Difference between revisions of "HowTo/SecureShell"

From I2P Wiki
Jump to navigation Jump to search
m (category)
m (extend note about preventing traffic-watchers from ssh-i2p-routing)
 
(2 intermediate revisions by 2 users not shown)
Line 2: Line 2:
   
 
<!--T:2-->
  
<!--T:2-->
SSH can be made to act as an encrypted proxy, forwarding packets sent to some special port at your computer to some other remote computer through an encrypted tunnel. This is good if you dont have I2P (or [[Tor]], or [[HowTo/FreeNet|FreeNet]], see below) installed in your local computer, but still wants to have the anonymity and security that these networks provide.
 +
SSH can be made to act as an encrypted proxy, forwarding packets sent a port at your computer to a remote computer through an encrypted tunnel. This is good if you don't (or can't) have I2P/[[Tor]]/[[HowTo/FreeNet|FreeNet]] installed in your local computer, but still want to have the anonymity and security that these networks provide.
   
 
<!--T:3-->
  
<!--T:3-->
* local computer &lt;-A-&gt; remote computer &lt;-B-&gt; the I2P-network
 +
* local computer &lt;--SSH--&gt; remote computer &lt;--I2P--&gt; the I2P-network
   
 
<!--T:4-->
  
<!--T:4-->
  +
Both SSH and I2P heavily encrypts the data passing through.
(tunnel A will be encrypted by SSH, and tunnel B will be encrypted by I2P. There is nothing that is not heavily encrypted.)
  
   
 
<!--T:5-->
  
<!--T:5-->
Because the link between your computer and your remote computer will be encrypted by SSH, noone will really be able tell what you are doing on your remote unless they have compromised any of the two computers in the ssh-tunnel. The ideal case is when you own both computers: The remote computer is your home computer, and your local computer is your laptop, for example.
 +
Because of the encryption by SSH between your computer and your remote computer, no one will really be able tell what you are doing on any end unless they have compromised any of the two computers in the ssh-tunnel. The ideal case is when you own both computers: The remote computer is your home computer, and your local computer is your laptop, for example.
   
 
<!--T:6-->
  
<!--T:6-->
  +
'''Note: Somebody might still be able to tell that you are using SSH to route through I2P, by checking when the SSH and I2P traffic goes non-idle at the same time.''' Hosting a few services on the remote I2P or doing some work on the same SSH session might confuse such one.
/!\ This should be just as secure (and sometimes equally anonymous) as using a computer directly connected to the I2P-network, but be careful and think one more time before using this.
  
   
 
<!--T:7-->
  
<!--T:7-->
Line 22: Line 22:
 
* A local computer with an ssh-client
  
* A local computer with an ssh-client
 
* A remote computer with an ssh-server and an I2P-node
  
* A remote computer with an ssh-server and an I2P-node
* Some unix OS, but It will probably work with Windows as well
 +
* Some UNIX-based OS, but it will probably work with Windows as well
   
 
== Examples == <!--T:9-->
  
== Examples == <!--T:9-->
   
 
<!--T:10-->
  
<!--T:10-->
People learn by doing, so...
 +
''People learn by doing, so...''
   
 
<!--T:11-->
  
<!--T:11-->
  +
This example can be used to make up the commands:
Note: The following examples ssh-servers relays the traffic to 127.0.0.1 (themselves) at port 4444 (I2P's http-tunnel), 6668 (I2P's irc-tunnel) etc. These ports are the default configurations for I2P, change them if you change them. It doesn't matter which port is used for the tunnel, as long as it's greater than 1023 (remember, only root can open sockets on privileged ports) and doesn't conflict with any ports already in use. You can keep things simple by using the same ports that I2P uses. It goes like this:
  
   
 
<pre>ssh -f -N -L [local_port]:[remote_host]:[remote_port] [user]@remote_host</pre>
<!--T:45-->
  
<pre>ssh -f -N -L [local_port]:host:host_port [user]@[remote_host]</pre>
  
   
  +
The flags used are:
=== Browsing eepsites === <!--T:12-->
  
 
* -f: daemonize self (aka go to background) after authentication (like password reading)
  +
* -N: don't execute a command (like a shell) at the remote
  +
* -L [local_port]:[remote_host]:[remote_port]: Redirect traffic from this computer's [local_port] to the remote computer, which then relays it to its understanding of [remote_host]:[remote_port]. You can specify multiples of this.<br />
  +
For our purposes, the [remote_host] of "-L"s for I2P traffic will mostly be "127.0.0.1".
   
  +
(If you are going to use an SSH connection for other things, it's advised to leave "-f" and "-N" flags out, as mixing your I2P-relayed SSH traffic with you-doing-things SSH traffic will confuse somebody watching the network.)
<!--T:13-->
  
To surf the I2P-network, just type:
  
<pre>ssh -f -N -L 8080:127.0.0.1:4444 user@your-remote-i2p-computer.com</pre>
  
You will be asked to enter the password of the user at your remote i2p computer. Set the browsers proxy settings to use localhost port 8080, and then type in or whatever eepsite you want to see.
  
   
  +
For example, the following command will redirect the port "4567" to the remote's port "4444" in the background:
=== IRC === <!--T:14-->
  
   
 
<pre>ssh -f -N -L 4567:127.0.0.1:4444 my-remote-computer.org</pre>
<!--T:15-->
  
You can pretty much do whatever you want over this ssh-tunnel. If you want to chat with people on IRC, you just have to type:
  
<pre>ssh -f -N -L 9999:127.0.0.1:6668 user@your-remote-i2p-computer.com</pre>
  
And connect to 127.0.0.1 port 9999, and it will be forwarded encrypted to your remote i2p-computer, that in turn forwards it to some of the IRC-servers in I2P.
  
   
  +
(If requested, after typing your password) SSH will relay the connections in the background. You can set your browser's proxy to the port you selected (in this example it being "4567") and SSH will handle the rest.
=== TOR === <!--T:16-->
  
   
  +
''Note: Unless you are using SSH with the local user used being root, you can't listen on ports lower than 1024, as the first 1024 ports are privileged and can be listened upon only by root.''
<!--T:17-->
  
If you want to browse the ordinary internet, I2P sucks, but most of us got TOR, so...
  
   
  +
Here are a few more examples:
<!--T:18-->
  
<pre>ssh -f -N -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com</pre>
 +
* Port 9999 to remote's 6668, I2P's default IRC port:<pre>ssh -f -N -L 9999:127.0.0.1:6668 user@your-remote-i2p-computer.com</pre>
  +
* Port 8080 to remote's 8118, [[Tor]]'s HTTP proxy, while spawning a shell for whatever you do:<pre>ssh -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com</pre>
Use http-proxy localhost port 8080. This is mostly much better than using some ordinary anonymizing proxy (Obviously you need TOR for this) (The above example is using Privoxy combined with TOR. It is the default configuration, and there are lots of documentation about how to do this at the Tor-website. Google for it if you don't get it).
  
   
 
=== Privoxy === <!--T:19-->
  
=== Privoxy === <!--T:19-->
   
 
<!--T:20-->
  
<!--T:20-->
  +
If you don't want to make lots of relay-ports and just want to route everything through one port, you can use Privoxy (a filtering local proxy) on the remote.<br />
If you want to route everything through Privoxy (a filtering local proxy), you just have to download Privoxy to your remote and make the following changes in the config file:
  
  +
These changes to Privoxy's config file will let you to use I2P, Tor, and Freenet from only one port:
   
 
<!--T:21-->
  
<!--T:21-->
Line 69: Line 66:
 
#this forwards all requests to I2P domains to the local I2P
 
#this forwards all requests to I2P domains to the local I2P
 
#proxy without dns requests
  
#proxy without dns requests
forward .i2p localhost:4444
+
forward .i2p localhost:4444
 
#this forwards all requests to Freenet domains to the local Freenet node
 
#this forwards all requests to Freenet domains to the local Freenet node
 
#proxy without dns requests
  
#proxy without dns requests
Line 78: Line 75:
   
 
<!--T:22-->
  
<!--T:22-->
  +
Then (assuming Privoxy listens on 8080) an ssh command like <pre>ssh -f -N -L 8080:127.0.0.1:8080 user@remote-computer.org</pre> will let you to set the proxies of everything to "127.0.0.1:8080" and Privoxy over at remote will take care of which network to send it to.
With this configuration you only need to setup ONE tunnel to your remote machine, and it will handle i2p-, tor- and freenet-sites as if they were all in your little network. Privoxy will also strip away all headers and all information sent by your browser, so that, even if you use Internet Explorer, you will stay anonymous. Privoxy will listen at port 8118 by default, so just open an SSH-tunnel to that port number. See the above example.
  
   
 
<!--T:23-->
  
<!--T:23-->
(Copied from the forum. Thanks Romster and sirup! See [http://forum.i2p/viewtopic.php?t=218 http://forum.i2p/viewtopic.php?t=218])
 +
(Copied from forum.i2p. Thanks Romster and sirup! See [http://forum.i2p/viewtopic.php?t=218 here (forum.i2p)])
   
 
=== Using Windows === <!--T:24-->
  
=== Using Windows === <!--T:24-->
   
 
<!--T:25-->
  
<!--T:25-->
I have tried this with a Windows computer to my home computer, which uses linux. The best client is probably Plink. Google for PuTTY and download Plink from their web site. Open the command box and type something like:
 +
This is tested with a Windows computer connecting to a Linux box. You can use Plink for this (search for PuTTY on something like duckduckgo and download Plink from their web site).<br />In a command prompt:
   
 
<!--T:26-->
  
<!--T:26-->
 
<pre>plink -N -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com</pre>
  
<pre>plink -N -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com</pre>
  +
The command prompt of Windows doesn't let an application to go to background, so the "-f" won't do any good, and closing the prompt will drop the connection. It is a good idea to omit "-N" too and use this as an actual SSH session, or type the command into the Run dialog (Win+R).
For some reason, plink (windows?) does not allow plink to go to background-mode, so if you close the command box the link will disapear as well :(
  
   
 
<!--T:27-->
  
<!--T:27-->
  +
This behaviour can also be seen on Linux, by putting a process to background (Ctrl+Z), then closing the shell the process was running under. The built-in command of "disown" or "nohup" from coreutils will prevent this from happening.
This is the same on linux. The cmd shell is the parent process, and when you close the parent, unforked children die. If you don't want that to happen, pick a better parent! Instead of the cmd prompt, enter your command directly into the run dialog.
  
   
=== Explanation === <!--T:28-->
 +
== SSH over I2P == <!--T:31-->
<pre>ssh -f -N -L local_port:destination:dest_port user@relay-computer</pre>
  
 
<!--T:29-->
  
* -f = go to background after you have typed the password
 
* -N = do not execute any command, but instead:
  
* -L = forward packets from local_port &lt;-A-&gt; relay-computer &lt;-B-&gt; destination:dest_port or RTFM. '''Tip''': If you are really paranoid, use multiple -L's, and SSH will forward several connections in one tunnel, probably making it a little bit harder for people to traffic-analyze your transmission(s).
  
 
<!--T:30-->
  
-- Written by You (you at i2pmail dot org)
  
 
== SSH over I2P network or how to tunnel a tunnel == <!--T:31-->
  
 
=== Setup tunnels on both ends ===
  
=== Setup tunnels on both ends ===
  +
This section describes how to use SSH "through" I2P. This can be useful for remotely using your computer without anyone knowing, or when the computer can't be reached publicly (like behind a firewall, NAT, etc). This also doesn't require the SSH server to be listening on all addresses "0.0.0.0".
I will describe in short steps how to route a SSH tunnel through the I2P network.
 
Perhaps the additional encryption of the SSH connection by I2P is not needed.
  
What is good about it: It will cloak that a SSH connection is made to the remote computer and from where it is originating, by routing it through the I2P network.
  
   
  +
''Note: If the SSH server and the I2P node are on different machines on the same network, it might be a good idea to still use listen-on-any "0.0.0.0", as a source IP of "192.168.X.X" will be denied by a strict-localhost listening.''
<!--T:32-->
  
It can be useful for administrating a remote computer more anonymously, than connecting to its public IP-Address.
  
Also you don't need to open an SSH port on the server to the public clearnet.
  
   
 
<!--T:33-->
  
<!--T:33-->
  +
The speed and reliability will be around slow/bad or close to normal, depending on several factors. If you can, play with setting like tunnel/backup quantity settings to make it better, at the cost of being less anonymous.<br />
The connections quality and reliability of course depends on many factors.
  
  +
You can also use a "terminal multiplexer", aka a terminal front which can be detached and reattached. GNU screen (can also be used with Byobu) and tmux can be used for such purpose.
Experiment with settings like tunnel/backup quantity for this connection.
  
If no stable connection is possible, maybe a "terminal multiplexer" like screen or Byobu can help.
  
   
 
<!--T:34-->
  
<!--T:34-->
  +
This example is a proof-of-concept, but not secure at all, see below.
Perhaps not the best solution, but it works:
  
 
# On both client and server, open the web console, go to "Hidden services" menu and create the tunnels with the wizard.
  
# On both client and server, open the web console, go to "Hidden services" menu and create the tunnels with the wizard.
# On the server add a "Normal Servertunnel" to localhost:SSHPORT (example "localhost:22")
 +
# On the server, add a "Server" tunnel to localhost:SSHPORT (example "localhost:22")
# On the client add a "Normal Clienttunnel" to localhost:SSHPORT (example "localhost:9922")
 +
# On the client, add a "Standard" tunnel to localhost:SSHPORT (example "localhost:9922")
# Copy the "Local Destination Key" from the server tunnel into the field "Destination Port" on the client tunnel.
 +
# Copy the "Local Destination Key" from the server tunnel into the field "Destination" on the client tunnel.
# Establish both tunnels and try to connect from client via ssh:
 +
# Start the both tunnels and try to connect from client via SSH: <pre>ssh -p9922 username@127.0.0.1</pre>
 
<!--T:35-->
  
<pre>ssh -p9922 username@127.0.0.1</pre>
  
   
 
<!--T:36-->
  
<!--T:36-->
Line 140: Line 118:
 
## Add security by configuring fail2ban for SSH logins.
  
## Add security by configuring fail2ban for SSH logins.
   
  +
'''Warning: This example will release the LeaseSet of your server tunnel publicly, letting anyone in, with the only front being SSH's authentication. It is recommended to use encrypted LeaseSets to prevent anyone but you from reaching the server.''' See [http://i2p-projekt.i2p/en/blog/post/2021/09/07/Level-Up-Encrypted-Leasesets this blog post] for an example for Java I2P routers.
<!--T:37-->
  
Know the risk of an unsecure configured SSH server. !!!
  
 
<!--T:38-->
  
Because afaik, the destination key of your tunnel forwarding the ssh server, gets published to the public
 
with the floodfill data. (true ?)
  
 
<!--T:39-->
  
You can use an encrypted Leaseset to add protection from unwanted ssh-login attempts. ((how)secure ?)
  
   
 
=== Using tools for file transfer over SSH=== <!--T:40-->
  
=== Using tools for file transfer over SSH=== <!--T:40-->
With a working tunnel setup for establishing a SSH connection through the I2P network, it is also possible
 +
With a working tunnel setup for establishing a SSH connection through the I2P network, it is also possible to use most of the SSH-based tools for file transfer and synchronization as usual.
to use most of the SSH based tools for file transfer and synchronization as usual.
  
   
 
<!--T:41-->
  
<!--T:41-->
  +
''TODO: examples about SFTP''
<pre>todo: example sftp</pre>
  
   
 
<!--T:42-->
  
<!--T:42-->
  +
==== Rsync ====
!! read & understand rsync manual !!
  
To copy from server directory to client, execute on clientside:
 +
This command will copy the "server" directory from the remote server to your computer's "client" directory through I2P (assuming the client tunnel is listening on port 9922):
   
 
<!--T:43-->
  
<!--T:43-->
<pre>rsync -e='ssh -p 9922' user@localhost:"/mnt/dir/at/server" "/mnt/dir/at/client"
 +
<pre>rsync -e='ssh -p 9922' user@localhost:"/mnt/dir/at/server" "/mnt/dir/at/client"</pre>
</pre>
  
   
 
== References == <!--T:44-->
  
== References == <!--T:44-->
 
 
<references />
  
<references />
  +
  +
== See also ==
  +
* [[Username]]
  +
* [[Password]]
  +
* [[Secure password generator]]
   
 
[[Category:Tutorial]]
  
[[Category:Tutorial]]

Latest revision as of 20:01, 29 January 2023

Introduction

SSH can be made to act as an encrypted proxy, forwarding packets sent a port at your computer to a remote computer through an encrypted tunnel. This is good if you don't (or can't) have I2P/Tor/FreeNet installed in your local computer, but still want to have the anonymity and security that these networks provide.

  • local computer <--SSH--> remote computer <--I2P--> the I2P-network

Both SSH and I2P heavily encrypts the data passing through.

Because of the encryption by SSH between your computer and your remote computer, no one will really be able tell what you are doing on any end unless they have compromised any of the two computers in the ssh-tunnel. The ideal case is when you own both computers: The remote computer is your home computer, and your local computer is your laptop, for example.

Note: Somebody might still be able to tell that you are using SSH to route through I2P, by checking when the SSH and I2P traffic goes non-idle at the same time. Hosting a few services on the remote I2P or doing some work on the same SSH session might confuse such one.

What you need:

  • A local computer with an ssh-client
  • A remote computer with an ssh-server and an I2P-node
  • Some UNIX-based OS, but it will probably work with Windows as well

Examples

People learn by doing, so...

This example can be used to make up the commands: 

ssh -f -N -L [local_port]:[remote_host]:[remote_port] [user]@remote_host

The flags used are:

  • -f: daemonize self (aka go to background) after authentication (like password reading)
  • -N: don't execute a command (like a shell) at the remote
  • -L [local_port]:[remote_host]:[remote_port]: Redirect traffic from this computer's [local_port] to the remote computer, which then relays it to its understanding of [remote_host]:[remote_port]. You can specify multiples of this.

For our purposes, the [remote_host] of "-L"s for I2P traffic will mostly be "127.0.0.1".

(If you are going to use an SSH connection for other things, it's advised to leave "-f" and "-N" flags out, as mixing your I2P-relayed SSH traffic with you-doing-things SSH traffic will confuse somebody watching the network.)

For example, the following command will redirect the port "4567" to the remote's port "4444" in the background: 

ssh -f -N -L 4567:127.0.0.1:4444 my-remote-computer.org

(If requested, after typing your password) SSH will relay the connections in the background. You can set your browser's proxy to the port you selected (in this example it being "4567") and SSH will handle the rest.

Note: Unless you are using SSH with the local user used being root, you can't listen on ports lower than 1024, as the first 1024 ports are privileged and can be listened upon only by root.

Here are a few more examples:

  • Port 9999 to remote's 6668, I2P's default IRC port:
    ssh -f -N -L 9999:127.0.0.1:6668 user@your-remote-i2p-computer.com
  • Port 8080 to remote's 8118, Tor's HTTP proxy, while spawning a shell for whatever you do:
    ssh -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com

Privoxy

If you don't want to make lots of relay-ports and just want to route everything through one port, you can use Privoxy (a filtering local proxy) on the remote.
These changes to Privoxy's config file will let you to use I2P, Tor, and Freenet from only one port: 

#this directs ALL requests to the tor proxy
forward-socks5t   /               127.0.0.1:9050 .
#this forwards all requests to I2P domains to the local I2P 
#proxy without dns requests
forward .i2p localhost:4444
#this forwards all requests to Freenet domains to the local Freenet node 
#proxy without dns requests
forward ksk@ localhost:8888
forward ssk@ localhost:8888
forward chk@ localhost:8888
forward svk@ localhost:8888

Then (assuming Privoxy listens on 8080) an ssh command like 

ssh -f -N -L 8080:127.0.0.1:8080 user@remote-computer.org

will let you to set the proxies of everything to "127.0.0.1:8080" and Privoxy over at remote will take care of which network to send it to.

(Copied from forum.i2p. Thanks Romster and sirup! See here (forum.i2p))

Using Windows

This is tested with a Windows computer connecting to a Linux box. You can use Plink for this (search for PuTTY on something like duckduckgo and download Plink from their web site).
In a command prompt: 

plink -N -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com

The command prompt of Windows doesn't let an application to go to background, so the "-f" won't do any good, and closing the prompt will drop the connection. It is a good idea to omit "-N" too and use this as an actual SSH session, or type the command into the Run dialog (Win+R).

This behaviour can also be seen on Linux, by putting a process to background (Ctrl+Z), then closing the shell the process was running under. The built-in command of "disown" or "nohup" from coreutils will prevent this from happening.

SSH over I2P

Setup tunnels on both ends

This section describes how to use SSH "through" I2P. This can be useful for remotely using your computer without anyone knowing, or when the computer can't be reached publicly (like behind a firewall, NAT, etc). This also doesn't require the SSH server to be listening on all addresses "0.0.0.0".

Note: If the SSH server and the I2P node are on different machines on the same network, it might be a good idea to still use listen-on-any "0.0.0.0", as a source IP of "192.168.X.X" will be denied by a strict-localhost listening.

The speed and reliability will be around slow/bad or close to normal, depending on several factors. If you can, play with setting like tunnel/backup quantity settings to make it better, at the cost of being less anonymous.
You can also use a "terminal multiplexer", aka a terminal front which can be detached and reattached. GNU screen (can also be used with Byobu) and tmux can be used for such purpose.

This example is a proof-of-concept, but not secure at all, see below.

  1. On both client and server, open the web console, go to "Hidden services" menu and create the tunnels with the wizard.
  2. On the server, add a "Server" tunnel to localhost:SSHPORT (example "localhost:22")
  3. On the client, add a "Standard" tunnel to localhost:SSHPORT (example "localhost:9922")
  4. Copy the "Local Destination Key" from the server tunnel into the field "Destination" on the client tunnel.
  5. Start the both tunnels and try to connect from client via SSH: 
    ssh -p9922 username@127.0.0.1

Recommended next steps:

  1. If no connection from LAN or public clearnet is needed, configure the SSH server to listen only on localhost interface.
  2. Applying the usual ssh security measures:
    1. Change SSH authentication method from password to publickey or OTP based.
    2. Disable root login via ssh and configure sudo if necessary.
    3. Add security by configuring fail2ban for SSH logins.

Warning: This example will release the LeaseSet of your server tunnel publicly, letting anyone in, with the only front being SSH's authentication. It is recommended to use encrypted LeaseSets to prevent anyone but you from reaching the server. See this blog post for an example for Java I2P routers.

Using tools for file transfer over SSH

With a working tunnel setup for establishing a SSH connection through the I2P network, it is also possible to use most of the SSH-based tools for file transfer and synchronization as usual.

TODO: examples about SFTP

Rsync

This command will copy the "server" directory from the remote server to your computer's "client" directory through I2P (assuming the client tunnel is listening on port 9922): 

rsync -e='ssh -p 9922' user@localhost:"/mnt/dir/at/server" "/mnt/dir/at/client"

References


See also

Retrieved from "http://wiki.i2p-projekt.i2p/wiki/index.php?title=HowTo/SecureShell&oldid=664"