[[TOC(noheading, depth=4)]]

= Torifying SSH =

Secure Shell (SSH) is an encrypted network protocol for using network services securely over an unsecured network. Common applications are remote command-line login and remote command execution, but any network service can be tunnelled over SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. When used in conjunction with Tor (and some small measures are taken to prevent leakage), the full functionality of SSH can be anonymized.

=== Torifying SSH on Windows ===

The recommended way for Windows users to torify SSH is to use PuTTY. The page describing where to download it and how to configure it can be found [wiki:doc/TorifyHOWTO/Putty here].

=== Torifying SSH on *NIX / MacOS ===

'''Warning:''' `ssh some.host` will '''leak your UNIX username''', because ssh uses your local login name as the remote username when none is given. If you do `ssh theloginyouwant@some.host` it will '''not''' leak your username. That is why we suggest using non-identifying usernames on your machines to prevent such leaks in the first place. Using SSH inside Whonix should be safe.

==== Option 1: Using torsocks ====

More plentiful and current information on torsocks can be found [https://trac.torproject.org/projects/tor/wiki/doc/torsocks here].

To use SSH with torsocks, simply use the command:
{{{
torsocks ssh loginname@example.com
}}}
You may want to add an alias like so:
{{{
alias ssh-tor='torsocks ssh'
}}}

==== Option 2: Using netcat-openbsd ====

{{{netcat-openbsd}}} (also known as simply 'netcat' or 'nc') is a networking utility with a simple interface that is primarily used for reading from and writing to TCP and UDP sockets. It is available in the repositories of most modern UNIX operating systems.

When using netcat-openbsd, you can use the ssh {{{ProxyCommand}}} option (`-X 5` selects SOCKS5, so the hostname is passed to Tor for resolution, and `-x` names the proxy, here Tor's default SOCKS port):
{{{
ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p" loginname@example.com
}}}
To do it on a per-host basis, edit your `~/.ssh/config` to look something like this:
{{{
host example.com
  user bar
  port 22
  ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
}}}
Then you can just do {{{ssh example.com}}} and it will be torified.

If preferred, it is possible to make an alias for this and place it in your {{{~/.bashrc}}} or {{{~/.bash_profile}}} like so:
{{{
alias ssh-tor='ssh -o "ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p"'
}}}
or, using the `--proxy` syntax of nmap's ncat instead (its `socks4` proxy type needs an IP address, so the hostname is first resolved over Tor with `torsocks dig`):
{{{
alias ssh-tor='ssh -o "ProxyCommand nc --proxy 127.0.0.1:9050 --proxy-type socks4 $(torsocks dig @213.73.91.35 +tcp +short %h | head -n 1) %p"'
}}}
Then you can simply issue the command {{{ssh-tor example.com}}}.

OpenSSH has a feature for looking up remote host keys in SSHFP DNS records; don't use it, or it will try to resolve hostnames before it invokes your ProxyCommand and create a leak. To make sure this doesn't happen, pass {{{-o VerifyHostKeyDNS=no}}} on your ssh command line (or set `VerifyHostKeyDNS no` in your `~/.ssh/config`).

A good command for checking for DNS leakage is
{{{
tcpdump -vvvv -i <interface> dst port 53
}}}
(substitute your outbound network interface for `<interface>`; any query to port 53 that appears while you connect went out in the clear, outside Tor).

==== Option 3: Using connect-proxy ====

Add this to your ssh config file (`~/.ssh/config`):
{{{
host *-tor
  CheckHostIP no
  Compression yes
  Protocol 2
  ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p
}}}
Then add a `-tor` to the server name on the command line when you want to use Tor. E.g., if your ssh config file has:
{{{
host whitehouse*
  hostname whitehouse.gov
  user trump
}}}
you would run `ssh whitehouse-tor` to access that host over Tor, or simply `ssh whitehouse` to go direct without Tor.
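As an added example (not code from the original page or from the Tor project), here is a small shell audit that applies the leak checks above to an `~/.ssh/config`: every host block whose `ProxyCommand` goes through Tor's SOCKS port should also set `User` explicitly (username leak), `VerifyHostKeyDNS no` and `CheckHostIP no`. The config text it scans is constructed for illustration, and it assumes Tor listens on 127.0.0.1:9050 or localhost:9050 as in the examples above.

```shell
#!/bin/sh
# Constructed sample ~/.ssh/config (illustration only, not from the wiki page).
# The first block follows the page's advice; the second has the pitfalls.
SAMPLE_CONFIG='Host example.com
  User bar
  Port 22
  VerifyHostKeyDNS no
  CheckHostIP no
  ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

Host leaky.example.net
  ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

Host direct.example.org
  User baz
'

# audit_ssh_config CONFIG_TEXT
# Prints one line per Host block: "<host>: ok", "<host>: missing <options>"
# or "<host>: no Tor ProxyCommand (direct)". Checked options:
#   User              - without it ssh sends your local UNIX username
#   VerifyHostKeyDNS  - unless "no", ssh may do DNS lookups before the proxy runs
#   CheckHostIP       - unless "no", ssh resolves the host's IP outside the proxy
audit_ssh_config() {
    printf '%s\n' "$1" | awk '
    function add(list, item) { return (list == "" ? item : list "," item) }
    function report() {
        if (host == "") return
        if (proxy !~ /127\.0\.0\.1:9050|localhost:9050/) {
            print host ": no Tor ProxyCommand (direct)"; return
        }
        miss = ""
        if (user == "")  miss = add(miss, "User")
        if (vhk != "no") miss = add(miss, "VerifyHostKeyDNS=no")
        if (chk != "no") miss = add(miss, "CheckHostIP=no")
        print host ": " (miss == "" ? "ok" : "missing " miss)
    }
    # Keywords are case-insensitive in ssh_config; a Host line starts a new block.
    tolower($1) == "host"             { report(); host = $2; user = vhk = chk = proxy = ""; next }
    tolower($1) == "user"             { user = $2 }
    tolower($1) == "verifyhostkeydns" { vhk = tolower($2) }
    tolower($1) == "checkhostip"      { chk = tolower($2) }
    tolower($1) == "proxycommand"     { proxy = $0 }
    END { report() }'
}

audit_ssh_config "$SAMPLE_CONFIG"
```

Run it against your real file with `audit_ssh_config "$(cat ~/.ssh/config)"`; it only reads the file and reports, so it is safe to run before opening any connection.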