nihilist`s Blog
Previous Page

nihilist@mainpc - 2024-05-02

Remote anonymous access setup (cockpit + ssh through tor)

Initial Setup

On your server, edit the torrc file like so:


[ Datura ] [ /dev/pts/9 ] [~]
→ cat /etc/tor/torrc

HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:4443

Then just edit your local .ssh config to access it:


[ mainpc ] [ /dev/pts/7 ] [~]
→ cat .ssh/config
Host web-gw2024-dedi
        User root
        hostname 37.27.32.233
        IdentityFile ~/.ssh/torified

Host tortura
        User root
        hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
        IdentityFile ~/.ssh/torified
        proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

Host datura
        User root
        hostname 65.109.30.253
        IdentityFile ~/.ssh/torified

Then connect to the host via SSH:


[ mainpc ] [ /dev/pts/5 ] [~]
→ systemctl restart tor@default

[ mainpc ] [ /dev/pts/5 ] [~]
→ ssh tortura
The authenticity of host 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:A0CFTeUixGoK96VenBQ7Z2U8kX5olDCqBvBNeJUfs6I.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:144: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/nihilist/.ssh/torified':
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May  2 14:47:23 2024 from 178.255.149.178

[ Datura ] [ /dev/pts/11 ] [~]
→

So that's how you do it if you cannot access the server via a public IP directly, but keep in mind that the latency is most likely unbearable due to the 6 hops circuit (since we're doing it via the .onion link, rather than connecting to the IP directly)

so you're probably better off just connecting to the IP directly but forcing the SSH connection through tor using torsocks, which greatly reduces the latency (3 hops instead of 6):


[ mainpc ] [ /dev/pts/7 ] [~]
→ torsocks ssh datura
Enter passphrase for key '/home/nihilist/.ssh/torified':
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May  2 15:48:08 2024 from 127.0.0.1

[ Datura ] [ /dev/pts/12 ] [~]
→ id
uid=0(root) gid=0(root) groups=0(root)

Cockpit .onion setup



Let's install cockpit from the apt repositories: 


[ Datura ] [ /dev/pts/11 ] [~]
→ apt install cockpit -y
	
[ Datura ] [ /dev/pts/11 ] [~]
→ systemctl status cockpit
● cockpit.service - Cockpit Web Service
     Loaded: loaded (/lib/systemd/system/cockpit.service; static)
     Active: active (running) since Fri 2024-05-03 13:30:51 CEST; 2min 5s ago
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
    Process: 3563910 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
   Main PID: 3563926 (cockpit-tls)
      Tasks: 1 (limit: 77002)
     Memory: 2.4M
        CPU: 355ms
     CGroup: /system.slice/cockpit.service
             └─3563926 /usr/lib/cockpit/cockpit-tls

May 03 13:30:51 Datura systemd[1]: Starting cockpit.service - Cockpit Web Service...
May 03 13:30:51 Datura cockpit-certificate-ensure[3563918]: /usr/lib/cockpit/cockpit-certificate-helper: line 25: sscg: command not found
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: ......+.....+.+......+...+.........+...+..............+.+...+..+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+++++++++++++++++++++++++++++++>
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: .+.........+...+...+.......+........+....+..............+.........+......+.+......+..+.+..+...+....+...+.........+.....+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++>
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: -----
May 03 13:30:51 Datura systemd[1]: Started cockpit.service - Cockpit Web Service.
May 03 13:30:51 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 03 13:30:55 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.

once it completes, just connect to it on port 9090:

ignore the self-signed HTTPs warning and enable javascript afterward:

In the Tor browser, select the "Safer" security level to be able to browse to the cockpit service with javascript:

if it refuses the login, make sure the user has proper sudo access like so::


[ Datura ] [ /dev/pts/11 ] [~]
→ useradd nihilist

[ Datura ] [ /dev/pts/11 ] [~]
→ passwd nihilist
New password:
Retype new password:
passwd: password updated successfully

[ Datura ] [ /dev/pts/11 ] [~]
→ usermod -aG sudo nihilist

[ Datura ] [ /dev/pts/11 ] [~]
→ visudo

# User privilege specification
root    ALL=(ALL:ALL) ALL
nihilist ALL=(ALL:ALL) ALL

Nihilism

Until there is Nothing left.

My Links

RSS Feed
Matrix Chat

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@nihilism.network (PGP)