SSH and Tor
You may be asking yourself: Why? One reason is obviously because I can! Another reason is that I have several machines that are behind NAT, on dynamic IP addresses, etc. Running an sshd over Tor means that the machine only needs to be able to reach the Tor network for me to reach it. There's no need for any additional network setup such as port forwarding or dynamic DNS.
Why not? Tor is obviously slower as your traffic gets routed through multiple hosts. In practice this is not a problem for me as Tor only supplements clearnet connections. When I need a better connection I'll go the extra mile and set it up.
Configuring the sshd is trivial; there are no additional steps required over your normal setup. Once it is running, you need to configure a hidden service.
~# apt install tor
I encourage you to read the official documentation, but basically you have to install tor, add the two lines below to your torrc and restart the tor service.
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
This will create some files in the HiddenServiceDir; the important one for now is the hostname file, which contains the .onion hostname of your hidden sshd. Once you have that hostname you can configure a client to connect to it.
~# ls /var/lib/tor/sshd/
authorized_clients/  hostname  hs_ed25519_public_key  hs_ed25519_secret_key
ssh client configuration
On the client machine you will have to install Tor, but you don't need to configure a hidden service. You also need to configure your ssh client to route traffic through the Tor network; this is done with netcat as a ProxyCommand that talks to the local Tor SOCKS port.
~# apt install tor netcat-openbsd
With the dependencies installed, you can configure your ssh client like in the example ~/.ssh/config below:
# Generic configuration for all .onion hosts that proxies onion traffic through the local tor service
Host *.onion
    ProxyCommand /bin/nc -x localhost:9050 -X 5 %h %p

Host example.onion
    User mysshuser
    Hostname som3long0nionHostname.onion
    Port 22
That's all! Now you can simply type ssh example.onion to connect to som3long0nionHostname.onion. Configuring individual hosts is optional, but I find it more convenient since I don't want to memorize long onion hostnames.
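Before relying on the two configuration pieces above, it helps to check them mechanically. The following shell helper is an added example, not code from the original post: it validates that the hostname file in the HiddenServiceDir holds a well-formed v3 .onion address, emits the matching Host stanza for ~/.ssh/config, and confirms that the torrc forwards port 22 to loopback only. The file paths and the onion address in the demo are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post). Sample paths and values are constructed.
set -eu

# Return 0 if $1 is a well-formed v3 onion hostname: 56 base32 chars followed by ".onion".
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Build the ~/.ssh/config stanza for an alias from a HiddenServiceDir hostname file.
# $1 = alias (e.g. example.onion), $2 = ssh user, $3 = path to the hostname file.
# Fails (and prints nothing on stdout) if the file does not hold a v3 onion address.
onion_ssh_stanza() {
    alias="$1"; user="$2"; hostfile="$3"
    onion=$(head -n1 "$hostfile" | tr -d '[:space:]')
    if ! is_v3_onion "$onion"; then
        echo "unexpected onion hostname in $hostfile: '$onion'" >&2
        return 1
    fi
    printf 'Host %s\n    User %s\n    Hostname %s\n    Port 22\n' "$alias" "$user" "$onion"
}

# Return 0 if the torrc at $1 maps the hidden-service port 22 to 127.0.0.1:22 (loopback only).
torrc_maps_loopback() {
    grep -Eq '^[[:space:]]*HiddenServicePort[[:space:]]+22[[:space:]]+127\.0\.0\.1:22[[:space:]]*$' "$1"
}

# Demo on constructed files in a temporary directory (the onion address is a placeholder).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion' > "$tmp/hostname"
    printf 'HiddenServiceDir %s/\nHiddenServicePort 22 127.0.0.1:22\n' "$tmp" > "$tmp/torrc"
    onion_ssh_stanza example.onion mysshuser "$tmp/hostname"
    torrc_maps_loopback "$tmp/torrc" && echo "torrc forwards to loopback: ok"
    rm -rf "$tmp"
}
```

Run `demo` to see the generated stanza; point the functions at /var/lib/tor/sshd/hostname and /etc/tor/torrc to check a real setup.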