nyx

SSHd Without Port Forwarding With TOR.

View on GitHub

Nyx

"Your shell in the shadows."

Nyx is a standalone, stealth SSH server that operates entirely inside a Tor Hidden Service. With Nyx, you can securely access your machine from anywhere—whether behind corporate firewalls, CGNAT, or restrictive networks—without needing port forwarding, VPNs, or exposing your public IP address.

Nyx is userspace-only (no root required), leaves no footprint on your local LAN, and supports flexible, hybrid authentication (passwords and SSH keys).

✨ Features

  • NAT Piercing: Reachable behind any firewall as long as it permits outgoing connections. No port forwarding needed.
  • Stealth Mode: Never listens on public IPs or local LAN ports—binds strictly to the internal Tor circuit.
  • Hybrid Authentication: Support for users with passwords, SSH keys, or both.
  • Identity Management: Option for persistent (.onion remains across restarts) or ephemeral (new identity per session) onion addresses.
  • Self-Contained: Built-in utilities to generate secure bcrypt password hashes and Ed25519 SSH keypairs.

🚀 Quick Start

1. Setup Configuration

Nyx expects a config.yaml file alongside the binary. Create this manually or use the sample:

welcome_message: |
  Welcome to the Void.
  Authorized Access Only.

# true = Same .onion address across restarts (saved in data/tor)
# false = New random .onion address each run
persistent_identity: true

users:
  - username: admin
    # Use ./nyx -gen-pass to generate this hash
    password_hash: "$2a$10$X7H1/..." 
    
  - username: ghost
    # Use ./nyx -gen-key to generate keys
    authorized_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA..."

Place your configuration next to the nyx executable.

2. Generate Credentials

Never store plain-text passwords in your config.

  • Generate a password hash:

    ./nyx -gen-pass "mySuperSecretPassword"

    Copy the resulting $2a$10$... hash to your config.yaml.

  • Generate SSH keypair for a client:

    ./nyx -gen-key

    Save the Private Key to your client. Paste the Public Key into the authorized_keys section in config.yaml.

3. Run the Server

Start Nyx simply via:

./nyx

You should see:

🧅 Initializing Tor...
🔮 Publishing Onion Service...
✨ NYX LIVE AT: v2xyz...randomstring...onion

💻 Connecting to Nyx

Since Nyx runs as a Tor Hidden Service, you must route SSH through Tor:

Method A: Robust SSH Config (Recommended)

Add to your local ~/.ssh/config:

Host nyx
    Hostname v2xyz...your_onion_address...onion
    User admin
    # Linux/macOS (openbsd-netcat)
    ProxyCommand nc -x localhost:9050 %h %p
    # Windows (Nmap's ncat)
    # ProxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p

Connect with:

ssh nyx

Requires a running Tor proxy (default port: 9050) and netcat/ncat installed.

Method B: Quick SSH (torify/torsocks)

If you have torify or torsocks:

torsocks ssh admin@v2xyz...your_onion_address...onion

⚙️ Advanced Configuration

Ephemeral vs. Persistent Identity

  • Persistent (true): Nyx saves keys inside a data/tor directory. Your onion address remains unchanged across restarts.
  • Ephemeral (false): Uses a temporary directory for identity; new onion address each run—perfect for disposable "burner" sessions.

File Structure

Running Nyx produces:

.
├── nyx              # The executable
├── config.yaml      # Your configuration file
└── data/            # Created automatically
    ├── host_key     # Server SSH Host Key (prevents warnings)
    └── tor/         # Tor keys (when persistent_identity is true)

🛡️ Security Notes

  • Always generate password hashes and SSH keys using Nyx’s builtin tools.
  • Never store plain-text credentials.
  • Use ephemeral identity for disposable/burner SSH sessions.