Changes

Page history
Raw import from Trac using Trac markup language. authored by Alexander Hansen Færøy's avatar Alexander Hansen Færøy
Show whitespace changes
Inline Side-by-side
doc/TorifyHOWTO/ssh.md 0 → 100644
View page @ 53a16e3a
[[TOC(noheading, depth=4)]]
= Torifying SSH =
Secure Shell (SSH) is an encrypted network protocol for utilizing network services securely over an unsecured network. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leakage), the full functionality of SSH can be anonymized.
=== Torifying SSH on Windows ===
The recommended methodology for Windows users to torify SSH is by utilising PuTTY. The page outlining where to download it as well as configuration can be found [wiki:doc/TorifyHOWTO/Putty here].
=== Torifying SSH on *NIX / MacOS ===
'''Warning:''' 'ssh some.host' will '''leak your UNIX username'''. If you do 'ssh theloginyouwant@some.host' it will '''not''' leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place.
Using SSH inside Whonix should be safe.
==== Option 1: Using torsocks ====
More plentiful and current information on torsocks can be found [https://trac.torproject.org/projects/tor/wiki/doc/torsocks here].
To use SSH with torsocks, simply use the command:
`torsocks ssh loginname@example.com`
you may want to add an alias like so:
{{{
alias ssh-tor='torsocks ssh'
}}}
==== Option 2: Using netcat-openbsd ====
{{{netcat-openbsd}}} (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading or writing from TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.
When using netcat-openbsd, you can use the ssh {{{ProxyCommand}}} option:
{{{
ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" <target_host>
}}}
To do it on a per-host basis, edit your ~/.ssh/config to look something like this:
{{{
host example.com
user bar
port 22
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
}}}
Then you can just do {{{ssh example.com}}} and it will be torified.
If preferred, it is possible to make an alias for this and place it in your {{{~/.bash_rc}}}
or {{{~/.bash_profile}}} like so:
{{{
alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p"'
or
alias ssh-tor='ssh -o "ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type
socks4 $(torsocks dig @213.73.91.35 +tcp +short %h | head -n 1) %p"'
}}}
Then you can simply issue the command {{{ssh-tor example.com}}}.
OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and creates a leak. To make sure this doesn't happen, pass {{{-o VerifyHostKeyDNS=no}}} on your ssh command line.
A good command for checking for DNS leakage is
{{{
tcpdump -vvvv -i <your_device> dst port 53
}}}
==== Option 3: Using connect-proxy ====
Add this to your ssh config file (`~/.ssh/config`):
{{{
host *-tor
CheckHostIP no
Compression yes
Protocol 2
ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050)
%p
}}}
Then add a `-tor` to the server name on the commandline when you want to use tor. E.g., if your ssh config file has:
{{{
host whitehouse*
hostname whitehouse.gov
user trump
}}}
you would run `ssh whitehouse-tor` to access that host over tor, or simply `ssh whitehouse` to go direct without tor.
\ No newline at end of file