I have a Raspberry Pi running a read-only server where some friends and I have a "poor man's IRC" chat, in that we all log in from Termux and post messages to one another using `wall`. It's absolutely ridiculous and I love it.
Pretty neat! We implemented something similar with an IRC chat app (senpai) in our SSH app (pico.sh). After the user creates an account, it lets users connect to our public IRC bouncer with a single command (`ssh pico.sh -t chat`).
ssh-chat sort of inspired devzat. here's the story: I used to live in dubai at the time and for some odd dns reasons I could never actually join ssh-chat, but it acted as proof that ssh chats are possible, and so I decided to make my own version of it. then I moved to the us and was actually able to use both ssh-chat and devzat.
I'd be curious whether there's any security concerns on this one. Could an attacker craft a message that gets access to execute commands into a client terminal?
This is not sshd, this is a golang binary that uses the stdlib ssh lib. You would have to either a) figure out how to escape out of a golang binary, or b) if the go code executes shell commands with some user provided text, trying to shell inject something in there.
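One server-side mitigation for the client-terminal question raised above is to make every relayed message inert before it is written to other users' terminals. The following Go sketch is an added example, not code from this thread or from ssh-chat, devzat or pico.sh; `sanitizeMessage` and `skipEscape` are hypothetical names, and the sample message is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// skipEscape returns the index of the last rune of the sequence starting at ESC r[i].
func skipEscape(r []rune, i int) int {
	if i+1 >= len(r) {
		return i
	}
	switch r[i+1] {
	case '[': // CSI: parameter and intermediate bytes, then one final byte
		j := i + 2
		for j < len(r) && r[j] >= 0x20 && r[j] <= 0x3f {
			j++
		}
		return j // the rune after the parameters is consumed as the final byte
	case ']', 'P', 'X', '^', '_': // OSC, DCS, SOS, PM, APC string sequences
		for j := i + 2; j < len(r); j++ {
			if r[j] == 0x07 || (r[j] == '\\' && r[j-1] == 0x1b) {
				return j // treated here as ending at BEL or ST (ESC \)
			}
		}
		return len(r) // unterminated: drop the rest of the message
	}
	return i + 1 // two-character escape such as ESC c
}

// sanitizeMessage (hypothetical helper) makes a message inert before it is relayed.
func sanitizeMessage(msg string) string {
	var b strings.Builder
	r := []rune(msg) // invalid UTF-8 bytes become U+FFFD here
	for i := 0; i < len(r); i++ {
		if r[i] == 0x1b {
			i = skipEscape(r, i)
		} else if !unicode.IsControl(r[i]) { // C0, DEL and C1 controls are dropped
			b.WriteRune(r[i])
		}
	}
	return b.String()
}

func main() {
	// Constructed sample message, not taken from any real chat.
	fmt.Printf("%q\n", sanitizeMessage("hi \x1b[31mred\x1b[0m\x1b]0;title\x07 there\r\n"))
}
```

Dropping `\r` and `\n` as well keeps one user's message from drawing lines that look like they came from someone else.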
Yeah, though SSH is already very mature at processing text, so it's a surprisingly good fit for a chat. I would also remember that any machine you SSH from is going to give the server some metadata like IP address, public keys (which aren't useful as creds but can be for tracking). Really fun little project though
I'm also interested. Setting up a passwordless SSH account for some public service sounds like a good way to give your machine away to North Korean hackers, because you forgot to set something in /etc/sshd to "no".
Is there a usable description somewhere on how to do this safely?
I experimented with writing a shell replacement a while back. Turns out you can just run any old program. Here’s an example “hello world” shell replacement written in Go.
It’s amazing how simple some things are. Similarly, an HTTP server can also run any old binary in response to an incoming request. As long as it produces output that looks like an HTTP response, the client will receive that response.
I love stuff like this. I made a widget for MacOS where you can see incoming |hi messages sent to your Urbit, as a kind of poor man's p2p chat. But I didn't add a feature to send hi messages, so you still need a CLI for that.
Related: Does anyone by chance know how to configure an "anonymous" ssh account that always runs the same program? This would be great for making text mode games available to everyone without needing to support different platforms, now that windows actually ships with ssh.
If you want to use my server, it might be a little more powerful than the current one. I would self host but to be honest I'd prefer helping out with the main instance. In case, I am here
what sort of server resource usage is this like right now as you are getting a ton of traffic?
also noticed that people were able to run commands but permission denied. that kinda freaked me out. eventually somebody is going to figure out how to escape the go binary
There was also `write` [0]. It would literally parse /etc/utmp [1] to find out which terminal the recipient user was logged on, then it would open that terminal and write(2) the message to it. Ah, wonderful user isolation.
hiAndrewQuinn|1 year ago
thejosh|1 year ago
complaintdept|1 year ago
_joel|1 year ago
rwmj|1 year ago
codazoda|1 year ago
qudat|1 year ago
ref: https://pico.sh/irc
codetrotter|1 year ago
Discussion at the time:
https://news.ycombinator.com/item?id=8743374
Source code in GitHub repo here:
https://github.com/shazow/ssh-chat
quackduck|1 year ago
languagehacker|1 year ago
qudat|1 year ago
Tepix|1 year ago
Workaround: Specify another ssh keypair
freedomben|1 year ago
phoyd|1 year ago
codazoda|1 year ago
https://github.com/codazoda/goshell
jagged-chisel|1 year ago
quackduck|1 year ago
humanperhaps|1 year ago
xyst|1 year ago
yu3zhou4|1 year ago
quackduck|1 year ago
freedomben|1 year ago
knodi|1 year ago
jasonjayr|1 year ago
Aeolun|1 year ago
sdsd|1 year ago
You can see what it looks like here: https://www.youtube.com/watch?v=_bAx4Jx39jE&t=384s
(it's the widget in the bottom right of the screen)
lynx23|1 year ago
SushiHippie|1 year ago
fragmede|1 year ago
I use it for funky.nondeterministic.computer
quackduck|1 year ago
xyst|1 year ago
I created a throwaway ed25519 key, reconfigured ssh config, and tried to connect with ‘ssh chat’
Nothing loads. ‘ssh -v chat’ isn’t helpful either. ping and nc (on both 22 and 443) show the server (or load balancer) is accessible for me.
Maybe a “hnfp DoS” (hacker news front page DoS)?
n2e|1 year ago
Edit: nvm the author said it’s down
1vuio0pswjnm7|1 year ago
https://man.openbsd.org/authpf
tcsenpai|1 year ago
Tepix|1 year ago
quackduck|1 year ago
localfirst|1 year ago
quackduck|1 year ago
nedpat|1 year ago
But unless I'm missing something, what's the difference between this and IRC?
plussed_reader|1 year ago
ipsum2|1 year ago
evbogue|1 year ago
aa-jv|1 year ago
danslo|1 year ago
quackduck|1 year ago
tempestlxc|1 year ago
ingen0s|1 year ago
callwhendone|1 year ago
PORT STATE SERVICE
22/tcp closed ssh
Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
----
overloaded?
styczen|1 year ago
IRC have exchange data between server and minimalize data traffic.
still IRC is better, but maybe in future
Joker_vD|1 year ago
[0] https://man.cat-v.org/unix-6th/1/write
[1] https://man.cat-v.org/unix-6th/5/utmp