----------------------------------------
       ssh over tor
       April 20th, 2019
       ----------------------------------------
       
        My upcoming tilde server, tilde.black, is going to be focused on
        privacy, anonymity, and security. As part of that effort the tilde
        itself is a playground for activities and code that support those
        efforts. One example of this is connecting to the server over tor.
       
       As described in a LifeHacker article [0]:
 (HTM) [0] LifeHacker article
       
           Tor is short for The Onion Router (thus the logo) and was
           initially a worldwide network of servers developed with the
           U.S. Navy that enabled people to browse the internet
           anonymously. Now, it's a non-profit organization whose main
           purpose is the research and development of online privacy
           tools.
       
           The Tor network disguises your identity by moving your traffic
           across different Tor servers, and encrypting that traffic so
           it isn't traced back to you. Anyone who tries would see
           traffic coming from random nodes on the Tor network, rather
           than your computer. 
       
       We have tor running on tilde.black and some services are offered
       there directly as "onion services". You can browse the website by
       using a tor browser and going to http://tdblackjcbw5kc46.onion. Or
       you can view the gopher site at gopher://tdblackjcbw5kc46.onion.
       Finally, you can ssh to the machine at tdblackjcbw5kc46.onion
       instead of tilde.black.
       
           (Some people may note that the web link protocol above is
           HTTP, not HTTPS. Onion sites are already end-to-end encrypted
           and get no benefit from HTTPS beyond publishing their
           identity, which in many cases is contrary to the goals of
           having an onion site. Browsing non-onion sites on tor is still
           best done with HTTPS, though, because all traffic from an exit
           node to that server will need some method of encryption.)
       
       So why might we want to use tor to ssh? Anonymity of course! When
       you log into a shared system other users can see a lot of
       information about you as a user. For instance, here's just the
       first few lines of output from the 'w' command on cosmic.voyage:
       
       USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
       tomasino pts/0    98.22.17.30-     08:27    1.00s  0.09s  0.00s tmux -u2 attach
       
        Well lookie there... my IP address. Depending on my threat model,
        that may not be something I want to leave lying around everywhere
        I go, since it can be traced back to me so easily. So let's look at
        one small way we can incrementally help stay anonymous.
       
       PART ONE: tor on the server
       
        I've covered this process in the past [1] to show how easy it is
        to set up gopher over tor. Let's review the basics again anyway.
 (DIR) [1] gopher.black on tor
       
       You'll need to:
           - Install tor
           - Configure tor
           - Start tor
           - Find your hostname
       
       
       Step 1: Install tor
       
        Check out the install instructions on the tor website. In most
        cases it's as simple as:
       
           sudo apt install tor
       
       Step 2: Configure tor
       
       Everything you need to configure in tor is located at
       /etc/tor/torrc. Edit that file and search for HiddenServiceDir.
        Uncomment or add lines as follows:
        
            HiddenServiceDir /var/lib/tor/hidden_service/
            HiddenServicePort 22 127.0.0.1:22
       
        The first line is where your hidden service will store all its
        secrets, like the private key it's going to auto-generate for you.
        We'll look there in a minute to find the hostname. NOTE: the
        /hidden_service/ part of the directory path is changeable. If you
        want to run multiple different tor services by different names,
        you can add more of these blocks and change that /hidden_service/
        to something else, like /pants/ or /web/. A corresponding folder
        will be created automatically when you run tor.
       
       The HiddenServicePort line maps tor's port to your system's port.
       If you are running ssh on port 22, this is what you'll need. NOTE:
       Running ssh on another port does not add any tangible security,
       but can help avoid log spam from bots that hammer at port 22.
       
       Step 3: Start tor
       
           sudo service tor start # linuxy style
           rcctl enable tor && rcctl start tor # openbsd style
       
       Step 4: Find your hostname
       
       As a super-user, browse to the directory listed in
       HiddenServiceDir and you will see two files, a private key and
       a hostname. View the hostname file and you'll see your public
       onion address. Copy that for later. The private key is something
       you may want to back up if you want to use this onion address
       safely in the future. If you lose the private key you will not be
       able to run tor at that onion address anymore. The generation of
       onion addresses can be done more creatively using tools like
       Eschalot to hash millions of possible onion addresses until you
       find a pattern that matches what you like. For instance,
       tilde.black has the onion address:
       
           tdblackjcbw5kc46.onion
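        As an added example (not part of the original post), here is a small
        Python script that reads a torrc like the one above, groups the
        HiddenServiceDir and HiddenServicePort lines into services the way tor
        does, and flags any target that is not on the loopback interface, since
        tor hands the decrypted connection to that target in the clear. The
        torrc text below is constructed for the example, using the post's
        /var/lib/tor paths and the /web/ variant it mentions.

```python
# Constructed torrc fragment in the shape of the post's configuration, plus a
# second service (the "/web/" variant the post mentions) with one deliberately
# non-loopback target so that the check below has something to report.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/web/
HiddenServicePort 80 127.0.0.1:80
# gopher served from another box on the LAN
HiddenServicePort 70 192.168.1.20:70
"""

def parse_torrc(text):
    """Return {HiddenServiceDir: [(virtual_port, target_host, target_port), ...]}.
    A HiddenServicePort line belongs to the most recent HiddenServiceDir, as in
    tor; only host:port targets are handled here (no unix sockets), and a
    missing target defaults to 127.0.0.1:VIRTPORT as it does in tor."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "HiddenServiceDir":
            current = value
            services[current] = []
        elif key == "HiddenServicePort":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            virt, _, target = value.partition(" ")
            host, _, port = target.strip().rpartition(":")
            services[current].append((int(virt), host or "127.0.0.1", int(port or virt)))
    return services

def check_targets(services):
    """Flag targets off the loopback interface: tor terminates the onion circuit
    and connects onward in the clear, so such a hop crosses the LAN unencrypted."""
    warnings = []
    for hs_dir, ports in services.items():
        for virt, host, port in ports:
            if not (host.startswith("127.") or host in ("localhost", "::1")):
                warnings.append(f"{hs_dir}: port {virt} -> {host}:{port} leaves loopback")
    return warnings

if __name__ == "__main__":
    # On the server, feed it open("/etc/tor/torrc").read() instead of the sample.
    for warning in check_targets(parse_torrc(SAMPLE_TORRC)):
        print("WARNING:", warning)
```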
       
       PART TWO: tor on the client
       
        In order to ssh over tor, we'll need some way to make our terminal
        session or a terminal command run over the tor network. My
        favorite way to do this is with a program called 'torsocks'. This
        utility pushes a single command or an entire shell through a socks
        proxy to your tor connection. Since torsocks only wraps commands
        and hands their connections to a SOCKS proxy, we'll need to do a
        couple of things to get it to work.
       
       You'll need to:
           - Install tor
           - Configure tor
           - Install torsocks
           - Configure torsocks
           - Start tor & torsocks
           - ssh
       
       Step 1: Install tor
       
       Just like on the server you'll need to install tor on your local
       machine. Read up on the tor website to see which method works best
       for your operating system. It's probably a one-liner.
       
       Step 2: Configure tor
       
       We need to configure our local tor differently than we did the
       server. We don't need any hidden services this time, but we do
       need to allow local connections to use it as a SOCKS proxy. Here's
       the key lines you'll need to uncomment, change, or add:
       
           SOCKSPort 9050
           SOCKSPolicy accept 192.168.0.0/16
           SOCKSPolicy accept6 FC00::/7
           ControlPort 9051
           CookieAuthentication 1
       
       Step 3: Install torsocks
       
           sudo apt install torsocks # linux
           pkg_add torsocks # openbsd
           brew install torsocks # probably works on osx?
       
       Step 4: Configure torsocks
       
       To be honest, I don't remember if this is required or if it comes
       like this out of the box. Edit the file /etc/tor/torsocks.conf and
       verify that the following lines are present and not commented out:
       
           TorAddress 127.0.0.1
           TorPort 9050
       
       Step 5: Start tor & torsocks
       
       Now that everything is all configured, whenever you want to run
       torsocks you'll need to first start tor in another terminal or
       tmux pane. Running tor is as easy as typing:
       
           $ tor
       
       You'll get some interesting output before it eventually says 100%
       bootstrapped. That means you're up and running. Now in your other
       terminal window you can start the torsocks proxy connection like
       so:
       
           $ . torsocks on
       
       This will respond back with: "Tor mode activated. Every command
       will be torified for this shell." And that's exactly it. You
       should be fully running now and able to try your ssh connection.
       
       Step 6: ssh
       
           $ ssh buffalo@tdblackjcbw5kc46.onion -p 1337
       
       A connection like above will try to connect to ssh on port 1337
       over tor using the user "buffalo". I'm using tilde.black's tor
       address as an example.
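        To show what torsocks does underneath, here is an added Python example
        (not from the post) that performs the SOCKS5 exchange a torified client
        sends to the local SOCKSPort 9050 configured in step 2: the .onion name
        goes to tor as a domain-name address (type 0x03), so no DNS lookup ever
        leaves the machine. It assumes a bootstrapped local tor at the
        TorAddress/TorPort from step 4, and note that the post's 16-character
        address is a v2 onion, which current tor releases no longer serve, so
        substitute a 56-character v3 address when running it yourself.

```python
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # TorAddress / TorPort from torsocks.conf above

def socks5_greeting():
    """Version 5, offering one auth method: 0x00, no authentication."""
    return b"\x05\x01\x00"

def socks5_connect_request(host, port):
    """Build a CONNECT request for host:port. The name is sent as address type
    0x03 (domain name) so that tor resolves it. Looking up a .onion name in
    DNS would fail and, worse, tell your resolver where you are going, which
    is why torsocks intercepts name resolution inside the wrapped program."""
    name = host.encode("ascii")   # onion names are plain ASCII
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length not representable in SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_socks5_reply(data):
    """Return the reply code from a SOCKS5 CONNECT reply (0 means succeeded).
    Tor answers a non-zero code for unknown or unreachable onion services."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return data[1]

def connect_via_tor(host, port, proxy=TOR_SOCKS):
    """Open a TCP stream to host:port through the local tor SOCKS port and
    return the socket; the caller can then speak SSH (or anything) over it."""
    s = socket.create_connection(proxy, timeout=60)
    s.sendall(socks5_greeting())
    if s.recv(2) != b"\x05\x00":
        s.close()
        raise OSError("tor rejected the no-authentication method")
    s.sendall(socks5_connect_request(host, port))
    reply = s.recv(262)   # longest possible reply: 4 + 1 + 255 + 2 bytes
    if parse_socks5_reply(reply) != 0:
        s.close()
        raise OSError(f"tor could not reach {host}:{port}, reply code {reply[1]}")
    return s

if __name__ == "__main__":
    # Reads the SSH banner through tor from the post's example onion address
    # on port 22, the port the HiddenServicePort line in part one exposes.
    s = connect_via_tor("tdblackjcbw5kc46.onion", 22)
    print(s.recv(64).decode(errors="replace").strip())
    s.close()
```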
       
        So give it a try and let me know if it worked for you!