
SSH Fingerprint Verification via Tor

Using Tor to validate SSH fingerprints.
Posted on Mon, 27 Feb 2017 09:30:00 MST by Aaron Bieber
Tags: SSH, Tor

The Problem

OpenSSH (really, are there any other implementations?) requires Trust on First Use for fingerprint verification.

Verification can be especially problematic when using remote services like VPS or colocation.

How can you trust that the initial connection isn’t being Man In The Middle’d?

My Solution

… for remote hosts, is to use Tor as supplemental verification. Fortunately, OpenSSH makes this very easy, as connections can be proxied (ProxyCommand) via arbitrary commands (socat in this case).

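#!/bin/sh

# To make use of this, you need:
# - Tor installed / running
# - socat installed
# - Line 1 of your ~/.ssh/config should have: 'Include ~/.ssh/torify'

if [ $# -lt 1 ]; then
        echo "Please specify hostname to check!"
        exit 1
fi

TFILE=~/.ssh/torify
HOST=$1

# ssh_config fragment that sends every connection through Tor's SOCKS port.
CONF=$(cat <<'EOF'
Host *
        ProxyCommand socat STDIO SOCKS4A:localhost:%h:%p,socksport=9050
EOF
)

# Empty the include file again on any exit, so an interrupted run does not
# leave all ssh traffic proxied through Tor.
trap 'echo "" > "${TFILE}"' EXIT
trap 'exit 1' INT TERM

echo "$CONF" > "${TFILE}"

# Resolve the name through Tor as well, so the lookup does not use local DNS.
IP=$(tor-resolve "${HOST}")
if [ -z "${IP}" ]; then
        echo "tor-resolve returned no address for ${HOST}"
        exit 1
fi

# Five cut-short connections over Tor: each one gets 3 seconds to print the
# host key fingerprint before the ssh process is killed.
for i in 1 2 3 4 5; do
        ssh "${IP}" & sleep 3; kill $!
done

# Disable the proxy and make one direct connection for comparison.
echo "" > "${TFILE}"
ssh "$HOST" & sleep 3; kill $!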

Latest version of this script can be pulled from here

The above script makes five cut-short ssh connections (waiting 3 seconds before cutting the connection by killing the ssh pid) to an IP address that is resolved using Tor. It then makes a single non-Tor’d cut-short connection to print the fingerprint as seen from your default outbound connection.

If all six of the output fingerprints match, it’s a bit safer to assume that your connection to the remote host isn’t being tampered with!
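Comparing six fingerprints by eye is easy to get wrong, and a connection killed after 3 seconds may never have printed its prompt. The following is an added example, not part of the original post or the author's script: a hypothetical helper, check_fingerprints, that reads saved prompt text on standard input and reports whether every connection showed the same key. It assumes the terminal text has been saved to a file; the sample prompts, addresses and fingerprints are constructed.

```shell
#!/bin/sh
# Added example: check_fingerprints and sample_prompts are hypothetical helpers.
# stdin: text of the ssh host-key prompts; $1: connections expected (default 6).
# Exit status: 0 = all match, 1 = mismatch, 2 = fewer prompts than expected.
check_fingerprints() {
        awk -v want="${1:-6}" '
        / key fingerprint is / {
                fp = $NF
                sub(/\.$/, "", fp)        # drop the period that ends the line
                key = $1 " " fp           # compare key type and fingerprint
                if (!(key in seen)) order[++distinct] = key
                seen[key]++
                total++
        }
        END {
                for (i = 1; i <= distinct; i++)
                        printf "%d x %s\n", seen[order[i]], order[i]
                if (distinct > 1) {
                        print "MISMATCH"
                        exit 1
                }
                if (total < want) {
                        printf "INCOMPLETE: %d of %d prompts seen\n", total, want
                        exit 2
                }
                print "MATCH"
        }'
}

# Constructed sample input: five prompts via Tor, then one direct prompt.
# $1 optionally overrides the fingerprint seen on the direct connection.
sample_prompts() {
        for i in 1 2 3 4 5; do
                echo "The authenticity of host '203.0.113.10' can't be established."
                echo "ED25519 key fingerprint is SHA256:ConstructedFingerprintAAAAAAAAAAAAAAAAAAAAA."
        done
        echo "The authenticity of host 'vps.example.org' can't be established."
        echo "ED25519 key fingerprint is SHA256:${1:-ConstructedFingerprintAAAAAAAAAAAAAAAAAAAAA}."
}

# Demo on the constructed sample.
sample_prompts | check_fingerprints 6
```

An INCOMPLETE result means a connection was cut before its prompt appeared, which is not evidence of a match; rerun with a longer sleep.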

Obviously, this solution isn’t 100%. Your Tor connection could be compromised. Snakes could be on planes… etc. So use it at your own risk.

