User:HR/SSH over Tor

From Gangplank
< User:HR
Revision as of 01:31, 21 March 2021 by HR (talk | contribs)
Jump to navigation Jump to search

Create a SSH[1] connection via the Tor[2] network.

Background

Imagine you want to access a remote computer which is connected to a local network with Internet access. The remote computer has a local IP address which is not accessible from outside the local network unless the access point, where the remote computer is connected to, explicitly forwards the specific port(s) for the incoming connections to the computer.

In the case you're at home and have access to the configuration of your access point that's not so hard to archive. But if the computer is located somewhere else e.g. as part of an installation in some venue, then forwarding the port can become tricky, e.g. because of burocracy. Given you are in such a tricky situation, then putting a little computer (like a Raspberry Pi) with Tor to the mix might be a workaround to consider.

The Tor feature we want to use here is called onion service [3]. Onion services can be any networked service you would run on a regular server, like SSH or HTTP(S), but are accessible via the Tor network. Onion services have the nice property that you can directly connect to the computer running that service, even if the computer is connected to a local network (with Internet access) and has no public IP address and without the necessity to forward any ports from the access point to the computer.

In addition to that we can use this Tor enabled computer to connect to other devices in the remote local network.

Implementation

For our example setup we need:

  • Raspberry Pi [4]
  • Your computer

Raspberry Pi

Caveat: all commands are entered on the command-line interface [5].

Install & configure Tor

sudo apt install tor

Now we configure the SSH onion service by editing /etc/tor/torrc . In the location-hidden services section add:

HiddenServiceDir /var/lib/tor/ssh_onion_service/
HiddenServicePort 22 127.0.0.1:22

Then we restart Tor:

sudo systemctl restart tor.service

Enable SSH server

sudo systemctl enable ssh.service

The Raspberry is now ready to receive SSH connections via the Tor network.

Your Computer

Linux (Ubuntu)

Caveat: all commands are entered on the command-line interface.

Install tor
sudo apt install tor
Install netcat

We'll need netcat to connect our SSH session to the Tor network.

sudo apt install openbsd-netcat
Connect to Raspberry

Now we're ready to connect our computer to the Raspberry via the Tor network. When invoking SSH we have basically two options:

  1. write all required parameters in the ssh command, or
  2. have the required parameters stored in a configuration file for easier invokation.
Parameters in SSH command
ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" -o PreferredAuthentications=password -o PubkeyAuthentication=no pi@[onion address]

You'll find the onion address on the Raspberry:

sudo cat /var/lib/tor/ssh_onion_service/hostname
Parameters in SSH config file

Add your config to ~/.ssh/config

Host raspberry-tor
    HostName [onion address]
    User pi
    PreferredAuthentications password
    PubkeyAuthentication no
    ProxyCommand nc -X 5 -x localhost:9050 %h %p

Then, to connect to the Raspberry, you just invoke your SSH session with:

ssh raspberry-tor

Mac

Todo

Windows

Todo

Expanding the functionality

Forwarding of local ports

Suppose there is also a LanBox in the remote network. We can connect to the LanBox via our Tor Raspi with our locally installed LCedit+ by forwarding a few ports towards the IP of the LanBox. Given the LanBox has the IP address 10.0.0.3, then the ssh command to forward the necessary ports is:

ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" -o PreferredAuthentications=password -o PubkeyAuthentication=no -L 4776:10.0.0.3:777 -L 4777:10.0.0.3:4777 -L 6454:10.0.0.3:6454 pi@[onion address]

Then, when starting LCedit+, connect to localhost:4776 . We're using port 4776 instead of 777 (LanBox default) to avoid invoking ssh with root privileges. Ports below 1024 are so called system ports and require root privileges.

Or you store the parameters in the SSH config file (~/.ssh/config) for easier invokation:

Host raspberry-forward-tor
    HostName [onion address]
    User pi
    PreferredAuthentications password
    PubkeyAuthentication no
    ProxyCommand nc -X 5 -x localhost:9050 %h %p
    LocalForward 4776 10.0.0.3:777
    LocalForward 4777 10.0.0.3:4777
    LocalForward 6454 10.0.0.3:6454

Then invoke ssh with:

ssh raspberry-forward-tor

See also

References