SSH as a Hidden Service

It is relatively easy to make your SSH server available as a hidden service accessible only through the Tor network. There are several reasons you might want to do this.

  1. You can access your server anonymously.

  2. You can access your server from the open internet even if it is hidden behind a firewall and it has a dynamically assigned IP address.

The downside to using the Tor network to access your server is that the network is not particularly fast.

Tor

On a server, you can run tor as a always-on service. Typically tor acts as a socks proxy, allowing you anonymous access to the tor network from your server. Running it as an always-on service means that it is always available as an anonymous proxy. In this case, it will also be configured to provide access to your SSH server as a hidden service as well. In this case, your hidden service is always available.

Alternatively, you can run tor on demand. You typically do this on a workstation. In this case you would run tor whenever you want to hidden service to be available.

Tor as Service

To install tor on a Fedora system, as root run:

yum install tor

You would configure it by editing the file /etc/tor/torrc, but for now it can be left as is. Start tor with:

systemctl start tor

You should not be able to use it as a socks proxy. The default proxy port is 9050, so you should be able to configure your browser to use a socks5 proxy with address localhost:9050 to test it.

If you would like a GUI tool to monitor and control your tor server, install vidalia:

yum install vidalia

Normally vidalia will start and control its own copy of tor. If you want to use it to control the system tor, you will need to configure vidalia and tor accordingly (in /etc/tor/torrc you will need to set HashedControlPassword, and in ~/.vidalia/vidalia.conf you need to set ControlPassword).

Tor on Demand

If you instead plan to run tor on demand, install both tor and vidalia as root:

yum install tor vidalia

Once you do this, you no longer need be root, you can run vidalia and tor as a normal user.

You would start tor by running vidalia. When you do so, vidalia will open a window that shows the status of tor, but you can close it. You would reopen it as needed by clicking on the onion in your status bar.

You should not be able to use tor as a socks proxy now. The default proxy port is 9050, so you should be able to configure your browser to use a socks5 proxy with address localhost:9050 to test it.

In this situation, the tor configuration file, torrc, is found in ~/.vidalia.

Configuring Your Hidden Service

To configure SSH as a hidden service, simply add the following to your torrc file and restart tor:

HiddenServiceDir <directory>
HiddenServicePort 22 127.0.0.1:22

where <directory> should be set to something like /var/lib/tor/ssh if you are running tor as a service and should be set to something like .vidalia/ssh if you are running tor on demand.

Once you restart tor, you should visit the directory you specified. In it will find the file hostname and private_key. Keep private_key secure. If a bad guy got a hold of this file, they could spoof your hidden service. The address of your hidden service is contained in hostname.

Once you create a hidden service, it will be listed in a directory that is publicly available. If you want to keep it really hidden, so nobody else could possibly find or use it, add the following to you hidden service description:

HiddenServiceDir <directory>
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient stealth clientname1,clientname2,clientname3

In this case, you can specify as many clients as you wish. Each client will get its own address and a password that allows access from that client. These addresses are not published in to directory. They can be found in <directory>/hostname.

Using Your Hidden Service

Accessing your hidden service requires two things. First, you must be running tor on your client machine as well. Then, you must tell your ssh client to proxy through tor. Starting tor is as simple as running vidalia. To tell your ssh client to use tor as a proxy requires that you specify that it use:

ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

as the proxy command. The easiest was of doing that is to configure a host entry in ~/.ssh/config for you hidden service. To do so, add something like the following:

# Media host as Tor hidden service
host hidden
   hostname 7ei66g5djlymzxqb.onion
   proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

Then simply running:

ssh hidden

should get you access to your server.

If you took the extra step of hiding your hidden service using HiddenServiceAuthorizeClient, you will need to add an entry to your torrc file before you will allowed access:

HidServAuth 7ei66g5djlymzxqb.onion op6npnLTq2NtpQVZqLJilB

This line contains the address of your hidden service, and the authorization string that was found in <directory>/hostname.