June 14, 2011, 4:38 p.m.
posted by unixgeek
Tunnel SSH Through Tor
Ensure your privacy when accessing shell accounts remotely.
"Evade Traffic Analysis" [Hack #37] shows how to set up Tor and Privoxy, with a focus on using Tor to anonymize web-browsing traffic. In this hack, we'll look at using Tor to anonymize SSH connections. This is useful if you have shell access to any Internet-facing servers but don't want the server operators to be able to build a profile of locations you might be coming from.
This hack makes use of SSH's little-used ProxyCommand option, which lets you specify a program to proxy connections through. When using this option, SSH will tunnel all traffic through the program's standard input and output. The option takes the following form:
ProxyCommand <program> <args>
When specifying the arguments, you can make use of the %h and %p macros. SSH will expand these to be the host and port that you are connecting to when executing the command. One nice thing about implementing proxying this way is that it is incredibly flexible. Simply drop in a program that can connect to whatever type of proxy you're interested in using.
One simple program that can perform this task is connect.c (available at https://savannah.gnu.org/maintenance/connect.c), which can be used with SSH's ProxyCommand to direct SSH connections through a proxy server. Download it and compile it:
$ gcc -o connect connect.c
If that produces any errors, check the comments at the beginning of connect.c for tips on getting it to compile. Once you've done that, copy it to an appropriate place. Now, to use it with SSH to connect through Tor, run a command like this:
$ ssh -o ProxyCommand="/home/andrew/bin/connect -S localhost:9050 %h %p" \
    10.0.0.23
Replace localhost with the address or hostname of your Tor server, if you're not running one on your local machine. Also note that the previous example command uses an IP address, instead of a hostname, to specify the server to connect to. This prevents ssh from resolving a hostname with your name server before passing the address to the connect program. If you were to let ssh do the resolving, it might reveal the location you are connecting to, since Tor wouldn't protect the name resolution traffic.
So, what do you do if you don't know the IP address of the host to which you want to connect? There's an easy solution. Included with the Tor distribution is a program called tor-resolve. Its purpose is to resolve hostnames to IP addresses by making DNS queries through the Tor network.
The program takes only two arguments: the hostname to resolve and the SOCKS proxy connection information (i.e., the address and port on which your Tor proxy is listening). So, if your Tor proxy is running locally, you'd use something like this to resolve www.google.com:
$ tor-resolve www.google.com localhost:9050
220.127.116.11
Then, you can use the IP address returned by tor-resolve when running ssh.
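The two steps above (resolve through Tor, then connect by IP address) can be wrapped so that a hostname never reaches the local name server. The functions below are an added example, not part of the original hack; the function names, the connect path in CONNECT_BIN and the SOCKS address in TOR_SOCKS are assumptions to adjust for your machine.

```shell
# Added example; not from the original hack. The connect path and the
# Tor SOCKS address are assumptions: override them for your machine.
TOR_SOCKS="${TOR_SOCKS:-localhost:9050}"
CONNECT_BIN="${CONNECT_BIN:-$HOME/bin/connect}"
RESOLVER="${RESOLVER:-tor-resolve}"

# Succeed only if $1 is a dotted-quad IPv4 address (four octets, 0-255).
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    rest=$1.
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the address to hand to ssh. A literal IPv4 address passes through
# untouched; a hostname is resolved through Tor only. There is no fallback
# to the system resolver: on any failure the function returns non-zero.
tor_safe_addr() {
    case "$1" in ""|-*) return 1 ;; esac   # never pass option-like input on
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    addr=$("$RESOLVER" "$1" "$TOR_SOCKS" 2>/dev/null) || addr=
    if is_ipv4 "$addr"; then
        printf '%s\n' "$addr"
    else
        echo "not connecting: could not resolve $1 through Tor" >&2
        return 1
    fi
}

# Usage: tor_ssh <host-or-ip> [extra ssh options]
tor_ssh() {
    [ $# -ge 1 ] || return 1
    host=$1; shift
    addr=$(tor_safe_addr "$host") || return 1
    ssh -o ProxyCommand="$CONNECT_BIN -S $TOR_SOCKS %h %p" "$@" "$addr"
}
```

If Tor is down or tor-resolve returns anything other than an IPv4 address, tor_ssh stops before ssh is started, so the connection fails closed instead of leaking a DNS query.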