# SSH tunnel traffic redirecting to TOR network

## ontheair

Hello,

I am running a small gentoo server for several purposes. It is also an exit-node for my SSH tunnel (I am using it because I often have to connect to unsecured public WIFI networks abroad). In this case I am tunneling my traffic via SSH to the gentoo server and there it goes directly to the ISP. No problem.

Now I am asked by a friend if I can give him SSH tunnel access to my server (he will go on vacation and will also be using unsecured public WIFI). So I want to create a new user for him (just able to tunnel via SSH, but nothing else, no bash, etc). And, for security purposes, I want his (and only his) traffic not to be forwarded directly to the ISP but routed through the TOR network instead.

TOR and polipo configuration is not a problem, I already have done it, working fine, checking for DNS leaks via tcpdump, etc.

So, my problems are:

- How to create a user in gentoo who is just allowed to do SSH tunnel and nothing more?

- How to redirect his traffic (and only his traffic) to polipo?

I am working with gentoo now for almost one year, but I am still not a pro - so any help is appreciated.

Thank you!

Stefan

----------

## Hu

Create a normal user account for him.  Lock its password, so that it can only authenticate with a key.  (This is not necessary if you do the next step, but it is a good extra step so that no one with console access can use that account either.)  Configure sshd to permit only public key authentication.  Obtain a public key from your friend, and install it for him with usage restrictions.  See man sshd section AUTHORIZED_KEYS FILE FORMAT for details on what restrictions you can set.

Could you elaborate on how you would forward traffic to polipo in the general case?

----------

## ontheair

Thank you for your reply! I forgot to say that I am using keyboard interactive login without key for my account and I also would prefer this for the new account.

I am not using TOR / polipo in normal cases, but I would like to use it for the new user account for SSH tunnel forwarding. So I installed TOR and polipo on my server and configured it. Polipo is listening on port 8123 localhost and forwarding traffic to TOR on port 9050 localhost.

I tested everything with:

```
http_proxy=localhost:8123 wget -P [local destination path] [URL for testing]
```

As I can see in tcpdump, the whole traffic generated by wget is routed through polipo and TOR correctly. So I need to find a way that all traffic from SSH tunnel forwarding by the new user is routed this way by default.

----------

## Hu

In general, I recommend that any Internet-facing sshd disable all password-based authentication, as a measure to mitigate attacks by bots.

If you insist on not using ssh key authentication for the restricted user, you could instead use a ForceCommand directive to execute a very limited command.

The simplest way to provide Tor-based protection for him would be to have his ssh client forward a port from his machine to your Polipo listener, then have him configure his system to use his forwarded port as a proxy.  His machine would then forward the traffic to Polipo, which could forward the traffic again over Tor.

----------

## ontheair

Ok, this could be an idea.

1 - Restricting shell access could be done in the sshd conf with something like this, I think:

```
Match user tunneluser
    ForceCommand [a shell script with a loop?]
    ChrootDirectory /home/tunneluser
```

2 - Forwarding the ssh client (PuTTY in this case) to the polipo listener port. This is possible, right. But he is still able to change these settings on his client and access the internet directly without using TOR. This is ok because I trust him, but from a technical point of view this is not a bulletproof solution.

While searching the internet I found cjb.net/shell.html by accident. They are offering free shell access to the public with tunneling. And they say, that the tunnel is forwarded to the TOR network. So they are doing exactly what I want to do.

Now I can tell my friend that he should use cjb.net instead of my server. But now I am curious how to do that... Because they are able to do it, it should also be possible with my server.
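One way to put Hu's suggestion and the draft Match block above together, as an added example that is not code from this thread: the account gets no usable shell, and sshd itself limits what the tunnel may reach to the local Polipo listener, so the friend cannot point a forward at the open internet through your server. It assumes OpenSSH sshd on Gentoo (OpenRC), Polipo on localhost:8123 as described, the user name "tunneluser" from the draft, and a client that opens no session (ssh -N, or PuTTY's "Don't start a shell or command at all"); the host/addr values passed to sshd -T are dummies.

```shell
# Added example (not from the thread): a tunnel-only SSH account whose
# forwards may only reach the local Polipo listener on port 8123.
# Assumes OpenSSH sshd on Gentoo/OpenRC and the user name "tunneluser".

# Emit the Match block. It must be appended at the END of sshd_config,
# because every line after "Match" belongs to it until the next Match.
sshd_match_block() {
    cat <<'EOF'

# tunneluser: SSH tunnel only, no shell/pty, forwards only to local Polipo
Match User tunneluser
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    AllowTcpForwarding local
    PermitOpen localhost:8123
EOF
}

# Create the account and install the block; run as root.
apply_tunnel_user() {
    useradd -m -s /bin/sh tunneluser   # a real shell is needed to exec ForceCommand
    passwd tunneluser                  # set the password the friend will log in with
    sshd_match_block >> /etc/ssh/sshd_config
    sshd -t                            # syntax check before touching the running daemon
    # Show the settings sshd will really apply to this user (dummy client values).
    sshd -T -C user=tunneluser,host=client.example,addr=192.0.2.10 \
        | grep -Ei '^(permitopen|allowtcpforwarding|forcecommand|permittty)'
    /etc/init.d/sshd reload
}

# Only touch the system when explicitly asked: sh tunneluser.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_tunnel_user
fi
```

PermitOpen only constrains where a forward may go on the server side; it cannot stop him from bypassing the tunnel entirely on his own machine, and the Tor hop still depends on Polipo handing traffic to Tor on port 9050 as you already configured.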

----------

