Update: Merged. Old information originally on TorifyHOWTO/Misc can now be found under #ssh_old. (Jaruga)

Torifying SSH

Secure Shell (SSH) is an encrypted network protocol for utilizing network services securely over an unsecured network. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leakage), the full functionality of SSH can be anonymized.


Warning: 'ssh' will leak your UNIX username. If you do 'ssh theloginyouwant@…' it will not leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place.

Using SSH inside Whonix should be safe.

Using netcat-openbsd (does not require torsocks)

netcat-openbsd (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading or writing from TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.

When using netcat-openbsd, you can use the ssh ProxyCommand option:

ssh -o "ProxyCommand nc -X 5 -x %h %p" <target_host>

To do it on a per-host basis, edit your ~/.ssh/config to look something like this:

    user bar
    port 22
    ProxyCommand nc -X 5 -x %h %p

Then you can just do ssh and it will be torified.

If preferred, it is possible to make an alias for this and place it in your ~/.bash_rc or ~/.bash_profile like so:

alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x %h %p"'


alias ssh-tor='ssh -o "ProxyCommand nc --proxy --proxy-type 
socks4 $(torsocks dig @ +tcp +short %h | head -n 1) %p"'

Then you can simply issue the command ssh-tor

OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and creates a leak. To make sure this doesn't happen, pass -o VerifyHostKeyDNS=no on your ssh command line.

A good command for checking for DNS leakage is

tcpdump -vvvv -i <your_device> dst port 53

Using connect-proxy

Add this to your ssh config file (~/.ssh/config):

host *-tor
     CheckHostIP  no
     Compression  yes
     Protocol     2
     ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) 

Then add a -tor to the server name on the commandline when you want to use tor. E.g., if your ssh config file has:

host whitehouse*
user         trump

you would run ssh whitehouse-tor to access that host over tor, or simply ssh whitehouse to go direct without tor.

Using torsocks

More plentiful and current information on torsocks can be found here.

To use SSH with torsocks, simply use the command:

torsocks ssh

you may want to add an alias like so:

alias ssh-tor='torsocks ssh'

Older SSH Instructions

Below are older instructions pertaining to torifying SSH. They should be followed with caution as they may be depreciated.

SSH: Method 1 (torify)

Simply run torify ssh <parameters> host if the host is not on a local network and you're done. You could additional use tor-resolve to transform the hostname into the IP address. Just use torify ssh <parameters> $(tor-resolve host).

SSH: Method 2 (connect)

These instructions should work on most *nix systems. Tested on Mac OS X 10.3.x and Debian GNU/Linux.

1 - Upgrade your SSH to an OpenSSH version that has Socks 5 support. The OpenSSH client that is shipped with Mac OS X 10.3 (aka Panther) - OpenSSH_3.6.1p1 - will not work correctly. Download, build and install the current stable version of the OpenSSH website. If you're using Mac OS X, using MacPorts may be easier for you.

2 - Download and build the Connect source code, - Connect will allow socket connections using SOCKS4/5 and HTTP tunnels. For detailed information on Connect, please visit

A pre-compiled version of connect for Mac OS X is available at (md5sum: b5180cb789813fc958209c58b99039fa)

Install connect into the /usr/local/bin directory.

3 - Add the following line to your ssh_config file located at: /etc/ssh/ssh_config (system-wide) or $HOME/.ssh/config (on a per-user basis). If you used fink to install OpenSSH, it is located at /sw/etc/ssh/ssh_config.

Host <PRIVATE_IPADDRESS> ProxyCommand none Host * ProxyCommand /usr/local/bin/connect -4 -S %h %p

You should replace <PRIVATE_IPADDRESS> by those address which is defined in RFC 1918. This avoids it, that local IP addresses are sent through Tor. The last two lines instruct SSH to use connect as proxy and connect uses a SOCKS-server (-S) with SOCKS-version 4 (-4) to relay to port 9050 at localhost.

You may want to look up your SSH server's IP with tor-resolve and use the IP in place of a hostname; see the note on torsocks and DNS above.

SSH: Method 3 (socat)

Use as described above. One way to access an SSH server via Tor is to socat to make a tcp4 listener and relay to your local Tor client, then ssh to it. It's not the nicest way. Using OpenSSH, then you can use the ProxyCommand option in your ~/.ssh/config file, as follows:

Host MyHost-tor
ProxyCommand socat -,socksport=9050

Now you can simply use ssh MyHost-tor.

Similarly, if you have an SSH server running as a hidden service, then you will wish to ssh to it with minimal fuss.

Host MyHost-tor
ProxyCommand socat - SOCKS4A:localhost:MyHost.onion:22,socksport=9050

This method is more secure than using torsocks ssh MyHost.onion because ssh will first resolve the hostname, and then try to connect to it. This means that you lose by giving away your IP address during the DNS lookup.

Using wildcards and parameter expansions features of SSH you can put a single configuration for all .onion addresses:

Host *.onion
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050

If you want every SSH communication to go through Tor, you can even say :

Host *
ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050

SSH: Method 4 (over HTTP using corkscrew)

Install the corkscrew TCP tunnel program and any HTTP proxy (Privoxy, Polipo, 3proxy) configured to go through Tor, as described in the Tor documentation or, in the case of 3proxy, in the doc/TorifyHOWTO/EMail section of this HOW-TO (substituting "pop3p" with "proxy" in the last line). The add the ProxyCommand option to the right host's section (or to the Host * section) in your configuration file, usually {{~/.ssh/config}}}:

ProxyCommand corkscrew 8118 %h %p

Change 8118 to the port number on which your HTTP proxy is listening.

Last modified 5 weeks ago Last modified on Mar 16, 2018, 1:48:47 AM