User:HR/SSH over Tor: Difference between revisions
mNo edit summary |
|||
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
Create a SSH<ref>[[wikipedia:SSH_(Secure_Shell)]]</ref> connection via the Tor<ref>[[wikipedia:Tor_(anonymity_network)]]</ref> network. |
Create a SSH <ref>[[wikipedia:SSH_(Secure_Shell)]]</ref> connection via the Tor <ref>[[wikipedia:Tor_(anonymity_network)]]</ref> network. |
||
== Background == |
== Background == |
||
Imagine you want to access a remote computer which is connected to a local network with Internet access. The remote computer has a local IP address which is not accessible from the |
Imagine you want to access a remote computer which is connected to a local network with Internet access. The remote computer has a local IP address which is not accessible from outside the local network unless the access point, where the remote computer is connected to, explicitly forwards the specific port(s) for the incoming connections to the computer. |
||
In the case you're at home and have access to the configuration of your access point that's not so hard to archive. But if the computer is located somewhere else e.g. as part of an installation in some venue, then forwarding the port can become tricky, e.g. because of burocracy. Given you are in such a tricky situation, then putting a little computer (like a Raspberry Pi) with Tor to the mix might be a workaround to consider. |
In the case you're at home and have access to the configuration of your access point that's not so hard to archive. But if the computer is located somewhere else e.g. as part of an installation in some venue, then forwarding the port can become tricky, e.g. because of burocracy. Given you are in such a tricky situation, then putting a little computer (like a Raspberry Pi) with Tor to the mix might be a workaround to consider. |
||
Line 12: | Line 12: | ||
== Implementation == |
== Implementation == |
||
For our example setup we |
For our example setup we use: |
||
* Raspberry Pi <ref>[[wikipedia:Raspberry_Pi]]</ref> |
* Raspberry Pi <ref>[[wikipedia:Raspberry_Pi]]</ref> |
||
* Your computer |
* Your computer |
||
Line 18: | Line 18: | ||
=== Raspberry Pi === |
=== Raspberry Pi === |
||
'''Caveat:''' all commands are entered on the command-line interface <ref>[[wikipedia:Command-line_interface]]</ref>. |
'''''Caveat:''' all commands are entered on the command-line interface <ref>[[wikipedia:Command-line_interface]]</ref>.'' |
||
==== Install & configure Tor ==== |
==== Install & configure Tor ==== |
||
Line 33: | Line 33: | ||
sudo systemctl restart tor.service |
sudo systemctl restart tor.service |
||
==== |
==== Install & configure SSH server ==== |
||
sudo apt install openssh-server |
|||
sudo systemctl enable ssh.service |
sudo systemctl enable ssh.service |
||
The Raspberry is now ready to receive SSH connections via the Tor network. |
The Raspberry is now ready to receive SSH connections via the Tor network. |
||
==== Onion address ==== |
|||
Later we'll need the Raspberry's .onion address to connect to our onion service. To display it just type: |
|||
⚫ | |||
=== Your Computer === |
=== Your Computer === |
||
Line 43: | Line 50: | ||
==== Linux (Ubuntu) ==== |
==== Linux (Ubuntu) ==== |
||
'''Caveat:''' all commands are entered on the command-line interface. |
'''''Caveat:''' all commands are entered on the command-line interface.'' |
||
===== Install tor ===== |
===== Install tor ===== |
||
Line 49: | Line 56: | ||
sudo apt install tor |
sudo apt install tor |
||
===== Install |
===== Install socat ===== |
||
We'll need |
We'll need socat to connect our SSH session to the Tor network. |
||
sudo apt install |
sudo apt install socat |
||
===== Connect to Raspberry ===== |
===== Connect to Raspberry ===== |
||
Line 64: | Line 71: | ||
====== Parameters in SSH command ====== |
====== Parameters in SSH command ====== |
||
ssh -o "ProxyCommand |
ssh -o "ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050" -o PreferredAuthentications=password -o PubkeyAuthentication=no pi@[onion address] |
||
You'll find the onion address on the Raspberry: |
|||
⚫ | |||
====== Parameters in SSH config file ====== |
====== Parameters in SSH config file ====== |
||
Add your config to ~/.ssh/config |
Add your config to ''~/.ssh/config'' . Create the file if it doesn't exist. |
||
Host raspberry-tor |
Host raspberry-tor |
||
Line 79: | Line 82: | ||
PreferredAuthentications password |
PreferredAuthentications password |
||
PubkeyAuthentication no |
PubkeyAuthentication no |
||
ProxyCommand |
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050 |
||
Then, to connect to the Raspberry, you |
Then, to connect to the Raspberry, you invoke your SSH session with: |
||
ssh raspberry-tor |
ssh raspberry-tor |
||
Line 94: | Line 97: | ||
=== Forwarding of local ports === |
=== Forwarding of local ports === |
||
Suppose there is also a LanBox in the remote network. We can connect to the LanBox via our Tor |
Suppose there is also a LanBox <ref>[[https://www.lanbox.com]]</ref> in the remote network. We can connect to the LanBox via our Tor-Raspi with our locally installed LCedit+ (LanBox's software suite) by forwarding a few ports towards the IP of the LanBox. Given the LanBox has the IP address 10.0.0.3, then the ssh command to forward the necessary ports is: |
||
ssh -o "ProxyCommand |
ssh -o "ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050" -o PreferredAuthentications=password -o PubkeyAuthentication=no -L 4776:10.0.0.3:777 -L 4777:10.0.0.3:4777 -L 6454:10.0.0.3:6454 pi@[onion address] |
||
Then, when starting LCedit+, connect to ''localhost:4776'' . |
Then, when starting LCedit+, connect to ''localhost:4776'' . By default the LanBox is using port 777 for the authentication but by using port 4776 instead we avoid invoking ssh with root privileges. Ports below 1024 are so called ''system ports'' and require root privileges to temper with. |
||
'''''Caveat:''' because the Lanbox's authentication channel isn't encrypted, it's a good idea to use at least a SSH port forward if you're connecting to your LanBox via a possibly hostile network, like the Internet. Otherwise your LanBox's password can be scooped in transit and ghosts might enter your machine.'' |
|||
⚫ | |||
⚫ | |||
Host raspberry-forward-tor |
Host raspberry-forward-tor |
||
Line 107: | Line 112: | ||
PreferredAuthentications password |
PreferredAuthentications password |
||
PubkeyAuthentication no |
PubkeyAuthentication no |
||
ProxyCommand |
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050 |
||
LocalForward 4776 10.0.0.3:777 |
LocalForward 4776 10.0.0.3:777 |
||
LocalForward 4777 10.0.0.3:4777 |
LocalForward 4777 10.0.0.3:4777 |
||
LocalForward 6454 10.0.0.3:6454 |
LocalForward 6454 10.0.0.3:6454 |
||
And invoke ssh with: |
|||
ssh raspberry-forward-tor |
|||
== See also == |
|||
*[[UDP over SSH]] (UDP over SSH over Tor is also possible) |
|||
== References == |
== References == |
||
<div class="references-small"><references /></div> |
<div class="references-small"><references /></div> |
||
[[Category:Networking]] |
Latest revision as of 11:47, 21 March 2021
Create a SSH [1] connection via the Tor [2] network.
Background
Imagine you want to access a remote computer which is connected to a local network with Internet access. The remote computer has a local IP address which is not accessible from outside the local network unless the access point, where the remote computer is connected to, explicitly forwards the specific port(s) for the incoming connections to the computer.
In the case you're at home and have access to the configuration of your access point that's not so hard to archive. But if the computer is located somewhere else e.g. as part of an installation in some venue, then forwarding the port can become tricky, e.g. because of burocracy. Given you are in such a tricky situation, then putting a little computer (like a Raspberry Pi) with Tor to the mix might be a workaround to consider.
The Tor feature we want to use here is called onion service [3]. Onion services can be any networked service you would run on a regular server, like SSH or HTTP(S), but are accessible via the Tor network. Onion services have the nice property that you can directly connect to the computer running that service, even if the computer is connected to a local network (with Internet access) and has no public IP address and without the necessity to forward any ports from the access point to the computer.
In addition to that we can use this Tor enabled computer to connect to other devices in the remote local network.
Implementation
For our example setup we use:
- Raspberry Pi [4]
- Your computer
Raspberry Pi
Caveat: all commands are entered on the command-line interface [5].
Install & configure Tor
sudo apt install tor
Now we configure the SSH onion service by editing /etc/tor/torrc . In the location-hidden services section add:
HiddenServiceDir /var/lib/tor/ssh_onion_service/ HiddenServicePort 22 127.0.0.1:22
Then we restart Tor:
sudo systemctl restart tor.service
Install & configure SSH server
sudo apt install openssh-server sudo systemctl enable ssh.service
The Raspberry is now ready to receive SSH connections via the Tor network.
Onion address
Later we'll need the Raspberry's .onion address to connect to our onion service. To display it just type:
sudo cat /var/lib/tor/ssh_onion_service/hostname
Your Computer
Linux (Ubuntu)
Caveat: all commands are entered on the command-line interface.
Install tor
sudo apt install tor
Install socat
We'll need socat to connect our SSH session to the Tor network.
sudo apt install socat
Connect to Raspberry
Now we're ready to connect our computer to the Raspberry via the Tor network. When invoking SSH we have basically two options:
- write all required parameters in the ssh command, or
- have the required parameters stored in a configuration file for easier invokation.
Parameters in SSH command
ssh -o "ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050" -o PreferredAuthentications=password -o PubkeyAuthentication=no pi@[onion address]
Parameters in SSH config file
Add your config to ~/.ssh/config . Create the file if it doesn't exist.
Host raspberry-tor HostName [onion address] User pi PreferredAuthentications password PubkeyAuthentication no ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
Then, to connect to the Raspberry, you invoke your SSH session with:
ssh raspberry-tor
Mac
Todo
Windows
Todo
Expanding the functionality
Forwarding of local ports
Suppose there is also a LanBox [6] in the remote network. We can connect to the LanBox via our Tor-Raspi with our locally installed LCedit+ (LanBox's software suite) by forwarding a few ports towards the IP of the LanBox. Given the LanBox has the IP address 10.0.0.3, then the ssh command to forward the necessary ports is:
ssh -o "ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050" -o PreferredAuthentications=password -o PubkeyAuthentication=no -L 4776:10.0.0.3:777 -L 4777:10.0.0.3:4777 -L 6454:10.0.0.3:6454 pi@[onion address]
Then, when starting LCedit+, connect to localhost:4776 . By default the LanBox is using port 777 for the authentication but by using port 4776 instead we avoid invoking ssh with root privileges. Ports below 1024 are so called system ports and require root privileges to temper with.
Caveat: because the Lanbox's authentication channel isn't encrypted, it's a good idea to use at least a SSH port forward if you're connecting to your LanBox via a possibly hostile network, like the Internet. Otherwise your LanBox's password can be scooped in transit and ghosts might enter your machine.
Or you store the parameters in the SSH config file (~/.ssh/config) for easier invokation:
Host raspberry-forward-tor HostName [onion address] User pi PreferredAuthentications password PubkeyAuthentication no ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050 LocalForward 4776 10.0.0.3:777 LocalForward 4777 10.0.0.3:4777 LocalForward 6454 10.0.0.3:6454
And invoke ssh with:
ssh raspberry-forward-tor
See also
- UDP over SSH (UDP over SSH over Tor is also possible)