
SSH With Keys Over Tor Setup

If you want to access a machine securely and anonymously, this may be for you. You may not want to do this if you need a very responsive experience. This was done on Debian, so adapt the commands to your own system if it uses a different package manager than apt, a different init system than systemd, etc. This does not require opening any ports on your router. Use doas instead of sudo if you need to.

A few important programs used in this are below.

Before you go through with this, you should know that protecting these SSH keys is very important. If your client system gets pwned, the server you have SSH access to may be as well. Protecting the keys is easy in Qubes: create a separate VM only for SSH. If it is a Whonix workstation, you don’t need to use torsocks when using ssh as long as the network is set to sys-whonix. There is plenty you can do on other systems. Use a strong passphrase to protect your keys, do not store your keys online and restrict privileges. You should also keep backups of your keys.

To use the latest version of the tor package, I am following this.

#lets package managers that use the libapt-pkg library access metadata and packages from sources served over https
sudo apt install apt-transport-https
#edit sources file
sudo nano /etc/apt/sources.list.d/tor.list
**
deb     [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main
**
#Replace <DISTRIBUTION> with your operating system codename. Run lsb_release -c or cat /etc/debian_version to check the operating system version.
#add GPG key
#tee needs root to write into /usr/share/keyrings
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
sudo apt update
sudo apt install tor deb.torproject.org-keyring

You now need to configure ssh and tor.

sudo apt install tor ssh
#start services on boot
sudo systemctl enable tor ssh
sudo nano /etc/tor/torrc
**
HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22
**
sudo systemctl restart tor
#Get your onion address name
sudo cat /var/lib/tor/ssh/hostname
example.onion
#if directory doesn't exist
mkdir -p $HOME/.ssh
chmod 0700 $HOME/.ssh
#key generation. Set to RSA 4096. Use whatever type you want. You should generate these keys on your client.
ssh-keygen -t rsa -b 4096 -C "Tor SSH key"
#when prompted for a passphrase, you should set one. Go to the location you chose to save the key to. Once generated, you should keep a record of your fingerprint.
# You should keep the public key on the server and keep the private key on the client. If you have generated keys on the client, transfer the public key to the server (inside ~/.ssh/).
#If .ssh folder doesn't exist on server, you should create it first like before.
mkdir -p $HOME/.ssh
chmod 0700 $HOME/.ssh
#If authorized_keys doesn't exist, create it.
touch $HOME/.ssh/authorized_keys
chmod 644 $HOME/.ssh/authorized_keys
#Adding public key (the copy you transferred into ~/.ssh/)
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
#If you want the SSH service to only be available as a tor hidden service, you can limit the server to only listen to the loopback address. This is not required.
sudo nano /etc/ssh/sshd_config
**
ListenAddress 127.0.0.1
**
sudo systemctl restart ssh

It is a good idea to disable root login on your system so you should do that if it isn’t already set to this by default.

sudo nano /etc/ssh/sshd_config
#find PermitRootLogin and make sure it is uncommented and set to 'no'.
**
PermitRootLogin no
**

Connect to your system.

torsocks ssh username@example.onion

You should now have a connection. See my testing example below.

$ torsocks ssh user@w4cdderlbwvbss4svvgympa4wefajc54wwlzkmgcig45tvifuqcwpeid.onion
The authenticity of host 'w4cdderlbwvbss4svvgympa4wefajc54wwlzkmgcig45tvifuqcwpeid.onion (127.42.42.0)' can't be established.
ECDSA key fingerprint is SHA256:sOeY2CRubwPxKy32hQYvF05NHfwoC5RyyNU+KNVCLU4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'w4cdderlbwvbss4svvgympa4wefajc54wwlzkmgcig45tvifuqcwpeid.onion' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/myusername/.ssh/id_rsa': 
Linux debian 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
user@debian:~$ echo "Hello, World!"
Hello, World!

After you have this set up, you should disable SSH password login on the server. Modify /etc/ssh/sshd_config and set PasswordAuthentication no, ChallengeResponseAuthentication no and UsePAM no, making sure each line is uncommented, then run sudo systemctl restart ssh. Keep your current session open until a new key-based login has succeeded, so a mistake in the file does not lock you out.
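
Added example, not part of the original guide: a small shell audit that checks an sshd_config for the settings above (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication, UsePAM and the optional loopback ListenAddress). It catches a line left commented out and an earlier value shadowing a later one, since sshd uses the first value it reads. The function names and the sample file are constructed for illustration, and Include files and Match blocks are not followed.

```shell
# Added example, not from the original guide. Reads only the global section of
# one file: Include files and Match blocks are not followed (assumption).

# Print every global value of keyword $2 in file $1, lowercased, one per line.
global_values() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # commented-out or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/); if (!n) next
            key = tolower(substr(line, 1, n - 1)); val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # conditional blocks start here
            if (key == tolower(want)) print tolower(val)
        }' "$1"
}

# Print one finding per line; the return status is the number of FAIL lines.
audit_sshd_config() {
    file=$1; fails=0
    for want in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no UsePAM=no; do
        key=${want%%=*}; expected=${want#*=}
        # sshd keeps the FIRST value it reads for a keyword, so test only that.
        got=$(global_values "$file" "$key" | head -n 1)
        if [ "$got" = "$expected" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset or commented out}', want '$expected'"
            fails=$((fails + 1))
        fi
    done
    # ListenAddress is optional in the guide, so it is reported but never fails.
    listen=$(global_values "$file" ListenAddress)
    if [ -z "$listen" ]; then
        echo "note ListenAddress unset: sshd listens on every address"
    elif printf '%s\n' "$listen" | grep -Evq '^(127\.|\[?::1|localhost)'; then
        echo "note ListenAddress includes a non-loopback address"
    else
        echo "ok   ListenAddress is loopback only"
    fi
    return "$fails"
}

# Constructed sample: password line still commented out, early "UsePAM yes" wins.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' '#PasswordAuthentication no' 'UsePAM yes' \
    'ChallengeResponseAuthentication = no' 'ListenAddress 127.0.0.1' 'UsePAM no' > "$sample"
audit_sshd_config "$sample" || echo "failures: $?"
```

On a live server, sudo sshd -T prints the effective configuration after Include files are applied, which is the authoritative check.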