
Devzat – Chat over SSH, with some nice quality-of-life features

languagehacker
15 replies
23h47m

I'd be curious whether there's any security concerns on this one. Could an attacker craft a message that gets access to execute commands into a client terminal?

qudat
8 replies
23h11m

This is not sshd, this is a golang binary that uses the stdlib ssh lib. You would have to either a) figure out how to escape out of a golang binary, or b) if the go code executes shell commands with some user provided text, trying to shell inject something in there.

raggi
5 replies
20h41m

yup, not an extensive list, but further demonstrative:

  - terminal emulators are not security hardened clients against malicious actors
  - ssh lacks PKI and is inconvenient so users never do prekeying in practice, so it's TOFU / zero server assertion in most practical cases (i.e. easy to mitm)
  - ssh channel features are a constant concern, for server resources and for client features like agents, agents are easy to disable
  - most ssh implementations don't scale that well, it wasn't ever really a goal to do so
  - there are few tools for auditing and monitoring, unlike the common protocols/services/clients

fun for toys, but i wouldn't put credit card details in there, unlike some streamers started doing lately.

cwillu
4 replies
20h36m

ssh definitely supports PKI, it's just not the standard workflow for individuals

     ssh-keygen (1):  

     ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication.
     Certificates consist of a public key, some identity information, zero or more principal (user or host) names and
     a set of options that are signed by a Certification Authority (CA) key.  Clients or servers may then trust only
     the CA key and verify its signature on a certificate rather than trusting many user/host keys.  Note that
     OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8)

password4321
1 replies
17h23m

TIL about PKIX-SSH, OpenSSH + X.509.

https://gitlab.com/secsh/pkixssh

http://tech.ciges.net/blog/openssh-with-x509-certificates-ho...

Right now I'd stick with something like Gravitational Teleport (overkill); Warpgate may become the perfect fit for this niche soon.

https://github.com/warp-tech/warpgate

It's also worth knowing about SSH clients that can use X.509 certificate keys as normal pre-shared keys with any SSH server, like PuttyCAC and built-in for macOS High Sierra and later.

https://www.idmanagement.gov/implement/scl-ssh/

raggi
0 replies
20h32m

I'm not talking about supporting public key cryptography, I'm talking about having a specific and usable deployment of a PKI. The closest thing SSH has is SSHFP, which depends on DNSSEC, which is according to many opinions, DOA.

anilakar
0 replies
11h47m

PKI, with I in bold quotation marks.

While it supports serial numbers, expiration dates and key revocation lists, it does not allow certificate chaining. That means whoever signs keys for end users has implicit access to the master key.

quackduck
0 replies
22h5m

whoa

phoyd
2 replies
21h17m

I'm also interested. Setting up a passwordless SSH account for some public service sounds like a good way to give your machine away to North Korean hackers, because you forgot to set something in /etc/sshd to "no".

Is there a usable description somewhere on how to do this safely?

quackduck
0 replies
21h14m

i'd be interested in seeing that. here its ok because it doesnt use sshd at all

freedomben
1 replies
23h37m

Yeah, though SSH is already very mature at processing text, so it's a surprisingly good fit for a chat. I would also remember that any machine you SSH from is going to give the server some metadata like IP address, public keys (which aren't useful as creds but can be for tracking). Really fun little project though

tjoff
0 replies
23h12m

SSH might be, but maybe not your terminal. Which at the very least can possibly trick you using escape codes. Also, unless my memory fails me 'cat'ing an untrusted file isn't recommended for security reasons.

Additionally you should disable SSH forwarding. Relevant thread from the startup selling coffee over SSH: https://news.ycombinator.com/item?id=40227624
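
The escape-code concern above, seen from the server side, as an added example that is not code from Devzat or from this thread: a Go filter a chat server could apply to untrusted messages and nicknames before relaying them to other users' terminals. Stripping every sequence, colours included, is an assumed policy, and the sample strings are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// escSeq matches escape sequences the way a terminal would consume them.
var escSeq = regexp.MustCompile(
	// CSI: ESC [ parameters final-byte (colours, cursor movement, erase).
	`\x1b\[[\x20-\x3f]*[\x40-\x7e]?` +
		// OSC/DCS/APC/PM/SOS: ESC ] P _ ^ X, then a string ended by BEL or
		// ESC \. An unterminated string is consumed up to the next ESC.
		`|\x1b[\]P_^X][^\x07\x1b]*(?:\x07|\x1b\\)?` +
		// Any other ESC with the character after it, e.g. ESC c (reset).
		`|\x1b.?`)

// SanitizeForTerminal returns s with escape sequences removed and every
// remaining control character except newline and tab dropped, so the
// result cannot move the cursor, retitle the window or overwrite a line.
func SanitizeForTerminal(s string) string {
	s = escSeq.ReplaceAllString(s, "")
	return strings.Map(func(r rune) rune {
		if r != '\n' && r != '\t' && unicode.IsControl(r) {
			return -1 // CR, BS, BEL, NUL, DEL and the C1 range
		}
		return r
	}, s)
}

func main() {
	// Constructed message: sets a window title, colours text, then uses a
	// carriage return to overwrite what was just printed.
	msg := "hi \x1b]0;constructed title\x07\x1b[31mred\x1b[0m\rbye"
	fmt.Printf("%q\n", SanitizeForTerminal(msg))
}
```

Every ESC is consumed by one of the three alternatives, so no partial sequence can survive a single pass.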

Tepix
0 replies
8h32m

You may not want the chat server owner to know which public ssh key you are using for privacy reasons.

Workaround: Specify another ssh keypair

codazoda
10 replies
23h46m

Probably. See my comment (and example repo) elsewhere about running any old binary when someone connects.

jagged-chisel
8 replies
21h26m

Spoiler: set the user’s shell to any old binary, like a chat app.

semi-extrinsic
5 replies
20h3m

Or in the authorized_keys file, prepend the public key with a specified command. This is then the only command that the user can execute when logging in with that particular key. To wit:

  command="/usr/bin/foo" ssh-ed25519 AAAA....
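
An added example, not from the thread: a small Go check for `authorized_keys` lines that set a forced command as in the comment above but leave port, agent or X11 forwarding enabled. The option names are real sshd options; the sample lines and key material are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// MissingRestrictions parses the options field of one authorized_keys line
// and, if it sets command="...", returns the forwarding restrictions it lacks.
// A line with no options just records its key type as a name, which is harmless.
func MissingRestrictions(line string) []string {
	line = strings.TrimSpace(line) + " "
	have := map[string]bool{}
	start, inQuote := 0, false
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case inQuote && c == '\\' && line[i+1] == '"':
			i++ // \" inside a quoted value does not end it
		case c == '"':
			inQuote = !inQuote
		case !inQuote && (c == ',' || c == ' ' || c == '\t'):
			name, _, _ := strings.Cut(line[start:i], "=")
			have[strings.ToLower(name)] = true // option names are case-insensitive
			start = i + 1
			if c != ',' {
				i = len(line) // options field ended; key type and key follow
			}
		}
	}
	if !have["command"] || have["restrict"] {
		return nil // no forced command, or "restrict" already disables all three
	}
	var missing []string
	for _, opt := range []string{"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"} {
		if !have[opt] {
			missing = append(missing, opt)
		}
	}
	return missing
}

func main() {
	// Constructed lines; the key material is a placeholder.
	fmt.Println(MissingRestrictions(`command="/usr/bin/foo" ssh-ed25519 AAAA...`))
	// restrict turns everything off; pty re-allows the terminal a chat needs.
	fmt.Println(MissingRestrictions(`restrict,pty,command="/usr/bin/foo" ssh-ed25519 AAAA...`))
}
```

The check does not look for options such as `port-forwarding` that re-enable a feature after `restrict`.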

kijin
3 replies
18h8m

I suppose this will also lock the user out of sftp and scp? Because otherwise they might be able to edit the authorized_keys file and run any command.

gerdesj
2 replies
17h32m

"I suppose this will also lock the user out of sftp and scp?"

No it won't! The specified command might provide sftp, scp, telnet or stream a film.

fragmede
1 replies
12h49m

I stream a film at funky.nondeterministic.computer on port 22

rovr138
0 replies
1h41m

hah

made me laugh

titaniumtown
0 replies
18h43m

i had no idea about that, thank you!

quackduck
0 replies
12h8m

I use a fork of that!

Borg3
0 replies
22h41m

Or you can just run IRC client on start. Just trap SIGINT and SIGTSTP, run simple or modified client that cannot do exec or escape to shell and you are done :)

quackduck
7 replies
22h58m

so sorry for it being down right now. hn hug of death is real

xyst
3 replies
22h49m

Guess it’s only useful as a toy :)

quackduck
1 replies
22h47m

I just have a really shit server

mro_name
0 replies
10h59m

which is great for human scale! Don't serve billions and burn the planet doing so.

bjoli
0 replies
19h46m

Or the person never expected more than a couple of hundred concurrent users and dimensioned the container or whatever after that.

I once wrote a similar chat, but much much worse in many ways, that could easily handle thousands of concurrent users, but hosted it on a 1mbit residential line. When Slashdot hit it I stood no chance.

humanperhaps
2 replies
16h22m

Didn't think about that when posting - my bad

quackduck
1 replies
12h6m

oh nonono thanks for posting lol

humanperhaps
0 replies
2h7m

Amazing project, by the way!

lynx23
5 replies
12h24m

Related: Does anyone by chance know how to configure an "anonymous" ssh account that always runs the same program? This would be great for making text mode games available to everyone without needing to support different platforms, now that windows actually ships with ssh.

lynx23
2 replies
10h51m

Thanks for the link! However, I will not touch the Google programming language.

fragmede
0 replies
8h28m

your loss. fwiw, It's not run by Google any more

cdelsolar
0 replies
5h9m

lol

quackduck
0 replies
7h52m

you can configure sshd to run any random executable when a user connects

hiAndrewQuinn
5 replies
10h28m

I have a Raspberry Pi running a read-only server where some friends and I have a "poor man's IRC" chat, in that we all log in from Termux and post messages to one another using `wall`. It's absolutely ridiculous and I love it.

complaintdept
2 replies
2h4m

Install `finger` and you've practically got a social media platform.

kouru225
1 replies
59m

I’m trying to google finger and all I get is fingerprint software

LawnGnome
0 replies
53m

https://en.wikipedia.org/wiki/Finger_(protocol)

An old, old Internet protocol that was used to get information on a user, and could be used by users to post updates from their .plan files. Essentially plaintext social media for people with Internet connections in the 80s and (early-ish) 90s.

thejosh
0 replies
9h7m

It's one of those things that if you need to ask why, you'll never understand :-)

_joel
0 replies
9h1m

Yea, came here to say, what about wall! :)

nedpat
3 replies
23h23m

This is actually cool!

But unless I'm missing something, what's the difference between this and IRC?

plussed_reader
2 replies
23h17m

The in-network effect.

quackduck
1 replies
22h5m

hmm? whats that

plussed_reader
0 replies
21h25m

The market force that currently propels whatsapp.

ipsum2
3 replies
23h34m

Doesn't seem to be working, the chat is frozen and I can't type anything.

evbogue
2 replies
23h24m

Same here, seems to have crashed.

quackduck
1 replies
23h21m

working on bringing it back, hold on

evbogue
0 replies
23h17m

Cool. Hanging!

knodi
2 replies
23h10m

When I read this comment, thought good readability it’s got to be Go

cdelsolar
0 replies
5h11m

why is this downvoted?

Aeolun
0 replies
18h41m

The readability might be nice, but the way files are structured makes no sense to me.

In PHP/Typescript there’s always a direct correspondence between imports and file locations, but Go baffles me.

codetrotter
3 replies
23h43m

See also: ssh-chat by shazow from ~10 years ago written in Go

  ssh chat.shazow.net

The most amazing part is perhaps the fact that this one is still around, 10 years later! Try it yourself and you’ll see :)

Discussion at the time:

https://news.ycombinator.com/item?id=8743374

Source code in GitHub repo here:

https://github.com/shazow/ssh-chat

quackduck
2 replies
21h28m

ssh-chat sort of inspired devzat. here's the story: I used to live in dubai at the time and for some odd dns reasons I could never actually join ssh-chat, but it acted as proof that ssh chats are possible, and so I decided to make my own version of it. then I moved to the us and was actually able to use both ssh-chat and devzat.

nojs
0 replies
11h32m

"odd dns reasons"

I would love to hear more about this

codetrotter
0 replies
21h25m

That’s so cool and nice :D

Any idea what we could do to allow all of the people still in Dubai to join chats over ssh too?

codazoda
3 replies
23h52m

I experimented with writing a shell replacement a while back. Turns out you can just run any old program. Here’s an example “hello world” shell replacement written in Go.

https://github.com/codazoda/goshell

jagged-chisel
2 replies
21h28m

"Turns out you can just run any old program."

It’s amazing how simple some things are. Similarly, an HTTP server can also run any old binary in response to an incoming request. As long as it produces output that looks like an HTTP response, the client will receive that response.

steve1977
0 replies
12h36m

good old cgi

mro_name
0 replies
10h53m

but nginx or caddy can't run CGIs, they want scalability to the billions.

Disclaimer: I build a personal social web server https://seppo.social like that on top of shared (apache) hosting requiring no root privileges to install and run.

Or with a few lines of sh you can turn many cli tools to web services like https://qr.mro.name/

xyst
2 replies
22h49m

Is this working for anybody else?

I created a throwaway ed25519 key, reconfigured ssh config, and tried to connect with ‘ssh chat’

Nothing loads. ‘ssh -v chat’ isn’t helpful either. ping and nc (on both 22 and 443) show the server (or load balancer) is accessible for me.

Maybe a “hnfp DoS” (hacker news front page DoS)?

n2e
1 replies
22h44m

Have you tried connecting with the actual hostname directly instead of an alias?

Edit: nvm the author said it’s down

quackduck
0 replies
22h39m

back up now!

styczen
2 replies
1d

Normal talk in unices system can do that.

Irc have exchange data between server and minimize data traffic.

still irc is better, but maybe in future

riedel
0 replies
23h23m

I still use posix write [1] if there is an incident and I want to talk to the other admins that all try to fix sth. Quite fun, as the younger ones are always quite puzzled and feel caught...

[1] https://manpages.org/write

yu3zhou4
1 replies
1d

There was a beginner friendly machine to hack on HackTheBox where you had to hack a Devzat instance

quackduck
0 replies
22h4m

a devzat regular made that!

localfirst
1 replies
21h14m

what sort of server resource usage is this like right now as you are getting a ton of traffic?

also noticed that people were able to run commands but permission denied. that kinda freaked me out. eventually somebody is going to figure out how to escape the go binary

quackduck
0 replies
12h5m

im not worried at all :)

jasonjayr
1 replies
23h10m

As a gentle reminder, if you are forwarding your ssh-agent by default, you should connect with:

    ssh -o 'ForwardAgent no' $host

So your secure identities are not exposed to a random ssh server ...

Aeolun
0 replies
18h40m

Forwarding your agent by default (to all hosts!) sounds like a terrible idea.

danslo
1 replies
23h35m

I appear to have crashed the server with "tic 999", sorry guys!

quackduck
0 replies
22h31m

that wasn't it but yeah lol

Tepix
1 replies
8h25m

Looks like ascii colors aren't being filtered correctly.. which is a pretty big issue. White on white isn't very readable... :-)

quackduck
0 replies
7h55m

this sounds like a terminal thing. what terminal are you on.

tempestlxc
0 replies
17h52m

Chatting via SSH has given me a lot of insights. Thank you.

tcsenpai
0 replies
18h25m

If you want to use my server, it might be a little more powerful than the current one. I would self host but to be honest I'd prefer helping out with the main instance. In case, I am here

sdsd
0 replies
6h59m

I love stuff like this. I made a widget for MacOS where you can see incoming |hi messages sent to your Urbit, as a kind of poor man's p2p chat. But I didn't add a feature to send hi messages, so you still need a CLI for that.

You can see what it looks like here: https://www.youtube.com/watch?v=_bAx4Jx39jE&t=384s

(it's the widget in the bottom right of the screen)

qudat
0 replies
23h8m

Pretty neat! We implemented something similar with an IRC chat app (senpai) in our SSH app (pico.sh). After the user creates an account, it lets users connect to our public IRC bouncer with a single command (`ssh pico.sh -t chat`).

ref: https://pico.sh/irc

ingen0s
0 replies
7h23m

This makes my list for top of the year, nice work.

callwhendone
0 replies
17h25m

ssh: connect to host devzat.hackclub.com port 22: Connection refused

PORT STATE SERVICE

22/tcp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

----

overloaded?

aa-jv
0 replies
8h59m

This is great, now we just need a way to host it on our mobile phones.