ssh access via onion domain

doc/EN/usage.org

@@ -16,14 +16,15 @@
 </center>
 #+END_HTML
 
-| [[Readme]]                 |
-| [[Improving ssh security]] |
-| [[./usage_email.html][Using Email]]            |
-| [[Syncing to the Cloud]]   |
-| [[Play Music]]             |
-| [[Microblogging]]          |
-| [[Social Network]]         |
-| [[Chat Services]]          |
+| [[Readme]]                                              |
+| [[Improving ssh security]]                              |
+| [[Administrating the system via an onion address (Tor)]] |
+| [[./usage_email.html][Using Email]]                                         |
+| [[Syncing to the Cloud]]                                |
+| [[Play Music]]                                          |
+| [[Microblogging]]                                       |
+| [[Social Network]]                                      |
+| [[Chat Services]]                                       |
 
 * Readme
 After the system has installed a README file will be generated which contains passwords and some brief advice on using the installed systems. You can read this with the following commands:
@@ -66,6 +67,24 @@ There are advantages and disadvantages to using ssh keys for logins. The advanta
 
 If you wish to only use ssh keys then log in to the Freedombone, become the root user and open the control panel with the 'control' command. Select /Security Settings/ then keep hitting enter until you reach the question about allowing password logins. Select "no" for that, then apply the settings. Any subsequent attempts to log in via a password will then be denied.
 
+* Administrating the system via an onion address (Tor)
+You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:
+
+#+BEGIN_SRC bash
+ssh username@freedombone.local -p 2222
+sudo control
+#+END_SRC
+
+Then select "About this system" and look for the onion address for ssh. You can then close the terminal and open another, then do the following:
+
+#+BEGIN_SRC bash
+sudo apt-get install tor connect-proxy
+echo 'Host *.onion' >> ~/.ssh/config
+echo 'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p' >> ~/.ssh/config
+ssh username@address.onion -p 2222
+#+END_SRC
+
+Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.
 * Syncing to the Cloud
 ** Initial install
 Within a browser go to your owncloud domain, then create an administrator account. The username and password can be anything, and ideally should be generated from a password manager.

website/EN/usage.html

@@ -3,15 +3,15 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<title></title>
-<!-- 2016-01-07 Thu 19:25 -->
+<!-- 2016-01-08 Fri 14:08 -->
 <meta  http-equiv="Content-Type" content="text/html;charset=utf-8" />
+<meta  name="viewport" content="width=device-width, initial-scale=1" />
+<title></title>
 <meta  name="generator" content="Org-mode" />
 <meta  name="author" content="Bob Mottram" />
 <meta  name="description" content="Turn the Beaglebone Black into a personal communications server"
  />
 <meta  name="keywords" content="freedombox, debian, beaglebone, hubzilla, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber" />
-<meta  name="viewport" content="width=device-width, initial-scale=1" />
 <style type="text/css">
  <!--/*--><![CDATA[/*><!--*/
   .title  { text-align: center;
@@ -179,27 +179,31 @@ for the JavaScript code in this tag.
 </tr>
 
 <tr>
+<td class="org-left"><a href="#orgheadline3">Administrating the system via an onion address (Tor)</a></td>
+</tr>
+
+<tr>
 <td class="org-left"><a href="./usage_email.html">Using Email</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgheadline3">Syncing to the Cloud</a></td>
+<td class="org-left"><a href="#orgheadline4">Syncing to the Cloud</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgheadline4">Play Music</a></td>
+<td class="org-left"><a href="#orgheadline5">Play Music</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgheadline5">Microblogging</a></td>
+<td class="org-left"><a href="#orgheadline6">Microblogging</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgheadline6">Social Network</a></td>
+<td class="org-left"><a href="#orgheadline7">Social Network</a></td>
 </tr>
 
 <tr>
-<td class="org-left"><a href="#orgheadline7">Chat Services</a></td>
+<td class="org-left"><a href="#orgheadline8">Chat Services</a></td>
 </tr>
 </tbody>
 </table>
@@ -284,11 +288,43 @@ If you wish to only use ssh keys then log in to the Freedombone, become the root
 </div>
 
 <div id="outline-container-orgheadline3" class="outline-2">
-<h2 id="orgheadline3">Syncing to the Cloud</h2>
+<h2 id="orgheadline3">Administrating the system via an onion address (Tor)</h2>
 <div class="outline-text-2" id="text-orgheadline3">
-</div><div id="outline-container-orgheadline8" class="outline-3">
-<h3 id="orgheadline8">Initial install</h3>
-<div class="outline-text-3" id="text-orgheadline8">
+<p>
+You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">ssh username@freedombone.local -p 2222
+sudo control
+</pre>
+</div>
+
+<p>
+Then select "About this system" and look for the onion address for ssh. You can then close the terminal and open another, then do the following:
+</p>
+
+<div class="org-src-container">
+
+<pre class="src src-bash">sudo apt-get install tor connect-proxy
+<span class="org-builtin">echo</span> <span class="org-string">'Host *.onion'</span> &gt;&gt; ~/.ssh/config
+<span class="org-builtin">echo</span> <span class="org-string">'ProxyCommand connect -R remote -5 -S 127.0.0.1:9050 %h %p'</span> &gt;&gt; ~/.ssh/config
+ssh username@address.onion -p 2222
+</pre>
+</div>
+
+<p>
+Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.
+</p>
+</div>
+</div>
+<div id="outline-container-orgheadline4" class="outline-2">
+<h2 id="orgheadline4">Syncing to the Cloud</h2>
+<div class="outline-text-2" id="text-orgheadline4">
+</div><div id="outline-container-orgheadline9" class="outline-3">
+<h3 id="orgheadline9">Initial install</h3>
+<div class="outline-text-3" id="text-orgheadline9">
 <p>
 Within a browser go to your owncloud domain, then create an administrator account. The username and password can be anything, and ideally should be generated from a password manager.
 </p>
@@ -332,9 +368,9 @@ Log out from the administrator account and then log back in as the user you just
 </p>
 </div>
 </div>
-<div id="outline-container-orgheadline9" class="outline-3">
-<h3 id="orgheadline9">On Android</h3>
-<div class="outline-text-3" id="text-orgheadline9">
+<div id="outline-container-orgheadline10" class="outline-3">
+<h3 id="orgheadline10">On Android</h3>
+<div class="outline-text-3" id="text-orgheadline10">
 <p>
 Within F-droid search for <b>owncloud</b> and install the client. Also install <b>CalDAV Sync Adapter</b>.
 </p>
@@ -358,9 +394,9 @@ You will also be prompted to enter login details. Your Android and Owncloud cale
 </p>
 </div>
 </div>
-<div id="outline-container-orgheadline10" class="outline-3">
-<h3 id="orgheadline10">On Linux</h3>
-<div class="outline-text-3" id="text-orgheadline10">
+<div id="outline-container-orgheadline11" class="outline-3">
+<h3 id="orgheadline11">On Linux</h3>
+<div class="outline-text-3" id="text-orgheadline11">
 <p>
 Open your software center and search for "owncloud client". Enter your owncloud domain name (with the https prefix) and login details.
 </p>
@@ -371,12 +407,12 @@ You can now drag files into the <b>~/owncloud</b> directory and they will automa
 </div>
 </div>
 </div>
-<div id="outline-container-orgheadline4" class="outline-2">
-<h2 id="orgheadline4">Play Music</h2>
-<div class="outline-text-2" id="text-orgheadline4">
-</div><div id="outline-container-orgheadline11" class="outline-3">
-<h3 id="orgheadline11">With the DLNA service</h3>
-<div class="outline-text-3" id="text-orgheadline11">
+<div id="outline-container-orgheadline5" class="outline-2">
+<h2 id="orgheadline5">Play Music</h2>
+<div class="outline-text-2" id="text-orgheadline5">
+</div><div id="outline-container-orgheadline12" class="outline-3">
+<h3 id="orgheadline12">With the DLNA service</h3>
+<div class="outline-text-3" id="text-orgheadline12">
 <p>
 An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "<i>Music</i>" on a USB thumb drive and then insert it into from socket on the Beaglebone.
 </p>
@@ -416,9 +452,9 @@ The DLNA service will only work within your local home network, and isn't remote
 </div>
 </div>
 
-<div id="outline-container-orgheadline12" class="outline-3">
-<h3 id="orgheadline12">With Owncloud</h3>
-<div class="outline-text-3" id="text-orgheadline12">
+<div id="outline-container-orgheadline13" class="outline-3">
+<h3 id="orgheadline13">With Owncloud</h3>
+<div class="outline-text-3" id="text-orgheadline13">
 <p>
 The main advantage of playing music via Owncloud is that you can do that from anywhere - not only within your home network.
 </p>
@@ -430,12 +466,12 @@ By default a music player is installed into Owncloud, so all you need to do is t
 </div>
 </div>
 
-<div id="outline-container-orgheadline5" class="outline-2">
-<h2 id="orgheadline5">Microblogging</h2>
-<div class="outline-text-2" id="text-orgheadline5">
-</div><div id="outline-container-orgheadline13" class="outline-3">
-<h3 id="orgheadline13">Initial configuration</h3>
-<div class="outline-text-3" id="text-orgheadline13">
+<div id="outline-container-orgheadline6" class="outline-2">
+<h2 id="orgheadline6">Microblogging</h2>
+<div class="outline-text-2" id="text-orgheadline6">
+</div><div id="outline-container-orgheadline14" class="outline-3">
+<h3 id="orgheadline14">Initial configuration</h3>
+<div class="outline-text-3" id="text-orgheadline14">
 <p>
 To set up your microblog go to:
 </p>
@@ -543,20 +579,20 @@ When the install is complete you will see a lot of warnings but just ignore thos
 </div>
 </div>
 </div>
-<div id="outline-container-orgheadline6" class="outline-2">
-<h2 id="orgheadline6">Social Network</h2>
-<div class="outline-text-2" id="text-orgheadline6">
-</div><div id="outline-container-orgheadline14" class="outline-3">
-<h3 id="orgheadline14">Domains</h3>
-<div class="outline-text-3" id="text-orgheadline14">
+<div id="outline-container-orgheadline7" class="outline-2">
+<h2 id="orgheadline7">Social Network</h2>
+<div class="outline-text-2" id="text-orgheadline7">
+</div><div id="outline-container-orgheadline15" class="outline-3">
+<h3 id="orgheadline15">Domains</h3>
+<div class="outline-text-3" id="text-orgheadline15">
 <p>
 Both Hubzilla and GNU Social try to obtain certificates automatically at the time of installation via Let's Encrypt. This will likely mean that in order for this to work you'll need to have obtained at least one "official" domain via a domain selling service, since Let's Encrypt mostly doesn't seem to work with free subdomains from sites such as freeDNS.
 </p>
 </div>
 </div>
-<div id="outline-container-orgheadline15" class="outline-3">
-<h3 id="orgheadline15">Initial install</h3>
-<div class="outline-text-3" id="text-orgheadline15">
+<div id="outline-container-orgheadline16" class="outline-3">
+<h3 id="orgheadline16">Initial install</h3>
+<div class="outline-text-3" id="text-orgheadline16">
 <p>
 Visit the URL of your Hubzilla site and you should be taken through the rest of the installation procedure.  Note that this may take a few minutes so don't be concerned if it looks as if it has crashed - just leave it running.
 </p>
@@ -567,19 +603,19 @@ When installation is complete you can register a new user.
 </div>
 </div>
 </div>
-<div id="outline-container-orgheadline7" class="outline-2">
-<h2 id="orgheadline7">Chat Services</h2>
-<div class="outline-text-2" id="text-orgheadline7">
-</div><div id="outline-container-orgheadline16" class="outline-3">
-<h3 id="orgheadline16">IRC</h3>
-<div class="outline-text-3" id="text-orgheadline16">
+<div id="outline-container-orgheadline8" class="outline-2">
+<h2 id="orgheadline8">Chat Services</h2>
+<div class="outline-text-2" id="text-orgheadline8">
+</div><div id="outline-container-orgheadline17" class="outline-3">
+<h3 id="orgheadline17">IRC</h3>
+<div class="outline-text-3" id="text-orgheadline17">
 <p>
 IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising.
 </p>
 </div>
-<div id="outline-container-orgheadline17" class="outline-4">
-<h4 id="orgheadline17">Irssi</h4>
-<div class="outline-text-4" id="text-orgheadline17">
+<div id="outline-container-orgheadline18" class="outline-4">
+<h4 id="orgheadline18">Irssi</h4>
+<div class="outline-text-4" id="text-orgheadline18">
 <p>
 If you are using the <a href="http://www.irssi.org/">irssi</a> IRC client then you can use the following commands to connect to your IRC server.
 </p>
@@ -593,9 +629,9 @@ If you are using the <a href="http://www.irssi.org/">irssi</a> IRC client then y
 </div>
 </div>
 </div>
-<div id="outline-container-orgheadline18" class="outline-4">
-<h4 id="orgheadline18">XChat</h4>
-<div class="outline-text-4" id="text-orgheadline18">
+<div id="outline-container-orgheadline19" class="outline-4">
+<h4 id="orgheadline19">XChat</h4>
+<div class="outline-text-4" id="text-orgheadline19">
 <p>
 If you are using the XChat client:
 </p>
@@ -631,12 +667,12 @@ Click <b>close</b> and then <b>connect</b>.
 </div>
 </div>
 
-<div id="outline-container-orgheadline24" class="outline-3">
-<h3 id="orgheadline24">XMPP/Jabber</h3>
-<div class="outline-text-3" id="text-orgheadline24">
-</div><div id="outline-container-orgheadline19" class="outline-4">
-<h4 id="orgheadline19">Managing users</h4>
-<div class="outline-text-4" id="text-orgheadline19">
+<div id="outline-container-orgheadline25" class="outline-3">
+<h3 id="orgheadline25">XMPP/Jabber</h3>
+<div class="outline-text-3" id="text-orgheadline25">
+</div><div id="outline-container-orgheadline20" class="outline-4">
+<h4 id="orgheadline20">Managing users</h4>
+<div class="outline-text-4" id="text-orgheadline20">
 <p>
 To add a user:
 </p>
@@ -695,9 +731,9 @@ prosodyctl status
 </div>
 </div>
 
-<div id="outline-container-orgheadline20" class="outline-4">
-<h4 id="orgheadline20">Using with Jitsi</h4>
-<div class="outline-text-4" id="text-orgheadline20">
+<div id="outline-container-orgheadline21" class="outline-4">
+<h4 id="orgheadline21">Using with Jitsi</h4>
+<div class="outline-text-4" id="text-orgheadline21">
 <p>
 Jitsi is the recommended communications client for desktop or laptop systems, since it includes the <i>off the record</i> (OTR) feature which provides some additional security beyond the usual SSL certificates.
 </p>
@@ -727,9 +763,9 @@ You can also <a href="https://www.youtube.com/watch?v=vgx7VSrDGjk">see this vide
 </p>
 </div>
 </div>
-<div id="outline-container-orgheadline21" class="outline-4">
-<h4 id="orgheadline21">Using with Ubuntu</h4>
-<div class="outline-text-4" id="text-orgheadline21">
+<div id="outline-container-orgheadline22" class="outline-4">
+<h4 id="orgheadline22">Using with Ubuntu</h4>
+<div class="outline-text-4" id="text-orgheadline22">
 <p>
 The default XMPP client in Ubuntu is Empathy.  Using Empathy isn't as secure as using Jitsi, since it doesn't include the <i>off the record</i> feature, but since it's the default it's what many users will have easy access to.
 </p>
@@ -747,17 +783,17 @@ Click on <b>Advanced</b> and make sure that <b>Encryption required</b> and <b>Ig
 </p>
 </div>
 </div>
-<div id="outline-container-orgheadline22" class="outline-4">
-<h4 id="orgheadline22">Using Tor Messenger</h4>
-<div class="outline-text-4" id="text-orgheadline22">
+<div id="outline-container-orgheadline23" class="outline-4">
+<h4 id="orgheadline23">Using Tor Messenger</h4>
+<div class="outline-text-4" id="text-orgheadline23">
 <p>
 Tor Messenger is a messaging client which supports XMPP, and its onion routing enables you to protect the metadata of chat interactions to some extent by making it difficult for an adversary to know which server is talking to which. You can download Tor Messenger from <a href="https://torproject.org/">torproject.org</a> and the setup is pretty simple.
 </p>
 </div>
 </div>
-<div id="outline-container-orgheadline23" class="outline-4">
-<h4 id="orgheadline23">Using with Android</h4>
-<div class="outline-text-4" id="text-orgheadline23">
+<div id="outline-container-orgheadline24" class="outline-4">
+<h4 id="orgheadline24">Using with Android</h4>
+<div class="outline-text-4" id="text-orgheadline24">
 <p>
 Install <a href="https://f-droid.org/">F-Droid</a>
 </p>
@@ -784,16 +820,16 @@ Go back to the initial screen and then using the menu you can add contacts and b
 </div>
 </div>
 </div>
-<div id="outline-container-orgheadline25" class="outline-3">
-<h3 id="orgheadline25">Tox</h3>
-<div class="outline-text-3" id="text-orgheadline25">
+<div id="outline-container-orgheadline26" class="outline-3">
+<h3 id="orgheadline26">Tox</h3>
+<div class="outline-text-3" id="text-orgheadline26">
 <p>
 Tox is an encrypted peer-to-peer messaging system and so should work without Freedombone. It uses a system of nodes which act as a sort of directory service allowing users to find and connect to each other. The Tox node ID on the Freedombone can be found within the README within your home directory. If you have other users connect to your node then you will be able to continue chatting even when no other nodes are available.
 </p>
 </div>
-<div id="outline-container-orgheadline26" class="outline-4">
-<h4 id="orgheadline26">Using the Toxic client</h4>
-<div class="outline-text-4" id="text-orgheadline26">
+<div id="outline-container-orgheadline27" class="outline-4">
+<h4 id="orgheadline27">Using the Toxic client</h4>
+<div class="outline-text-4" id="text-orgheadline27">
 <p>
 To connect to your node use the command:
 </p>
@@ -806,12 +842,12 @@ To connect to your node use the command:
 </div>
 </div>
 </div>
-<div id="outline-container-orgheadline29" class="outline-3">
-<h3 id="orgheadline29">VoIP (Voice chat)</h3>
-<div class="outline-text-3" id="text-orgheadline29">
-</div><div id="outline-container-orgheadline27" class="outline-4">
-<h4 id="orgheadline27">Using with Ubuntu</h4>
-<div class="outline-text-4" id="text-orgheadline27">
+<div id="outline-container-orgheadline30" class="outline-3">
+<h3 id="orgheadline30">VoIP (Voice chat)</h3>
+<div class="outline-text-3" id="text-orgheadline30">
+</div><div id="outline-container-orgheadline28" class="outline-4">
+<h4 id="orgheadline28">Using with Ubuntu</h4>
+<div class="outline-text-4" id="text-orgheadline28">
 <p>
 Within the software center search for "mumble" and install the client then run it. Skip through the audio setup wizard.
 </p>
@@ -825,9 +861,9 @@ Click on "add new" to add a new server and enter the default domain name for the
 </p>
 </div>
 </div>
-<div id="outline-container-orgheadline28" class="outline-4">
-<h4 id="orgheadline28">Using with Android</h4>
-<div class="outline-text-4" id="text-orgheadline28">
+<div id="outline-container-orgheadline29" class="outline-4">
+<h4 id="orgheadline29">Using with Android</h4>
+<div class="outline-text-4" id="text-orgheadline29">
 <p>
 Install <a href="https://f-droid.org/">F-Droid</a>
 </p>
@@ -854,9 +890,9 @@ Selecting the server by pressing on it then connects you to the server so that y
 </div>
 </div>
 </div>
-<div id="outline-container-orgheadline30" class="outline-3">
-<h3 id="orgheadline30">SIP phones</h3>
-<div class="outline-text-3" id="text-orgheadline30">
+<div id="outline-container-orgheadline31" class="outline-3">
+<h3 id="orgheadline31">SIP phones</h3>
+<div class="outline-text-3" id="text-orgheadline31">
 <p>
 Freedombone also supports SIP phones The username and domain is the same as for your email address, and the SIP password and extension number will appear within the README file in your home directory. Various SIP client options are available, such as CSipSimple on Android and Jitsi on desktop or laptop machines. Ideally use clients which support ZRTP, which will provide the best level of security.
 </p>