How to SSH over Tor Onion Service

Zheng Hao Tan
2 min read · Jul 9, 2017


A few weeks ago, I had an amazing opportunity to learn how to use Tor’s hidden services feature to ssh into a Raspberry Pi connected to our office WAN. Our CTO, Pat Wilbur, was kind enough to teach me how to do it, which I have summarized below.

Installation

You’ll need to have Tor installed on both local and remote machines.

For MacOS, I recommend doing this via Homebrew:

brew install tor

On Debian-based Linux distributions, you can do this by typing:

sudo apt-get install tor

Setting up Tor — Server

Go ahead and create an empty directory under /var/lib/tor/<your service folder name>. If you’re on Linux, make sure to change the user and group to debian-tor.

In other words, doing a ls -l should return something like this:

torrc Configuration

We now need to add a few more settings to our torrc file.

On MacOS:

This should be under /usr/local/etc/tor/torrc

On Linux:

This should be under /etc/tor/torrc

Navigate to your torrc file and add these few lines:

HiddenServiceDir basically tells tor that you have/want a hidden service directory with the proper configs based on the given path.

HiddenServicePort here should be port 22, since that’s the default port for ssh. You can change this to any other value.

HiddenServiceAuthorizeClient basically tells tor to authorize a client that wants to make a connection to the specified hidden service. The stealth option basically tells tor that you want this node to be hidden from all other tor nodes in the network.

Restart the Tor Service

Once you’ve done that, go ahead and restart the tor service. You can do this by typing:

MacOS:

brew services restart tor

Linux:

sudo /etc/init.d/tor restart

Navigate to the hidden service directory (/var/lib/tor/hidden-service-example in this tutorial) again, and you should see that tor has populated the directory with 3 files: client_keys, hostname and private_key.

Your hostname file should contain an autogenerated .onion hostname and a secret passphrase that looks somewhat like the one shown below:

Save this information as you’ll need it when you ssh into this server.

Setting up Tor — Client

We now need to configure the client (most probably your local machine) to be able to ssh to the specified server above. Navigate to your client torrc file and stick in:

This should basically be HidServAuth <whatever you have in the hostname file as shown above>. I stuck the secret passphrase in my torrc for convenience so I won’t have to enter it for each login.

You might need to restart tor for these changes to take effect.

Go ahead and run torify ssh <your-username>@abcdefghijklmnop.onion. Type in your password. If login is successful, hurray, you’re done! :)
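
The steps above can be checked offline before restarting tor. The following is an added example, not code from the original post: it parses a server torrc for the three options described above and turns one line of the hostname file into the client's HidServAuth line. The client name laptop, the 127.0.0.1:22 target and the cookie value are constructed placeholders, and the hostname line format (16-character address, 22-character cookie, optional client comment) is an assumption about what tor writes for this kind of authorized service.

```python
import re

# Constructed sample inputs: the client name "laptop", the loopback target and
# the all-"A" cookie are placeholders, not values from the original post.
SERVER_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden-service-example
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient stealth laptop
"""
HOSTNAME_LINE = "abcdefghijklmnop.onion " + "A" * 22 + " # client: laptop"

def parse_services(torrc_text):
    """Group HiddenService* options under the HiddenServiceDir they follow."""
    services, current = [], None
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        key, args = fields[0].lower(), fields[1:]  # torrc keys are case-insensitive
        if key == "hiddenservicedir":
            current = {"dir": args[0], "ports": [], "auth": None}
            services.append(current)
        elif current is None:
            continue  # option is not part of any hidden service block
        elif key == "hiddenserviceport":
            current["ports"].append(args[0])
        elif key == "hiddenserviceauthorizeclient":
            current["auth"] = args[0]
    return services

def audit(service):
    """Return findings for one service block; an empty list means it passed."""
    findings = []
    if not service["ports"]:
        findings.append("no HiddenServicePort: nothing is exposed")
    if service["auth"] is None:
        findings.append("no HiddenServiceAuthorizeClient: no client authorization")
    return findings

def client_torrc_line(hostname_line):
    """Build the client's HidServAuth line from one line of the hostname file."""
    m = re.fullmatch(r"([a-z2-7]{16}\.onion)\s+([A-Za-z0-9+/]{22})(\s+#.*)?",
                     hostname_line.strip())
    if m is None:
        raise ValueError("not an '<address>.onion <auth cookie>' line")
    return f"HidServAuth {m.group(1)} {m.group(2)}"

if __name__ == "__main__":
    for svc in parse_services(SERVER_TORRC):
        print(svc["dir"], audit(svc) or "ok")
    print(client_torrc_line(HOSTNAME_LINE))
```

A service block that passes returns an empty findings list; a block with no HiddenServiceAuthorizeClient line is reported, since that service would accept any client that learns the address.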
