ssh.chat: Deploy Tor hidden service endpoint

Question

ssh.chat: Deploy Tor hidden service endpoint

nya-furball opened this issue 3 years ago · comments

Is there any interest in offering ssh.chat as both a clearnet server and hidden service? If there is, I am willing to help out with setting up stuff!

nya-furball commented 3 years ago

UwU

Andrey Petrov · Answer 1 · Sun Mar 07 2021 22:37:02 GMT+0800 (China Standard Time)

Not a bad idea, I'm happy to host it on the same instance. Do you have a fav guide?

Biggest downside is latency is probably gonna be gross.

nya-furball · Answer 2 · Sun Mar 07 2021 22:44:21 GMT+0800 (China Standard Time)

If you don't need advanced features like vanguard, it's relatively easy. Just skip step 1 of this guide: https://community.torproject.org/onion-services/setup/
IGNORE BELOW! TYPO!
When you are in step 2, change the line "HiddenServicePort 80 127.0.0.1:80" to " HiddenServicePort 2 127.0.0.1:22" and change the name of your directory on the line "HiddenServiceDir /var/lib/tor/my_website/"

nya-furball · Answer 3 · Sun Mar 07 2021 22:47:31 GMT+0800 (China Standard Time)

You should be able to start the onion service without shutting down the ssh-chat service. This should preserve chat logs and uptime.

Andrey Petrov · Answer 4 · Sun Mar 07 2021 22:48:17 GMT+0800 (China Standard Time)

Awesome, I'll add it to the TODO list.

Also IIRC there's a Go-native implementation of onion services somewhere, wonder if I could embed it as a native feature of ssh-chat easily, will look into it briefly.

nya-furball · Answer 5 · Sun Mar 07 2021 22:50:40 GMT+0800 (China Standard Time)

IMHO: Not worth it. Adding additional code can compromise software security. Tor is easy to interface with existing services, so might as well use that.

Andrey Petrov · Answer 6 · Sun Mar 07 2021 22:51:50 GMT+0800 (China Standard Time)

It's more of a balancing act of how much maintenance things require for me, fewer moving pieces (ie. keeping one binary up) is always easier than a rube goldberg machine of systemd services. But yes, I'll keep that in mind.

nya-furball · Answer 7 · Sun Mar 07 2021 23:02:41 GMT+0800 (China Standard Time)

True. However, when you use the official package provided by the Tor Project, you get the backing of an organization that maintains the software, fixes vulns and does research on the latest threats to the tor network. Feel free to do however you like though, as I don't know how your infrastructure is deployed.

nya-furball · Answer 8 · Mon Mar 08 2021 00:30:22 GMT+0800 (China Standard Time)

shazow: I made a typo in my recommendation! Strike out the modified lines! Having two services listen on the same port will mess up your server!

Andrey Petrov · Answer 9 · Mon Apr 05 2021 20:54:24 GMT+0800 (China Standard Time)

@nya-furball Welcome back!

camosoul · Answer 10 · Fri Mar 25 2022 08:45:14 GMT+0800 (China Standard Time)

It's very easy to do...

ssh-chat --bind=:[port]
skip the ip so it listens to all

Add lines to /etc/tor/torrc

HiddenServiceDir /var/lib/tor/ssh-chat/
HiddenServicePort [port] 127.0.0.1:[port]

Then restart tor daemon and cat /var/lib/tor/ssh-chat/hostname

If you want to make it tor-only, make the --bind=127.0.0.1:[port]

...don't use port 22. That's for real ssh sessions. Plus, you can't reverse ssh tunnel below port 1001 without root... Pick a number above so you don't have to expose root.

...make sure client has torsocks installed.

If you use the same ssh key, you just gave away your identity, so...

Andrey Petrov · Answer 11 · Fri Mar 25 2022 23:22:02 GMT+0800 (China Standard Time)

@camosoul That's helpful, thanks. :) Just need to get around to it...