HowTo/SecureShell/en

From i2pwiki.mk16.de


Introduction

SSH can act as an encrypted proxy, forwarding connections made to a chosen port on your computer through an encrypted tunnel to some other, remote computer. This is useful if you do not have I2P (or Tor, or Freenet, see below) installed on your local computer but still want the anonymity and security these networks provide.

  • local computer <-A-> remote computer <-B-> the I2P-network

(tunnel A is encrypted by SSH, and tunnel B is encrypted by I2P. Nothing on the path travels without strong encryption.)

Because the link between your computer and the remote computer is encrypted by SSH, no one can tell what you are doing on the remote unless they have compromised one of the two computers at the ends of the ssh tunnel. An observer can still see that you hold an SSH session to that remote host, and how much traffic flows over it, so the ideal case is when you own both computers: the remote computer is your home computer and the local computer is your laptop, for example.

/!\ This should be just as secure (and in some cases equally anonymous) as using a computer directly connected to the I2P network, but be careful and think twice before relying on it.

What you need:

  • A local computer with an ssh-client
  • A remote computer with an ssh-server and an I2P-node
  • Some Unix-like OS, but it will probably work with Windows as well (see below)

Examples

People learn by doing, so...

Note: in the following examples the ssh server relays the traffic to 127.0.0.1 (itself) on port 4444 (I2P's HTTP proxy), 6668 (I2P's IRC tunnel) and so on. These are I2P's default ports; adjust them if you changed them. It does not matter which local port you use for the tunnel, as long as it is greater than 1023 (remember, only root can bind privileged ports) and does not conflict with a port already in use. You can keep things simple by using the same ports I2P uses. The general form is:

ssh -f -N -L [local_port]:host:host_port [user]@[remote_host]

Browsing eepsites

To surf the I2P-network, just type:

ssh -f -N -L 8080:127.0.0.1:4444 user@your-remote-i2p-computer.com

You will be asked for the password of that user on your remote I2P computer (or your key passphrase, if you use public-key authentication). Set the browser's HTTP proxy to localhost port 8080 and enter the address of whatever eepsite you want to see. Note that the 127.0.0.1 in the -L argument is resolved on the remote side: it is the remote computer's own loopback interface, where I2P's HTTP proxy listens.

IRC

You can do pretty much anything over this ssh tunnel. If you want to chat with people on IRC, you just have to type:

ssh -f -N -L 9999:127.0.0.1:6668 user@your-remote-i2p-computer.com

Then point your IRC client at 127.0.0.1 port 9999; the connection is forwarded, encrypted, to your remote I2P computer, which in turn hands it to one of the IRC servers inside I2P.

TOR

If you want to browse the ordinary internet, I2P is the wrong tool, but most of us have Tor, so...

ssh -f -N -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com

Use HTTP proxy localhost port 8080. This is usually much better than an ordinary anonymizing proxy. (Obviously you need Tor on the remote computer for this. The example above assumes Privoxy chained to Tor on the remote, listening on Privoxy's default port 8118; this is the standard setup, and the Tor website documents how to do it.)

Privoxy

If you want to route everything through Privoxy (a filtering local proxy), install Privoxy on the remote computer and make the following changes in its config file (the catch-all rule comes first; the more specific rules below it take precedence for the requests they match):

#this directs ALL requests to the tor proxy
forward-socks5t   /               127.0.0.1:9050 .
#this forwards all requests to I2P domains to the local I2P
#proxy without dns requests
forward .i2p localhost:4444
#this forwards all requests to Freenet domains to the local Freenet node
#proxy without dns requests
forward ksk@ localhost:8888
forward ssk@ localhost:8888
forward chk@ localhost:8888
forward svk@ localhost:8888

With this configuration you need only ONE tunnel to your remote machine, and it handles I2P, Tor and Freenet sites as if they were all in your little network. Privoxy can also be configured to strip the identifying headers your browser sends, so even with Internet Explorer you give away less. Privoxy listens on port 8118 by default, so just open an SSH tunnel to that port number, as in the Tor example above.

(Copied from the forum. Thanks Romster and sirup! See http://forum.i2p/viewtopic.php?t=218)

Using Windows

I have tried this from a Windows computer to my home computer, which runs Linux. The best client is probably Plink. Google for PuTTY and download Plink from its web site. Open the command box and type something like:

plink -N -L 8080:127.0.0.1:8118 user@your-remote-i2p-computer.com

For some reason plink (or Windows?) has no way to go into background mode, so if you close the command box the link disappears as well :(

This is the same on Linux: the cmd shell is the parent process, and when you close the parent, unforked children die. If you don't want that to happen, pick a better parent! Instead of the cmd prompt, enter the command directly into the Run dialog.

Explanation

ssh -f -N -L local_port:destination:dest_port user@relay-computer
  • -f = go to background once authentication has succeeded
  • -N = do not execute any remote command, but instead:
  • -L = forward connections from local_port <-A-> relay-computer <-B-> destination:dest_port (or RTFM). Note that destination is resolved by the relay-computer, so 127.0.0.1 there means the relay's own loopback, and that by default ssh binds local_port on your loopback only, so other machines on your LAN cannot use the tunnel. Tip: if you are really paranoid, pass several -L options and SSH will carry all the forwards in one connection, probably making it a little harder to traffic-analyze your transmission(s).
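As an added example (not code from the wiki page or from OpenSSH), the following POSIX shell helper turns a list of local:remote port pairs into one ssh -f -N command with several -L forwards, enforcing the port rules from the note in the Examples section: local ports must be unprivileged and unique, and every forward is bound explicitly to the local loopback. It also adds -o ExitOnForwardFailure=yes so ssh refuses to background itself when a local port is already taken. The function name build_tunnel_cmd and the host names are placeholders chosen here; the generated command is printed, not executed.

```shell
#!/bin/sh
# Added example: build one "ssh -f -N" command that carries several -L
# forwards, enforcing the port rules stated in the text. Hypothetical helper,
# not part of OpenSSH or of the wiki page.
#
#   build_tunnel_cmd USER@HOST LOCAL:REMOTE [LOCAL:REMOTE ...]
#
# A bare "PORT" means PORT:PORT (the "same port as I2P" shortcut). Each local
# port must be unprivileged (1024-65535) and unique; each remote port must be
# 1-65535. The left 127.0.0.1 binds the listener to the local loopback; the
# right 127.0.0.1 is resolved by the *remote* sshd, i.e. it is the remote
# computer's own loopback where I2P, Privoxy or Tor listen.
# ExitOnForwardFailure makes ssh exit instead of backgrounding itself when a
# local port is already in use, so you never get a half-working tunnel.
build_tunnel_cmd() {
    [ $# -ge 2 ] || { echo "usage: build_tunnel_cmd USER@HOST LOCAL:REMOTE ..." >&2; return 1; }
    target=$1; shift
    seen=" "
    cmd="ssh -f -N -o ExitOnForwardFailure=yes"
    for m in "$@"; do
        lport=${m%%:*}        # text before the first colon
        rport=${m#*:}         # text after it; equals $m when there is no colon
        case "$lport" in ''|*[!0-9]*) echo "bad local port in '$m'" >&2; return 1;; esac
        case "$rport" in ''|*[!0-9]*) echo "bad remote port in '$m'" >&2; return 1;; esac
        if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
            echo "local port $lport is privileged or out of range (need 1024-65535)" >&2
            return 1
        fi
        if [ "$rport" -lt 1 ] || [ "$rport" -gt 65535 ]; then
            echo "remote port $rport is out of range" >&2
            return 1
        fi
        case "$seen" in *" $lport "*) echo "local port $lport used twice" >&2; return 1;; esac
        seen="$seen$lport "
        cmd="$cmd -L 127.0.0.1:$lport:127.0.0.1:$rport"
    done
    printf '%s %s\n' "$cmd" "$target"
}

# Demo with the placeholder host name used on this page (not a real host):
build_tunnel_cmd user@your-remote-i2p-computer.com 8080:4444 9999:6668
build_tunnel_cmd user@your-remote-i2p-computer.com 4444 6668 8118
build_tunnel_cmd user@your-remote-i2p-computer.com 80:4444 || echo "(rejected, as it should be)"
```

Paste the printed command into your shell, or wrap the function in a script that runs `eval "$(build_tunnel_cmd ...)"` once you trust it. Because every forward is bound to 127.0.0.1, nothing on your LAN can ride the tunnel even if an ssh_config somewhere sets GatewayPorts.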

-- Written by You (you at i2pmail dot org)

SSH over the I2P network, or how to tunnel a tunnel

Setup tunnels on both ends

I will describe in short steps how to route an SSH connection through the I2P network. The additional encryption that I2P adds on top of SSH is perhaps not needed; what is good about it is that it hides from an observer that an SSH connection is being made to the remote computer, and from where it originates, because the connection is routed through the I2P network.

It can be useful for administering a remote computer more anonymously than by connecting to its public IP address. Also you don't need to open an SSH port on the server to the public clearnet.

Connection quality and reliability of course depend on many factors. Experiment with settings such as tunnel and backup quantity for this connection. If no stable connection is possible, a terminal multiplexer like screen or Byobu can help, since it keeps your session alive across disconnects.

Perhaps not the best solution, but it works:

  1. On both client and server, open the router console, go to the "Hidden services" menu and create the tunnels with the wizard.
  2. On the server add a "Normal" server tunnel that points at localhost:SSHPORT (for example localhost:22).
  3. On the client add a "Normal" client tunnel that listens on localhost:SSHPORT (for example localhost:9922).
  4. Copy the local destination (the base64 key shown on the server tunnel's page) into the client tunnel's "Tunnel Destination" field; it is a destination, not a port number.
  5. Start both tunnels and try to connect from the client via ssh:
ssh -p 9922 username@127.0.0.1

Recommended next steps:

  1. If no connection from the LAN or the public clearnet is needed, configure the SSH server to listen only on the localhost interface (ListenAddress 127.0.0.1 in sshd_config).
  2. Apply the usual ssh security measures:
    1. Change the SSH authentication method from password to public key or OTP (PasswordAuthentication no, PubkeyAuthentication yes).
    2. Disable root login via ssh (PermitRootLogin no) and configure sudo if necessary.
    3. Add fail2ban for SSH logins. Be aware that it bans by source address, and every login attempt that arrives through the I2P tunnel reaches sshd from 127.0.0.1, so it cannot tell an attacker from you there; it only helps on a clearnet-facing port.

Know the risk of an insecurely configured SSH server!!!

Because, afaik, the destination key of the tunnel that forwards to the ssh server gets published with the floodfill data. (true ?)

You can use an encrypted LeaseSet to add protection against unwanted ssh login attempts. ((how) secure ?)
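As an added example (not part of the wiki page or of OpenSSH), this POSIX shell audit checks an sshd_config for the settings recommended above: loopback-only ListenAddress, no password authentication, no root login, public keys left enabled. The functions sshd_first_value and audit_sshd_config and both sample configs are constructed for this example; the checks mirror sshd's own rules that the first value seen for a keyword wins and that lines after the first Match are conditional rather than global.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening steps recommended
# above, for a server that is reached only through the I2P tunnel.
# Hypothetical helper, not part of OpenSSH or of the wiki page.
#
# sshd semantics mirrored here: the first value read for a keyword wins,
# keywords are case-insensitive, "#" starts a comment, and everything after
# the first "Match" line is conditional, so only lines before it are global.

# sshd_first_value CONFIG KEYWORD -> first global value (lowercased), or nothing
sshd_first_value() {
    awk -v k="$2" '
        { sub(/#.*/, "") }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# audit_sshd_config CONFIG -> one finding per line; exit 0 if clean, 1 otherwise
audit_sshd_config() {
    cfg=$1
    n=0
    # Every ListenAddress must be loopback; with none at all sshd binds everything.
    listen=$(awk '{ sub(/#.*/, "") } tolower($1)=="match"{exit} tolower($1)=="listenaddress"{print $2}' "$cfg")
    if [ -z "$listen" ]; then
        echo "no ListenAddress: sshd binds all interfaces by default"; n=$((n + 1))
    else
        for a in $listen; do
            case "$a" in
                127.0.0.1|127.0.0.1:*|::1|"[::1]"|"[::1]:"*|localhost|localhost:*) ;;
                *) echo "ListenAddress $a is not loopback"; n=$((n + 1)) ;;
            esac
        done
    fi
    v=$(sshd_first_value "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-yes (default)}', want 'no'"; n=$((n + 1)); }
    v=$(sshd_first_value "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-default}', want 'no'"; n=$((n + 1)); }
    v=$(sshd_first_value "$cfg" PubkeyAuthentication)
    [ "$v" != "no" ] || { echo "PubkeyAuthentication is disabled, but keys are the replacement for passwords"; n=$((n + 1)); }
    [ "$n" -eq 0 ]
}

# Two constructed configs (not taken from any real host):
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
# looks like many stock installs: reachable from everywhere, passwords on
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
EOF

HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
ListenAddress 127.0.0.1
ListenAddress [::1]:22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# the block below is conditional and must not change the global verdict
Match User backup
    PasswordAuthentication yes
EOF

for f in "$WEAK" "$HARDENED"; do
    echo "== $f"
    if audit_sshd_config "$f"; then echo "OK: no findings"; fi
done
```

Run it against /etc/ssh/sshd_config on the I2P-side server after each change. The authoritative view of what sshd actually applies is `sshd -T`, which prints the effective configuration; this script is a quick pre-check, not a replacement for that.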

Using tools for file transfer over SSH

With a working tunnel for SSH through the I2P network, most of the SSH-based tools for file transfer and synchronization work as usual, as long as you point them at the local tunnel port.

todo: example sftp

!! Read and understand the rsync manual !! To copy a directory from the server to the client, execute on the client side:

rsync -av -e 'ssh -p 9922' user@localhost:/mnt/dir/at/server/ /mnt/dir/at/client/

-a copies recursively and preserves permissions and timestamps, and the trailing slash on the source means "the contents of that directory"; without it rsync creates a server subdirectory inside /mnt/dir/at/client.
