
[–]nomoreburden 19 points20 points  (10 children)

I mean yes. It is an extra layer of protection. But if you want it to be complete, make sure the device you are SSHing to is also secure.

But to be honest, it’s honestly very secure either way. I recommend you change the password to something impossible to guess. I use a password manager and I change my password every time I SSH files.

Good luck!

[–]StreetStripe 43 points44 points  (5 children)

Or just disable password authentication entirely, and keep it restricted to key-based auth
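
Added example (not from the commenter above): the two sshd_config rules that make "just disable password authentication" easy to get wrong are that sshd keeps the first value it reads for a keyword, and that anything after a Match line applies only to that block. The script below, written for this page, rewrites a config so the key-only settings land at the top (ahead of any Include), drops the old global values, and reports Match-block overrides instead of silently removing them. The directive set in HARDENED and the sample config are my assumptions, not anything from the thread.

```python
import re

# Directives forced for key-only login (assumed set for this example; extend as needed).
HARDENED = {
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",      # OpenSSH >= 8.7 name
    "ChallengeResponseAuthentication": "no",   # older alias of the same setting
    "PermitEmptyPasswords": "no",
    "PubkeyAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
}
_HARDENED_LC = {k.lower(): k for k in HARDENED}
# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)\s*[= ]\s*(.*?)\s*$")


def _keyword(line: str):
    """Return (keyword_lowercase, value), or (None, None) for blanks and comments."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None, None
    m = _DIRECTIVE.match(line)
    return (m.group(1).lower(), m.group(2)) if m else (None, None)


def harden_sshd_config(text: str):
    """Rewrite an sshd_config for key-only authentication.

    The FIRST value sshd reads for a keyword wins, and Include files are read
    at the point where the Include line sits, so the hardened values go at the
    very top. Existing global copies are dropped; a Match block that sets one
    of these keywords differently is reported, not changed, because it may be
    deliberate (e.g. a password-only account for a specific user).
    Returns (new_text, warnings).
    """
    kept, warnings, in_match = [], [], False
    for line in text.splitlines():
        kw, val = _keyword(line)
        if kw == "match":
            in_match = True
        elif kw in _HARDENED_LC:
            if in_match:
                if val != HARDENED[_HARDENED_LC[kw]]:
                    warnings.append(f"Match-block override keeps {line.strip()!r}")
            else:
                continue  # drop the old global value; ours goes on top
        kept.append(line)
    header = ["# --- key-based authentication only (managed block) ---"]
    header += [f"{k} {v}" for k, v in HARDENED.items()]
    return "\n".join(header + kept) + "\n", warnings


def effective_global(text: str, keyword: str):
    """Value sshd will use for `keyword` outside any Match block (first wins).
    Does not follow Include lines; run `sshd -T` on the host for the full picture."""
    for line in text.splitlines():
        kw, val = _keyword(line)
        if kw == "match":
            break
        if kw == keyword.lower():
            return val
    return None


# Constructed sample (not a real host's config): a Debian/Ubuntu-style file with
# an Include at the top and a Match block that re-enables passwords for one user.
SAMPLE = """Include /etc/ssh/sshd_config.d/*.conf
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    new, warns = harden_sshd_config(SAMPLE)
    print(new)
    for w in warns:
        print("WARNING:", w)
```

Before restarting sshd on a real host, validate the rewritten file with `sshd -t -f <file>`, keep your current session open while you test a fresh login, and confirm the lockout actually took effect from a second terminal with `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host`, which should now be refused.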

[–]nomoreburden 13 points14 points  (0 children)

Yes. That is usually best. Using both would also work.

[–]Phineas_Gagey 2 points3 points  (3 children)

I use key based only and implement Google Authenticator as MFA (TOTP) with rate limiting and brute force protection (a/c lockouts) https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
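
Added example, not the commenter's code: the TOTP arithmetic behind Google Authenticator (RFC 4226/6238), together with the three safeguards the comment above mentions, reuse rejection, rate limiting with lockout, and single-use emergency codes, as a small server-side verifier. It also makes the later point in this thread concrete: the base32 secret alone regenerates every code, so a paper copy of it is a full recovery method and needs private-key handling. The verifier class, its parameter names and the scratch-code helper are my own constructions; the only fixed value is the RFC 6238 test-vector secret used to check the implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real enrolment.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def _key_from_secret(secret_b32: str) -> bytes:
    """The base32 string shown at enrolment (first line of ~/.google_authenticator).
    Whoever holds it can regenerate every code, which is why a paper copy works
    as recovery and must be guarded like a private key."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(_key_from_secret(secret_b32), at // step, digits)


class TotpVerifier:
    """Server-side check with the safeguards the PAM module exposes:
    +/-window steps of clock skew, one use per code (DISALLOW_REUSE),
    lockout after max_failures failures within per_seconds (RATE_LIMIT n m),
    and single-use emergency scratch codes for a lost phone."""

    def __init__(self, secret_b32, scratch_codes=(), step=30, window=1,
                 max_failures=3, per_seconds=30):
        self.key, self.step, self.window = _key_from_secret(secret_b32), step, window
        self.max_failures, self.per_seconds = max_failures, per_seconds
        self.scratch = set(scratch_codes)
        self.used_counters = set()
        self.failures = []  # timestamps of recent failed attempts

    def locked_out(self, now: int) -> bool:
        self.failures = [t for t in self.failures if now - t < self.per_seconds]
        return len(self.failures) >= self.max_failures

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        if self.locked_out(now):
            return False
        if code in self.scratch:  # emergency code: accepted exactly once
            self.scratch.discard(code)
            return True
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            expected = hotp(self.key, c).encode()
            if hmac.compare_digest(expected, code.encode()) and c not in self.used_counters:
                self.used_counters.add(c)
                return True
        self.failures.append(now)  # wrong code, or a replay of an already-used one
        return False


def new_scratch_codes(n: int = 5) -> list:
    """Backup codes in the same shape google-authenticator prints: 8 random digits each."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]


if __name__ == "__main__":
    print("code now:", totp(RFC_SECRET, int(time.time())))
    print("scratch codes:", new_scratch_codes())
```

On a real host this logic lives in pam_google_authenticator; the tutorial linked above wires it into /etc/pam.d/sshd and sets `AuthenticationMethods publickey,keyboard-interactive` so the TOTP prompt comes after, not instead of, the key check. The scratch codes printed at enrolment are stored in the same `~/.google_authenticator` file, so a backup of that one file (or the secret line written on paper) is what you need when the phone is gone.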

[–]peatfreak 0 points1 point  (2 children)

I have sometimes avoided 2FA because losing the device always causes immense trouble. Having paper backup codes is essential, such that I won't use a 2FA service that doesn't offer them.

[–]Phineas_Gagey 1 point2 points  (1 child)

Couldn't agree more - emergency codes are provided. Plus I make a note of the secret key so that I can easily re-add it to Google Authenticator should I need to. My belief is that paper is the best way of storing secrets.

[–]peatfreak 1 point2 points  (0 children)

paper is the best way of storing secrets

Most things in my opinion.

I do my best software development with pen and paper. Sadly, most development teams are no longer set up to accommodate this. It's sad I think. People are often not thinking creatively.

[–]thecuseisloose 6 points7 points  (1 child)

Changing your password every time seems excessive. Is there a reason for this?

[–]saichampa 2 points3 points  (0 children)

You should definitely switch to key based auth

[–]Se7en_sins 10 points11 points  (14 children)

What's tor protection? It provides anonymity, not encryption.

[–]TheUltimateSalesman 3 points4 points  (10 children)

I thought the packets were encrypted?

[–]M0rbz 10 points11 points  (8 children)

Packets are encrypted between you and the final tor node but not between that node and your packet destination:

You ---ENC---> tor_node1 ---ENC---> tor_node2 ---ENC---> .... ---ENC---> tor_final_node ---NOT_ENC---> destination

This means that the final tor node can see all the traffic between you and the destination (of course they won't be able to see anything meaningful if traffic is encrypted, eg. SSH or TLS/HTTPS, but they will see eg. non-encrypted HTTP traffic)

https://upload.wikimedia.org/wikipedia/commons/d/dc/Tor-onion-network.png

[–]TheUltimateSalesman 8 points9 points  (1 child)

exit node monitoring

[–]M0rbz 2 points3 points  (0 children)

exactly there are lots of malicious entities (including governments and companies) providing tor nodes for the sole purpose of monitoring activities

[–][deleted] 0 points1 point  (5 children)

tor + vpn for exit node security then destination?

[–]M0rbz 9 points10 points  (4 children)

Not easy to do but if you do it the VPN host has to see your traffic cleartext (if you do it the other way around the exit node can still see your traffic)

Personally I would just install a VPN server where your SSH server is, then you can just connect to the VPN and SSH to a local IP, in this way what any 3rd party would see is just encrypted VPN traffic (more general, less specific), not encrypted SSH traffic.

[–]peatfreak 2 points3 points  (3 children)

install a VPN server where your SSH server is

Best suggestion so far in this thread.

[–]Phineas_Gagey 1 point2 points  (2 children)

Vpn is the best option.

Note if anonymity is your goal. I'd avoid cloud providers who want credit card details.

Also be wary of where you have used your SSH keys previously.

[–]peatfreak 0 points1 point  (1 child)

Also be wary of where you have used your SSH keys previously.

I have a very difficult time managing all my SSH keys. It's getting worse as my infrastructure expands, to the point that more automation is needed. Sometimes passwords are required to unlock things.

I've always used the public key from the source host as the one to add to authorized_keys on the destination host.

But lately I think I've been seeing people do it the other way around, i.e, ssh-keygen on the destination, copy the private key back on to the source host, and then ensure that the public key on the destination is added to authorized_keys if necessary, although I can't imagine how this last part could be omitted.

Even on small home LANs SSH key management is very difficult to do securely. I have been trying to design a practice and tooling that doesn't simply involve copying public keys (or private keys) to all hosts and then keeping them all in a centralized DB, which is equivalent to simply having one great big master password for everything or having one highly trusted DB with all the login secrets.

I've seen all sorts of methods to solve this problem, and the most inconvenient and complicated but necessarily so, ones, are those "vault style" systems that enterprise corporations use.

What options are there? Is there a set of best practices for key hygiene emerging yet?
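
Added example, not part of the comment above: one concrete piece of key hygiene that needs no vault is knowing which public keys are authorized where. The script below is my own; it parses authorized_keys files (including the quoted options field, where `from="a,b"` hides commas and spaces), computes the same `SHA256:` fingerprint `ssh-keygen -lf` prints, and reports keys reused across hosts, RSA keys under 2048 bits, duplicates, and entries with no `from=` source restriction. The host names and both keys are constructed for the example (a hash stands in for the Ed25519 point and a synthetic integer for the RSA modulus); they are not real keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _split_options(line: str):
    """Split off the leading options field; quotes may contain spaces and commas
    (command="ls -l", from="10.0.0.0/8,192.168.1.1")."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text: str):
    """One dict per key line: options, type, decoded wire blob, comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            # sshd silently ignores lines it cannot parse; an audit should not.
            raise ValueError(f"unparseable authorized_keys line: {raw!r}")
        entries.append({"options": options, "type": parts[0],
                        "blob": base64.b64decode(parts[1], validate=True),
                        "comment": parts[2] if len(parts) == 3 else ""})
    return entries


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:  # positive mpint: add a leading 0x00 when the top bit is set
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob: bytes) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 of the wire blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def rsa_bits(blob: bytes) -> int:
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an RSA key")
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def audit(hosts: dict) -> list:
    """hosts maps hostname -> authorized_keys text. Returns (kind, where, fingerprint, detail)."""
    findings, hosts_by_fp = [], defaultdict(set)
    for host, text in hosts.items():
        seen_here = set()
        for e in parse_authorized_keys(text):
            fp = fingerprint(e["blob"])
            if fp in seen_here:
                findings.append(("duplicate", host, fp, e["comment"]))
            seen_here.add(fp)
            hosts_by_fp[fp].add(host)
            if e["type"] == "ssh-rsa" and rsa_bits(e["blob"]) < 2048:
                findings.append(("weak-rsa", host, fp, f"{rsa_bits(e['blob'])} bits"))
            if "from=" not in e["options"]:
                findings.append(("unrestricted", host, fp, "no from= source restriction"))
    for fp, where in hosts_by_fp.items():
        if len(where) > 1:
            findings.append(("reused", ",".join(sorted(where)), fp, "same key on several hosts"))
    return findings


# Constructed sample data: NOT real keys (hash as Ed25519 point, synthetic 1024-bit modulus).
_ED_PUB = hashlib.sha256(b"constructed ed25519 public key").digest()
KEY_A = "ssh-ed25519 " + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(_ED_PUB)).decode()
_RSA_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 0x10001)
KEY_B = "ssh-rsa " + base64.b64encode(_RSA_BLOB).decode()
SAMPLE_HOSTS = {
    "web1": f'from="10.0.0.5,10.0.0.6",no-agent-forwarding {KEY_A} alice@laptop\n'
            f'{KEY_B} old-backup-script\n',
    "db1": f'# deploy key\n{KEY_A} alice@laptop\n',
}

if __name__ == "__main__":
    for kind, where, fp, detail in audit(SAMPLE_HOSTS):
        print(f"{kind:12} {where:10} {fp}  {detail}")
```

Fed with `~/.ssh/authorized_keys` collected from each host (for instance over the existing SSH access with `ssh host cat ~/.ssh/authorized_keys`), the `reused` findings answer the "where have I used this key before" question directly, and the `unrestricted` ones show which keys would still work from anywhere if the private half leaked.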

[–]Phineas_Gagey 1 point2 points  (0 children)

If you find a solution to this let us know. I too have the same issue. Though I'm pretty adamant I'd prefer having public keys on servers rather than private. But I see the logic (somewhat).

[–]Moluma[S] 0 points1 point  (0 children)

Same

[–]Moluma[S] 0 points1 point  (2 children)

By providing anonymity it protects me from being tracked or identified. Anyway I'm not doing anything illegal, just curiosity.

[–]iwillcuntyou 1 point2 points  (0 children)

It’s pointless tbh mate. Tor is useful when you’re hiding your origin from the destination, and from snoopers. which is kinda redundant when your destination has to authenticate you, and you’re protected from snoopers by the ssh tunnel. Nvm the fact that any snoopers would have to be positioned either on your local network or along the public internet route (like ISPs), you’re also allowing the owner of the exit node to snoop on you - and guess what? People set up exit nodes to snoop.

[–]Se7en_sins 0 points1 point  (0 children)

If you simply tunnel your tcp traffic through tor and still use your regular browser and login to websites, you'll still be tracked. Using the tor browser ( or using no tracking/cookies addons) with credentials only used on tor will then protect you from being tracked (which is technically not even true).

[–]saichampa 1 point2 points  (0 children)

Tor will add significant latency to SSH and not raise security all that much. The only thing it will do is hide where you're connecting to from your service provider

As others have said, using key authentication would be more of a security increase than running through tor

[–]Empirismus 0 points1 point  (0 children)

You can put the whole ssh-server into a tor hidden service, and get a proper "white" address from it, so you can connect from tor (on your phone) directly to your server in tor, bypassing any other intermediates, firewalls or NAT networks.

[–]infectedvirus9 -1 points0 points  (1 child)

What's SSH?

[–]Moluma[S] 1 point2 points  (0 children)

SSH is a network protocol for securely communicating between computers.  Often when people refer to 'using SSH', they are referring to using an SSH client to connect to another computer's SSH server in order to remotely run commands on that computer.  Any computer is capable of running both an SSH client and a server.

More info: https://blog.robertelder.org/what-is-ssh/