Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-19 Thread sycamoreone
blo...@openmailbox.org:
> Is torsocks still a safe way to do this?

I can't say anything interesting about torsocks as a program, and am a
happy user. But there are some interesting gotchas, mostly caused by the
convenient but unnecessary *magic* in modern interactive shells.

One example: Type

  $ torsocks git push local_branch:remote_br

into a bash prompt on a stock Debian system (with real branch names and
the name of the remote branch not complete). Then press tab for
auto-completion. The branch name will actually be auto-completed, but
the connection to the repository needed to get the list of branch names
won't use torsocks and Tor.

The spirits that I summoned / I now cannot get rid of.

There are ways to solve such problems though, like `man iptables` and a
lot of free time. Or just using Tails.

I have no idea if similar problems also apply to ssh.

Cheers!
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-19 Thread David Goulet
On 16 Feb (00:27:40), James Murphy wrote:
> On 02/15/2015 03:22 PM, blo...@openmailbox.org wrote:
>> I want to login to my VPS over SSH.
>>
>> Is torsocks still a safe way to do this? A lot of the
>> documentation (such as it is) is several years old.
>
> I would also like to know this. SSH hidden service setup and use are
> easy with torsocks.
>
> /etc/tor/torrc
>
> HiddenServiceDir /var/lib/tor/ssh_service/
> HiddenServicePort 22 127.0.0.1:22
>
> Then
>
> torsocks ssh user@xxx.onion
>
> works like a charm.
>
> Can anyone comment on security of torsocks?

(So yeah I sent that a week ago and didn't notice that I used the wrong
email address for the list so here it is)

Torsocks was rewritten almost from scratch due to design issues and the
code was unmaintained since 2009. This new version is 2.0 and is now
packaged by most Linux distros.

https://people.torproject.org/~dgoulet/torsocks/
git: https://gitweb.torproject.org/torsocks.git

Now, that effort did improve the safety of it I would say quite a bit.
I won't go in the technical details but it's better and maintained now.

That being said, know this, torsocks is a best effort, it's not a silver
bullet and it's easy to design an application that will bypass
torsocks. However, you can be confident with a bunch of stuff such as
ssh, wget, netcat, etc... It's extensively used with those applications
on a daily basis. Tails and Whonix for instance rely on torsocks for
some applications (note that their firewall gives them extra
protection). I know that people are using torsocks with postfix and it
works well.

I would be happy to detail technical details of torsocks if someone
would like to, maybe a blog post?

Cheers!
David



Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-19 Thread sycamoreone
Just some clarification:

sycamoreone:
> But there are some interesting gotchas, mostly caused by the
> convenient but unnecessary *magic* in modern interactive shells.

unnecessary is probably the wrong word. I meant not strictly
necessary and not useless.

>   $ torsocks git push local_branch:remote_br

This should be

  $ torsocks git push repository local_branch:remote_br

And looking into /etc/bash_completion.d/ (or the zsh equivalent) might
be enough to see if there is any magic for the program you want to use.

Cheers!
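
The check suggested above (looking into /etc/bash_completion.d/ for completion "magic"), as an added example that is not part of the original message: a shell function that lists the non-comment lines of a completion script which invoke network-capable commands. The function names, the pattern list and the sample script are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list lines in a bash completion script
# that may open network connections when Tab is pressed. Completion code runs
# inside the interactive shell, so it is not wrapped by the torsocks that
# prefixes the command being typed.

# Commands treated as network-touching. This list is an assumption; extend it.
NET_PATTERN='git[[:space:]].*ls-remote|(^|[^[:alnum:]_-])(ssh|scp|curl|wget|rsync|nc|host|dig)([[:space:]]|$)'

# completion_net_hits FILE
# Prints "LINENO:TEXT" for every non-comment line matching NET_PATTERN.
# Returns 0 if there was at least one hit, 1 if none, 2 if FILE is unreadable.
completion_net_hits() {
    [ -r "$1" ] || return 2
    grep -nE "$NET_PATTERN" "$1" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# write_sample_completion FILE
# Writes a constructed completion script (not the real git completion).
write_sample_completion() {
    cat > "$1" <<'EOF'
# constructed sample, loosely modelled on a git completion helper
_demo_refs() {
    # ssh is only mentioned in this comment
    __git ls-remote "$1" 'refs/heads/*'
}
_demo_words() {
    COMPREPLY=( $(compgen -W "alpha beta" -- "$cur") )
}
EOF
}

# Scan the files named on the command line, e.g.
#   sh scan.sh /etc/bash_completion.d/*
for f in "$@"; do
    echo "== $f"
    completion_net_hits "$f" || true
done
```

A hit is a line to read by hand, not proof of a leak: the pattern match is a static heuristic and does not follow helper functions defined in other files.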


Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-18 Thread sycamoreone
Lars Luthman:
> [...]
> Step 5: Read the hidden service address from
> /var/lib/tor/ssh-hs/hostname, write it down somewhere.
>
> Once Tor has had a couple of minutes to get the service descriptor onto the
> network, try to connect ('usewithtor ssh your_hs_address.onion').

And once you are sure you can connect to the hidden service and won't lose
the onion address, you might want to add

ListenAddress 127.0.0.1

to your /etc/ssh/sshd_config to disable regular connections.

-- 
sycamoreone


Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-18 Thread l.m
Hi,

It sounds like you need to do a little introspection on why you want
to torify your ssh. You've already confessed to having a lack of faith
in your own technical ability. You need to ask yourself the
question--what is my threat model? You want to connect to a VPS--how
did you pay for this VPS? If you didn't pay for it using anonymous
currency then you might consider that torifying your ssh access will
provide limited anonymity if a (digital) paper trail exists. Without
using a hidden service you need to consider that the port you use on
your VPS will influence the choice of exit relay. Even if you use a
hidden service you need to trust the HS guard. If you use a hidden
service and your guards come under attack you may end up being unable
to connect to your VPS. In any case you may experience dropped
connections or the limited ability to connect. Which means you'll need
fallback connection methods or a server setup to detect-correct
faults. 

tl;dr Based on Roger's response you could use torsocks just fine. That
won't change needing to secure access (ie key-based auth). So you'll
need to read the man pages irregardless. Focusing on access via tor
before knowing how to secure your VPS will come back to haunt you.
That's why I recommend netcat via proxycommand. Why use torsocks if
you don't have to. It's not like you won't be editing the config files
anyway.
--leeroy


Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-18 Thread blobby

On 2015-02-16 22:56, Dave Warren wrote:
> On 2015-02-16 03:30, blo...@openmailbox.org wrote:
>> On 2015-02-16 02:31, Dave Warren wrote:
>>> On 2015-02-15 16:35, Mirimir wrote:
>>>> On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
>>>>> I want to login to my VPS over SSH.
>>>>>
>>>>> Is torsocks still a safe way to do this? A lot of the documentation
>>>>> (such as it is) is several years old.
>>>>
>>>> I prefer to run an SSH hidden service on the VPS.
>>>
>>> I'd tend to agree; if you control the endpoint, set it up as a hidden
>>> service rather than having Tor exit node involved at all.
>>>
>>> While running hidden services alongside non-hidden services introduces
>>> some risks, most of these are less significant when connecting to SSH
>>> on a server that you control.
>>
>> I don't think I phrased my question very well. I'm not running a
>> hidden server. I'm just logging in to a shared VPS to ftp. etc, rather
>> than logging in to a control panel over HTTPS.
>>
>> I just want a simple way to do ssh IP port but with Tor.
>
> Understood. But the suggestion is that you SHOULD run a hidden server
> to listen for SSH connections over Tor as this will be far more
> reliable and secure than having to rely on an exit node.
>
> The rest of the server doesn't need to be a hidden server, and SSH can
> still listen as both a Tor hidden server and a regular public server,
> but by making it a hidden server within Tor, you remove one of the
> major risk factors of using Tor: The exit node.



Thanks for the advice. I understand what you are saying. My point is 
that, to me at this moment, setting up a hidden service on my VPS sounds 
somewhat intimidating. I realise that to you and most technical people 
on this list, it's something trivial. I am not a naturally technical 
person (if we can divide people up into technical and non-technical 
segments). Hence, to you and your ilk, what is normal and easy, appears 
complicated and demanding to people like me.


At the same time, perhaps I'm wrong and it's easy to set-up a hidden 
server to look for SSH connections? Perhaps I'm assuming that things are 
harder than they are in order to persuade myself not to learn. I'm also 
time poor at the moment which doesn't help!



Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-18 Thread blobby




> The rest of the server doesn't need to be a hidden server, and SSH can
> still listen as both a Tor hidden server and a regular public server,
> but by making it a hidden server within Tor, you remove one of the
> major risk factors of using Tor: The exit node.



How about running torsocks via a VPN so the content is encrypted after 
it exits the exit node?



Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-18 Thread Lars Luthman
On Wed, 2015-02-18 at 14:12 +, blo...@openmailbox.org wrote:
> At the same time, perhaps I'm wrong and it's easy to set-up a hidden
> server to look for SSH connections? Perhaps I'm assuming that things are
> harder than they are in order to persuade myself not to learn. I'm also
> time poor at the moment which doesn't help!

Step 1: Install Tor ('apt-get install tor' on Debian)
Step 2: Create a directory where the HS data will be stored
('mkdir /var/lib/tor/ssh-hs && chown debian-tor.debian-tor /var/lib/tor/ssh-hs'
on Debian, as root)
Step 3: Add the following lines to the Tor configuration file:
(/etc/tor/torrc on Debian):

  HiddenServiceDir /var/lib/tor/ssh-hs/
  HiddenServicePort 22 127.0.0.1:22

Step 4: Make Tor reload its configuration file ('service tor reload') or
simply restart Tor ('service tor restart').
Step 5: Read the hidden service address from
/var/lib/tor/ssh-hs/hostname, write it down somewhere.

Once Tor has had a couple of minutes to get the service descriptor onto the
network, try to connect ('usewithtor ssh your_hs_address.onion').

It's definitely not more complicated than setting up a VPN or much more
complicated than using SSH in general.


--ll
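
A way to verify the result of the steps above, together with the `ListenAddress 127.0.0.1` restriction suggested in a follow-up in this thread, as an added example that is not part of the original message: it checks that torrc maps onion port 22 to 127.0.0.1:22 and that sshd listens on loopback only. The function names and the sample files written by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two files the steps touch.
# torrc_forwards_ssh FILE
# Succeeds if FILE has a HiddenServiceDir followed by a HiddenServicePort
# line mapping onion port 22 to 127.0.0.1:22.
torrc_forwards_ssh() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "hiddenservicedir" { have_dir = 1 }
        tolower($1) == "hiddenserviceport" && have_dir && $2 == "22" && $3 == "127.0.0.1:22" { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# sshd_loopback_only FILE
# Succeeds if FILE sets at least one ListenAddress and every one is loopback.
# Without any ListenAddress, sshd listens on all local addresses.
sshd_loopback_only() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "listenaddress" {
            n++
            if ($2 !~ /^(127\.0\.0\.1|localhost|\[::1\])(:[0-9]+)?$/ && $2 != "::1") bad = 1
        }
        END { exit !(n > 0 && !bad) }
    ' "$1"
}

# audit_ssh_hs TORRC SSHD_CONFIG
# Prints one line per check and returns the number of failed checks (0 to 2).
audit_ssh_hs() {
    fails=0
    if torrc_forwards_ssh "$1"; then
        echo "ok:   torrc maps onion port 22 to 127.0.0.1:22"
    else
        echo "FAIL: torrc lacks HiddenServiceDir + HiddenServicePort 22 127.0.0.1:22"
        fails=$((fails + 1))
    fi
    if sshd_loopback_only "$2"; then
        echo "ok:   sshd listens on loopback only"
    else
        echo "FAIL: sshd has no ListenAddress or a non-loopback one"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# demo: run the audit on constructed sample files (not real system config).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'HiddenServiceDir /var/lib/tor/ssh-hs/' 'HiddenServicePort 22 127.0.0.1:22' > "$d/torrc"
    printf '%s\n' 'Port 22' 'ListenAddress 127.0.0.1' > "$d/sshd_config"
    audit_ssh_hs "$d/torrc" "$d/sshd_config"; rc=$?
    rm -rf "$d"; return "$rc"
}

# With two arguments audit real files, e.g. /etc/tor/torrc /etc/ssh/sshd_config
if [ "$#" -eq 2 ]; then audit_ssh_hs "$1" "$2"; else demo; fi
```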




Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-17 Thread Roger Dingledine
On Sun, Feb 15, 2015 at 09:22:25PM +, blo...@openmailbox.org wrote:
> I want to login to my VPS over SSH.
>
> Is torsocks still a safe way to do this? A lot of the documentation
> (such as it is) is several years old.

I believe many people happily use torsocks and rely on it. It's just
as safe now as it was then -- probably needs some audits, but probably
works pretty well.

You'll likely be happiest using torsocks 2, which might not be the
version that comes in your distro yet.

--Roger



Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-17 Thread David Stainton
perhaps use stealth authenticated tor hidden service for your ssh to
mitigate the ssh 0-day(s); obviously this is not just a tin foil hat
practice anymore.

On Mon, Feb 16, 2015 at 10:56 PM, Dave Warren da...@hireahit.com wrote:
> On 2015-02-16 03:30, blo...@openmailbox.org wrote:
>> On 2015-02-16 02:31, Dave Warren wrote:
>>> On 2015-02-15 16:35, Mirimir wrote:
>>>> On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
>>>>> I want to login to my VPS over SSH.
>>>>>
>>>>> Is torsocks still a safe way to do this? A lot of the documentation
>>>>> (such as it is) is several years old.
>>>>
>>>> I prefer to run an SSH hidden service on the VPS.
>>>
>>> I'd tend to agree; if you control the endpoint, set it up as a hidden
>>> service rather than having Tor exit node involved at all.
>>>
>>> While running hidden services alongside non-hidden services introduces
>>> some risks, most of these are less significant when connecting to SSH
>>> on a server that you control.
>>
>> I don't think I phrased my question very well. I'm not running a hidden
>> server. I'm just logging in to a shared VPS to ftp. etc, rather than logging
>> in to a control panel over HTTPS.
>>
>> I just want a simple way to do ssh IP port but with Tor.
>
> Understood. But the suggestion is that you SHOULD run a hidden server to
> listen for SSH connections over Tor as this will be far more reliable and
> secure than having to rely on an exit node.
>
> The rest of the server doesn't need to be a hidden server, and SSH can still
> listen as both a Tor hidden server and a regular public server, but by
> making it a hidden server within Tor, you remove one of the major risk
> factors of using Tor: The exit node.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren




Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-16 Thread Dave Warren

On 2015-02-16 03:30, blo...@openmailbox.org wrote:
> On 2015-02-16 02:31, Dave Warren wrote:
>> On 2015-02-15 16:35, Mirimir wrote:
>>> On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
>>>> I want to login to my VPS over SSH.
>>>>
>>>> Is torsocks still a safe way to do this? A lot of the documentation
>>>> (such as it is) is several years old.
>>>
>>> I prefer to run an SSH hidden service on the VPS.
>>
>> I'd tend to agree; if you control the endpoint, set it up as a hidden
>> service rather than having Tor exit node involved at all.
>>
>> While running hidden services alongside non-hidden services introduces
>> some risks, most of these are less significant when connecting to SSH
>> on a server that you control.
>
> I don't think I phrased my question very well. I'm not running a
> hidden server. I'm just logging in to a shared VPS to ftp. etc, rather
> than logging in to a control panel over HTTPS.
>
> I just want a simple way to do ssh IP port but with Tor.


Understood. But the suggestion is that you SHOULD run a hidden server to 
listen for SSH connections over Tor as this will be far more reliable 
and secure than having to rely on an exit node.


The rest of the server doesn't need to be a hidden server, and SSH can 
still listen as both a Tor hidden server and a regular public server, 
but by making it a hidden server within Tor, you remove one of the major 
risk factors of using Tor: The exit node.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-16 Thread blobby

On 2015-02-16 02:31, Dave Warren wrote:
> On 2015-02-15 16:35, Mirimir wrote:
>> On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
>>> I want to login to my VPS over SSH.
>>>
>>> Is torsocks still a safe way to do this? A lot of the documentation
>>> (such as it is) is several years old.
>>
>> I prefer to run an SSH hidden service on the VPS.
>
> I'd tend to agree; if you control the endpoint, set it up as a hidden
> service rather than having Tor exit node involved at all.
>
> While running hidden services alongside non-hidden services introduces
> some risks, most of these are less significant when connecting to SSH
> on a server that you control.


I don't think I phrased my question very well. I'm not running a hidden 
server. I'm just logging in to a shared VPS to ftp. etc, rather than 
logging in to a control panel over HTTPS.


I just want a simple way to do ssh IP port but with Tor.


Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-15 Thread Mirimir
On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
> I want to login to my VPS over SSH.
>
> Is torsocks still a safe way to do this? A lot of the documentation
> (such as it is) is several years old.

I prefer to run an SSH hidden service on the VPS.


Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-15 Thread l.m
> I want to login to my VPS over SSH.
>
> Is torsocks still a safe way to do this? A lot of the
> documentation (such as it is) is several years old.

Hi,

I cannot comment on using torsocks but you can achieve the same result
using netcat and the proxycommand of ssh/ssh_config. I found a Tor
Wiki related article here [0]. More info can be located in the man
pages for ssh_config, and ssh.

[0] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/ssh

--leeroy



Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-15 Thread Dave Warren

On 2015-02-15 16:35, Mirimir wrote:
> On 02/15/2015 02:22 PM, blo...@openmailbox.org wrote:
>> I want to login to my VPS over SSH.
>>
>> Is torsocks still a safe way to do this? A lot of the documentation
>> (such as it is) is several years old.
>
> I prefer to run an SSH hidden service on the VPS.


I'd tend to agree; if you control the endpoint, set it up as a hidden 
service rather than having Tor exit node involved at all.


While running hidden services alongside non-hidden services introduces 
some risks, most of these are less significant when connecting to SSH on 
a server that you control.


--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren




Re: [tor-talk] Tor over SSH (torsocks) (?)

2015-02-15 Thread James Murphy
On 02/15/2015 03:22 PM, blo...@openmailbox.org wrote:
> I want to login to my VPS over SSH.
>
> Is torsocks still a safe way to do this? A lot of the
> documentation (such as it is) is several years old.

I would also like to know this. SSH hidden service setup and use are
easy with torsocks.

/etc/tor/torrc

HiddenServiceDir /var/lib/tor/ssh_service/
HiddenServicePort 22 127.0.0.1:22

Then

torsocks ssh user@xxx.onion

works like a charm.

Can anyone comment on security of torsocks?