[[TOC(noheading, depth=4)]]

= Torifying SSH =

Secure Shell (SSH) is an encrypted network protocol for using network services securely over an unsecured network. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leaks), the full functionality of SSH can be anonymized.

=== Torifying SSH on Windows ===

The recommended way for Windows users to torify SSH is to use PuTTY. Download and configuration instructions can be found [wiki:doc/TorifyHOWTO/Putty here].
=== Torifying SSH on *NIX / MacOS ===

'''Warning:''' `ssh some.host` will '''leak your UNIX username''' (your local login name is sent to the server as the remote user). If you do `ssh theloginyouwant@some.host` it will '''not''' leak your username. That is why we suggest using non-identifying usernames on your machines, to prevent such leaks in the first place.

Using SSH inside Whonix should be safe.
==== Option 1: Using torsocks ====

More plentiful and current information on torsocks can be found [https://trac.torproject.org/projects/tor/wiki/doc/torsocks here].

To use SSH with torsocks, simply use the command:

`torsocks ssh loginname@example.com`

You may want to add an alias like so:

{{{
alias ssh-tor='torsocks ssh'
}}}
==== Option 2: Using netcat-openbsd ====

{{{netcat-openbsd}}} (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading from and writing to TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.

When using netcat-openbsd, you can use the ssh {{{ProxyCommand}}} option ({{{-X 5}}} selects SOCKS5, so the hostname is handed to Tor for resolution instead of being resolved locally):

{{{
ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" <target_host>
}}}

To do it on a per-host basis, edit your ~/.ssh/config to look something like this:

{{{
host example.com
    user bar
    port 22
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
}}}

Then you can just do {{{ssh example.com}}} and it will be torified.

If preferred, it is possible to make an alias for this and place it in your {{{~/.bashrc}}} or {{{~/.bash_profile}}} like so:

{{{
alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p"'
}}}

or

{{{
# This variant needs Ncat (from nmap), which provides --proxy/--proxy-type; netcat-openbsd does not.
# SOCKS4 takes an IP address, so the hostname is first resolved over Tor (torsocks + dig over TCP).
alias ssh-tor='ssh -o "ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type socks4 $(torsocks dig @213.73.91.35 +tcp +short %h | head -n 1) %p"'
}}}

Then you can simply issue the command {{{ssh-tor example.com}}}.

OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or ssh will try to resolve the hostname before it invokes your ProxyCommand, creating a leak. To make sure this doesn't happen, pass {{{-o VerifyHostKeyDNS=no}}} on your ssh command line.

A good command for checking for DNS leakage is

{{{
tcpdump -vvvv -i <your_device> dst port 53
}}}

Any query it shows while you connect is a DNS lookup that left your machine outside Tor.
==== Option 3: Using connect-proxy ====

Add this to your ssh config file (`~/.ssh/config`):

{{{
host *-tor
    CheckHostIP no
    Compression yes
    Protocol 2
    # connect -4 speaks SOCKS4, which needs an IP, so %h is resolved through Tor by tor-resolve first
    ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p
}}}

Then add a `-tor` to the server name on the command line when you want to use tor. E.g., if your ssh config file has:

{{{
host whitehouse*
    hostname whitehouse.gov
    user trump
}}}

you would run `ssh whitehouse-tor` to access that host over tor, or simply `ssh whitehouse` to go direct without tor.
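Pulling the warnings in this section together (the username leak, a SOCKS4 ProxyCommand that resolves the hostname locally, and VerifyHostKeyDNS), here is an added example that is not part of this wiki page or of any tool it describes: a small Python lint for the Host blocks of an ssh config that route through Tor's SOCKS port. The sample config, the check names and the finding texts are all constructed for it.

```python
"""Lint ssh_config Host blocks that go through Tor's SOCKS port for the leak vectors above."""
import re

SAMPLE_CONFIG = """
Host *-tor
    User bar
    CheckHostIP no
    VerifyHostKeyDNS no
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

Host leaky
    VerifyHostKeyDNS yes
    ProxyCommand nc -X 4 -x 127.0.0.1:9050 %h %p
"""

# SOCKS4 forms of netcat-openbsd, Ncat and connect-proxy; SOCKS4 carries an IP, not a name,
# so the client resolves %h itself unless resolution is handed to Tor (tor-resolve/torsocks).
SOCKS4 = re.compile(r"(-X\s*4\b|--proxy-type\s+socks4\b|\bconnect\s+-4\b)")
TOR_SIDE_RESOLVE = re.compile(r"\b(tor-resolve|torsocks)\b")

def parse_ssh_config(text):
    """Return [(host_pattern, {lowercased key: value})] in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        m = re.match(r"([^\s=]*)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            blocks.append((value, {}))
        elif blocks:
            blocks[-1][1][key] = value
    return blocks

def lint_block(opts):
    """Findings for one block; an empty list means no leak vector was found."""
    pc = opts.get("proxycommand", "")
    if "9050" not in pc:                     # not routed through Tor: out of scope
        return []
    findings = []
    if SOCKS4.search(pc) and not TOR_SIDE_RESOLVE.search(pc):
        findings.append("SOCKS4 ProxyCommand resolves %h locally (DNS leak)")
    if opts.get("verifyhostkeydns", "no").lower() != "no":
        findings.append("VerifyHostKeyDNS on: SSHFP lookup runs before ProxyCommand")
    if "user" not in opts:
        findings.append("no User: local login name is sent unless given as user@host")
    return findings

def lint_config(text):
    return {host: lint_block(opts) for host, opts in parse_ssh_config(text)}
```

Run it against your own file with `lint_config(open(os.path.expanduser("~/.ssh/config")).read())`; hosts without a Tor ProxyCommand are skipped, so a direct-only block never produces findings.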