October 11, 2015
Last updated: September 28, 2016
SSH Server as Tor Onion Service
Running an SSH server as a Tor Onion Service has multiple advantages:
- Unfindable: If I’m not mistaken, the odds of randomly hitting your Onion Service address are 32^16 to 1. The normal internet is scanned 24/7 for vulnerabilities, but no one will stumble on your Onion Service. At the 32c3 talk "Tor onion services: more useful than you think", it was announced that addresses are planned to grow from 16 to 52 characters, so in the future it’s going to be even harder to find.
- Poor man’s DynDNS: You don’t have to worry about your provider changing your IP address or some port forwardings in your firewall or all the other trouble you can encounter when hosting something with your home internet connection. As long as your machine can somehow reach the Tor network, the Onion Service is up and running.
- Super anonymity: The most obvious advantage: no "man in the middle" could ever see where and when you SSH somewhere.
The only big disadvantage:
- It is slooooooow!
Configuring the server
Add the following lines to the torrc file of the machine running the SSH server:
HiddenServiceDir /var/lib/tor/os-ssh/
HiddenServicePort 22 127.0.0.1:22
As always, paths may vary among the different ways you might have installed and configured Tor. In this document, I am using the default paths of the Debian Tor package. Note that if you want to have different machines for the SSH server and Tor, you need to replace 127.0.0.1 with the LAN IP address of the machine running the SSH server.
Next, you should make sure that the SSH server only listens on the IP address on which Tor is trying to reach it. Add to /etc/ssh/sshd_config (paths may vary):
ListenAddress 127.0.0.1
Again, if Tor is running on another machine, replace 127.0.0.1 with the LAN IP address of the machine running Tor this time.
Now, restart Tor and the SSH server. On Debian, that’s service tor restart and service ssh restart.
You can now find your Onion Service address in the file /var/lib/tor/os-ssh/hostname.
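As an added example (not from the original post), a small Python check over constructed torrc and sshd_config fragments: it verifies that the HiddenServicePort target is an address sshd actually binds, and flags an sshd that also listens on all interfaces, since that would make the server reachable outside Tor and lose the "unfindable" property.

```python
"""Cross-check torrc HiddenServicePort targets against sshd ListenAddress.
Constructed example; config text is embedded, no real files are read."""


def _directives(text):
    """Yield (lowercased key, value) for non-comment, non-empty config lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            yield key.lower(), value.strip()


def parse_hidden_service_ports(torrc_text):
    """Return [(service_dir, virtual_port, target_ip, target_port), ...]."""
    services, current_dir = [], None
    for key, value in _directives(torrc_text):
        if key == "hiddenservicedir":
            current_dir = value
        elif key == "hiddenserviceport" and current_dir is not None:
            parts = value.split()
            vport = int(parts[0])
            # A bare port as target means 127.0.0.1:<port> (Tor default).
            target = parts[1] if len(parts) > 1 else f"127.0.0.1:{vport}"
            ip, _, port = target.rpartition(":")
            services.append((current_dir, vport, ip or target, int(port)))
    return services


def parse_sshd_listen(sshd_text):
    """Return the set of (ip, port) sshd binds; no ListenAddress means all interfaces."""
    port, addrs = 22, []
    for key, value in _directives(sshd_text):
        if key == "port":
            port = int(value)
        elif key == "listenaddress":
            if value.startswith("["):              # [ipv6]:port
                ip, _, p = value[1:].partition("]:")
            elif value.count(":") == 1:            # ipv4:port
                ip, _, p = value.partition(":")
            else:                                  # ipv4 or ipv6 without port
                ip, p = value, ""
            addrs.append((ip, int(p) if p else None))
    if not addrs:
        addrs = [("0.0.0.0", None), ("::", None)]
    return {(ip, p if p is not None else port) for ip, p in addrs}


def check_onion_ssh(torrc_text, sshd_text):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    listening = parse_sshd_listen(sshd_text)
    wildcard = {ip for ip, _ in listening if ip in ("0.0.0.0", "::", "*")}
    if wildcard:
        findings.append("sshd listens on all interfaces; it is reachable outside Tor")
    for hs_dir, vport, ip, port in parse_hidden_service_ports(torrc_text):
        if (ip, port) not in listening and not wildcard:
            findings.append(f"{hs_dir}: Tor forwards port {vport} to {ip}:{port}, "
                            "but sshd does not listen there")
    return findings


# Constructed fragments mirroring the settings from this page.
TORRC = "HiddenServiceDir /var/lib/tor/os-ssh/\nHiddenServicePort 22 127.0.0.1:22\n"
SSHD_GOOD = "ListenAddress 127.0.0.1\n"
SSHD_DEFAULT = "# no ListenAddress: sshd binds 0.0.0.0 and ::\nPort 22\n"
```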
Configuring the client
You obviously need Tor running on your client. In the following examples, I use the default SOCKS port 9050.
To send all SSH connections to .onion addresses through Tor, add the following to ~/.ssh/config:
# All .onion addresses
Host *.onion
    ProxyCommand torsocks nc %h %p
Now you can connect with ssh as usual, giving the .onion address as the host name.
If you use PuTTY instead: in the Category bar on the left, select Connection → Proxy. Select SOCKS 5 as proxy type. As proxy hostname, enter 127.0.0.1 and as port 9050.
After that, you can go back to the Sessions page, enter the .onion address and connect.
Update (September 28, 2016): Switched from ncat for torifying an SSH connection with the OpenSSH client to a torsocksed nc. For me at least, performance is way better with nc.