On your server, edit the torrc file like so:
[ Datura ] [ /dev/pts/9 ] [~]
→ cat /etc/tor/torrc
HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:4443
Then just edit your local .ssh config to access it:
[ mainpc ] [ /dev/pts/7 ] [~]
→ cat .ssh/config
Host web-gw2024-dedi
    User root
    hostname 37.27.32.233
    IdentityFile ~/.ssh/torified
Host tortura
    User root
    hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
    IdentityFile ~/.ssh/torified
    proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
Host datura
    User root
    hostname 65.109.30.253
    IdentityFile ~/.ssh/torified
Then connect to the host via SSH:
[ mainpc ] [ /dev/pts/5 ] [~]
→ systemctl restart tor@default
[ mainpc ] [ /dev/pts/5 ] [~]
→ ssh tortura
The authenticity of host 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:A0CFTeUixGoK96VenBQ7Z2U8kX5olDCqBvBNeJUfs6I.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:144: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/nihilist/.ssh/torified':
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 2 14:47:23 2024 from 178.255.149.178
[ Datura ] [ /dev/pts/11 ] [~]
→
So that's how you do it if you cannot access the server via a public IP directly. Keep in mind, though, that the latency is most likely unbearable because of the 6-hop circuit (we are going through the .onion address rather than connecting to the IP directly),
so you are probably better off connecting to the IP directly but forcing the SSH connection through Tor with torsocks, which greatly reduces the latency (3 hops instead of 6):
[ mainpc ] [ /dev/pts/7 ] [~]
→ torsocks ssh datura
Enter passphrase for key '/home/nihilist/.ssh/torified':
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 2 15:48:08 2024 from 127.0.0.1
[ Datura ] [ /dev/pts/12 ] [~]
→ id
uid=0(root) gid=0(root) groups=0(root)
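As an added example (not code from the original post), here is a small Python check for the rule the ~/.ssh/config above depends on: a .onion HostName must go through a ProxyCommand that hands the literal %h to Tor's SOCKS port, otherwise ssh resolves the onion name through the system resolver, which leaks it and fails. The sample config and the "leaky" host in it are constructed for this example.

```python
import re

# Constructed sample: the post's two Tor-relevant hosts plus a hypothetical
# broken block ("leaky") whose .onion HostName has no ProxyCommand.
SAMPLE_CONFIG = """\
Host tortura
    hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
    proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
Host leaky
    HostName zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.onion
Host datura
    hostname 65.109.30.253
"""
TOR_SOCKS_PORTS = ("9050", "9150")  # tor daemon and Tor Browser defaults


def parse_ssh_config(text):
    """Return {alias: {keyword_lowercase: value}} for every Host block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return blocks


def audit_tor_hosts(text):
    """Return {alias: [finding, ...]} for .onion Host blocks that would leak or fail."""
    findings = {}
    for alias, opts in parse_ssh_config(text).items():
        if not opts.get("hostname", alias).lower().endswith(".onion"):
            continue  # direct-IP hosts are only safe under torsocks; not visible in the config
        proxy = opts.get("proxycommand")
        if proxy is None:
            problems = ["no ProxyCommand: ssh would hand the .onion name to the system resolver"]
        else:
            problems = []
            if "%h" not in proxy:
                problems.append("ProxyCommand lacks %h: the onion name never reaches the proxy")
            if not any(port in proxy for port in TOR_SOCKS_PORTS):
                problems.append("ProxyCommand does not use a Tor SOCKS port (9050/9150)")
        if problems:
            findings[alias] = problems
    return findings
```

Run it against the real file with `audit_tor_hosts(open("~/.ssh/config").read())` (after expanding the path); an empty result means every .onion host is routed through Tor.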
Let's install cockpit from the apt repositories:
[ Datura ] [ /dev/pts/11 ] [~]
→ apt install cockpit -y
[ Datura ] [ /dev/pts/11 ] [~]
→ systemctl status cockpit
● cockpit.service - Cockpit Web Service
Loaded: loaded (/lib/systemd/system/cockpit.service; static)
Active: active (running) since Fri 2024-05-03 13:30:51 CEST; 2min 5s ago
TriggeredBy: ● cockpit.socket
Docs: man:cockpit-ws(8)
Process: 3563910 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
Main PID: 3563926 (cockpit-tls)
Tasks: 1 (limit: 77002)
Memory: 2.4M
CPU: 355ms
CGroup: /system.slice/cockpit.service
└─3563926 /usr/lib/cockpit/cockpit-tls
May 03 13:30:51 Datura systemd[1]: Starting cockpit.service - Cockpit Web Service...
May 03 13:30:51 Datura cockpit-certificate-ensure[3563918]: /usr/lib/cockpit/cockpit-certificate-helper: line 25: sscg: command not found
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: ......+.....+.+......+...+.........+...+..............+.+...+..+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+++++++++++++++++++++++++++++++>
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: .+.........+...+...+.......+........+....+..............+.........+......+.+......+..+.+..+...+....+...+.........+.....+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++>
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: -----
May 03 13:30:51 Datura systemd[1]: Started cockpit.service - Cockpit Web Service.
May 03 13:30:51 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 03 13:30:55 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
Once it completes, just connect to it on port 9090:
Ignore the self-signed HTTPS warning and enable JavaScript afterward:
In Tor Browser, select the "Safer" security level to be able to browse to the Cockpit service with JavaScript enabled:
If it refuses the login, make sure the user has proper sudo access like so:
[ Datura ] [ /dev/pts/11 ] [~]
→ useradd nihilist
[ Datura ] [ /dev/pts/11 ] [~]
→ passwd nihilist
New password:
Retype new password:
passwd: password updated successfully
[ Datura ] [ /dev/pts/11 ] [~]
→ usermod -aG sudo nihilist
[ Datura ] [ /dev/pts/11 ] [~]
→ visudo
# User privilege specification
root ALL=(ALL:ALL) ALL
nihilist ALL=(ALL:ALL) ALL
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)