TOR class to allow remote SSH access over deep networks #146

Commits on Mar 13, 2024

  1. TOR class to allow remote SSH access over deep networks

    This class configures an onion service to access the SSH server over
    Tor. This is useful when you have a box behind NAT or some firewall
    that is broken or unknown, and you need to get a rescue shell on the
    host.
    
    With this, you give an operator a thumb drive, who only needs to
    figure out how to boot into GRML, and then after a while you get a
    shell, pretty much regardless of where the box is.
    
    This is not enabled by default, naturally, otherwise the secret key
    would leak in default GRML builds: this is solely designed to be run
    in an ad-hoc, one-time fashion. It also generates the SSH keys for the
    same reason: those are shown in the build logs and can be used to
    authenticate the remote host (a redundant measure to the onion service
    name, of course).
    
    I also enable `DEFAULT_BOOT_OPTIONS=ssh` in my builds, but that hasn't
    been done here (although maybe it's possible to enable that in the
    class? to be investigated).
    
    Finally, another shim is required here to inject a valid SSH public
    key in the image, so you can log in over SSH. In my case, I have an
    extra CLASS that only has this one script which does:
    
        gpg --export-ssh-key [email protected] | tee -a $target/root/.ssh/authorized_keys
    
    This could also be folded in the TOR class, but I'm not sure how to do
    variables yet, so that's not yet standardized.
    anarcat committed Mar 13, 2024
    017064b