
Tor

A project log for Wandboard experiments

Setting up the WBQUAD

Christoph Tack, 06/02/2020 at 20:02

Install Tor

From Ubuntu repository

Installing from the Ubuntu repository is the easiest option, but if you want hidden services to work with authentication, you'll need a more recent version.

ubuntu@wandboard:~$ sudo apt install tor

From Tor repository

Add the correct version to /etc/apt/sources.list (see Beginner’s Guide to Tor on Ubuntu).

Tor key fingerprints: https://2019.www.torproject.org/docs/signing-keys.html.en

christoph@christoph-ThinkPad-L580:~$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19665  100 19665    0     0  61839      0 --:--:-- --:--:-- --:--:-- 61839
gpg: key EE8CBC9E886DDD89: 36 signatures not checked due to missing keys
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: public key of ultimately trusted key 04C9A9E2D54E852C not found
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
christoph@christoph-ThinkPad-L580:~$ gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
OK
christoph@christoph-ThinkPad-L580:~$ sudo apt-get update
...
christoph@christoph-ThinkPad-L580:~$ sudo apt-get install tor deb.torproject.org-keyring
...
christoph@christoph-ThinkPad-L580:~$ tor --version
Tor version 0.4.3.5.

Configuring Tor

Beginner’s Guide to Tor on Ubuntu explains how to put a password on the control port. We'll leave the control port disabled.

SSH login with Tor

This is explained well in Building a Tor Hidden Service From Scratch.

If you use this command, change the username, the path, the SSH key and the name of your onion domain.

christoph@christoph-ThinkPad-L580:~$ ssh -o VerifyHostKeyDNS=no -o User=ubuntu -o CheckHostIP=no\
>     -o IdentitiesOnly=yes \
>     -o ProxyCommand="nc -X 5 -x localhost:9050 %h %p" \
>     -i ~/.ssh/sshhs1.rsa af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion
Last login: Wed Jun  3 18:45:01 2020
ubuntu@wandboard:~$ 

It's easier to put it all in ~/.ssh/config of christoph@christoph-ThinkPad-L580:

Host myOnion
      Hostname af66kcmtrfqp6de7wfmfhou5pfrtxqbxtbwpryxl4tuixa5qfe55kkid.onion
      User ubuntu
      IdentityFile ~/.ssh/sshhs1.rsa
      ProxyCommand nc -X 5 -x localhost:9050 %h %p
      VerifyHostKeyDNS no
      CheckHostIP no
      IdentitiesOnly yes

Then connecting is as simple as:

christoph@christoph-ThinkPad-L580:~$ ssh myOnion
Last login: Wed Jun  3 19:01:32 2020 from 127.0.0.1
ubuntu@wandboard:~$  

Client authentication

Configuring Onion service version 3 explains how to do it. On the client side, make sure to set the access rights for the ClientAuthDir correctly.

root@christoph-ThinkPad-L580:/var/lib/tor# ls -l
total 7936
-rw------- 1 debian-tor debian-tor   20442 jun  2 21:33 cached-certs
-rw------- 1 debian-tor debian-tor 2128913 jun  5 20:15 cached-microdesc-consensus
-rw------- 1 debian-tor debian-tor 5381686 jun  2 22:03 cached-microdescs
-rw------- 1 debian-tor debian-tor  573384 jun  5 20:25 cached-microdescs.new
drwxr-sr-x 2 debian-tor debian-tor    4096 jun  5 21:52 client-auth
drwx--S--- 2 debian-tor debian-tor    4096 jun  5 20:15 keys
-rw------- 1 debian-tor debian-tor       0 jun  5 20:15 lock
-rw------- 1 debian-tor debian-tor    7449 jun  5 21:33 state

/var/lib/tor/client-auth was owned by "root".  That didn't work.
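The ownership problem above can be caught before restarting Tor. The following check is an added example, not part of the original log or of Tor itself: the function name check_client_auth and its output labels are made up here, it assumes GNU stat as shipped on Ubuntu, and it relies on the Tor manual's rule that files in the client authorization directory (torrc option ClientOnionAuthDir) end in .auth_private and contain <56-char-onion-addr-without-.onion-part>:descriptor:x25519:<x25519 private key in base32>.

```shell
#!/bin/sh
# Added example (not from the original log): audit a Tor client-auth directory.
# Usage: check_client_auth DIR TOR_UID
#   e.g. check_client_auth /var/lib/tor/client-auth "$(id -u debian-tor)"
# Prints one line per finding; exit status 0 if clean, 1 otherwise.
# Runs in a subshell, so its variables do not leak into the caller.
check_client_auth() (
    dir=$1 want=$2 bad=0
    # 56 and 52 are the base32 lengths of a v3 onion address and of a
    # 32-byte x25519 private key.
    re='^[a-z2-7]{56}:descriptor:x25519:[A-Za-z2-7]{52}$'
    [ -d "$dir" ] || { echo "MISSING $dir"; exit 1; }
    # The failure from the log: directory owned by root, not the Tor user.
    uid=$(stat -c %u "$dir")
    [ "$uid" = "$want" ] || { echo "OWNER $dir uid=$uid want=$want"; bad=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case $f in
            *.auth_private) ;;
            *) echo "SUFFIX $f (files must end in .auth_private)"; bad=1; continue ;;
        esac
        uid=$(stat -c %u "$f")
        [ "$uid" = "$want" ] || { echo "OWNER $f uid=$uid want=$want"; bad=1; }
        # Hardening assumption, not a documented Tor rule: the private key
        # should not be accessible to group or others.
        mode=$(stat -c %a "$f")
        case $mode in
            *00) ;;
            *) echo "MODE $f is $mode, expected 600"; bad=1 ;;
        esac
        # Never print the key itself; only report whether a line parses.
        grep -Eq "$re" "$f" || { echo "FORMAT $f"; bad=1; }
    done
    exit "$bad"
)
```

Run it as root so that every file can be read, passing the uid of the account Tor runs as (debian-tor in the listing above).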
