
ssh.chat: Deploy Tor hidden service endpoint #375

Open
nya-furball opened this issue Mar 7, 2021 · 12 comments
Comments

@nya-furball

Is there any interest in offering ssh.chat as both a clearnet server and hidden service? If there is, I am willing to help out with setting up stuff!

@shazow
Owner

shazow commented Mar 7, 2021

Not a bad idea, I'm happy to host it on the same instance. Do you have a fav guide?

Biggest downside is latency is probably gonna be gross.

@nya-furball
Author

nya-furball commented Mar 7, 2021

If you don't need advanced features like vanguard, it's relatively easy. Just skip step 1 of this guide: https://community.torproject.org/onion-services/setup/
IGNORE BELOW! TYPO!
When you are in step 2, change the line "HiddenServicePort 80 127.0.0.1:80" to " HiddenServicePort 2 127.0.0.1:22" and change the name of your directory on the line "HiddenServiceDir /var/lib/tor/my_website/"

@nya-furball
Author

You should be able to start the onion service without shutting down the ssh-chat service. This should preserve chat logs and uptime.

@shazow shazow changed the title Adding Tor functionality to ssh.chat? ssh.chat: Deploy Tor hidden service endpoint Mar 7, 2021
@shazow shazow added the Soon label Mar 7, 2021
@shazow
Owner

shazow commented Mar 7, 2021

Awesome, I'll add it to the TODO list.

Also IIRC there's a Go-native implementation of onion services somewhere, wonder if I could embed it as a native feature of ssh-chat easily, will look into it briefly.

@nya-furball
Author

IMHO: Not worth it. Adding additional code can compromise software security. Tor is easy to interface with existing services, so might as well use that.

@shazow
Owner

shazow commented Mar 7, 2021

It's more of a balancing act of how much maintenance things require for me, fewer moving pieces (i.e. keeping one binary up) is always easier than a Rube Goldberg machine of systemd services. But yes, I'll keep that in mind.

@nya-furball
Author

True. However, when you use the official package provided by the Tor Project, you get the backing of an organization that maintains the software, fixes vulns and does research on the latest threats to the Tor network. Feel free to do however you like though, as I don't know how your infrastructure is deployed.

@nya-furball
Author

shazow: I made a typo in my recommendation! Strike out the modified lines! Having two services listen on the same port will mess up your server!

@shazow
Owner

shazow commented Apr 5, 2021

@nya-furball Welcome back!

@nya-furball
Author

UwU

@camosoul

camosoul commented Mar 25, 2022

It's very easy to do...

ssh-chat --bind=:[port]
skip the ip so it listens to all

Add lines to /etc/tor/torrc

HiddenServiceDir /var/lib/tor/ssh-chat/
HiddenServicePort [port] 127.0.0.1:[port]

Then restart tor daemon and cat /var/lib/tor/ssh-chat/hostname

If you want to make it tor-only, make the --bind=127.0.0.1:[port]

...don't use port 22. That's for real ssh sessions. Plus, you can't reverse ssh tunnel below port 1001 without root... Pick a number above so you don't have to expose root.

...make sure client has torsocks installed.

If you use the same ssh key, you just gave away your identity, so...
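
A small script for the procedure camosoul outlines, added here as an example (not code from this issue or from the ssh-chat project): it rejects the port choices the comment warns about, emits the two torrc lines and the matching --bind flag, and wraps the restart-and-read-hostname step. The function names and the HS_DIR path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not ssh-chat's own code. Generates the torrc fragment and
# ssh-chat bind flag for exposing ssh-chat as an onion service.

HS_DIR=/var/lib/tor/ssh-chat/   # HiddenServiceDir used in the comment above

# Validate the chosen port: a plain number, not 22 (that belongs to the real
# sshd), and not a privileged port (<1024), so nothing needs to run as root.
check_port() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -eq 22 ] && { echo "port 22 is reserved for the real sshd" >&2; return 1; }
    [ "$port" -lt 1024 ] && { echo "port $port is privileged; pick >= 1024" >&2; return 1; }
    [ "$port" -le 65535 ] || { echo "port $port is out of range" >&2; return 1; }
    return 0
}

# Print the two torrc lines. Onion-side and local port are kept equal so
# clients simply connect to <onion address>:<port>.
torrc_fragment() {
    check_port "$1" || return 1
    printf 'HiddenServiceDir %s\nHiddenServicePort %s 127.0.0.1:%s\n' "$HS_DIR" "$1" "$1"
}

# Bind flag for ssh-chat: "tor" listens on loopback only (reachable through
# the onion address alone); "both" listens on every interface (clearnet + Tor).
bind_flag() {
    check_port "$1" || return 1
    case "$2" in
        tor)  printf '%s\n' "--bind=127.0.0.1:$1" ;;
        both) printf '%s\n' "--bind=:$1" ;;
        *)    echo "mode must be tor or both" >&2; return 1 ;;
    esac
}

# Deploy step: run as root on the host with tor installed (not exercised
# offline). Appends the fragment, checks the config parses, restarts tor and
# prints the .onion hostname to hand out.
deploy() {
    torrc_fragment "$1" >> /etc/tor/torrc || return 1
    tor --verify-config -f /etc/tor/torrc || return 1
    systemctl restart tor
    cat "${HS_DIR}hostname"
}
```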

@shazow
Owner

shazow commented Mar 25, 2022

@camosoul That's helpful, thanks. :) Just need to get around to it...
