ssh over Tor to remote debian box [Radical Tech'...

https://skytal.es/docs/tips/ssh_over_tor_to_remote...

Radical Tech's Documentation

sudo apt-get install anarchy

ssh over Tor to remote debian box

There might be a case when you need to ssh to a box in an anonymous way. Either the box is under heavy
surveillance or you are under surveillance or this box is doing something nasty.
We'll see how it's possible to ssh to the box in a secure and anonymous way, using ssh over tor. We assume we don't
want to login to this remote box with our real IP not a single time. Finally, we'll see how to set up an ssh hidden
service.

Create ssh keypair

We'll use public key to ssh to remote box.
#ssh-keygen -t rsa -b 4096 -C "comment"

comment might be user@remotebox. Also you'd better use a password to keep safe you private key. After that, two
files should be created in ~/.ssh/ . An id_rsa and an id_rsa.pub. You can rename them as you like. Make sure
id_rsa(the private key) is readable only by your user.

Install Tor at you local box

Add this line to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main

where you put the codename of your distribution (i.e. squeeze, wheezy, sid ) in place of <DISTRIBUTION>.
#gpg --keyserver keys.gnupg.net --recv 886DDD89
#gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add #apt-get update
#apt-get install deb.torproject.org-keyring
#apt-get install tor

more : https://www.torproject.org/docs/debian.html.en [https://www.torproject.org/docs/debian.html.en]

Note : This is different from Tor Browser Bundle. Tor Browser is the common way to use Tor to browse internet.
Although it's handsome and easy, Tor Browser Bundle isn't appropriate for what we want. Instead, installing Tor as
described above, gives you Tor running as daemon client at your system.

Install connect-proxy
#apt-get install connect-proxy

we'll need it later on.

1 of 3

12/03/2015 05:25 AM

ssh over Tor to remote debian box [Radical Tech'...

https://skytal.es/docs/tips/ssh_over_tor_to_remote...

Configure ssh to use Tor for specific host

Edit ~/.ssh/config and add the following lines according to the details of your box :
Host alias
Hostname IpAddressOfTheBox
User Username
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa
Port PortNumber
CheckHostIP no
Compression yes
Protocol 2
ProxyCommand connect -4 -S 127.0.0.1:9050 $(tor-resolve %h 127.0.0.1:9050) %p
ServerAliveInterval 60

alias is just a shortcut name or alias you can use with the ssh command.

Upload you public ssh key to remote box

#scp .ssh/id_rsa.pub alias:
#ssh alias "mkdir .ssh; cat id_rsa.pub >> .ssh/authorized_keys"

verify correct permissions are set to .ssh directory and key file.

Disable password ssh login

Since you logged in remote box you can disable password option for little extra security. Edit /etc/ssh/sshd_config :
PasswordAuthentication no

and restart ssh daemon.

How about ssh as Tor hidden service ?

We've successfully logged in our remote box using tor. Let's take some steps further. We can configure our remote
box to have an ssh hidden service. The advantages of a hidden service is that it's slightly more secure. In the case of
a hidden service, data flows encrypted end-to-end and doesn't leave Tor network. There is no need for exit nodes
thus mitigating the risk of malicious nodes executing mitm attacks. What's more, hidden service's architecture hides
the server. Sysadmin could potentially disable ssh over ordinary internet and let it only as hidden service.

Install Tor at remote box

Just follow the same steps as your local box, described previously.

ssh as hidden service

Setting up hidden services for Tor is really straightforward. We need to edit /etc/tor/torrc and scroll down to Hidden
Services' section. Commenting out and modifying appropriately the following lines :
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 0.0.0.0:22

2 of 3

12/03/2015 05:25 AM

ssh over Tor to remote debian box [Radical Tech'...

https://skytal.es/docs/tips/ssh_over_tor_to_remote...

In the first statement we just set the directory under which all the necessary files of the hidden service will reside.
With the second statement we first configure the virtual port our hidden service will listen, in the example it's 22 and
secondly we declare the real socket the application listens to. In the example the ssh in our remote box listens to
0.0.0.0:22.
We can examine the applications and their listening ports by giving
#nestat -ntpl

If we want our remote box have ssh only as hidden service, then we might change /etc/ssh/sshd_config to listen to
localhost and then /etc/tor/torrc .
HiddenServicePort 22 127.0.0.1:22

Then we restart tor daemon so as our modifications take effect:

#/etc/init.d/tor restart

Find the onion address

After tor daemon is restarted we can grab the address of our hidden service:
#cat /var/lib/tor/hidden_service/hostname

It will be something like

ieadib3i6xtc7w4b.onion

So at last, you can modify your ~/.ssh/config and use that onion address to ssh to your box. Also mind the change in
ProxyCommand.
Host alias
Hostname someaddress.onion
IdentitiesOnly yes
IdentityFile ~/.ssh/id_rsa
Port PortNumber
CheckHostIP no
Compression yes
Protocol 2
ProxyCommand connect -4 -R remote -S 127.0.0.1:9050 %h %p
ServerAliveInterval 60

tips/ssh_over_tor_to_remote_debian_box.txt Last modified: 28/03/2015 16:05 by luigi

3 of 3

12/03/2015 05:25 AM