My server runs SSH on a non-standard port. This has some advantages, e.g. fewer automated login attempts and thus less log spamming. Of course, this decision can be discussed, and there are good alternatives like using fail2ban, port knocking or even tarpits.

However, there are also disadvantages, like having to configure the port for several tools (scp, sftp, mosh etc.) or nasty firewalls. For example, the university which I'm visiting has such crappy firewall rules that they block my particular SSH port. To overcome this issue, I'm using SSH over Tor.

This approach requires a small program called connect, which enables SSH connections over a SOCKS proxy; Tor provides that proxy. On Debian-based Linux distributions, this program is contained in the package connect-proxy. On macOS, it can be installed via the Homebrew formula called connect. More information about this program can be found at the project's website:

Of course, Tor is also required, as is the OpenSSH client.

As an example, it is assumed that you are running SSH on port 2222 for the host with the user example and your SSH private key file ~/.ssh/id_rsa (neither of the latter two is important for this approach).

Your SSH configuration (.ssh/config) might then look like this:

Host example
    Port 2222
    User example
    IdentityFile ~/.ssh/id_rsa

Under normal circumstances, you would log in by running the command $ ssh example, but in cases where the TCP port 2222 is blocked, this does not work.

By adding the following wildcard host alias to your SSH configuration, you can connect to your SSH host via Tor:

Host *-tor
    ProxyCommand connect -a none -S localhost:9050 $(tor-resolve %h localhost:9050) %p

In particular, you should follow these steps:

  1. Start Tor, e.g. by simply running tor in a terminal (it will keep running in the foreground). Alternatively, you can run Tor as a system service in the background.
  2. Connect to your SSH host by using the -tor suffix, e.g.: ssh example-tor
  3. Profit!
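
Before relying on the alias, it helps to confirm what OpenSSH will actually do for it. The following shell function is an added example, not part of the original post: it reads the output of `ssh -G <alias>` and reports whether the ProxyCommand points at the Tor SOCKS listener and whether the alias still uses port 2222. The function name, return codes and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Classifies the effective client config printed by `ssh -G <alias>` (stdin).
#   $1  expected SSH port (2222 in the post's example)
#   $2  Tor SOCKS address (default localhost:9050, as in the post)
# Prints one word; returns 0 tor, 1 direct, 2 other-proxy, 3 wrong-port.
check_tor_route() {
    want_port="$1"
    socks="${2:-localhost:9050}"
    proxy=""
    port=""
    # `ssh -G` prints one "keyword value" pair per line, keywords lowercase.
    while read -r key value; do
        case "$key" in
            proxycommand) proxy="$value" ;;
            port)         port="$value" ;;
        esac
    done
    # No ProxyCommand: nothing in this config sends the connection to Tor.
    if [ -z "$proxy" ] || [ "$proxy" = "none" ]; then
        echo direct; return 1
    fi
    # The proxy must hand the connection to the Tor SOCKS listener.
    case "$proxy" in
        *"-S $socks "*|*"-S $socks") ;;
        *) echo other-proxy; return 2 ;;
    esac
    # The alias must also carry the server's non-standard port.
    if [ "$port" != "$want_port" ]; then
        echo wrong-port; return 3
    fi
    echo tor
}

# Constructed samples shaped like `ssh -G` output (not real captures).
sample_tor='user example
port 2222
proxycommand connect -a none -S localhost:9050 $(tor-resolve %h localhost:9050) %p'
sample_direct='user example
port 2222'
sample_alias_only='port 22
proxycommand connect -a none -S localhost:9050 $(tor-resolve %h localhost:9050) %p'

for s in "$sample_tor" "$sample_direct" "$sample_alias_only"; do
    printf '%s\n' "$s" | check_tor_route 2222 || true
done
# Real use: ssh -G example-tor | check_tor_route 2222
```

A result of wrong-port means the alias picked up the ProxyCommand but not the Port setting of the original Host entry.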

This post is based on Anonymous SSH Sessions With TOR.

Update: Shortly after publishing this post, the user pointed out on Mastodon that this can be achieved way easier by simply prepending torify (or the preferred torsocks) to the SSH command. This of course requires torsocks (see project website) to be installed. The main difference is that torsocks will automatically try to determine how to wrap the socket calls of the applied command to use the SOCKS proxy of Tor, instead of having to configure it manually as described above.