, including the onion service directories that store the descriptor, cannot learn how to reach the service and therefore cannot connect to it. (Version 2 services in <code>stealth</code> mode additionally hid the <code>.onion</code> address itself from the directories; version 3 services never expose the address to the directories, with or without authorization.)

The operator can authorize several parties independently, each with its own credential, and revoke any of them without affecting the others: once a client's credential is removed and Tor is reloaded, newly published descriptors are no longer readable by that client, so it no longer learns the service's introduction points. For version 2 services this was configured with the <code>stealth</code> auth type of <code>HiddenServiceAuthorizeClient</code>; version 3 services instead keep one file per authorized client in the <code>authorized_clients</code> subdirectory of <code>HiddenServiceDir</code>.

<code>HiddenServiceAuthorizeClient</code>:
<blockquote>
This option is only for v2 services; v3 services configure client authentication in a subdirectory of HiddenServiceDir instead (see the Client Authorization section).
</blockquote>

[https://www.torproject.org/docs/tor-manual.html.en Tor manual]

=== Server Setup ===
On {{gateway_product_name}}.

{{Open /usr/local/etc/torrc.d/50_user.conf}}

See the following example. Adjust it for your purposes and add it.

{{CodeSelect|code=
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 5900 127.0.0.1:5900
HiddenServiceVersion 3
## Do NOT add HiddenServiceAuthorizeClient here: that option exists for
## version 2 services only and Tor rejects it for a version 3 service.
## For version 3, client authorization is switched on by the presence of
## files in the subdirectory authorized_clients/ of HiddenServiceDir, i.e.
## /var/lib/tor/hidden_service/authorized_clients/<client-name>.auth
## Each file holds one line: descriptor:x25519:<base32-encoded public key>
## If that directory is missing or empty, the service stays public.
}}

Save.

{{Reload Tor}}

To get your onion address, run.

{{CodeSelect|code=
sudo cat /var/lib/tor/hidden_service/hostname
}}

Should show something like this (a version 3 address is 56 characters long).

<pre>
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion
</pre>

With version 3 the <code>hostname</code> file contains only the address; unlike version 2, no per-client cookie is written there. A client's credential is an x25519 key pair. The public key goes into <code>/var/lib/tor/hidden_service/authorized_clients/&lt;client-name&gt;.auth</code> on the gateway as a single line of the form <code>descriptor:x25519:&lt;base32-encoded public key&gt;</code>; the directory and file must be readable by the user Tor runs as. Reload Tor after adding or removing files there.

The connecting party configures their Tor client with <code>ClientOnionAuthDir</code> (for example <code>ClientOnionAuthDir /var/lib/tor/onion_auth</code>) pointing at a directory that holds a file <code>&lt;client-name&gt;.auth_private</code> with the single line <code>&lt;56-character onion address without .onion&gt;:descriptor:x25519:&lt;base32-encoded private key&gt;</code>. Ideally the client generates the key pair itself and sends only the public key to the service operator, so no secret has to travel at all. If the operator generates the pair instead, the private key is the secret that has to be handed to the one person being allowed to connect,

* preferably face-to-face, or
* via OpenPGP encrypted e-mail or OTR encrypted chat over Tor involving both parties.

Create a separate key pair for every individual or group you grant access to rather than sharing one; that is what makes access revocable: delete that party's <code>.auth</code> file and reload Tor, and descriptors published from then on are no longer readable by it (whatever introduction points it already learned remain usable until they rotate). Authorization is all or nothing per onion service. If you want to limit access at a finer level, compartmentalize your services under different onion addresses running on a Multiple Workstation setup.
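The following is an added example, not code from the original page, from Whonix or from the Tor project. It produces the two files one authorized client of a version 3 onion service needs: <code>&lt;client-name&gt;.auth</code> for the service side and <code>&lt;client-name&gt;.auth_private</code> for the client side, checks that the onion address really is a version 3 address, writes the files owner-readable only, and shows revocation as the deletion of the <code>.auth</code> file. X25519 is implemented per RFC 7748 in pure Python so the script runs with the standard library alone; on a real gateway <code>openssl genpkey -algorithm x25519</code> produces the same kind of key pair. The client name, onion address and directory paths are placeholders to be replaced with your own.

```python
#!/usr/bin/env python3
"""Key material for Tor v3 onion service client authorization.

Added example, not Whonix or Tor project code. X25519 is implemented per
RFC 7748 so that only the standard library is needed.
"""
import base64
import os
import re
from pathlib import Path

P = 2 ** 255 - 19                   # Curve25519 field prime
A24 = 121665                        # (486662 - 2) / 4
BASEPOINT = b"\x09" + b"\x00" * 31  # u = 9, little-endian


def _clamp(k: bytes) -> int:
    """Decode a 32-byte little-endian scalar with RFC 7748 clamping."""
    if len(k) != 32:
        raise ValueError("X25519 scalar must be exactly 32 bytes")
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder k*u on Curve25519 (RFC 7748 section 5)."""
    k_int = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # top bit is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)


def tor_base32(raw: bytes) -> str:
    """Unpadded upper-case base32, the encoding used in Tor's .auth files."""
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def onion_name(onion_address: str) -> str:
    """Drop '.onion' and insist on a v3 address (56 base32 characters)."""
    name = onion_address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", name):
        raise ValueError("not a version 3 onion address: %r" % onion_address)
    return name


def client_auth_files(client_name: str, onion_address: str, private_key=None) -> dict:
    """File names and contents for one authorized client (fresh key if none given)."""
    # Assumption: restrict the name so it is a plain file name on both sides.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", client_name):
        raise ValueError("client name must be a plain file name token")
    priv = os.urandom(32) if private_key is None else private_key
    pub = public_key(priv)
    return {
        # service side: <HiddenServiceDir>/authorized_clients/<client_name>.auth
        "server_file": client_name + ".auth",
        "server_line": "descriptor:x25519:" + tor_base32(pub),
        # client side: <ClientOnionAuthDir>/<client_name>.auth_private
        "client_file": client_name + ".auth_private",
        "client_line": onion_name(onion_address) + ":descriptor:x25519:" + tor_base32(priv),
    }


def install(files: dict, server_dir=None, client_dir=None) -> list:
    """Write the side(s) a directory was given for, mode 0600; reload Tor afterwards."""
    written = []
    for directory, fkey, lkey in ((server_dir, "server_file", "server_line"),
                                  (client_dir, "client_file", "client_line")):
        if directory is None:
            continue
        path = Path(directory) / files[fkey]
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(files[lkey] + "\n")
        path.chmod(0o600)
        written.append(str(path))
    return written


def revoke(client_name: str, server_dir: str) -> bool:
    """Delete <client_name>.auth; True if it existed. Reload Tor to take effect."""
    path = Path(server_dir) / (client_name + ".auth")
    if not path.exists():
        return False
    path.unlink()
    return True
```

In the preferred flow the client runs <code>client_auth_files</code> on their own machine and sends only <code>server_line</code> to the operator, who drops it into <code>authorized_clients/</code> and reloads Tor; the private key never leaves the client. Files written into <code>HiddenServiceDir</code> have to be owned by the user Tor runs as (<code>debian-tor</code> on Debian-based systems such as Whonix), so either run the script as that user or <code>chown</code> the result afterwards. <code>revoke</code> only deletes the file; the reload is what makes Tor re-encrypt the descriptor for the remaining clients.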