There might be a case when you need to ssh to a box in an anonymous way. Either the box is under heavy surveillance or you are under surveillance or this box is doing something nasty.
We'll see how it's possible to ssh to the box in a secure and anonymous way, using ssh over tor. We assume we don't want to login to this remote box with our real IP not a single time. Finally, we'll see how to set up an ssh hidden service.
We'll use public key to ssh to remote box.
#ssh-keygen -t rsa -b 4096 -C "comment"
comment might be user@remotebox. Also you'd better use a password to keep safe you private key. After that, two files should be created in ~/.ssh/ . An id_rsa and an id_rsa.pub. You can rename them as you like. Make sure id_rsa(the private key) is readable only by your user.
Add this line to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main
where you put the codename of your distribution (i.e. squeeze, wheezy, sid ) in place of <DISTRIBUTION>.
#gpg --keyserver keys.gnupg.net --recv 886DDD89 #gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - #apt-get update #apt-get install deb.torproject.org-keyring #apt-get install tor
Note : This is different from Tor Browser Bundle. Tor Browser is the common way to use Tor to browse internet. Although it's handsome and easy, Tor Browser Bundle isn't appropriate for what we want. Instead, installing Tor as described above, gives you Tor running as daemon client at your system.
#apt-get install connect-proxy
we'll need it later on.
Edit ~/.ssh/config and add the following lines according to the details of your box :
Host alias Hostname IpAddressOfTheBox User Username IdentitiesOnly yes IdentityFile ~/.ssh/id_rsa Port PortNumber CheckHostIP no Compression yes Protocol 2 ProxyCommand connect -4 -S 127.0.0.1:9050 $(tor-resolve %h 127.0.0.1:9050) %p ServerAliveInterval 60
alias is just a shortcut name or alias you can use with the ssh command.
#scp .ssh/id_rsa.pub alias: #ssh alias "mkdir .ssh; cat id_rsa.pub >> .ssh/authorized_keys"
verify correct permissions are set to .ssh directory and key file.
Since you logged in remote box you can disable password option for little extra security. Edit /etc/ssh/sshd_config :
and restart ssh daemon.
We've successfully logged in our remote box using tor. Let's take some steps further. We can configure our remote box to have an ssh hidden service. The advantages of a hidden service is that it's slightly more secure. In the case of a hidden service, data flows encrypted end-to-end and doesn't leave Tor network. There is no need for exit nodes thus mitigating the risk of malicious nodes executing mitm attacks. What's more, hidden service's architecture hides the server. Sysadmin could potentially disable ssh over ordinary internet and let it only as hidden service.
Just follow the same steps as your local box, described previously.
Setting up hidden services for Tor is really straightforward. We need to edit /etc/tor/torrc and scroll down to Hidden Services' section. Commenting out and modifying appropriately the following lines :
HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 22 0.0.0.0:22
In the first statement we just set the directory under which all the necessary files of the hidden service will reside. With the second statement we first configure the virtual port our hidden service will listen, in the example it's 22 and secondly we declare the real socket the application listens to. In the example the ssh in our remote box listens to 0.0.0.0:22.
We can examine the applications and their listening ports by giving
If we want our remote box have ssh only as hidden service, then we might change /etc/ssh/sshd_config to listen to localhost and then /etc/tor/torrc .
HiddenServicePort 22 127.0.0.1:22
Then we restart tor daemon so as our modifications take effect:
After tor daemon is restarted we can grab the address of our hidden service:
It will be something like
So at last, you can modify your ~/.ssh/config and use that onion address to ssh to your box. Also mind the change in ProxyCommand.
Host alias Hostname someaddress.onion IdentitiesOnly yes IdentityFile ~/.ssh/id_rsa Port PortNumber CheckHostIP no Compression yes Protocol 2 ProxyCommand connect -4 -R remote -S 127.0.0.1:9050 %h %p ServerAliveInterval 60