Torifying SSH

Secure Shell (SSH) is an encrypted network protocol for utilizing network services securely over an unsecured network. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leakage), the full functionality of SSH can be anonymized.

Torifying SSH on Windows

The recommended methodology for Windows users to torify SSH is by utilising PuTTY. The page outlining where to download it as well as configuration can be found here.

Torifying SSH on *NIX / MacOS

Warning: 'ssh' will leak your UNIX username. If you do 'ssh theloginyouwant@…' it will not leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place.

Using SSH inside Whonix should be safe.

Option 1: Using torsocks

More plentiful and current information on torsocks can be found here.

To use SSH with torsocks, simply use the command:

torsocks ssh

you may want to add an alias like so:

alias ssh-tor='torsocks ssh'

Option 2: Using netcat-openbsd

netcat-openbsd (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading or writing from TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.

When using netcat-openbsd, you can use the ssh ProxyCommand option:

ssh -o "ProxyCommand nc -X 5 -x %h %p" <target_host>

To do it on a per-host basis, edit your ~/.ssh/config to look something like this:

    user bar
    port 22
    ProxyCommand nc -X 5 -x %h %p

Then you can just do ssh and it will be torified.

If preferred, it is possible to make an alias for this and place it in your ~/.bash_rc or ~/.bash_profile like so:

alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x %h %p"'


alias ssh-tor='ssh -o "ProxyCommand nc --proxy --proxy-type 
socks4 $(torsocks dig @ +tcp +short %h | head -n 1) %p"'

Then you can simply issue the command ssh-tor

OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and creates a leak. To make sure this doesn't happen, pass -o VerifyHostKeyDNS=no on your ssh command line.

A good command for checking for DNS leakage is

tcpdump -vvvv -i <your_device> dst port 53

Option 3: Using connect-proxy

Add this to your ssh config file (~/.ssh/config):

host *-tor
     CheckHostIP  no
     Compression  yes
     Protocol     2
     ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) 

Then add a -tor to the server name on the commandline when you want to use tor. E.g., if your ssh config file has:

host whitehouse*
user         trump

you would run ssh whitehouse-tor to access that host over tor, or simply ssh whitehouse to go direct without tor.

Last modified 2 years ago Last modified on Jul 13, 2018, 7:38:43 PM