Secure Shell (SSH) is an encrypted network protocol for utilizing network services securely over an unsecured network. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leakage), the full functionality of SSH can be anonymized.
Torifying SSH on Windows
The recommended methodology for Windows users to torify SSH is by utilising PuTTY. The page outlining where to download it as well as configuration can be found here.
Torifying SSH on *NIX / MacOS
Warning: 'ssh some.host' will leak your UNIX username. If you do 'ssh firstname.lastname@example.org' it will not leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place.
Using SSH inside Whonix should be safe.
Option 1: Using torsocks
More plentiful and current information on torsocks can be found here.
To use SSH with torsocks, simply use the command:
torsocks ssh email@example.com
you may want to add an alias like so:
alias ssh-tor='torsocks ssh'
Option 2: Using netcat-openbsd
netcat-openbsd (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading or writing from TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.
When using netcat-openbsd, you can use the ssh
ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" <target_host>
To do it on a per-host basis, edit your ~/.ssh/config to look something like this:
host example.com user bar port 22 ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
Then you can just do
ssh example.com and it will be torified.
If preferred, it is possible to make an alias for this and place it in your
~/.bash_profile like so:
alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p"' or alias ssh-tor='ssh -o "ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type socks4 $(torsocks dig @220.127.116.11 +tcp +short %h | head -n 1) %p"'
Then you can simply issue the command
OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and creates a leak. To make sure this doesn't happen, pass
-o VerifyHostKeyDNS=no on your ssh command line.
A good command for checking for DNS leakage is
tcpdump -vvvv -i <your_device> dst port 53
Option 3: Using connect-proxy
Add this to your ssh config file (
host *-tor CheckHostIP no Compression yes Protocol 2 ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p
Then add a
-tor to the server name on the commandline when you want to use tor. E.g., if your ssh config file has:
host whitehouse* hostname whitehouse.gov user trump
you would run
ssh whitehouse-tor to access that host over tor, or simply
ssh whitehouse to go direct without tor.