wiki:doc/TorifyHOWTO/ssh

Also under TorifyHOWTO/Misc there are some older ssh instructions. This ssh article is more recent.

Wiki editors: possibly merge. (From Misc to ssh. Ssh has enough information to have its own wiki site.)

Using netcat (does not require torsocks)

When using netcat-openbsd, you can use the ssh ProxyCommand option:

ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" <target_host>

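Or when using nmap-ncat (note the single quotes: with double quotes your local shell would run the $(...) substitution before ssh has replaced %h):

ssh -o 'ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type socks4 $(torsocks dig @213.73.91.35 +tcp +short %h | head -n 1) %p' <target_host>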

Please keep in mind that the nmap-ncat version is not compatible with .onion addresses, as it doesn't resolve the hostname via SOCKS5!

With recent versions of ncat (7.12 was tested), it is possible to use SOCKS5 to resolve the hostname and also use separate usernames and passwords for stream isolation:

ssh -o "ProxyCommand ncat --nodns --proxy 127.0.0.1:9050 --proxy-type socks5 --proxy-auth %h:ssh_%p %h %p" <target_host>

To do it on a per-host basis, edit your ~/.ssh/config to look something like this:

For netcat-openbsd:

host example.com
    user bar
    port 22
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

For older versions of ncat (nmap), requiring torsocks and dig (communicating with a public DNS server you trust, Chaos Computer Club Berlin given in the example):

host example.com
    user bar
    port 22
    ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type socks4 $(torsocks dig @213.73.91.35 +tcp +short %h | head -n 1) %p

For recent versions of ncat:

host example.com
    user bar
    port 22
    ProxyCommand ncat --nodns --proxy 127.0.0.1:9050 --proxy-type socks5 --proxy-auth %h:ssh_%p %h %p

Then you can just do ssh example.com and it will be torified.

If you prefer, you can define an alias like this and place it in your ~/.bashrc or ~/.bash_profile:

alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p"'

or

alias ssh-tor="ssh -o 'ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type socks4 \$(torsocks dig @213.73.91.35 +tcp +short %h | head -n 1) %p'"

Then you can just do ssh-tor example.com

DNS leakage has been tested on nc from the netcat-openbsd package on Ubuntu 12.04 LTS, and nmap-ncat package on Fedora 19.

Please test other versions of netcat and see if they behave as well.

OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and create a leak. To make sure this doesn't happen, pass -o VerifyHostKeyDNS=no on your ssh command line.
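
The two settings above (a ProxyCommand through Tor and VerifyHostKeyDNS turned off) can be checked before connecting by inspecting the effective options that ssh -G prints. The following is an added example, not part of the original wiki page; the function name audit_ssh_tor and the sample input are made up for illustration, and it assumes Tor's SOCKS port is 127.0.0.1:9050 as in the commands above.

```shell
#!/bin/sh
# Added example, not from the original page.
# Audits `ssh -G <host>` output (lowercase "key value" lines) read from stdin.
# Assumption: Tor's SOCKS port is 127.0.0.1:9050, as in the commands above.

audit_ssh_tor() {
    cfg=$(cat)
    rc=0
    proxy=$(printf '%s\n' "$cfg" | sed -n 's/^proxycommand //p')
    sshfp=$(printf '%s\n' "$cfg" | sed -n 's/^verifyhostkeydns //p')

    # Without a ProxyCommand through Tor, ssh resolves and connects directly.
    case "$proxy" in
        *127.0.0.1:9050*) ;;
        "") echo "FAIL: no ProxyCommand set"; rc=1 ;;
        *)  echo "FAIL: ProxyCommand does not use 127.0.0.1:9050"; rc=1 ;;
    esac

    # ssh -G reports a disabled VerifyHostKeyDNS as "false" or "no".
    case "$sshfp" in
        no|false) ;;
        *) echo "FAIL: VerifyHostKeyDNS is '${sshfp:-unset}'"; rc=1 ;;
    esac

    # The page's SOCKS5 ncat command passes --nodns; flag it when missing.
    case "$proxy" in
        *--nodns*) ;;
        *ncat*socks5*) echo "FAIL: ncat socks5 without --nodns"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: ProxyCommand via Tor, SSHFP lookups off"
    return "$rc"
}

# Constructed sample of `ssh -G example.com` output, not captured from a host.
SAMPLE='hostname example.com
port 22
verifyhostkeydns false
proxycommand nc -X 5 -x 127.0.0.1:9050 %h %p'
printf '%s\n' "$SAMPLE" | audit_ssh_tor
```

For a real host, run ssh -G example.com | audit_ssh_tor; a non-zero exit status means at least one check failed.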

A good command for checking for DNS leakage is

tcpdump -vvvv -i <your_device> dst port 53

            netcat-openbsd   ncat (nmap)
SOCKS5      Y                N
SOCKS4a     Y                N
SOCKS4      Y                Y
DNS Leaks   N                N (manually resolved via torsocks and dig)
Safe        M                M

Y = Yes

N = No

M = Maybe. No problems were detected, but a full and thorough analysis has not been made. There may still be other anonymity leaks.

Using torsocks

torsocks ssh example.com

You may want to add an alias like so:

alias ssh-tor='torsocks ssh'
Last modified on Jun 8, 2016, 9:27:38 AM