----------------------------------------
ssh over tor
April 20th, 2019
----------------------------------------
My upcoming tilde server, tilde.black, is going to be focused on
privacy, anonymity, and security. As part of that effort the tilde
itself is a playground for activities and code that supports those
efforts. One example of this is connecting to the server over tor.
As described in a LifeHacker article [0]:

[0] LifeHacker article
  Tor is short for The Onion Router (thus the logo) and was
  initially a worldwide network of servers developed with the
  U.S. Navy that enabled people to browse the internet
  anonymously. Now, it's a non-profit organization whose main
  purpose is the research and development of online privacy
  tools.

  The Tor network disguises your identity by moving your traffic
  across different Tor servers, and encrypting that traffic so
  it isn't traced back to you. Anyone who tries would see
  traffic coming from random nodes on the Tor network, rather
  than your computer.
We have tor running on tilde.black and some services are offered
there directly as "onion services". You can browse the website by
using a tor browser and going to http://tdblackjcbw5kc46.onion. Or
you can view the gopher site at gopher://tdblackjcbw5kc46.onion.
Finally, you can ssh to the machine at tdblackjcbw5kc46.onion
instead of tilde.black.

(Some people may note that the web link protocol above is
HTTP, not HTTPS. Onion sites are already end-to-end encrypted
and get no benefit from HTTPS beyond publishing their
identity, which in many cases is contrary to the goals of
having an onion site. Browsing non-onion sites on tor is still
best done with HTTPS, though, because all traffic from an exit
node to that server will need some method of encryption.)
So why might we want to use tor to ssh? Anonymity of course! When
you log into a shared system other users can see a lot of
information about you as a user. For instance, here's just the
first few lines of output from the 'w' command on cosmic.voyage:

    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
    tomasino pts/0    98.22.17.30-      08:27    1.00s  0.09s  0.00s tmux -u2 attach

Well lookie there... my IP address. Depending on my threat model,
that may not be something I want to leave lying around everywhere
I go since it can be traced back to me so easily. So let's look at
one small way we can incrementally help stay anonymous.
PART ONE: tor on the server

I've covered this process in the past [1] to show how easy it is
to set up gopher over tor. Let's review the basics again anyway.

[1] gopher.black on tor

You'll need to:

- Install tor
- Configure tor
- Start tor
- Find your hostname

Step 1: Install tor

Check out the install instructions on the tor website. In most
cases it's as simple as:

    sudo apt install tor

Step 2: Configure tor

Everything you need to configure in tor is located at
/etc/tor/torrc. Edit that file and search for HiddenServiceDir.
Uncomment or add lines as follows:

    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 22 127.0.0.1:22

The first line is where your hidden service will store all its
secrets, like the private key it's going to auto-generate for you.
We'll look there in a minute to find the hostname. NOTE: the
/hidden_service/ part of the directory path is changeable. If you
want to run multiple different tor services by different names,
you can add more of these blocks and change that /hidden_service/
to something else, like /pants/ or /web/. A corresponding folder
will be created automatically when you run tor.

The HiddenServicePort line maps tor's port to your system's port.
If you are running ssh on port 22, this is what you'll need. NOTE:
Running ssh on another port does not add any tangible security,
but can help avoid log spam from bots that hammer at port 22.

Step 3: Start tor

    sudo service tor start                # linuxy style
    rcctl enable tor && rcctl start tor   # openbsd style

Step 4: Find your hostname

As a super-user, browse to the directory listed in
HiddenServiceDir and you will see two files, a private key and
a hostname. View the hostname file and you'll see your public
onion address. Copy that for later. The private key is something
you may want to back up if you want to use this onion address
safely in the future. If you lose the private key you will not be
able to run tor at that onion address anymore. The generation of
onion addresses can be done more creatively using tools like
Eschalot to hash millions of possible onion addresses until you
find a pattern that matches what you like. For instance,
tilde.black has the onion address:

    tdblackjcbw5kc46.onion
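As an added example (not code from the original post), here is a small Python helper that automates Step 2 and Step 4: it adds the HiddenServiceDir/HiddenServicePort block to a torrc only when no active copy is already there, reads the hostname file once tor has written it, and checks that the service directory is private, which tor insists on before it will start. The function names, the permission check and the v2/v3 address classification are my own additions.

```python
import os
import re
import stat
from pathlib import Path

# Constructed helpers, not part of the original post or of tor itself.

def ensure_hidden_service(torrc, service_dir, virt_port=22, target="127.0.0.1:22"):
    """Append the two-line hidden service block unless both lines are already
    active in torrc. Returns True when the file was changed."""
    torrc = Path(torrc)
    dir_line = f"HiddenServiceDir {service_dir}"
    port_line = f"HiddenServicePort {virt_port} {target}"
    text = torrc.read_text() if torrc.exists() else ""
    # A '#HiddenServiceDir ...' line is still commented out, so it does not count.
    active = [ln.strip() for ln in text.splitlines() if not ln.lstrip().startswith("#")]
    if dir_line in active and port_line in active:
        return False
    torrc.write_text(text + f"\n{dir_line}\n{port_line}\n")
    return True

# 16 base32 chars = v2 address (the kind shown on this page, April 2019);
# 56 base32 chars = v3 address, which is what current tor releases generate.
ONION_RE = re.compile(r"^([a-z2-7]{16}|[a-z2-7]{56})\.onion$")

def onion_version(hostname):
    """Return 2 or 3 for a well-formed onion hostname, None otherwise."""
    m = ONION_RE.match(hostname.strip())
    if not m:
        return None
    return 2 if len(m.group(1)) == 16 else 3

def read_onion_hostname(service_dir):
    """Return the address tor wrote to <HiddenServiceDir>/hostname, or None if
    tor has not created it yet (for example because tor was never started)."""
    path = Path(service_dir) / "hostname"
    if not path.exists():
        return None
    host = path.read_text().strip()
    return host if onion_version(host) else None

def check_service_dir_perms(service_dir):
    """Tor refuses to use a HiddenServiceDir readable by group or others
    (it expects mode 0700); report whether the directory passes that check."""
    mode = stat.S_IMODE(os.stat(service_dir).st_mode)
    return (mode & 0o077) == 0
```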
PART TWO: tor on the client

In order to ssh over tor, we'll need some way to make our terminal
session or a terminal command run over the tor network. My
favorite way to do this is with a program called 'torsocks'. This
utility pushes a single command or an entire shell through a socks
proxy to your tor connection. Since torsocks relies on that socks
proxy, we'll need to do a couple of things to get it to work.

You'll need to:

- Install tor
- Configure tor
- Install torsocks
- Configure torsocks
- Start tor & torsocks
- ssh

Step 1: Install tor

Just like on the server you'll need to install tor on your local
machine. Read up on the tor website to see which method works best
for your operating system. It's probably a one-liner.

Step 2: Configure tor

We need to configure our local tor differently than we did the
server. We don't need any hidden services this time, but we do
need to allow local connections to use it as a SOCKS proxy. Here
are the key lines you'll need to uncomment, change, or add:

    SOCKSPort 9050
    SOCKSPolicy accept 192.168.0.0/16
    SOCKSPolicy accept6 FC00::/7
    ControlPort 9051
    CookieAuthentication 1

Step 3: Install torsocks

    sudo apt install torsocks    # linux
    pkg_add torsocks             # openbsd
    brew install torsocks        # probably works on osx?
Step 4: Configure torsocks

To be honest, I don't remember if this is required or if it comes
like this out of the box. Edit the file /etc/tor/torsocks.conf and
verify that the following lines are present and not commented out:

    TorAddress 127.0.0.1
    TorPort 9050

Step 5: Start tor & torsocks

Now that everything is all configured, whenever you want to run
torsocks you'll need to first start tor in another terminal or
tmux pane. Running tor is as easy as typing:

    $ tor

You'll get some interesting output before it eventually says 100%
bootstrapped. That means you're up and running. Now in your other
terminal window you can start the torsocks proxy connection like
so:

    $ . torsocks on

This will respond back with: "Tor mode activated. Every command
will be torified for this shell." And that's exactly it. You
should be fully running now and able to try your ssh connection.

Step 6: ssh

    $ ssh buffalo@tdblackjcbw5kc46.onion -p 1337

A connection like above will try to connect to ssh on port 1337
over tor using the user "buffalo". I'm using tilde.black's tor
address as an example.

So give it a try and let me know if it worked for you!
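As an added example rather than anything from the post or from torsocks, the Python below reproduces what torsocks does for ssh under the hood: a SOCKS5 CONNECT to the local tor on port 9050 that hands the .onion name to tor unresolved (so no local DNS lookup can leak it) and then reads back the server's SSH banner, which is a quick way to confirm the client side works before trying ssh itself. The proxy address, function names and timeout are assumptions, and the last function needs a running local tor.

```python
import socket
import struct

# Added example, not code from the original post or torsocks: the SOCKS5
# exchange torsocks performs for ssh, aimed at the local tor from Step 2
# and Step 4 above. Names and defaults are constructed for this example.
TOR_SOCKS = ("127.0.0.1", 9050)   # must match SOCKSPort / TorPort

REPLY = {0: "succeeded", 1: "general SOCKS server failure",
         2: "connection not allowed by ruleset", 3: "network unreachable",
         4: "host unreachable", 5: "connection refused", 6: "TTL expired",
         7: "command not supported", 8: "address type not supported"}

def build_connect_request(host, port):
    """CONNECT with ATYP 0x03 (DOMAINNAME): the .onion name is sent to tor
    as a name, so the client never tries to resolve it through DNS."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256 or not 0 < port < 65536:
        raise ValueError("hostname must be 1-255 bytes, port 1-65535")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def parse_reply(hdr):
    """Decode the 4-byte reply header VER REP RSV ATYP -> (ok, reason, atyp)."""
    if len(hdr) < 4 or hdr[0] != 5:
        return False, "not a SOCKS5 reply", None
    return hdr[1] == 0, REPLY.get(hdr[1], f"unknown code {hdr[1]}"), hdr[3]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection")
        buf += chunk
    return buf

def ssh_banner_over_tor(host, port=22, proxy=TOR_SOCKS, timeout=90):
    """Connect to host:port through tor and return the server's SSH banner.
    Building a circuit to an onion service can take a while, hence the timeout."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")            # greeting: v5, one method, no auth
        if _recv_exact(s, 2) != b"\x05\x00":
            raise OSError("tor did not accept the no-auth method")
        s.sendall(build_connect_request(host, port))
        ok, why, atyp = parse_reply(_recv_exact(s, 4))
        if not ok:
            raise OSError(f"tor CONNECT to {host}:{port} failed: {why}")
        if atyp == 3:                         # BND.ADDR is a length-prefixed name
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        else:                                 # IPv4 (4) or IPv6 (16) plus BND.PORT
            _recv_exact(s, {1: 4, 4: 16}[atyp] + 2)
        return s.makefile("rb").readline().decode(errors="replace").strip()
```

Calling `ssh_banner_over_tor("tdblackjcbw5kc46.onion", 1337)` with tor bootstrapped should return a line beginning with "SSH-"; any other result points at the local tor or torsocks configuration rather than at ssh.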