[HN Gopher] Devzat - Chat over SSH, with some nice quality-of-li...
___________________________________________________________________
Devzat - Chat over SSH, with some nice quality-of-life features
Author : humanperhaps
Score : 171 points
Date : 2024-07-18 17:58 UTC (5 hours ago)
| rwmj wrote:
| I wonder if you could do something similar with an ssh account
| which is hard-wired to run 'ytalk'
| (https://en.wikipedia.org/wiki/Talk_(software)).
| codazoda wrote:
| Probably. See my comment (and example repo) elsewhere about
| running any old binary when someone connects.
| Borg3 wrote:
| Or you can just run IRC client on start. Just trap SIGINT and
| SIGTSTP, run simple or modified client that cannot do exec or
| escape to shell and you are done :)
| jagged-chisel wrote:
| Spoiler: set the user's shell to any old binary, like a chat
| app.
| semi-extrinsic wrote:
| Or in the authorized_keys file, prepend the public key with
| a specified command. This is then the only command that the
| user can execute when logging in with that particular key.
| To wit: command="/usr/bin/foo" ssh-ed25519
| AAAA....
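As an added example (not from the thread and not part of the Devzat project), here is a small Go audit of authorized_keys entries of the kind semi-extrinsic describes. It parses the leading option field, quotes and all, and reports keys that have no forced command or that still leave forwarding enabled. The option names (command, restrict, pty, no-*-forwarding) are OpenSSH's own; the sample lines and key blobs are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one parsed authorized_keys line: option list and key type.
// The base64 key blob and the trailing comment are not needed for the audit.
type Entry struct {
	Options map[string]string // option name -> value; "" for bare flags
	KeyType string
}

// isKeyType reports whether a field looks like an OpenSSH key type
// (ssh-ed25519, ssh-rsa, ecdsa-sha2-*, sk-* and their -cert variants).
func isKeyType(f string) bool {
	return strings.HasPrefix(f, "ssh-") || strings.HasPrefix(f, "ecdsa-") || strings.HasPrefix(f, "sk-")
}

// splitOptions scans the leading options field: it splits on commas that
// are outside double quotes and stops at the first whitespace outside
// quotes, returning the options and the rest of the line. Backslash-escaped
// quotes inside a value (which sshd accepts) are not handled here.
func splitOptions(line string) (opts []string, rest string) {
	var cur strings.Builder
	inQuote := false
	for i := 0; i < len(line); i++ {
		c := line[i]
		switch {
		case c == '"':
			inQuote = !inQuote
		case c == ',' && !inQuote:
			opts = append(opts, cur.String())
			cur.Reset()
			continue
		case (c == ' ' || c == '\t') && !inQuote:
			return append(opts, cur.String()), line[i:]
		}
		cur.WriteByte(c)
	}
	return append(opts, cur.String()), ""
}

// ParseLine parses one authorized_keys line; blank lines and # comments
// yield nil. Options are present when the first field is not a key type.
func ParseLine(line string) (*Entry, error) {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return nil, nil
	}
	e := &Entry{Options: map[string]string{}}
	if !isKeyType(strings.Fields(line)[0]) {
		opts, rest := splitOptions(line)
		if rest == "" {
			return nil, fmt.Errorf("options but no key: %q", line)
		}
		for _, opt := range opts {
			name, val, _ := strings.Cut(opt, "=")
			e.Options[strings.ToLower(name)] = strings.Trim(val, `"`)
		}
		line = rest
	}
	fields := strings.Fields(line)
	if len(fields) < 2 || !isKeyType(fields[0]) {
		return nil, fmt.Errorf("malformed key line: %q", line)
	}
	e.KeyType = fields[0]
	return e, nil
}

// Audit lists what a key meant only to run the chat binary can still do.
// command= alone forces the program but leaves port, agent and X11
// forwarding enabled; restrict (OpenSSH 7.2+) turns those and pty
// allocation off, and pty then re-enables the terminal a chat needs.
func Audit(e *Entry) []string {
	var findings []string
	if _, ok := e.Options["command"]; !ok {
		findings = append(findings, "no command=: key gets a login shell")
	}
	if _, ok := e.Options["restrict"]; !ok {
		for _, o := range []string{"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"} {
			if _, ok := e.Options[o]; !ok {
				findings = append(findings, "missing "+o+" (or restrict)")
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample lines; the key blobs are placeholders, not real keys.
	for _, l := range []string{
		`ssh-ed25519 AAAAexample1 alice@laptop`,
		`command="/usr/bin/foo" ssh-ed25519 AAAAexample2 bob@desk`,
		`restrict,pty,command="/usr/bin/foo --name bob" ssh-ed25519 AAAAexample3`,
	} {
		if e, err := ParseLine(l); err != nil {
			fmt.Println("error:", err)
		} else {
			fmt.Printf("%-36q -> %v\n", e.Options["command"], Audit(e))
		}
	}
}
```

Run it with `go run` to see one line per sample; for a real file, feed each line of ~/.ssh/authorized_keys to ParseLine. The shape the audit wants for a chat-only key is the third sample: restrict first, pty to get the terminal back, then the forced command.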
| yu3zhou4 wrote:
| There was a beginner friendly machine to hack on HackTheBox where
| you had to hack a Devzat instance
| quackduck wrote:
| a devzat regular made that!
| styczen wrote:
| Normal talk in Unix systems can do that.
|
| IRC exchanges data between servers and minimizes data traffic.
|
| Still, IRC is better, but maybe in the future.
| Joker_vD wrote:
| There was also `write` [0]. It would literally parse /etc/utmp
| [1] to find out which terminal the recipient user was logged
| on, then it would open that terminal and write(2) the message
| to it. Ah, wonderful user isolation.
|
| [0] https://man.cat-v.org/unix-6th/1/write
|
| [1] https://man.cat-v.org/unix-6th/5/utmp
| riedel wrote:
| I still use posix write [1] if there is an incident and I
| want to talk to the other admins that all try to fix sth.
| Quite fun as the younger ones are always quite puzzled and
| feel caught...
|
| [1] https://manpages.org/write
| codazoda wrote:
| I experimented with writing a shell replacement a while back.
| Turns out you can just run any old program. Here's an example
| "hello world" shell replacement written in Go.
|
| https://github.com/codazoda/goshell
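Added example, in the spirit of Borg3's "trap SIGINT and SIGTSTP, run a client that cannot exec" and codazoda's "any old program" (this is not codazoda's goshell and not Devzat's code): a Go login-shell replacement whose whole command language is a fixed table. The `-c` handling is how sshd invokes a login shell for `ssh host cmd`, and SSH_ORIGINAL_COMMAND is what sshd exports under an authorized_keys command= entry; the command names themselves are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/signal"
	"strings"
	"syscall"
)

// Reply is the shell's answer to one input line and whether to end the
// session afterwards.
type Reply struct {
	Text string
	Quit bool
}

// HandleLine is the entire command language. It is a fixed table with no
// path from user input to exec, os/exec or a real shell, so an account
// whose login shell is this binary can do exactly this and nothing else.
func HandleLine(line string) Reply {
	switch cmd := strings.TrimSpace(line); cmd {
	case "":
		return Reply{}
	case "help":
		return Reply{Text: "commands: help, whoami, quit"}
	case "whoami":
		return Reply{Text: "a guest of this chat-only login"}
	case "quit", "exit":
		return Reply{Text: "bye", Quit: true}
	default:
		return Reply{Text: "unknown command: " + cmd + " (try help)"}
	}
}

// OneShot reports whether this invocation should answer one command and
// exit instead of running interactively: sshd runs a login shell as
// `shell -c "cmd"` for `ssh host cmd`, and under an authorized_keys
// command= entry it exports the client's request as SSH_ORIGINAL_COMMAND.
func OneShot(args []string, sshOriginal string) (string, bool) {
	if len(args) >= 3 && args[1] == "-c" {
		return args[2], true
	}
	if sshOriginal != "" {
		return sshOriginal, true
	}
	return "", false
}

func main() {
	// ^C and ^Z from the pty must not kill or stop the only process the
	// user has; there is no parent shell to fall back to, so ignore them.
	signal.Ignore(syscall.SIGINT, syscall.SIGTSTP)

	if cmd, ok := OneShot(os.Args, os.Getenv("SSH_ORIGINAL_COMMAND")); ok {
		fmt.Println(HandleLine(cmd).Text)
		return
	}

	fmt.Println("hello, this is your shell now. type help.")
	sc := bufio.NewScanner(os.Stdin)
	for {
		fmt.Print("> ")
		if !sc.Scan() { // EOF: ^D or the connection went away
			break
		}
		r := HandleLine(sc.Text())
		if r.Text != "" {
			fmt.Println(r.Text)
		}
		if r.Quit {
			break
		}
	}
}
```

To use it as a login shell, add the binary's path to /etc/shells and set it with `chsh -s`; to use it as a forced command instead, name it in the command= option of the key. Either way the property that matters is the one HandleLine enforces: nothing the user types is ever handed to another program.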
| jagged-chisel wrote:
| > Turns out you can just run any old program.
|
| It's amazing how simple some things are. Similarly, an HTTP
| server can also run any old binary in response to an incoming
| request. As long as it produces output that looks like an HTTP
| response, the client will receive that response.
| languagehacker wrote:
| I'd be curious whether there's any security concerns on this one.
| Could an attacker craft a message that gets access to execute
| commands into a client terminal?
| freedomben wrote:
| Yeah, though SSH is already very mature at processing text, so
| it's a surprisingly good fit for a chat. I would also remember
| that any machine you SSH from is going to give the server some
| metadata like IP address, public keys (which aren't useful as
| creds but can be for tracking). Really fun little project
| though
| tjoff wrote:
| SSH might be, but maybe not your terminal. Which at the very
| least can possibly trick you using escape codes. Also, unless
| my memory fails me 'cat'ing an untrusted file isn't
| recommended for security reasons.
|
| Additionally you should disable SSH forwarding. Relevant
| thread from the startup selling coffee over SSH:
| https://news.ycombinator.com/item?id=40227624
| qudat wrote:
| This is not sshd, this is a golang binary that uses the stdlib
| ssh lib. You would have to either a) figure out how to escape
| out of a golang binary, or b) if the go code executes shell
| commands with some user provided text, trying to shell inject
| something in there.
| cwillu wrote:
| Or convince the ssh daemon to pass on terminal escape codes
| to another user.
|
| https://nvd.nist.gov/vuln/detail/CVE-2021-33477
| quackduck wrote:
| whoa
| raggi wrote:
| yup, not an extensive list, but further demonstrative:
|
| - terminal emulators are not security hardened clients against
|   malicious actors
| - ssh lacks PKI and is inconvenient so users never do prekeying in
|   practice, so it's TOFU / zero server assertion in most practical
|   cases (i.e. easy to mitm)
| - ssh channel features are a constant concern, for server resources
|   and for client features like agents, agents are easy to disable
| - most ssh implementations don't scale that well, it wasn't ever
|   really a goal to do so
| - there are few tools for auditing and monitoring, unlike the common
|   protocols/services/clients
|
| fun for toys, but i wouldn't put credit card details in there,
| unlike some streamers started doing lately.
| cwillu wrote:
| ssh definitely supports PKI, it's just not the standard workflow
| for individuals. ssh-keygen(1):
|
| > ssh-keygen supports signing of keys to produce certificates that
| > may be used for user or host authentication. Certificates consist
| > of a public key, some identity information, zero or more principal
| > (user or host) names and a set of options that are signed by a
| > Certification Authority (CA) key. Clients or servers may then
| > trust only the CA key and verify its signature on a certificate
| > rather than trusting many user/host keys. Note that OpenSSH
| > certificates are a different, and much simpler, format to the
| > X.509 certificates used in ssl(8)
| raggi wrote:
| I'm not talking about supporting public key cryptography,
| I'm talking about having a specific and usable deployment
| of a PKI. The closest thing SSH has is SSHFP, which
| depends on DNSSEC, which is according to many opinions,
| DOA.
| phoyd wrote:
| I'm also interested. Setting up a passwordless SSH account for
| some public service sounds like a good way to give your machine
| away to North Korean hackers, because you forgot to set
| something in /etc/sshd to "no".
|
| Is there a usable description somewhere on how to do this
| safely?
| quackduck wrote:
| I'd be interested in seeing that. here it's ok because it
| doesn't use sshd at all
| codetrotter wrote:
| See also: ssh-chat by shazow from ~10 years ago written in Go
| ssh chat.shazow.net
|
| The most amazing part is perhaps the fact that this one is still
| around, 10 years later! Try it yourself and you'll see :)
|
| Discussion at the time:
|
| https://news.ycombinator.com/item?id=8743374
|
| Source code in GitHub repo here:
|
| https://github.com/shazow/ssh-chat
| quackduck wrote:
| ssh-chat sort of inspired devzat. here's the story: I used to
| live in Dubai at the time and for some odd DNS reasons I could
| never actually join ssh-chat, but it acted as proof that ssh
| chats are possible, and so I decided to make my own version of
| it. Then I moved to the US and was actually able to use both
| ssh-chat and devzat.
| codetrotter wrote:
| That's so cool and nice :D
|
| Any idea what we could do to allow all of the people still in
| Dubai to join chats over ssh too?
| freedomben wrote:
| Cool, the source code is amazingly readable. Also love the sense
| of humor :-D such as
| https://github.com/quackduck/devzat/blob/main/commands.go#L1...
| knodi wrote:
| When I read this comment, I thought: good readability, it's got
| to be Go
| danslo wrote:
| I appear to have crashed the server with "tic 999", sorry guys!
| quackduck wrote:
| that wasn't it but yeah lol
| ipsum2 wrote:
| Doesn't seem to be working, the chat is frozen and I can't type
| anything.
| evbogue wrote:
| Same here, seems to have crashed.
| quackduck wrote:
| working on bringing it back, hold on
| evbogue wrote:
| Cool. Hanging!
| nedpat wrote:
| This is actually cool!
|
| But unless I'm missing something, what's the difference between
| this and IRC?
| plussed_reader wrote:
| The in-network effect.
| quackduck wrote:
| hmm? what's that
| plussed_reader wrote:
| The market force that currently propels whatsapp.
| jasonjayr wrote:
| As a gentle reminder, if you are forwarding your ssh-agent by
| default, you should connect with:
|
| ssh -o 'ForwardAgent no' $host
|
| So your secure identities are not exposed to a random ssh server
| ...
| qudat wrote:
| Pretty neat! We implemented something similar with an IRC chat
| app (senpai) in our SSH app (pico.sh). After the user creates an
| account, it lets users connect to our public IRC bouncer with a
| single command (`ssh pico.sh -t chat`).
|
| ref: https://pico.sh/irc
| quackduck wrote:
| so sorry for it being down right now. HN hug of death is real
| xyst wrote:
| Guess it's only useful as a toy :)
| quackduck wrote:
| I just have a really shit server
| bjoli wrote:
| Or the person never expected more than a couple of hundred
| concurrent users and dimensioned the container or whatever
| after that.
|
| I once wrote a similar chat, but much much worse in many
| ways, that could easily handle thousands of concurrent users,
| but hosted it on a 1mbit residential line. When Slashdot hit
| it I stood no chance.
| xyst wrote:
| Is this working for anybody else?
|
| I created a throwaway ed25519 key, reconfigured ssh config, and
| tried to connect with 'ssh chat'
|
| Nothing loads. 'ssh -v chat' isn't helpful either. ping and nc
| (on both 22 and 443) show the server (or load balancer) is
| accessible for me.
|
| Maybe a "hnfp DoS" (hacker news front page DoS)?
| n2e wrote:
| Have you tried connecting with the actual hostname directly
| instead of an alias?
|
| Edit: nvm the author said it's down
| quackduck wrote:
| back up now!
| localfirst wrote:
| what sort of server resource usage is this like right now as you
| are getting a ton of traffic?
|
| also noticed that people were able to run commands but permission
| denied. that kinda freaked me out. eventually somebody is going
| to figure out how to escape the go binary
___________________________________________________________________
(page generated 2024-07-18 23:00 UTC)