SSH over tor


Using SSH over tor has some benefits, and some downsides. I'll try to explain what they are and how to implement SSH over tor.

SSH and Tor

You may be asking yourself: Why? One reason is obviously because I can! Another reason is that I have several machines that are NATed, on dynamic IP addresses, etc. Running an sshd over Tor means that the machine only needs to connect to the Tor network for me to reach it. There's no need for any additional network setup.

Why not? Tor is obviously slower as your traffic gets routed through multiple hosts. In practice this is not a problem for me as Tor only supplements clearnet connections. When I need a better connection I'll go the extra mile and set it up.


Configuring the sshd is trivial, there are no additional steps required over your normal setup. Once it is running you need to configure a hidden service.

~# apt install tor

I encourage you to read the official documentation, but basically you have to install tor and add two lines like below to your torrc and restart the tor service.

HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22

This will create some configuration files in the HiddenServiceDir, the important one right now is the hostname file. Once you have the .onion hostname of your hidden sshd you can configure a client to connect to it.

~# ls /var/lib/tor/sshd/
authorized_clients/  hostname  hs_ed25519_public_key  hs_ed25519_secret_key

ssh client configuration

On the client machine you will have to install Tor, but you don't need to configure a hidden service. You also need to configure your ssh client to route traffic through the tor network, for this netcat is used.

~# apt install tor netcat-openbsd

With the dependencies installed, you can configure your ssh client like in the example ~/.ssh/config below:

# Generic configuration for all .onion hosts that proxies onion traffic through the local tor service
Host *.onion
        ProxyCommand /bin/nc -xlocalhost:9050 -X5 %h %p

Host example.onion
        User mysshuser
        Hostname som3long0nionHostname.onion
        Port 22

That's all! Now you can simply type ssh example.onion to connect to som3long0nionHostname.onion. Configuring individual hosts is optional, but I find it more convenient as I don't want to memorize long onion hostnames.



Cancel reply
Markdown. Syntax highlighting with <code lang="php"><?php echo "Hello, world!"; ?></code> etc.
DjangoPythonBitcoinTuxDebianHTML5 badgeSaltStackUpset confused bugMoneyHackerUpset confused bugX.OrggitFirefoxWindowMakerBashIs it worth the time?i3 window managerWagtailContainerIrssiNginxSilenceUse a maskWorldInternet securityPianoFontGnuPGThunderbirdJenkinshome-assistant-logo