----------------------------------------
ssh over tor
April 20th, 2019
----------------------------------------
My upcoming tilde server, tilde.black, is going to be focused on
privacy, anonymity, and security. As part of that effort the tilde
itself is a playground for activities and code that support those
efforts. One example of this is connecting to the server over tor.
As described in a LifeHacker article [0]:
[0] LifeHacker article
Tor is short for The Onion Router (thus the logo) and was
initially a worldwide network of servers developed with the
U.S. Navy that enabled people to browse the internet
anonymously. Now, it's a non-profit organization whose main
purpose is the research and development of online privacy
tools.
The Tor network disguises your identity by moving your traffic
across different Tor servers, and encrypting that traffic so
it isn't traced back to you. Anyone who tries would see
traffic coming from random nodes on the Tor network, rather
than your computer.
We have tor running on tilde.black and some services are offered
there directly as "onion services". You can browse the website by
using a tor browser and going to http://tdblackjcbw5kc46.onion. Or
you can view the gopher site at gopher://tdblackjcbw5kc46.onion.
Finally, you can ssh to the machine at tdblackjcbw5kc46.onion
instead of tilde.black.
(Some people may note that the web link protocol above is
HTTP, not HTTPS. Onion sites are already end-to-end encrypted
and get no benefit from HTTPS beyond publishing their
identity, which in many cases is contrary to the goals of
having an onion site. Browsing non-onion sites on tor is still
best done with HTTPS, though, because all traffic from an exit
node to that server will need some method of encryption.)
So why might we want to use tor to ssh? Anonymity of course! When
you log into a shared system other users can see a lot of
information about you as a user. For instance, here's just the
first few lines of output from the 'w' command on cosmic.voyage:
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
tomasino pts/0 98.22.17.30- 08:27 1.00s 0.09s 0.00s tmux -u2 attach
Well lookie there... my IP address. Depending on my threat model,
that may not be something I want to leave lying around everywhere
I go since it can be traced back to me so easily. So let's look at
one small way we can incrementally help stay anonymous.
PART ONE: tor on the server
I've covered this process in the past [1] to show how easy it is
to set up gopher over tor. Let's review the basics again anyway.
[1] gopher.black on tor
You'll need to:
- Install tor
- Configure tor
- Start tor
- Find your hostname
Step 1: Install tor
Check out the install instructions on the tor website. In most
cases it's as simple as:
sudo apt install tor
Step 2: Configure tor
Everything you need to configure in tor is located at
/etc/tor/torrc. Edit that file and search for HiddenServiceDir.
Uncomment or add lines as follows:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
The first line is where your hidden service will store all its
secrets, like the private key it's going to auto-generate for you.
We'll look there in a minute to find the hostname. NOTE: the
/hidden_service/ part of the directory path is changeable. If you
want to run multiple different tor services under different names,
you can add more of these blocks and change that /hidden_service/
to something else, like /pants/ or /web/. A corresponding folder
will be created automatically when you run tor.
The HiddenServicePort line maps tor's port to your system's port.
If you are running ssh on port 22, this is what you'll need. NOTE:
Running ssh on another port does not add any tangible security,
but can help avoid log spam from bots that hammer at port 22.
Step 3: Start tor
sudo service tor start # linuxy style
rcctl enable tor && rcctl start tor # openbsd style
Step 4: Find your hostname
As a super-user, browse to the directory listed in
HiddenServiceDir and you will see two files, a private key and
a hostname. View the hostname file and you'll see your public
onion address. Copy that for later. The private key is something
you may want to back up if you want to use this onion address
safely in the future. If you lose the private key you will not be
able to run tor at that onion address anymore. The generation of
onion addresses can be done more creatively using tools like
Eschalot to hash millions of possible onion addresses until you
find a pattern that matches what you like. For instance,
tilde.black has the onion address:
tdblackjcbw5kc46.onion
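Here's a small shell helper, added as an example and not part of the
original post, that prints the torrc block for any service name (so a
/pants/ or /web/ service can sit next to /hidden_service/), checks that
the hostname file tor wrote really is an onion address, and copies the
service directory to a backup location with owner-only permissions. The
/var/lib/tor/<name>/ layout is the one above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build the torrc block for a named
# onion service and read back the hostname tor writes, refusing anything that
# does not look like a real onion address. The /var/lib/tor/<name>/ layout
# follows the post; the hostname format (16 or 56 base32 chars + .onion) is tor's.

# Print the two torrc lines for service NAME, forwarding PORT to 127.0.0.1:PORT.
hs_torrc_block() {                  # hs_torrc_block NAME PORT [BASEDIR]
    name=$1; port=$2; base=${3:-/var/lib/tor}
    printf 'HiddenServiceDir %s/%s/\n' "$base" "$name"
    printf 'HiddenServicePort %s 127.0.0.1:%s\n' "$port" "$port"
}

# Print the onion address stored in DIR/hostname, or return 1 with a reason on
# stderr when the file is missing (tor has not run yet) or malformed.
onion_hostname() {                  # onion_hostname DIR
    dir=$1
    if [ ! -r "$dir/hostname" ]; then
        echo "no readable hostname in $dir (has tor been started?)" >&2
        return 1
    fi
    addr=$(head -n 1 "$dir/hostname" | tr -d '[:space:]')
    # v2 addresses are 16 base32 characters, v3 are 56; anything else is suspect.
    if printf '%s\n' "$addr" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$'; then
        printf '%s\n' "$addr"
    else
        echo "malformed onion hostname in $dir: '$addr'" >&2
        return 1
    fi
}

# Copy the service directory (hostname plus the private key) to DEST and strip
# group/other permissions, as a backup of the identity behind the onion address.
onion_backup() {                    # onion_backup DIR DEST
    dir=$1; dest=$2
    onion_hostname "$dir" >/dev/null || return 1
    mkdir -p "$dest" && cp -Rp "$dir"/. "$dest"/ && chmod -R go-rwx "$dest"
}

# When run as a script: emit the config for two services, as in the post.
hs_torrc_block hidden_service 22
hs_torrc_block web 80
```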
PART TWO: tor on the client
In order to ssh over tor, we'll need some way to make our terminal
session or a terminal command run over the tor network. My
favorite way to do this is with a program called 'torsocks'. This
utility pushes a single command or an entire shell through a SOCKS
proxy to your tor connection. Since torsocks is just a SOCKS proxy
wrapper, we'll need to do a couple of things to get it to work.
You'll need to:
- Install tor
- Configure tor
- Install torsocks
- Configure torsocks
- Start tor & torsocks
- ssh
Step 1: Install tor
Just like on the server you'll need to install tor on your local
machine. Read up on the tor website to see which method works best
for your operating system. It's probably a one-liner.
Step 2: Configure tor
We need to configure our local tor differently than we did the
server. We don't need any hidden services this time, but we do
need to allow local connections to use it as a SOCKS proxy. Here are
the key lines you'll need to uncomment, change, or add:
SOCKSPort 9050
SOCKSPolicy accept 192.168.0.0/16
SOCKSPolicy accept6 FC00::/7
ControlPort 9051
CookieAuthentication 1
Step 3: Install torsocks
sudo apt install torsocks # linux
pkg_add torsocks # openbsd
brew install torsocks # probably works on osx?
Step 4: Configure torsocks
To be honest, I don't remember if this is required or if it comes
like this out of the box. Edit the file /etc/tor/torsocks.conf and
verify that the following lines are present and not commented out:
TorAddress 127.0.0.1
TorPort 9050
Step 5: Start tor & torsocks
Now that everything is all configured, whenever you want to run
torsocks you'll need to first start tor in another terminal or
tmux pane. Running tor is as easy as typing:
$ tor
You'll get some interesting output before it eventually says 100%
bootstrapped. That means you're up and running. Now in your other
terminal window you can start the torsocks proxy connection like
so:
$ . torsocks on
This will respond back with: "Tor mode activated. Every command
will be torified for this shell." And that's exactly it. You
should be fully running now and able to try your ssh connection.
Step 6: ssh
$ ssh buffalo@tdblackjcbw5kc46.onion -p 1337
A connection like the one above will try to connect to ssh on port
1337 over tor using the user "buffalo". I'm using tilde.black's tor
address as an example.
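As an added example (not from the original post), here is a shell check
that the torrc from step 2 and the torsocks.conf from step 4 agree
before ssh is tried, plus a wrapper that runs the single-command form of
torsocks and refuses anything that is not an onion address. The file
paths are the ones above; the function names and the 127.0.0.1:9050
expectation are assumptions matching this particular setup.

```shell
#!/bin/sh
# Added example, not from the original post: check that the local torrc and
# torsocks.conf from steps 2 and 4 agree before running the ssh step. The
# default paths are the ones the post uses; both can be overridden.

# Print the value of the first uncommented KEY line in FILE (nothing if absent).
conf_value() {                      # conf_value FILE KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 only when torsocks will talk to the address and port tor listens on.
# SOCKSPort may be written as "9050" or "127.0.0.1:9050"; only the port is compared.
torsocks_matches_tor() {            # torsocks_matches_tor [TORRC] [TORSOCKS_CONF]
    torrc=${1:-/etc/tor/torrc}
    tsconf=${2:-/etc/tor/torsocks.conf}
    socks=$(conf_value "$torrc" SOCKSPort)
    socks=${socks##*:}              # drop an optional address prefix
    taddr=$(conf_value "$tsconf" TorAddress)
    tport=$(conf_value "$tsconf" TorPort)
    if [ -z "$socks" ]; then
        echo "$torrc: no SOCKSPort line, tor is not offering a SOCKS proxy" >&2
        return 1
    fi
    if [ "$taddr" != 127.0.0.1 ]; then
        echo "$tsconf: TorAddress is '$taddr', expected 127.0.0.1" >&2
        return 1
    fi
    if [ "$tport" != "$socks" ]; then
        echo "$tsconf: TorPort '$tport' does not match torrc SOCKSPort $socks" >&2
        return 1
    fi
    return 0
}

# Run the single-command form of torsocks for the ssh step, but only for an
# onion address and only after the config check passes.
onion_ssh() {                       # onion_ssh USER HOST PORT
    case $2 in
        *.onion) ;;
        *) echo "refusing: '$2' is not an onion address" >&2; return 1 ;;
    esac
    torsocks_matches_tor || return 1
    torsocks ssh "$1@$2" -p "$3"
}
```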
So give it a try and let me know it worked for you!