Also under TorifyHOWTO/Misc there are some older ssh instructions. This ssh article is more recent.

Wiki editors: possibly merge. (From Misc to ssh. Ssh has enough information to have its own wiki site.)

Using netcat (does not require torsocks)

When using netcat-openbsd, you can use the ssh ProxyCommand option:

ssh -o "ProxyCommand nc -X 5 -x localhost:9050 %h %p" <target_host>

Or when using nmap-ncat (replace <dns_server> with the address of a public DNS server you trust; the single quotes keep your shell from expanding the dig command before ssh has substituted %h):

ssh -o 'ProxyCommand nc --proxy localhost:9050 --proxy-type socks4 $(torsocks dig @<dns_server> +tcp +short %h | head -n 1) %p' <target_host>

Please keep in mind that the nmap-ncat version is not compatible with .onion addresses, as it doesn't resolve the hostname via SOCKS5!

With recent versions of ncat (7.12 was tested), it is possible to use SOCKS5 to resolve the hostname and also use separate usernames and passwords for stream isolation:

ssh -o "ProxyCommand ncat --nodns --proxy localhost:9050 --proxy-type socks5 --proxy-auth %h:ssh_%p %h %p" <target_host>
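Added example (not code from this wiki page or from the ncat project): a hypothetical Python ProxyCommand, socks5_proxycmd.py, that does what the ncat SOCKS5 form above does. It hands the hostname to Tor inside the SOCKS5 CONNECT request (address type 0x03), so nothing is resolved locally and .onion names work, and it derives the SOCKS username/password from host and port for stream isolation. It assumes Tor's SocksPort on 127.0.0.1:9050 with Tor's default IsolateSOCKSAuth behaviour.

```python
"""Hypothetical SOCKS5 ProxyCommand for ssh (added example, not from the wiki page).
Use: ProxyCommand python3 socks5_proxycmd.py %h %p   (like the ncat socks5 form)"""
import os, select, socket, sys

TOR_SOCKS = ("127.0.0.1", 9050)          # assumption: Tor's default SocksPort

def auth_request(user: str, password: str) -> bytes:
    """RFC 1929 username/password message. Tor accepts any values, but with
    IsolateSOCKSAuth each distinct pair gets its own circuit (stream isolation)."""
    u, p = user.encode(), password.encode()
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p

def connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT with ATYP 0x03 (domain name): Tor itself resolves the
    name, so .onion works and no DNS query ever leaves this machine."""
    h = host.encode()
    if not 0 < len(h) < 256: raise ValueError("SOCKS5 hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + port.to_bytes(2, "big")

def bound_addr_len(atyp: int, first: int) -> int:
    # BND.ADDR+BND.PORT bytes left after VER REP RSV ATYP and one address byte
    # ('first'), which for ATYP 0x03 is the length octet of the domain name.
    return {1: 3 + 2, 3: first + 2, 4: 15 + 2}[atyp]

def socks5_connect(host, port, user, password, proxy=TOR_SOCKS):
    s = socket.create_connection(proxy)
    for msg, want, err in ((b"\x05\x01\x02", b"\x05\x02", "user/pass auth refused"),
                           (auth_request(user, password), b"\x01\x00", "auth failed")):
        s.sendall(msg)                   # greeting offers only user/pass, then creds
        if s.recv(2) != want: raise ConnectionError(f"SOCKS5 {err}")
    s.sendall(connect_request(host, port))
    ver, rep, _, atyp, first = s.recv(5)
    if ver != 5 or rep != 0: raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep:#x}")
    s.recv(bound_addr_len(atyp, first))  # discard BND.ADDR/BND.PORT
    return s

def relay(sock):
    """Pump bytes between ssh (our stdin/stdout) and the Tor-side socket."""
    stdin, stdout = sys.stdin.fileno(), sys.stdout.fileno()
    while True:
        for fd in select.select([stdin, sock], [], [])[0]:
            data = os.read(stdin, 65536) if fd == stdin else sock.recv(65536)
            if not data: return          # one side hung up; ssh sees EOF
            if fd == stdin:
                sock.sendall(data)
            else:
                os.write(stdout, data)

if __name__ == "__main__":               # per-host credentials, like --proxy-auth %h:ssh_%p
    h, p = sys.argv[1], int(sys.argv[2])
    relay(socks5_connect(h, p, user=h, password=f"ssh_{p}"))
```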

To do it on a per-host basis, edit your ~/.ssh/config to look something like this:

For netcat-openbsd:

    Host <target_host>
        user bar
        port 22
        ProxyCommand nc -X 5 -x localhost:9050 %h %p

For older versions of ncat (nmap), which need torsocks and dig to resolve the name through Tor against a public DNS server you trust (the example used the Chaos Computer Club Berlin resolver; put the address of your chosen resolver in place of <dns_server>):

    Host <target_host>
        user bar
        port 22
        ProxyCommand nc --proxy localhost:9050 --proxy-type socks4 $(torsocks dig @<dns_server> +tcp +short %h | head -n 1) %p

For recent versions of ncat:

    Host <target_host>
        user bar
        port 22
        ProxyCommand ncat --nodns --proxy localhost:9050 --proxy-type socks5 --proxy-auth %h:ssh_%p %h %p

Then you can just run ssh <target_host> and the connection will be torified.

If you prefer, you could make an alias for this and place it in your ~/.bashrc or ~/.bash_profile that looks like this:

For netcat-openbsd:

alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x localhost:9050 %h %p"'

For nmap-ncat (the backslash before $ keeps your shell from running dig when the alias is expanded, so that ssh substitutes %h first; replace <dns_server> as above):

alias ssh-tor='ssh -o "ProxyCommand nc --proxy localhost:9050 --proxy-type socks4 \$(torsocks dig @<dns_server> +tcp +short %h | head -n 1) %p"'

Then you can just run ssh-tor <target_host>.

DNS leakage has been tested on nc from the netcat-openbsd package on Ubuntu 12.04 LTS, and nmap-ncat package on Fedora 19.

Please test other versions of netcat and see if they behave as well.

OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and create a leak. To make sure this doesn't happen, pass -o VerifyHostKeyDNS=no on your ssh command line.

A good command for checking for DNS leakage is

tcpdump -vvvv -i <your_device> dst port 53

               netcat-openbsd   ncat (nmap)
DNS Leaks      N                N (manually resolved via torsocks and dig)
Safe           M                M

Y = Yes

N = No

M = Maybe. No problems were detected, but no full and thorough analysis has been made. There may still be other anonymity leaks.

Using connect-proxy

Add this to your ssh config file (~/.ssh/config):

    host *-tor
        CheckHostIP  no
        Compression  yes
        Protocol     2
        ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p

Then add a -tor to the server name on the commandline when you want to use tor. E.g., if your ssh config file has:

    host whitehouse*
        user         trump

you would run ssh whitehouse-tor to access that host over tor, or simply ssh whitehouse to go direct without tor.

Using torsocks

Simply prefix ssh with torsocks:

torsocks ssh <target_host>

You may want to add an alias like so:

alias ssh-tor='torsocks ssh'
Last modified on Oct 17, 2017, 9:33:39 AM