Matt Traudt


Use Git over Tor

Posted on 29 Oct 2016 by Matt Traudt


So you want to be a super l33t h4xx0r who stores his code on an onion service, huh? Or maybe you want to anonymously obtain a copy of a project's source code. Or you just think using Tor is cool. I'm with you there! Let's talk about how to use Git over Tor. After we're done, you can create an account at my Gogs onion service and start hosting public or private repositories on the "deep web!"

Assumptions

Variables

So that this information can apply to as many people as possible, I have done my best to not make any decisions for you.

Tor or the Tor Browser Bundle

Are you going to be using Tor or the TBB? It doesn't matter which you pick. You might want to pick Tor if you want to be able to use Git at any time. You may want the Tor Browser Bundle if you can't install a system service, don't want to, or only need Tor temporarily.

Later I will use SocksPort as a variable. If you're using Tor, it is 9050 by default. If you are using the TBB, it is 9150 by default.

HTTP(S) or SSH or Git

What protocol are you going to use as transport? If you don't know what that means, then which of the three commands below do you expect to be using?

# Git
git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

# HTTPS
git clone https://git.torproject.org/tor.git

# SSH
git clone git@github.com:bitcoin/bitcoin.git

HTTP(S) is probably the most common. HTTP(S) and Git are the easiest to use, but some places only allow pushing over SSH. I recommend you use SSH because you can set it up such that its traffic goes over Tor transparently. You don't have to change your behavior at all!

If you are going to be using HTTP(S) or Git as transport, then you must use torsocks, as discussed later. If you use SSH as transport, you can use either torsocks or netcat. I prefer netcat.

1. Obtain and start Tor

It doesn't matter how you do it. Install Tor and start it.

If you're using plain old Tor, start by looking in your package manager and start it as a system service. If you're using the TBB, just decompress the download and start the browser. Take note of the differences between the two in the variables section.

2. Obtain torsocks and/or netcat

Torsocks is a program that can transparently tunnel just about any program's traffic through Tor. You will need it if you use HTTP(S) or Git as a transport. You can use it if you want to use SSH as a transport.

Example clone with torsocks:

torsocks git clone http://gogsys33repvmfz5.onion/mello/bm.git

If you are using SSH, I recommend you use netcat because, once you're all set up, you can git clone over Tor transparently.

Example clone with netcat:

git clone git@gogsys33repvmfz5.onion:mello/bm.git

The complexity is hidden from you.

Not just any version of netcat will work. You need OpenBSD's netcat, not GNU's netcat. How do you tell which one you have? Run nc --help. If the output contains [-X proxy_protocol], then you have the right version of netcat.

3. Configure torsocks and/or netcat

On my system, torsocks's config is located at /etc/torsocks.conf. If you are using Tor (not the TBB), then you're done configuring torsocks. If you are using the TBB, you need to edit torsocks's config to have server_port = 9150 instead of server_port = 9050.

If you're using netcat instead of torsocks, you need to edit your user's SSH config file. By default this is ~/.ssh/config. Create the file if it doesn't exist. Add the following to it.

Host gogsys33repvmfz5.onion
IdentityFile ~/.ssh/id_rsa
ProxyCommand nc -X 5 -x localhost:SocksPort %h %p

Replace gogsys33repvmfz5.onion with the hostname of the website hosting your code. Most places require you to identify yourself with a key instead of a password, so change the path ~/.ssh/id_rsa if needed. Finally, replace SocksPort with 9050 or 9150 as discussed in this section.
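The checks from steps 2 and 3 can be scripted. The following is an added example, not code from the original post: the function names nc_has_proxy, ssh_stanza and routes_via_socks are hypothetical helpers, and the only assumption about `ssh -G` is that it prints the effective configuration as lowercase "key value" lines.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Succeeds if the netcat usage text on stdin advertises -X (OpenBSD netcat).
nc_has_proxy() {
    grep -q -e '-X proxy_protocol'
}

# ssh_stanza HOST SOCKSPORT [KEYFILE]
# Prints the ~/.ssh/config block from step 3 with SocksPort filled in.
ssh_stanza() {
    host=$1
    port=$2
    key='~/.ssh/id_rsa'
    if [ "$#" -ge 3 ]; then key=$3; fi
    # Reject anything that is not a plain port number or hostname, so a
    # stray space or newline cannot add extra directives to the config.
    case $port in
        ''|*[!0-9]*) echo "SocksPort must be a number, got '$port'" >&2; return 1 ;;
    esac
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "unexpected characters in host '$host'" >&2; return 1 ;;
    esac
    printf 'Host %s\n' "$host"
    printf '    IdentityFile %s\n' "$key"
    printf '    ProxyCommand nc -X 5 -x localhost:%s %%h %%p\n' "$port"
}

# routes_via_socks PORT
# Reads `ssh -G HOST` output on stdin and succeeds only if the effective
# ProxyCommand points at localhost:PORT, i.e. the stanza really applies.
routes_via_socks() {
    grep -i '^proxycommand ' | grep -q -e "-x localhost:$1 "
}

# Demo with the post's host and the system Tor default port.
ssh_stanza gogsys33repvmfz5.onion 9050
```

Run `nc --help 2>&1 | nc_has_proxy` to test your netcat, and `ssh -G gogsys33repvmfz5.onion | routes_via_socks 9050` before the first push to confirm SSH will actually use the proxy for that host.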

4. Do it!

You've done everything now. You can now use Git over Tor. You've downloaded/installed either Tor or the Tor Browser Bundle, you've decided if you want to use torsocks or netcat, and you've configured either torsocks or SSH as needed. Let's test it out now. If you don't want to use my Gogs service, then either ignore or modify the instructions below as you need.

These instructions assume you used netcat to transparently tunnel SSH traffic over Tor for my Gogs service. If you didn't, you need to use

torsocks git VERB

instead of

git VERB

where VERB is clone, fetch, pull, or push.

Make an account

I recommend you make an account at my super cool Gogs onion service: http://gogsys33repvmfz5.onion. If it asks for an email address when you register, you should know that it doesn't have to be valid. You should also know that while the website will complain if you don't have JavaScript enabled, it will still mostly work without it.

Make a repository

After you have an account, make a repository. Once you've done that, you no longer need to use the website for anything again until you want to make another repository. Of course, you'll be missing out on cool features such as issue tracking, pull requests, project wiki pages, and creating collaborative organizations.

Generate an SSH key

Instructions for how to do so are out of scope. There is plenty of information on the Internet already.

After you have a key pair, upload the public key to Gogs here: http://gogsys33repvmfz5.onion/user/settings/ssh

Push your code

If you are starting a new project, you'll of course run something like the following.

mkdir my-repo
cd my-repo
git init
touch README.md
git add README.md
git commit -m "Initial commit"
git remote add origin git@gogsys33repvmfz5.onion:test123/my-repo.git
git push origin master

If you already have a project tracked by git, you'll want to run something like the following to add Gogs as another remote.

cd my-repo
git remote add gogsys33 git@gogsys33repvmfz5.onion:test123/my-repo.git
# ... do programming, fix bugs, commit changes, etc. ...
git push gogsys33 master

Fun optional stuff

I don't like having to type out a long random onion domain. So since I use netcat to tunnel SSH over Tor, my SSH config looks like this.

Host gogsys33
User git
IdentityFile ~/.ssh/id_rsa
ProxyCommand nc -X 5 -x localhost:SocksPort %h %p
HostName gogsys33repvmfz5.onion

Notice that Host has changed and I've added a HostName and User. Now I can transparently use Tor and also save on keystrokes. Some example commands:

git clone gogsys33:mello/bm.git
git fetch gogsys33
git remote add gogsys33 gogsys33:mello/scripts.git

tags: tor, tutorial