Parckwart’s Computer Stuff


Published: October 11, 2015
Last updated: September 28, 2016

SSH Server as Tor Onion Service

Running an SSH server as a Tor Onion Service has multiple advantages:

The only big disadvantage:

Configuring the server

Add the following lines to the torrc file of the machine running the SSH server:

HiddenServiceDir /var/lib/tor/os-ssh/
HiddenServicePort 22 127.0.0.1:22

As always, paths may vary among the different ways you might have installed and configured Tor. In this document, I am using the default paths of the Debian Tor package. Note that if you want to have different machines for SSH server and Tor, you need to replace 127.0.0.1 with the LAN IP address of the machine running the SSH server.

Next, make sure that the SSH server listens only on the IP address on which Tor is trying to reach it. Add to /etc/ssh/sshd_config (paths may vary):

ListenAddress 127.0.0.1

Again, if Tor is running on another machine, replace 127.0.0.1 with the LAN IP address of the machine running Tor this time.

Now, restart Tor and the SSH server. On Debian, that’s service tor restart and service ssh restart.

You can now find your Onion Service address in the file /var/lib/tor/os-ssh/hostname.
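The point above, that sshd should listen only on the address Tor connects to, can be checked by comparing the two configuration files. This is an added example, not part of the original post; the function names are my own, and it assumes IPv4 targets written as addr or addr:port.

```sh
#!/bin/sh
# Added example, not from the original post. IPv4 "addr" / "addr:port" forms only.

# Host part of every HiddenServicePort target in a torrc file.
# A bare port or a missing target means Tor connects to 127.0.0.1.
tor_targets() {
    awk 'tolower($1) == "hiddenserviceport" {
        t = $3
        if (t == "" || t ~ /^[0-9]+$/) { print "127.0.0.1"; next }
        sub(/:[0-9]+$/, "", t); print t
    }' "$1" | sort -u
}

# Host part of every active (uncommented) ListenAddress in an sshd_config file.
sshd_listen() {
    awk 'tolower($1) == "listenaddress" {
        a = $2; sub(/:[0-9]+$/, "", a); print a
    }' "$1" | sort -u
}

# check_onion_ssh TORRC SSHD_CONFIG
# Returns 0 only if sshd listens on exactly the address(es) Tor connects to.
check_onion_ssh() {
    targets=$(tor_targets "$1")
    listen=$(sshd_listen "$2")
    [ -n "$targets" ] || { echo "FAIL: no HiddenServicePort in $1"; return 1; }
    [ -n "$listen" ] || {
        echo "FAIL: no ListenAddress in $2, so sshd listens on all addresses"
        return 1
    }
    for a in $listen; do
        printf '%s\n' "$targets" | grep -qxF -- "$a" ||
            { echo "FAIL: sshd also listens on $a, which Tor does not use"; return 1; }
    done
    for t in $targets; do
        printf '%s\n' "$listen" | grep -qxF -- "$t" ||
            { echo "FAIL: Tor connects to $t, but sshd does not listen there"; return 1; }
    done
    echo "OK: sshd listens only on $listen"
}

# Demo on constructed files that mirror the configuration lines from the post.
demo=$(mktemp -d)
printf 'HiddenServiceDir /var/lib/tor/os-ssh/\nHiddenServicePort 22 127.0.0.1:22\n' > "$demo/torrc"
printf 'Port 22\nListenAddress 127.0.0.1\n' > "$demo/sshd_config"
check_onion_ssh "$demo/torrc" "$demo/sshd_config"
rm -rf "$demo"
```

On a real machine, call check_onion_ssh with the paths of your own torrc and sshd_config after editing them and before restarting the services.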

Configuring the client

You obviously need Tor running on your client. In the following examples, I use the default SOCKS port 9050.

OpenSSH client

To send all SSH connections to .onion addresses through Tor, add the following to ~/.ssh/config:

# All .onion addresses
Host *.onion
	ProxyCommand torsocks nc %h %p

Now you can connect: ssh qwertyuiopasdfgh.onion

PuTTY

In the Category bar on the left, select Connection → Proxy. Select SOCKS 5 as proxy type. As proxy hostname, enter 127.0.0.1 and as port 9050.

PuTTY Proxy Settings

After that, you can go back to the Sessions page, enter the .onion address and connect.

PuTTY Session Page

Update (September 28, 2016): Switched from ncat to a torsocksed nc for torifying an SSH connection with the OpenSSH client. For me at least, performance is way better with nc.