Radical Tech's Documentation

sudo apt-get install anarchy

ssh over Tor to remote debian box

There might be a case when you need to ssh to a box anonymously: either the box is under heavy surveillance, or you are under surveillance, or the box is doing something nasty. 8-)

We'll see how to ssh to the box in a secure and anonymous way, using ssh over Tor. We assume we never want to log in to this remote box from our real IP, not even once. Finally, we'll see how to set up ssh as a Tor hidden service.

Create ssh keypair

We'll use public-key authentication to ssh to the remote box.

#ssh-keygen -t rsa -b 4096 -C "comment"

comment might be user@remotebox. You'd also better protect your private key with a passphrase. After that, two files are created in ~/.ssh/: id_rsa and id_rsa.pub. You can rename them as you like. Make sure id_rsa (the private key) is readable only by your user.

Install Tor on your local box

Add this line to your /etc/apt/sources.list file:

deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main

where you put the codename of your distribution (e.g. squeeze, wheezy, sid) in place of <DISTRIBUTION>.

#gpg --keyserver keys.gnupg.net --recv 886DDD89
#gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

#apt-get update
#apt-get install deb.torproject.org-keyring
#apt-get install tor

More: https://www.torproject.org/docs/debian.html.en

Note: This is different from the Tor Browser Bundle. Tor Browser is the usual way to use Tor to browse the internet. Although it's convenient and easy, the Tor Browser Bundle isn't appropriate for what we want. Installing Tor as described above instead gives you Tor running as a client daemon on your system.

Install connect-proxy

#apt-get install connect-proxy

We'll need it later on.

Configure ssh to use Tor for specific host

Edit ~/.ssh/config and add the following lines, filled in with the details of your box:

Host alias
   Hostname IpAddressOfTheBox
   User Username
   IdentitiesOnly yes
   IdentityFile ~/.ssh/id_rsa 
   Port PortNumber
   CheckHostIP no
   Compression yes
   Protocol 2
   ProxyCommand connect -4 -S 127.0.0.1:9050 $(tor-resolve %h 127.0.0.1:9050) %p
   ServerAliveInterval 60

alias is just a shortcut name you can use with the ssh command. The ProxyCommand points connect at Tor's SOCKS port, which is 127.0.0.1:9050 by default for the tor package, and tor-resolve makes the name lookup happen through Tor as well, so no DNS query for the box leaves your machine.

Upload your public ssh key to the remote box

#scp .ssh/id_rsa.pub alias:
#ssh alias "mkdir -p .ssh; cat id_rsa.pub >> .ssh/authorized_keys; chmod 700 .ssh; chmod 600 .ssh/authorized_keys"

Verify that the correct permissions are set on the .ssh directory and the key file.

Disable password ssh login

Now that you can log in to the remote box with your key, you can disable password authentication for a little extra security. Edit /etc/ssh/sshd_config:

PasswordAuthentication no

and restart the ssh daemon.

How about ssh as a Tor hidden service?

We've successfully logged in to our remote box using Tor. Let's take it a few steps further: we can configure our remote box to offer ssh as a hidden service. The advantage of a hidden service is that it's slightly more secure. With a hidden service, data flows encrypted end-to-end and never leaves the Tor network. There is no need for exit nodes, which mitigates the risk of malicious exit nodes running mitm attacks. What's more, the hidden service architecture hides the server itself. The sysadmin could even disable ssh over the ordinary internet and leave it reachable only as a hidden service.

Install Tor on the remote box

Just follow the same steps as your local box, described previously.

ssh as a hidden service

Setting up hidden services for Tor is really straightforward. Edit /etc/tor/torrc, scroll down to the hidden services section, and uncomment and adjust the following lines:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22

In the first statement we just set the directory under which all the necessary files of the hidden service will reside. With the second statement we first configure the virtual port our hidden service listens on (22 in the example) and secondly declare the real socket the application listens on (if the target is omitted, as in the line shown, Tor maps the virtual port to the same port on 127.0.0.1). In the example the ssh on our remote box listens to

We can list the applications and their listening ports with

#netstat -ntpl

If we want our remote box to have ssh only as a hidden service, we change /etc/ssh/sshd_config so that sshd listens only on localhost, and then point the hidden service at it in /etc/tor/torrc:

HiddenServicePort 22

Then we restart the tor daemon so that our changes take effect:

#/etc/init.d/tor restart

Find the onion address

After the tor daemon is restarted we can grab the address of our hidden service:

#cat /var/lib/tor/hidden_service/hostname

It will be something like


Finally, you can modify your ~/.ssh/config and use that onion address to ssh to your box. Also note the change in ProxyCommand: with -R remote, connect hands the .onion name to Tor for resolution instead of trying to resolve it locally.

Host alias
   Hostname someaddress.onion
   IdentitiesOnly yes
   IdentityFile ~/.ssh/id_rsa 
   Port PortNumber
   CheckHostIP no
   Compression yes
   Protocol 2
   ProxyCommand connect -4 -R remote -S 127.0.0.1:9050 %h %p
   ServerAliveInterval 60
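
As an added example, not part of the original wiki page, here is a POSIX sh script that audits the three things this how-to changes on the remote box: password login disabled and sshd bound only to localhost, a loopback hidden service on port 22 in torrc, and owner-only permissions on the private key and its directory. The file paths are assumptions passed as arguments, so the checks can also run against constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: audit the settings this
# how-to changes (sshd_config, torrc, private key permissions) to confirm the
# hardening took effect. Paths are arguments, so the checks also run against
# constructed sample files.

# 0 if sshd_config turns password auth off and binds only to loopback.
sshd_is_hardened() {
    grep -Ei '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" >/dev/null || return 1
    listens=$(grep -Ei '^[[:space:]]*ListenAddress[[:space:]]+' "$1" | awk '{print $2}')
    [ -n "$listens" ] || return 1             # no ListenAddress means all interfaces
    for a in $listens; do
        case "$a" in
            127.0.0.1|127.0.0.1:*|::1|\[::1\]:*|localhost|localhost:*) ;;
            *) return 1 ;;                    # still reachable on a public address
        esac
    done
    return 0
}

# 0 if torrc has a hidden service whose virtual port 22 targets loopback
# (an omitted target is fine: Tor then defaults to 127.0.0.1:22).
torrc_hs_ssh_is_local() {
    grep -E '^[[:space:]]*HiddenServiceDir[[:space:]]+' "$1" >/dev/null || return 1
    line=$(grep -E '^[[:space:]]*HiddenServicePort[[:space:]]+22([[:space:]]|$)' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    case "$(printf '%s\n' "$line" | awk '{print $3}')" in
        ""|22|127.0.0.1|127.0.0.1:22|localhost:22) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if group and others have no permission bits at all on the path
# (what ssh expects for ~/.ssh and the private key).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit SSHD_CONFIG TORRC PRIVATE_KEY: report each failure, return 0 only if all pass.
audit() {
    rc=0
    sshd_is_hardened "$1"        || { echo "FAIL $1: password auth on or public ListenAddress"; rc=1; }
    torrc_hs_ssh_is_local "$2"   || { echo "FAIL $2: no loopback hidden service on port 22"; rc=1; }
    owner_only "$3"              || { echo "FAIL $3: private key readable by group/others"; rc=1; }
    owner_only "$(dirname "$3")" || { echo "FAIL $(dirname "$3"): key directory not owner-only"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: all checks passed"
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run it on the remote box as `sh audit.sh /etc/ssh/sshd_config /etc/tor/torrc ~/.ssh/id_rsa`; a non-zero exit means one of the steps above did not stick.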
tips/ssh_over_tor_to_remote_debian_box.txt · Last modified: 28/03/2015 17:05 by luigi