Home
---------------------------------------- ssh over tor April 20th, 2019 ---------------------------------------- My upcoming tilde server, tilde.black, is going to be focused on privacy, anonymity, and security. As part of that effort the tilde itself is a playground for activites and code that supports those efforts. One example of this is connecting to the server over tor. As described in a LifeHacker article [0]: HTML [0] LifeHacker article Tor is short for The Onion Router (thus the logo) and was initially a worldwide network of servers developed with the U.S. Navy that enabled people to browse the internet anonymously. Now, it's a non-profit organization whose main purpose is the research and development of online privacy tools. The Tor network disguises your identity by moving your traffic across different Tor servers, and encrypting that traffic so it isn't traced back to you. Anyone who tries would see traffic coming from random nodes on the Tor network, rather than your computer. We have tor running on tilde.black and some services are offered there directly as "onion services". You can browse the website by using a tor browser and going to http://tdblackjcbw5kc46.onion. Or you can view the gopher site at gopher://tdblackjcbw5kc46.onion. Finally, you can ssh to the machine at tdblackjcbw5kc46.onion instead of tilde.black. (Some people may note that the web link protocol above is HTTP, not HTTPS. Onion sites are already end-to-end encrypted and get no benefit from HTTPS beyond publishing their identity, which in many cases is contrary to the goals of having an onion site. Browsing non-onion sites on tor is still best done with HTTPS, though, because all traffic from an exit node to that server will need some method of encryption.) So why might we want to use tor to ssh? Anonymity of course! When you log into a shared system other users can see a lot of information about you as a user. For instance, here's just the first few lines of output from the 'w' command on cosmic.voyage: USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT tomasino pts/0 98.22.17.30- 08:27 1.00s 0.09s 0.00s tmux -u2 attach Well lookie there... my IP address. Depending on my threat model, that may not be something I want to leave lying around everywhere I go since it can be traced back to me so easily. So lets look at one small way we can incrementally help stay anonymous. PART ONE: tor on the server I've covered this process in the past [1] to show how easy it is to set up gopher over tor. Lets review the basics again anyway. DIR [1] gopher.black on tor You'll need to: - Install tor - Configure tor - Start tor - Find your hostname Step 1: Install tor Check out the install instructions on the tor website. In mos cases it's as simple as: sudo apt install tor Step 2: Configure tor Everything you need to configure in tor is located at /etc/tor/torrc. Edit that file and search for HiddenServiceDir. Uncomment or add lines as follows HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 22 127.0.0.1:22 The first line is where your hidden service will store all its secrets, like the private key it's going to auto-generate for you. We'll look there in a minute to find the hostname. NOTE: the /hidden_service/ part of the directory path is changable. If you want to run multiple different tor services by different names, you can add more of these blocks and change that /hidden_service/ to something else, like /pants/ or /web/. A cooresponding folder will be created automatically when you run tor. The HiddenServicePort line maps tor's port to your system's port. If you are running ssh on port 22, this is what you'll need. NOTE: Running ssh on another port does not add any tangible security, but can help avoid log spam from bots that hammer at port 22. Step 3: Start tor sudo service tor start # linuxy style rcctl enable tor && rcctl start tor # openbsd style Step 4: Find your hostname As a super-user, browse to the directory listed in HiddenServiceDir and you will see two files, a private key and a hostname. View the hostname file and you'll see your public onion address. Copy that for later. The private key is something you may want to back up if you want to use this onion address safely in the future. If you lose the private key you will not be able to run tor at that onion address anymore. The generation of onion addresses can be done more creatively using tools like Eschalot to hash millions of possible onion addresses until you find a pattern that matches what you like. For instance, tilde.black has the onion address: tdblackjcbw5kc46.onion PART TWO: tor on the client In order to ssh over tor, we'll need some way to make our terminal session or a terminal command run over the tor network. My favorite way to do this is with a program called 'torsocks'. This utility pushes a single command or an entire shell through a socks proxy to your tor connection. Since torsocks is just a socks proxy that means we'll need to do a couple things to get it to work. You'll need to: - Install tor - Configure tor - Install torsocks - Configure torsocks - Start tor & torsocks - ssh Step 1: Install tor Just like on the server you'll need to install tor on your local machine. Read up on the tor website to see which method works best for your operating system. It's probably a one-liner. Step 2: Configure tor We need to configure our local tor differently than we did the server. We don't need any hidden services this time, but we do need to allow local connections to use it as a SOCKS proxy. Here's the key lines you'll need to uncomment, change, or add: SOCKSPort 9050 SOCKSPolicy accept 192.168.0.0/16 SOCKSPolicy accept6 FC00::/7 ControlPort 9051 CookieAuthentication 1 Step 3: Install torsocks sudo apt install torsocks # linux pkg_add torsocks # openbsd brew install torsocks # probably works on osx? Step 4: Configure torsocks To be honest, I don't remember if this is required or if it comes like this out of the box. Edit the file /etc/tor/torsocks.conf and verify that the following lines are present and not commented out: TorAddress 127.0.0.1 TorPort 9050 Step 5: Start tor & torsocks Now that everything is all configured, whenever you want to run torsocks you'll need to first start tor in another terminal or tmux pane. Running tor is as easy as typing: $ tor You'll get some interesting output before it eventually says 100% bootstrapped. That means you're up and running. Now in your other terminal window you can start the torsocks proxy connection like so: $ . torsocks on This will respond back with: "Tor mode activated. Every command will be torified for this shell." And that's exactly it. You should be fully running now and able to try your ssh connection. Step 6: ssh $ ssh buffalo@tdblackjcbw5kc46.onion -p 1337 A connection like above will try to connect to ssh on port 1337 over tor using the user "buffalo". I'm using tilde.black's tor address as an example. So give it a try and let me know it worked for you!