How to SSH over Tor Onion Service
A few weeks ago, I had an amazing opportunity to learn how to use Tor’s hidden services feature to ssh into a Raspberry Pi connected to our office WAN. Our CTO, Pat Wilbur, was kind enough to teach me how to do it, and I have summarized it below.
You’ll need to have Tor installed on both local and remote machines.
For macOS, I recommend doing this via Homebrew:
brew install tor
On Debian-based Linux distributions, you can do this by typing:
sudo apt-get install tor
Setting up Tor — Server
Go ahead and create an empty directory under /var/lib/tor/<your service folder name>. If you’re on Linux, make sure to change the user and group to
In other words, doing a ls -l should return something like this:
We now need to add a few more configurations in our
This should be under
This should be under
Navigate to your torrc file and add these few lines:
HiddenServiceDir tells tor that you have (or want) a hidden service directory at the given path, holding the proper configs for the service.
HiddenServicePort here should be port 22, since that’s the default port for ssh. You can change this to any other value.
HiddenServiceAuthorizeClient tells tor to authorize a client that wants to make a connection to the specified hidden service. The stealth option tells tor that you want this node to be hidden from all other tor nodes in the network.
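One way to check the server-side settings above before restarting tor, as an added example that is not part of the original post: the script reads a torrc and reports a missing or over-permissive HiddenServiceDir, a HiddenServicePort that forwards somewhere other than loopback, and a missing HiddenServiceAuthorizeClient line. The function names, the client name client1, the 192.0.2.10 target and the temporary paths are constructed for the demo, and the mode-700 and loopback checks are assumptions about a sensible setup rather than steps from the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a torrc for the onion
# SSH setup. Directive names are the v2-style ones the post uses.

# Value of the first uncommented occurrence of directive $2 in file $1.
directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
# Prints findings and returns how many there were (0 = clean).
audit_onion_torrc() {
    torrc=$1; n=0
    dir=$(directive "$torrc" HiddenServiceDir)
    if [ -z "$dir" ]; then
        echo "FAIL: no HiddenServiceDir"; n=$((n + 1))
    elif [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"; n=$((n + 1))
    elif [ "$(ls -ld "$dir" | cut -c1-10)" != "drwx------" ]; then
        # by default tor rejects a service directory that group or others can access
        echo "FAIL: $dir is not mode 700"; n=$((n + 1))
    fi
    # Syntax: HiddenServicePort VIRTPORT [TARGET]; TARGET defaults to 127.0.0.1:VIRTPORT
    set -- $(directive "$torrc" HiddenServicePort)
    if [ $# -eq 0 ]; then
        echo "FAIL: no HiddenServicePort"; n=$((n + 1))
    else
        case "${2:-}" in
            ""|127.0.0.1|127.0.0.1:*|unix:*) ;;   # default or loopback target
            *[!0-9]*) echo "WARN: port $1 forwards to non-loopback $2"; n=$((n + 1)) ;;
        esac
    fi
    if [ -z "$(directive "$torrc" HiddenServiceAuthorizeClient)" ]; then
        echo "WARN: no HiddenServiceAuthorizeClient line"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: a weak torrc beside a corrected one, in a temp directory.
demo_audit() {
    t=$(mktemp -d) || return 1
    weak=0; good=0
    mkdir -m 755 "$t/weak"; mkdir -m 700 "$t/good"
    printf 'HiddenServiceDir %s\nHiddenServicePort 22 192.0.2.10:22\n' "$t/weak" > "$t/weak.torrc"
    printf 'HiddenServiceDir %s\nHiddenServicePort 22 127.0.0.1:22\nHiddenServiceAuthorizeClient stealth client1\n' "$t/good" > "$t/good.torrc"
    echo "== weak ==";      audit_onion_torrc "$t/weak.torrc" || weak=$?
    echo "== corrected =="; audit_onion_torrc "$t/good.torrc" || good=$?
    rm -rf "$t"
    [ "$weak" -eq 3 ] && [ "$good" -eq 0 ]
}
demo_audit
```

To check a real configuration, call audit_onion_torrc with the path to the server's torrc as a user that can read the hidden service directory.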
Restart the Tor Service
Once you’ve done that, go ahead and restart the tor service. You can do this by typing:
brew services restart tor
sudo /etc/init.d/tor restart
Navigate to the hidden service directory (/var/lib/tor/hidden-service-example in this tutorial) again, and you should see that tor has populated the directory with 3 files:
Your hostname file should contain an autogenerated .onion hostname and a secret passphrase that looks somewhat like the one shown below:
Save this information as you’ll need it when you ssh into this server.
Setting up Tor — Client
We now need to configure the client (most probably your local machine) to be able to ssh to the specified server above. Navigate to your client torrc file and stick in:
This should basically be HidServAuth <whatever the hostname you have as shown above>. I stuck the secret passphrase in my torrc for convenience so I won’t have to enter it for each login.
You might need to restart tor for these changes to take effect.
Go ahead and run torify ssh <your-username>@abcdefghijklmnop.onion. Type in your password. If login is successful, hurray, you’re done! :)