Actions

SSH

From Whonix

(Redirected from Ssh)


Ambox warning pn.svg.png Documentation for this is incomplete. Contributions are happily considered!

SSH is a core tool in a sysadmin's arsenal. It is mainly used to remotely control a machine.

Use stronger ssh keys. 

ssh-keygen -t ed25519

Prefer SSH servers available through a Tor Onion Service for stronger encryption and authentication. Consider using Onions Services Authentication. Tor also provides NAT hole-punching so you don't need to register with a DNS service nor open up your LAN to outside access. If the server is known to the public (non-hidden) one could use single Tor hops for the server, see Non Anonymous Onion Encryption and NAT Traversal.

Any references to SSH breaks in the Snowden archives applied to some outdated ciphers.

This has since been addressed by hardened OpenSSH settings (which are included in Whonix ™) and upstream disabling vulnerable algorithms.[1][2]

mosh [archive] might be useful, however since it requires UDP, using it over Tor is non-trivial, see Tunnel UDP over Tor.

Beware of keyboard keystroke and computer mouse based deanonymization as explained under Surfing Posting Blogging.

Can be combined with Two-factor authentication 2FA (undocumented).

Configuration SSH servers to listen on non-default ports reduces noise (automated hacking attempts) as well might increase security from lesser skilled attackers.

Whonix forum discussion:
https://forums.whonix.org/t/locking-down-your-ssh-client/7896 [archive]

Footnotes[edit]

  1. https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys [archive]
  2. https://stribika.github.io/2015/01/04/secure-secure-shell.html [archive]

Follow: Twitter.png Facebook.png 1280px-Gab text logo.svg.png Rss.png Matrix logo.svg.png 1024px-Telegram 2019 Logo.svg.png Discourse logo.svg

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate whonix.png

Share: Twitter | Facebook

Are you proficient with iptables? Want to contribute? Check out possible improvements to iptables [archive]. Please come and introduce yourself in the development forum [archive].

https link onion link

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian [archive]. Debian is a registered trademark [archive] owned by Software in the Public Interest, Inc [archive].

Whonix ™ is produced independently from the Tor® [archive] anonymity software and carries no guarantee from The Tor Project [archive] about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.


Retrieved from "https://www.whonix.org/w/index.php?title=SSH&oldid=50150"