Apply conversion script to all *.md files. Authored by Alexander Hansen Færøy.
# Torifying SSH

Secure Shell (SSH) is an encrypted network protocol for utilizing network services securely over an unsecured network. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leakage), the full functionality of SSH can be anonymized.

### Torifying SSH on Windows

The recommended methodology for Windows users to torify SSH is by utilising PuTTY. The page outlining where to download it as well as configuration can be found [here](./doc/TorifyHOWTO/Putty).

### Torifying SSH on *NIX / MacOS

**Warning:** `ssh some.host` will **leak your UNIX username**. If you do `ssh theloginyouwant@some.host` it will **not** leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place.

Using SSH inside Whonix should be safe.

#### Option 1: Using torsocks

More plentiful and current information on torsocks can be found [here](https://trac.torproject.org/projects/tor/wiki/doc/torsocks).
To use SSH with torsocks, simply prefix the command with `torsocks`, e.g. `torsocks ssh theloginyouwant@some.host`. You may want to add an alias like so:
```
alias ssh-tor='torsocks ssh'
```

#### Option 2: Using netcat-openbsd

`netcat-openbsd` (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading or writing from TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.

When using netcat-openbsd, you can use the ssh `ProxyCommand` option:

```
ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" <target_host>
```

To do it on a per-host basis, edit your ~/.ssh/config to look something like this:

```
host example.com
    user bar
    port 22
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
```

Then you can just do `ssh example.com` and it will be torified.
If preferred, it is possible to make an alias for this and place it in your `~/.bashrc` or `~/.bash_profile` like so:
```
alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p"'
```

or

```
alias ssh-tor='ssh -o "ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type socks4 $(torsocks dig @213.73.91.35 +tcp +short %h | head -n 1) %p"'
```

Then you can simply issue the command `ssh-tor example.com`.

OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and create a leak. To make sure this doesn't happen, pass `-o VerifyHostKeyDNS=no` on your ssh command line.

A good command for checking for DNS leakage is

```
tcpdump -vvvv -i <your_device> dst port 53
```

#### Option 3: Using connect-proxy

Add this to your ssh config file (`~/.ssh/config`):

```
host *-tor
    CheckHostIP no
    Compression yes
    Protocol 2
    ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p
```

Then add a `-tor` to the server name on the commandline when you want to use tor. E.g., if your ssh config file has:

```
host whitehouse*
    hostname whitehouse.gov
    user trump
```
you would run `ssh whitehouse-tor` to access that host over tor, or simply `ssh whitehouse` to go direct without tor.
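As an added example (not code from this wiki page or from the Tor project), the following POSIX shell script ties Options 2 and 3 together: it emits a per-host config stanza that sends one host through the Tor SOCKS port via netcat-openbsd with an explicit user name, `VerifyHostKeyDNS no` and `CheckHostIP no`, and it audits an existing config file for `-tor` hosts that are missing any of those leak-prevention settings. The function names, the `TOR_SOCKS` variable and the sample hosts are assumptions made here; the SOCKS address defaults to the page's 127.0.0.1:9050.

```shell
#!/bin/sh
# Added example (not from the wiki page or the Tor project): generate a
# per-host ~/.ssh/config stanza that routes one host through the local Tor
# SOCKS port with the leak-prevention options the page recommends, and audit
# an existing config file for "-tor" hosts that lack them.
# Assumptions: Tor's SOCKS port is 127.0.0.1:9050 (override with TOR_SOCKS)
# and netcat-openbsd is installed as "nc".

TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"

# tor_ssh_stanza ALIAS HOSTNAME USER [PORT]
# Prints a config block for "ssh ALIAS-tor" (the -tor naming follows Option 3).
# %h and %p are left literal so ssh expands them to HostName and Port itself.
tor_ssh_stanza() {
    alias_name="$1"; host="$2"; user="$3"; port="${4:-22}"
    printf 'Host %s-tor\n' "$alias_name"
    printf '    HostName %s\n' "$host"
    printf '    User %s\n' "$user"          # explicit user: local username is not sent
    printf '    Port %s\n' "$port"
    printf '    VerifyHostKeyDNS no\n'      # no SSHFP lookup before ProxyCommand runs
    printf '    CheckHostIP no\n'           # no host-IP lookup for the known_hosts check
    printf '    ProxyCommand nc -X 5 -x %s %%h %%p\n' "$TOR_SOCKS"
}

# check_stanza_leakproof FILE
# Exit status 0 if every "Host" block whose pattern ends in -tor has a
# ProxyCommand and both DNS-related options set to "no"; 1 otherwise, with the
# offending Host names on stderr. Only the first pattern after "Host" is
# inspected, which is enough for the single-alias stanzas generated above.
check_stanza_leakproof() {
    awk '
        function flush() {
            if (cur ~ /-tor$/ && !(has_proxy && has_vhk && has_chip)) {
                printf "leaky block: Host %s\n", cur > "/dev/stderr"
                bad = 1
            }
            has_proxy = 0; has_vhk = 0; has_chip = 0
        }
        tolower($1) == "host"                                    { flush(); cur = $2; next }
        tolower($1) == "proxycommand"                            { has_proxy = 1 }
        tolower($1) == "verifyhostkeydns" && tolower($2) == "no" { has_vhk = 1 }
        tolower($1) == "checkhostip"      && tolower($2) == "no" { has_chip = 1 }
        END { flush(); exit bad }
    ' "$1"
}

# Usage: append a stanza for a host, then audit the whole file.
#   tor_ssh_stanza example example.com bar >> ~/.ssh/config
#   check_stanza_leakproof ~/.ssh/config && echo "all -tor hosts are configured"
```

The audit deliberately ignores hosts whose pattern does not end in `-tor`, so direct (non-Tor) entries in the same file are left alone; the tcpdump check from Option 2 remains the runtime confirmation that no port 53 traffic leaves the box.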