How to SSH over Tor Onion Service

Zheng Hao Tan
Jul 9, 2017

A few weeks ago, I had an amazing opportunity to learn how to use Tor’s hidden services feature to ssh into a Raspberry Pi connected to our office WAN. Our CTO, Pat Wilbur, was kind enough to teach me how to do it, which I have summarized below.

Installation

You’ll need to have Tor installed on both local and remote machines.

For MacOS, I recommend doing this via Homebrew:

brew install tor

On Debian-based Linux distributions, you can do this by typing:

sudo apt-get install tor

Setting up Tor — Server

Go ahead and create an empty directory under /var/lib/tor/<your service folder name>. If you’re on Linux, make sure to change the user and group to debian-tor.

In other words, running ls -l should return something like this:

torrc Configuration

We now need to add a few more settings to our torrc file.

On MacOS:

This should be under /usr/local/etc/tor/torrc

On Linux:

This should be under /etc/tor/torrc

Navigate to your torrc file and add these few lines:

HiddenServiceDir tells tor that you want a hidden service whose configuration and data live in the directory at the given path.

HiddenServicePort here should be port 22, since that’s the default port for ssh. You can change this to any other value.

HiddenServiceAuthorizeClient tells tor to authorize a client that wants to make a connection to the specified hidden service. The stealth option tells tor that you want this node to be hidden from all other tor nodes in the network.

Restart the Tor Service

Once you’ve done that, go ahead and restart the tor service. You can do this by typing:

MacOS:

brew services restart tor

Linux:

sudo /etc/init.d/tor restart

Navigate to the hidden service directory (/var/lib/tor/hidden-service-example in this tutorial) again, and you should see that tor has populated the directory with 3 files: client_keys, hostname and private_key.

Your hostname file should contain an autogenerated .onion address and a secret passphrase that looks somewhat like the one shown below:

Save this information as you’ll need it when you ssh into this server.

Setting up Tor — Client

We now need to configure the client (most probably your local machine) to be able to ssh to the server set up above. Navigate to your client torrc file and stick in:

This should be HidServAuth <whatever hostname you have, as shown above>. I stuck the secret passphrase in my torrc for convenience so I won’t have to enter it for each login.

You might need to restart tor for these changes to take effect.

Go ahead and run torify ssh <your-username>@abcdefghijklmnop.onion. Type in your password. If login is successful, hurray, you’re done! :)
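
The server and client torrc lines from the steps above, produced by a small shell script that is an added example and not the author's code. The client name laptop and the sample hostname line are constructed, and the "<address>.onion <cookie> # client: <name>" layout of the hostname file is an assumption about what tor writes for client-authorized services of this (16-character address) kind. Per the tor manual, the stealth auth type also hides service activity from unauthorized clients.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the torrc lines for both
# ends of the setup. The client name "laptop" is a hypothetical placeholder.

# server_torrc DIR CLIENT -> the three server-side torrc lines.
server_torrc() {
    printf 'HiddenServiceDir %s\n' "$1"
    # Virtual port 22 on the onion address, forwarded to the local sshd.
    printf 'HiddenServicePort 22 127.0.0.1:22\n'
    # Only clients holding the generated cookie can reach the service.
    printf 'HiddenServiceAuthorizeClient stealth %s\n' "$2"
}

# client_torrc HOSTNAME_FILE CLIENT -> the HidServAuth line for that client.
# Assumed hostname line layout: "<address>.onion <cookie> # client: <name>".
# Exits non-zero if the client is missing or the fields look malformed.
client_torrc() {
    awk -v want="$2" '
        $3 == "#" && $4 == "client:" && $5 == want {
            # 16 base32 chars + ".onion" = 22; the cookie is 22 base64 chars.
            ok = ($1 ~ /^[a-z2-7]+\.onion$/ && length($1) == 22 &&
                  $2 ~ /^[A-Za-z0-9+\/]+$/ && length($2) == 22)
            if (ok) print "HidServAuth", $1, $2
            exit
        }
        END { exit(ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample standing in for <HiddenServiceDir>/hostname.
sample=$(mktemp)
echo 'abcdefghijklmnop.onion 0123456789abcdefABCDEF # client: laptop' > "$sample"
echo '# server torrc'
server_torrc /var/lib/tor/hidden-service-example laptop
echo '# client torrc'
client_torrc "$sample" laptop
rm -f "$sample"
```

Append each set of lines to the matching machine's torrc, then restart tor as described above.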
