Anonymous SSH Sessions With TOR

OpenSSH is a great means to protect your connection from being sniffed by others. However, this isn't always enough. Simply proving that you connected to a server is enough to get incriminated. Unfortunately, SSH doesn't provide a native way to obfuscate to whom it connects. Instead, a proxy server can be set up. And this is where TOR comes to play. This howto covers installing TOR on a Debian based system and setting up SSH to use TOR.


Installing TOR

First you should to add the TOR repository to your system. It's only necessary if there's no package in the default repositories.

Add the following line to your /etc/apt/sources.list file. You have to replace lenny with your distribution.

deb lenny main

To use this repository without problems, you have to add the PGP key to your system.

apt-key adv --recv-keys --keyserver 0x94C09C7F

Update your repositories and install TOR.

apt-get update && apt-get install -y tor

If you want to use TOR with OpenSSH, you have to install another program called connect-proxy.

apt-get install -y connect-proxy


Setup OpenSSH to use TOR for all connections

However, this is not recommended, but here is how it works.

Add the following block to the top of your ~/.ssh/config file.

Host *
CheckHostIP no
Compression yes
Protocol 2
ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p

The command line syntax won't change at all.


Set up OpenSSH to use TOR for a specific connection

I recommend using TOR only for a specific connection. All other connections won't be affected.

Add this block to your ~/.ssh/config. You have to replace mydomain with the host domain name or IP address and myaccount with your user name.

Host mydomain
User myaccount
CheckHostIP no
Compression yes
Protocol 2
ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p


Set up OpenSSH to use TOR for a bunch of connections

Instead of setting up TOR for every single connections, you can do this for a bunch of connections at once. Following example shows how it works.

Host anon_*
CheckHostIP no
Compression yes
Protocol 2
ProxyCommand connect -4 -S localhost:9050 $(tor-resolve %h localhost:9050) %p
Host anon_mydomain
User myaccount
Host anon_mydomain2
User myaccount
Port 980

This way you know exactly if you're using TOR or not.



It is very simple to anonymize your SSH sessions if you know what you're doing. I've written this tutorial for legal purposes only. Using this is your own risk.

Share this page:

Suggested articles

16 Comment(s)

Add comment


By: phocean

It contributes to the mess that Internet is becoming : HTTP is the new transport protocol, in place of IP. HTTP wasn't designed for that, how many more layers will we continue to add on the top of it ? Total non-sense.

By: Silver Knight

phocean said: "It contributes to the mess that Internet is becoming : HTTP is the new transport protocol, in place of IP. HTTP wasn't designed for that, how many more layers will we continue to add on the top of it ? Total non-sense."

 Are you entirely 100% absolutely certain that you really really understand how the Internet works exactly?  You might want to think about reading up on the topic a little more.  TCP/IP and HTTP are not the same thing and HTTP most certainly is not in any way replacing IP.  HTTP,  FTP, SSH, IRC, POP, IMAP, and a number of other transfer protocols are used in addition to TCP/IP and are simply nothing more than agreed upon methods of exchanging data "over the wire".  NONE of these protocols are being used "in place of" IP, and I'm not exactly understanding how your comment quite relates to the content of this howto.

On the topic of the howto itself, my thanks to the author for your efforts.  While I have no need for TOR at this particular moment, I appreciate the attempt to share useful information and have captured this howto in my notes as some of the information in the howto is useful to me even though I have no need of the TOR part of it.

By: MoJo

I agree with Phocean.

Nowadays, a bunch of protocol are encapsulated in HTTP without valid reasons except simplicity and the fact that firewalls often let HTTP traffic cross them.

However these protocols are not used to carry hyper text messages (what is HTTP for).

TOR is an example of this non-sense, SOAP, WSDL, are others.

By: Anonymous

Tor uses TCP only.

By: Anonymous

Also, IP isn't a "transport". TCP, UDP and others are transport protocols, not IP which is in the Network Layer. Why don't you go read at least a wikipedia entry on the OSI and TCP/IP network protocol stacks?

By: Anonymous

you guys that are aruing about how nonsensical this all is are real dolts. TOR has a very specific aim and that's anonymization. Although some people do use it for simply traversing firewalls, which intself is useful in some sense.

 It's non-trivial to want to stay hidden and out of sight especially when there are very real dangers underneath police states where a little free speech can get you killed. 

 The internet works seamlessly like this because we manage to encapsulate one protocol over the other. Without this design your dribble being slobbered all over this page would not have been possible.

The internet was not simply and casually designed like this on a whim. They spent decades on such a progressive feat; with men standing atop the shoulders of other men pricesely because it took the combined efforts of scientists, mathematicians and all sorts of experts. 

 The fact that you can casually shrug off this accomplishment is testament to your trivial understanding of the computer that sits before you. How the internet is able to remain agnostic of the type of system that participates in the grand amalgam. Your myopic comprehension is truly and utterly disappointing. Today is another day I shrug of my hopes for an intelligent and sane human race. And instead we have our peers that blather on befuddled always to be trapped in their ever present philospher's cave. 

By: Palin

The nonsense about internet is the nonsense about firewall policies. That's the same about nonsense in the most-adopted operating system security (or lack of it), and the nonsense of application-side workaround to the nonsense above.

So now there's SOAP, rpc over http, but the RPC port is closed on the firewall, are you more secure now? :)

By: Jonny

You do realize that you sound like the biggest idiot.

By: Anonymous

The next step is to explain how to prevent incoming SSH connections from TOR proxies... If anyone is using TOR to get to one of my boxes, then they are certainly up to no good.



I love the idea of Tor but beware. I had it up and running and I got a legal notice that my ISP had received from the RIAA or HBO or someone that I was bittorrenting illegally. But, I never run bittorrent.  Turns out that someone else on the Tor network was (big surprise) and by being a Tor exit point as far as HBO was concerned it was I (or at least my system) that was putting out the bittorrent packets.

 Sadly I took  down Tor in spite of the fact that I really like the notion behind it etc. I suppose I could have left it up and not been an exit point but that did not seem like it was in the spirit of Tor

By: Anonymous

Why to complicate, when there is a toll which do exactly the same automatically? Use torify as follows:

torify ssh [email protected]_address and that's it.

With this tool you can torify any application you want, wget, telnet, ftp...

By: Sayyad habeeb

Hello guys!

Can anybody help me out please.  I'm using following command at cygwin window and getting the subsequent error

ssh -v -l cyg_server -2 -o ProxyCommand="/bin/connect -5 -S %h %p"


 ERROR: Got error response from SOCKS server: 4 (Host unreachable).

FATAL: failed to begin relaying via SOCKS.

ssh_exchange_identification: Connection closed by remote host

By: doj

Can we setup SFTP into Hidden web server for upload files from a remote client?

By: mark

What's the reason for disabling checking against known_hosts?

CheckHostIP no

Surely that opens you up to DNS poisoning attacks?

By: Jerry Rif

"connect-proxy" package needs to be installed on your distro, if you want to use "ProxyCommand connect" command. just to mention, else you get some errors and it wont work.

By: Sam Adams

You sound very passionate about this.