# SSH over Tor

One of the best ways to maintain your anonymity on Tilde Black is to connect to ssh using tor. Your home IP address will be hidden from other users.

## Recommended: ~/.ssh/config

Add something like this in your `~/.ssh/config`:

```
# tilde.black

# create entries like these for all the usernames you want to use:
Host black-aaa
    User aaa

Host black-bbb
    User bbb

Host black*
    Port 2222
    # always connect over Tor
    HostName black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
    VerifyHostKeyDNS no
    # use a key created just for tilde.black
    IdentityFile ~/.ssh/id_black
    # optionally, set a default username
    User ccc
```

Then connect with `ssh black` or `ssh black-<username>`. This way you can never accidentally connect through plain TCP.

Requirements for this to work are that the `tor` daemon is running and netcat (`nc`) is installed.

## Easy Mode

Before trying the rest of this document, you can try the easy mode for ssh over tor:

- Install tor
- Run tor
- `torify ssh <username>@black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion -p 2222`

If that doesn't work for you for any reason, the process below is more explicit and will likely solve your problems.

## Detail Mode

### Overview

In order to ssh over tor, we'll need some way to make our terminal session or a terminal command run over the tor network. My favorite way to do this is with a program called `torsocks`. This utility pushes a single command or an entire shell through a SOCKS proxy to your tor connection. Since `torsocks` only points programs at a SOCKS proxy, that means we'll need to do a couple of things to get it to work.

You'll need to:

- Install tor
- Configure tor
- Install torsocks
- Configure torsocks
- Start tor & torsocks
- ssh

### Step 1: Install tor

Just like on the server, you'll need to install tor on your local machine. Read up on the tor website to see which method works best for your operating system. It's probably a one-liner.

### Step 2: Configure tor

We need to configure our local tor differently than we did the server. We don't need any hidden services this time, but we do need to allow local connections to use it as a SOCKS proxy. Here are the key lines you'll need to uncomment, change, or add:

```
SOCKSPort 9050
SOCKSPolicy accept 192.168.0.0/16
SOCKSPolicy accept6 FC00::/7
ControlPort 9051
CookieAuthentication 1
```

### Step 3: Install torsocks

```
sudo apt install torsocks   # linux
pkg_add torsocks            # openbsd
brew install torsocks       # probably works on osx?
```

### Step 4: Configure torsocks

To be honest, I don't remember if this is required or if it comes like this out of the box. Edit the file `/etc/tor/torsocks.conf` and verify that the following lines are present and not commented out:

```
TorAddress 127.0.0.1
TorPort 9050
```

### Step 5: Start tor & torsocks

Now that everything is configured, whenever you want to run torsocks you'll need to first start tor in another terminal or tmux pane. Running tor is as easy as typing:

```
$ tor
```

You'll get some interesting output before it eventually says 100% bootstrapped. That means you're up and running. Now in your other terminal window you can start the torsocks proxy connection like so:

```
$ . torsocks on
```

This will respond back with: _"Tor mode activated. Every command will be torified for this shell."_ And that's exactly it. You should be fully running now and able to try your ssh connection.

### Step 6: ssh

```
$ ssh <username>@black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion -p 2222
```

### Step 7: Verify fingerprints

The Tilde.Black ssh fingerprints are listed below. Please verify your connection the first time you handshake with the server.

```
2048 SHA256:607+v+LKU8JMu3IBZ5TybQoU/R8kKsamYvtbEnW/LwA [tilde.black]:2222 (RSA)
256 SHA256:9WydxCE5fOFWfrOwZrJEKIm8OFhi+7vt5VsF7CGBDxg [tilde.black]:2222 (ECDSA)
256 SHA256:kCUXtju61+hD0wLZ0lb6OisP2Qf2K7hwyxTSvz5VoFM [tilde.black]:2222 (ED25519)
```
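
As an added example (my code, not part of this page or of tilde.black's own tooling), the following Python does the Step 7 check offline: it recomputes the SHA256 fingerprint of each key that ssh saved to `~/.ssh/known_hosts` after the first connection and compares it with the published list, so a mismatch or a key type the operator never published is flagged instead of being trusted by habit. The host key in it is constructed demo data, not tilde.black's real key, and `demo_blob`, `check_known_hosts` and `fingerprint` are names I chose.

```python
import base64
import hashlib

# Fingerprints published on the page, keyed by the key type ssh writes to known_hosts.
PUBLISHED = {
    "ssh-rsa": "SHA256:607+v+LKU8JMu3IBZ5TybQoU/R8kKsamYvtbEnW/LwA",
    "ecdsa-sha2-nistp256": "SHA256:9WydxCE5fOFWfrOwZrJEKIm8OFhi+7vt5VsF7CGBDxg",
    "ssh-ed25519": "SHA256:kCUXtju61+hD0wLZ0lb6OisP2Qf2K7hwyxTSvz5VoFM",
}

def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: base64 of the digest, no '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_known_hosts(known_hosts: str, published: dict) -> list:
    """Return (host, keytype, fingerprint, verdict) per known_hosts entry. Hashed hosts
    (`|1|...`) work too, since only the key blob is fingerprinted."""
    results = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        host, keytype, b64_key = fields[:3]  # a trailing comment field is optional
        fp = fingerprint(b64_key)
        expected = published.get(keytype)
        if expected is None:
            verdict = "unpublished key type"  # operator never listed this type: do not trust it
        else:
            verdict = "match" if fp == expected else "MISMATCH"
        results.append((host, keytype, fp, verdict))
    return results

def demo_blob(keytype: str, raw: bytes) -> str:
    """Build an OpenSSH wire-format public key blob from constructed bytes.
    Demo data only: `raw` is not a real key and this is NOT tilde.black's host key."""
    parts = [keytype.encode(), raw]
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

# Constructed known_hosts line, shaped like what ssh records after a first connection.
DEMO_KNOWN_HOSTS = "[tilde.black]:2222 ssh-ed25519 " + demo_blob("ssh-ed25519", bytes(range(32)))

if __name__ == "__main__":
    for host, keytype, fp, verdict in check_known_hosts(DEMO_KNOWN_HOSTS, PUBLISHED):
        print(f"{host} {keytype} {fp} -> {verdict}")
```

Run it against your real file with `check_known_hosts(open("~/.ssh/known_hosts").read(), PUBLISHED)` after expanding the path; any line other than `match` for a `[tilde.black]:2222` entry means the recorded key is not the one the operator published.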

### Optional: Configure SSH to Handle .onion Addresses

Adding the following lines to `~/.ssh/config` will allow `ssh(1)` to connect to onion addresses using the Tor daemon's SOCKS proxy:

```
Host *.onion
    ProxyCommand /usr/bin/nc -xlocalhost:9050 -X5 %h %p
```

Now that `ssh(1)` knows how to connect to onion addresses, a convenient shortcut can be added for tilde.black's onion address:

```
Host tilde.black.onion
    HostName black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion
    Port 2222
    <your-normal-configuration>
```

With those two additions `ssh(1)` can connect to tilde.black's onion address through a much more memorable name:

```
ssh user@tilde.black.onion
```

For more information about configuring SSH, see [Configuring SSH](ssh-config.md).