Connecting To An SSH Tor Hidden Service

Table of Contents

Overview

This tutorial shows you how to connect to an SSH service exopsed as a hidden service using Tor using an SSH client. It is Debian-specific, but the instructions should mostly work on all Unix-like systems (including OS X).

Installation

In addition to an SSH package (like openssh) you also need to install the connect-proxy package. This package is required to proxy your request through the Tor network.

If you're using Debian then it's just this easy:

$ sudo apt-get install connect-proxy

Similar packages should exist for other Linux distributions. A friend of mine also said that it was very easy to compile and install on his OS X system.

Configuration

Next, add the following to your ~/.ssh/config file:

Host *.onion
    ProxyCommand connect -S localhost:9050 %h %p

This tells SSH to use that proxy every time you try to connect to a .onion address.

Testing

Believe it or not that's all you should have to do to connect to an SSH server through the Tor network. You can test it like this:

$ ssh me@somelongaddress.onion

Extra Credit

SSH Aliases

I don't know about you but I can never remember .onion addresses. To keep track I therefore add aliases to my ~/.ssh/config file like this:

host bart.onion
    HostName somelongaddress.onion
    User me

Now I just have to remember that this is the Tor version of the hostname for the bart server. To log in I just execute the following command:

$ ssh bart.onion

Easy peasy.

SOCKS5PASSWORD

One thing that's a little annoying about connect-proxy is that it prompts you for a SOCKS5 password automatically. I don't even have a SOCKS5 password when using Tor so I can bypass the prompt by just typing return. However, this is a little annoying and is incompatible with some tools that are built on top of the ssh client (like Emac's tramp mode).

To get rid of this prompt simply add the following to any file that is sourced by your shell when you login (such as .bashrc):

SOCKS5_PASSWORD=''

Now that password prompt will be removed.

Last Updated 2015-10-06.