Tor part 2: hidden service

Author: Solène

Date: 11 October 2018

Tags: openbsd unix tor security

NILIn this second Tor article, I will present an interesting Tor feature

named **hidden service**. The principle of this hidden service is to

make available a network service from anywhere, with only

prerequisites that the computer must be powered on, tor not blocked

and it has network access.

This service will be available through an address not disclosing

anything about the server internet provider or its IP, instead, a

hostname ending by **.onion** will be provided by tor for

connecting. This hidden service will be only accessible through Tor.

There are a few advantages of using hidden services:

- privacy, hostname doesn't contain any hint

- security, secure access to a remote service not using SSL/TLS

- no need for running some kind of dynamic dns updater

The drawback is that it's quite slow and it only work for TCP

services.

From here, we assume that Tor is installed and working.

Running an hidden service require to modify the Tor daemon

configuration file, located in **/etc/tor/torrc** on OpenBSD.

Add the following lines in the configuration file to enable a hidden

service for SSH:

HiddenServiceDir /var/tor/ssh_service

HiddenServicePort 22 127.0.0.1:22

The directory **/var/tor/ssh_service** will be be created. The

directory **/var/tor** is owned by user **_tor** and not readable by

other users. The hidden service directory can be named as you want,

but it should be owned by user **_tor** with restricted

permissions. Tor daemon will take care at creating the directory with

correct permissions once you reload it.

Now you can reload the tor daemon to make the hidden service

available.

$ doas rcctl reload tor

In the **/var/tor/ssh_service** directory, two files are created. What

we want is the content of the file **hostname** which contains the

hostname to reach our hidden service.

$ doas cat /var/tor/ssh_service/hostname

piosdnzecmbijclc.onion

Now, we can use the following command to connect to the hidden service

from anywhere.

$ torsocks ssh piosdnzecmbijclc.onion

In Tor network, this feature doesn't use an exit node. Hidden services

can be used for various services like http, imap, ssh, gopher etc...

Using hidden service isn't illegal nor it makes the computer to relay

tor network, as previously, just check if you can use Tor on your

network.

Note: it is possible to have a version 3 .onion address which will

prevent hostname collapsing, but this produce very long

hostnames. This can be done like in the following example:

HiddenServiceDir /var/tor/ssh_service

HiddenServicePort 22 127.0.0.1:22

HiddenServiceVersion 3

This will produce a really long hostname like

tgoyfyp023zikceql5njds65ryzvwei5xvzyeubu2i6am5r5uzxfscad.onion

If you want to have the short and long hostnames, you need to specify

twice the hidden service, with differents folders.

Take care, if you run a ssh service on your website and using this

same ssh daemon on the hidden service, the host keys will be the same,

implying that someone could theoricaly associate both and know that

**this** public IP runs **this** hidden service, breaking anonymity.