Markjenkinsparit: signed host keys by Mark Jenkins

2019-05-21T04:29:15Z

signed host keys by Mark Jenkins

Markjenkinsparit: start of article, lots of text

2019-05-21T03:14:29Z

start of article, lots of text

New page

whonix.skull.space provides a means to access a Skullspace hosted Whonix gateway over ssh.

To obtain an account, contact Mark Jenkins <mark@parit.ca> .

Both styles of TCP port tunneling through ssh are supported:
* SOCKS proxy (-D in openssh), which many applications can be configured to use
* local port forwarding (-L in openssh)

This service is hosted on [[vmsrv]] . Because an ip address is shared with vmsrv.skullspace.ca, you have to connect your ssh client to port 1887, not port 22. A openssh command line example:
$ ssh -D SOCKSPORT -L LOCALPORT:SOMEREMOTESERVER:SOMEREMOTEPORT -p 1887 username@whonix.skull.space
The distinct whonix.skull.space domain name can help you avoid typing the port each time you login, just put

Host whonix.skull.space
HostName whonix.skull.space
Port 1887

in your ~/.ssh/config file (openssh) or equivilent profile feature in other ssh clients.

==Implementation details==

The whonix.skull.space setup consists of two parts:
* a KVM virtual machine using only 256 megabytes of RAM running the whonix cli gateway stack on Debian 9 (10.0.2.15 / 10.152.152.10)
* an unprivileged linux container running Debian 9 and openssh-server locked down to only allow port forwarding. (172.30.8.4 / 10.152.152.51). Uses the whonix gateway (above) as a default route and dns server. Port 1887 is forwarded with a source NAT and destination NAT rule from the vm server host OS so as to come from 172.30.8.1. This node is sort of a subtitute for the Whonix workstation.

==Privacy/Security caution==

Security and convenience are trade-offs, this setup provides the convenience of only requiring ssh and your client applications to use a forwarded port or SOCKS proxy. Using Whonix in the way it was designed, or alternatively the Tor Browser Bundle or Tails is going to be more solid.

Another alternative that still allows you to use whatever choice of operating system and applications on your usual workstation is to run a Whonix gateway yourself on another computer of your own. An old PC with two network cards could be suitable for this. If there's interest, Mark could show people how to build Whonix boxes someday.

Some possible issue to consider when using the Skullspace hosted Whonix gateway:
(This section TODO)

← Older revision		Revision as of 04:29, 21 May 2019
Line 31:		Line 31:
	Some possible issue to consider when using the Skullspace hosted Whonix gateway:		Some possible issue to consider when using the Skullspace hosted Whonix gateway:
	(This section TODO)		(This section TODO)
		+
		+	==ssh host key hashes==
		+	These are signed by Mark Jenkins <mark@markjenkins.ca> (http://markjenkins.ca/gpg/)
		+	-----BEGIN PGP SIGNED MESSAGE-----
		+	Hash: SHA1
		+
		+	SHA256:8RJrSbdshRleYx8hzOuTP+VCfFG1x6aowUqwaw4Fo4A (RSA)
		+	MD5:f6:a1:f9:95:bf:f8:e1:13:21:72:d1:cb:52:dd:b1:55 (RSA)
		+	SHA256:ZPiteHCt00McOADVQl/C1lUBA7dGqh2oalKSZVJKTOc (ECDSA)
		+	MD5:e1:10:b1:80:35:86:fe:82:2d:bf:c3:8a:0d:f4:8b:bc (ECDSA)
		+	-----BEGIN PGP SIGNATURE-----
		+	Version: GnuPG v1
		+
		+	iQEcBAEBAgAGBQJc433FAAoJEKj4ZJOqTbH7JR4H/3HANDBHyBe5e7E6iKxBp+gi
		+	6klCVdkmLDWr3vgWi1WGZ0eMnaQ8T5BE5cx3bntUlKWG5dGLj2iAyRSKYI+JXpnv
		+	aXc6GlWsWZ89Cpmak5Ac9LbFSDYpo/5PcTpoUiX8DnXXyEGAQJuhGsaFixjdzKYl
		+	vdH1YxtcIpbULMgW2I+trGaIXvbqMPrfP3n3nbUfMmydu+UfJzJ3fedTcPFnmV1y
		+	23xqWWL06NmCH5h2ZDwyRPbXPj+QDGA98hNclFaifNtMB9KETMoQ2G7XZVyawsbU
		+	ifMDdH+vPUINkTI3G2Ng1lUbTYJfVrdGwn8fxTn/buv/l2HEZl5ZNizQw8v3/Cs=
		+	=FCYW
		+	-----END PGP SIGNATURE-----

Whonix.skull.space - Revision history

Markjenkinsparit: signed host keys by Mark Jenkins

Markjenkinsparit: start of article, lots of text