

Tor Hidden Service: ssh fingerprint reveal - miduil
https://twitter.com/CharlieVedaa/status/541031447986184192

======
zaroth
So the "problem" is, exposing SSH as a Hidden Service exposes your
fingerprint. This is obvious, since the fingerprint is visibly shown before
authentication when you first connect with SSH, so it should be no surprise that
this is public information. Another way to reveal the server is to successfully
log into it. There may also be other ways to learn about the server through the
particular ways that instance of OpenSSH responds.

So the moral of the story: OpenSSH is not hardened to minimize information
disclosure. Probably 'spiped' as a first step would be a better plan.

From a comment on Reddit:

    If a user wants to hide their activity to an SSH server that is on
    the internet, there isn't a need for a hidden service. They could
    just connect to it over Tor, using an exit node to connect to the
    SSH server on the internet, and verify the fingerprint to ensure
    there was no MITM done.

That's an interesting perspective. But I think it also discloses too much,
because the target server is visible to the exit node, the connection is
obviously SSH, and SSH doesn't protect keystroke timing, so intentionally
wiring your control traffic through hostile routes which will flag your
traffic as interesting is not a good plan. Note that 'spiped' will also not
conceal keystroke timing.
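
The correlation the thread is about, as an added example that is not from the thread or from any of the linked posts: the host key an SSH server sends before any authentication can be fingerprinted the way OpenSSH and the key-search engines do (SHA256 over the wire-format key blob, base64 without padding; the legacy MD5 colon form), and the same fingerprint showing up on a clearnet address and on an onion address links the two. Every address and key below is a constructed placeholder, not a real host.

```python
"""Correlate SSH host keys across addresses by fingerprint.

Added example, not code from the thread. All sample data is constructed.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[start:end], end


def make_ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    """Build a known_hosts-style 'ssh-ed25519 <base64> <comment>' line from a raw
    32-byte key. Used here only to construct sample data offline."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> bytes:
    """Return the key blob from '<type> <base64> [comment]', checking that the
    type embedded in the blob matches the declared type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = _read_ssh_string(blob, 0)
    if embedded_type != declared_type.encode():
        raise ValueError(f"key type mismatch: {declared_type} vs {embedded_type!r}")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH MD5 fingerprint: colon-separated hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def correlate_hosts(scan_results):
    """Group (address, pubkey_line) records by SHA256 fingerprint and return only
    the fingerprints seen on more than one address, i.e. the linkable ones."""
    seen = defaultdict(list)
    for address, line in scan_results:
        seen[fingerprint_sha256(parse_pubkey_line(line))].append(address)
    return {fp: addrs for fp, addrs in seen.items() if len(addrs) > 1}


# Constructed sample scan: a clearnet host and an onion address that share the
# same made-up host key, plus an unrelated host. The IPs are documentation
# ranges and the onion name is a placeholder, not a real service.
SHARED_KEY = bytes(range(32))
OTHER_KEY = bytes(range(32, 64))
SAMPLE_SCAN = [
    ("203.0.113.10:22", make_ed25519_pubkey_line(SHARED_KEY, "clearnet-scan")),
    ("exampleonionaddr.onion:22", make_ed25519_pubkey_line(SHARED_KEY, "onion-scan")),
    ("198.51.100.7:22", make_ed25519_pubkey_line(OTHER_KEY, "unrelated")),
]

if __name__ == "__main__":
    for address, line in SAMPLE_SCAN:
        print(address, fingerprint_sha256(parse_pubkey_line(line)))
    for fp, addrs in correlate_hosts(SAMPLE_SCAN).items():
        print("LINKED", fp, "->", ", ".join(addrs))
```

Nothing in the fingerprint depends on the address the key was fetched from, which is the whole point: a scanner that has indexed the clearnet key only needs to fetch the onion's key once, pre-authentication, to make the match.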

------
miduil
Also on:
[https://www.reddit.com/r/netsec/comments/2t21wl/use_search_b...](https://www.reddit.com/r/netsec/comments/2t21wl/use_search_by_fingerprint_to_uncloaks_ssh_servers/)
,
[https://www.reddit.com/r/TOR/comments/2t21u8/use_search_by_f...](https://www.reddit.com/r/TOR/comments/2t21u8/use_search_by_fingerprint_to_uncloaks_ssh_servers/)
and [https://blog.fefe.de/?ts=aa406804](https://blog.fefe.de/?ts=aa406804)
(German).

I wonder how to properly bind ssh to localhost...
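
One way to answer that last question, as an added example that is not from the thread or from OpenSSH or Tor themselves: a checker for the two sshd_config directives involved (Port and ListenAddress) that flags every socket sshd would bind off loopback, and for a loopback-only config emits the torrc lines that publish it as a hidden service. The two config snippets, the hidden-service directory path and the simplification that AddressFamily is not consulted are constructed assumptions of this example.

```python
"""Audit sshd_config for loopback-only binding; derive the matching torrc lines.

Added example, not from the thread. Sample configs below are constructed.
Assumption: AddressFamily is not consulted; sshd with no ListenAddress is
treated as binding both 0.0.0.0 and :: on every Port.
"""
import ipaddress
import shlex


def _split_host_port(value: str):
    """ListenAddress forms: host, host:port, [host]:port, bare IPv6 address."""
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else None
        return host, port
    if value.count(":") == 1:            # IPv4 or hostname followed by a port
        host, port = value.split(":")
        return host, int(port)
    return value, None                    # bare IPv4, hostname or bare IPv6


def parse_listen_config(sshd_config: str):
    """Return (ports, listen_addresses); listen_addresses is [(host, port|None)].
    With no Port directive sshd uses 22."""
    ports, listens = [], []
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            listens.append(_split_host_port(value))
    return (ports or [22]), listens


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit(sshd_config: str):
    """Return the (host, port) sockets reachable from outside loopback.
    An empty list means sshd is only reachable locally (and thus via Tor)."""
    ports, listens = parse_listen_config(sshd_config)
    if not listens:                       # no ListenAddress: binds every address
        return [(wild, p) for wild in ("0.0.0.0", "::") for p in ports]
    exposed = []
    for host, port in listens:
        if not is_loopback(host):
            exposed.extend((host, p) for p in ([port] if port else ports))
    return exposed


def torrc_lines(sshd_config: str, hs_dir: str = "/var/lib/tor/ssh/"):
    """Emit HiddenService lines forwarding each listening port to the loopback
    socket sshd binds. Refuses to run if anything is still exposed off loopback."""
    exposed = audit(sshd_config)
    if exposed:
        raise ValueError(f"sshd still listens off loopback: {exposed}")
    ports, listens = parse_listen_config(sshd_config)
    by_port = {}                          # one target per port; first host wins
    for host, port in listens:
        for p in ([port] if port else ports):
            by_port.setdefault(p, host)
    lines = [f"HiddenServiceDir {hs_dir}"]
    for p in sorted(by_port):
        host = by_port[p]
        target = f"[{host}]:{p}" if ":" in host else f"{host}:{p}"
        lines.append(f"HiddenServicePort {p} {target}")
    return lines


# Constructed configs: the weak one has no ListenAddress at all, so sshd binds
# every interface; the corrected one is reachable only on loopback.
WEAK_CONFIG = """
Port 22
PasswordAuthentication no
"""

HARDENED_CONFIG = """
Port 22
ListenAddress 127.0.0.1
ListenAddress [::1]:22
PasswordAuthentication no
"""

if __name__ == "__main__":
    print("weak config exposes:", audit(WEAK_CONFIG))
    print("hardened config exposes:", audit(HARDENED_CONFIG))
    print("\n".join(torrc_lines(HARDENED_CONFIG)))
```

Binding to loopback keeps the host key out of clearnet scans, which is what makes the fingerprint match in the linked posts possible; the onion side still hands the key to whoever connects, so the key itself is not secret, it is merely no longer indexed next to a public IP.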

