Using SSH

Like other Linux distributions, you can go "under-the-hood" via Secure Shell Protocol (SSH) if you choose. Even though StartOS is designed to be used from the GUI, it is a good idea to set up SSH access. It can be useful for debugging purposes as well as advanced functionality.

For security reasons, StartOS _disables_ access is not available, so you will need to add an SSH key to your server via the method below.

Contents

• Creating an SSH Key
• Registering Your SSH Key with StartOS
• SSH over LAN
• Connecting via PuTTY on Windows
• SSH over Tor

Creating an SSH Key

1. Open a terminal on your client device and enter the following command.

   ssh-keygen -t ed25519
   

   You will be asked to enter a file in which to save the key. We recommend pressing Enter to use the default location

2. Optionally create a passphrase, or press enter for no passphrase.

   The next 3 step are for Linux and Mac users only. Windows users skip to Registering Your SSH Key with StartOS

3. The terminal will inform you that your public key has been saved. Take note of the path.

   Your public key has been saved in /home/user/.ssh/id_ed25519.pub
   

4. Start your system's ssh-agent:

   eval "$(ssh-agent -s)"
   

5. Add your key to the ssh-agent:

   ssh-add ~/.ssh/id_ed25519
   

   Note: if you changed the file name/location in step 1, you will need to use that file/path in this step

Registering Your SSH Key with StartOS

1. Open a terminal on your client device and display your SSH public key (created above):

   • Mac and Linux:

     cat ~/.ssh/id_ed25519.pub
     

   • Windows:

     type .ssh\id_ed25519.pub
     

2. Copy the resulting line that looks similar to

   ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINH3tqX71XsPlzYhhoo9CqAP2Yx7gsGTh43bQXr1zqoq user@email.com
   

3. In StartOS, navigate to System > SSH.

4. Click "Add New Key".

5. Paste your SSH public key (copied above).

6. Click "Submit".

SSH over LAN

1. Open a terminal on your client device and enter:

   ssh start9@SERVER-HOSTNAME
   

   Replace SERVER-HOSTNAME with your server's adjective-noun.local address URL.

2. The first time you connect, you will see something like this:

   The authenticity of host 'adjective-noun.local (192.168.1.175)' can't be established.
   
   ED25519 key fingerprint is SHA256:BgYhzyIDbshm3annI1cfySd8C4/lh6Gfk2Oi3FdIVAa.
   
   This key is not known by any other names.
   
   Are you sure you want to continue connecting (yes/no/[fingerprint])?
   

   Type "yes" and hit Enter to start trusting the server's SSH public key.

   
   If you get a scary looking warning that says something like
   
       WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
   
   Fear not! This is most likely happening because you have recently re-flashed your server, which causes a change in the key for your device's hostname. The solution is to delete the existing entry from your `known_hosts` file, which is typically located at `~/.ssh/known_hosts`. This will be specified in the warning, along with a helpful line number (in case your file is lengthy).
   

Connecting via PuTTY on Windows

For Windows, following the command above will work. But if you prefer a GUI tool, BrewsBitcoin has created a guide for connecting via SSH using PuTTY on Windows

SSH over Tor

Terminal SSH over Tor is only supported on Linux and MacOS. For Windows, it is only possible with PuTTY as seen <a href="https://tor.stackexchange.com/a/143" target="_blank">here</a>. Note: those instructions use port 9150, but we've configured Tor in Windows on the traditional port 9050.

1. Install torsocks

   • Mac:

     brew install torsocks
     

   • Debian / Ubuntu

     sudo apt install torsocks
     

   • Arch / Garuda / Manjaro

     sudo pacman -S torsocks
     

2. Run the following command:

   echo -e "\nHost *.onion\n\tProxyCommand nc -xlocalhost:9050 %h %p" >> ~/.ssh/config
   

   This command adds a wildcard setting for .onion domains to your SSH config file. Any .onion domains you connect to using SSH will use the specified proxy command.

3. SSH into StartOS:

   
   The changes you make here are on the overlay and won't persist after a restart of your server.
   

   ssh start9@<custom-address>.local
   

4. Elevate yourself to root in chroot edit mode (which will make your changes persist across reboots):

   sudo /usr/lib/startos/scripts/chroot-and-upgrade
   

5. Using Vim or Nano, add the following 2 lines to /etc/tor/torrc

   HiddenServiceDir /var/lib/tor/ssh
   HiddenServicePort 22 127.0.0.1:22
   

   
   You can also add these lines by running the following command:
   
       echo -e "\nHiddenServiceDir /var/lib/tor/ssh\nHiddenServicePort 22 127.0.0.1:22" >> /etc/tor/torrc
   

6. Restart your Start9 server by exiting chroot edit mode:

   exit
   

7. SSH in again to gather you newly-generated SSH ".onion" address:

   sudo cat /var/lib/tor/ssh/hostname
   

   
   This .onion address is only for SSH access and should not be confused with your server's main .onion address.
   

8. Exit SSH

   exit
   

9. Now you can SSH into your server using your SSH ".onion" URL:

   ssh start9@xxxxxxxxxxxxxxxxx.onion