Secure Shell (SSH) is an encrypted network protocol for utilizing network services securely over an unsecured network. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leakage), the full functionality of SSH can be anonymized.
=== Torifying SSH on Windows ===
The recommended methodology for Windows users to torify SSH is by utilising PuTTY. The page outlining where to download it as well as configuration can be found [wiki:doc/TorifyHOWTO/Putty here].
### Torifying SSH on Windows
The recommended methodology for Windows users to torify SSH is by utilising PuTTY. The page outlining where to download it as well as configuration can be found [here](./doc/TorifyHOWTO/Putty).
=== Torifying SSH on *NIX / MacOS ===
'''Warning:''' 'ssh some.host' will '''leak your UNIX username'''. If you do 'ssh theloginyouwant@some.host' it will '''not''' leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place.
### Torifying SSH on *NIX / MacOS
**Warning:** 'ssh some.host' will **leak your UNIX username**. If you do 'ssh theloginyouwant@some.host' it will **not** leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place.
Using SSH inside Whonix should be safe.
==== Option 1: Using torsocks ====
More plentiful and current information on torsocks can be found [https://trac.torproject.org/projects/tor/wiki/doc/torsocks here].
#### Option 1: Using torsocks
More plentiful and current information on torsocks can be found [here](https://trac.torproject.org/projects/tor/wiki/doc/torsocks).
To use SSH with torsocks, simply use the command:
...
...
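Review bot: The two converted links in this hunk end up inconsistent: the PuTTY link becomes the relative path `./doc/TorifyHOWTO/Putty`, while the torsocks link stays an absolute `https://trac.torproject.org/projects/tor/wiki/doc/torsocks` URL. Please confirm the relative path resolves from this page's own location in the new wiki, and decide whether the torsocks link should also point at the migrated page rather than at Trac. Separately, the username-leak warning still shows `ssh some.host` and `ssh theloginyouwant@some.host` in plain single quotes; code spans would match the backtick style the conversion uses for `ProxyCommand` and `ssh-tor example.com` further down.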
@@ -19,66 +19,66 @@ To use SSH with torsocks, simply use the command:
you may want to add an alias like so:
{{{
```
alias ssh-tor='torsocks ssh'
}}}
```
==== Option 2: Using netcat-openbsd ====
{{{netcat-openbsd}}} (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading or writing from TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.
#### Option 2: Using netcat-openbsd
`netcat-openbsd` (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading or writing from TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.
When using netcat-openbsd, you can use the ssh {{{ProxyCommand}}} option:
{{{
When using netcat-openbsd, you can use the ssh `ProxyCommand` option:
Then you can simply issue the command {{{ssh-tor example.com}}}.
Then you can simply issue the command `ssh-tor example.com`.
OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and creates a leak. To make sure this doesn't happen, pass {{{-o VerifyHostKeyDNS=no}}} on your ssh command line.
OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and creates a leak. To make sure this doesn't happen, pass `-o VerifyHostKeyDNS=no` on your ssh command line.
A good command for checking for DNS leakage is
{{{
```
tcpdump -vvvv -i <your_device> dst port 53
}}}
```
==== Option 3: Using connect-proxy ====
#### Option 3: Using connect-proxy
Add this to your ssh config file (`~/.ssh/config`):
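Review bot: In the netcat-openbsd section as rendered here, the converted sentence "When using netcat-openbsd, you can use the ssh `ProxyCommand` option:" is followed directly by "Then you can simply issue the command `ssh-tor example.com`.", with no opening fence on the new side where the old side had `{{{`; please check that the ProxyCommand example survived the conversion with a matching pair of triple-backtick fences. While touching this section, note that the SSHFP advice relies on the reader remembering to pass `-o VerifyHostKeyDNS=no` on every invocation, and the alias shown above is only `alias ssh-tor='torsocks ssh'`. Consider carrying the option in the alias itself, for example `alias ssh-tor='torsocks ssh -o VerifyHostKeyDNS=no'`, so the leak protection does not depend on the command line. Minor: "A good command for checking for DNS leakage is" should end with a colon before the fenced `tcpdump` line, as the other lead-in sentences do.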