Merge pull request #439 from jagtalon/jag/readme

README: Change whitelist to allowlist
2025-04-20 02:37:41 +03:00 · 2025-03-06 12:47:46 -05:00 · 2025-03-06 12:34:58 -05:00 · 2024-09-06 14:10:40 -04:00 · 2024-09-06 14:09:21 -04:00 · 2024-09-06 14:09:03 -04:00
31 changed files with 1377 additions and 404 deletions
--- a/.github/ISSUE_TEMPLATE/BUG.yml
+++ b/.github/ISSUE_TEMPLATE/BUG.yml
@ -0,0 +1,63 @@
+name: Bug Report
+description: Create a report to fix something that is broken
+title: "[Bug]: "
+labels: ["bug", "needs-triage"]
+body:
+  - type: textarea
+    id: summary
+    validations:
+      required: true
+    attributes:
+      label: Summary
+      description: A clear and concise description of what the bug is.
+  - type: input
+    id: client-version
+    attributes:
+      label: Client version
+      description: Paste output of `ssh -V`
+    validations:
+      required: true
+  - type: input
+    id: server-version
+    attributes:
+      label: Server version
+      description: Paste output of `ssh-chat --version`
+      placeholder: e.g., ssh-chat v0.1.0
+    validations:
+      required: true
+
+  - type: input
+    id: latest-server-version
+    attributes:
+      label: Latest server version available (at time of report)
+      description: Check https://github.com/shazow/ssh-chat/releases and paste the latest version
+      placeholder: e.g., v0.2.0
+    validations:
+      required: true
+
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: To Reproduce
+      description: Steps to reproduce the behavior
+      placeholder: |
+        1. Full command to run...
+        2. Resulting output...
+      render: markdown
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected behavior
+      description: A clear and concise description of what you expected to happen.
+      placeholder: Describe the expected behavior
+    validations:
+      required: true
+
+  - type: textarea
+    id: context
+    attributes:
+      label: Additional context
+      description: Add any other context about the problem here.
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -29,4 +29,4 @@ jobs:
      run: go build -v .

    - name: Test
-      run: go test -race -vet "all" -v .
+      run: go test -race -vet "all" -v ./...
--- a/21
+++ b/21
@ -0,0 +1,21 @@
+FROM golang:alpine AS builder
+
+WORKDIR /usr/src/app
+
+COPY . .
+RUN apk add make openssh
+RUN make build
+
+
+FROM alpine
+
+RUN apk add openssh
+RUN mkdir /root/.ssh
+WORKDIR /root/.ssh
+RUN ssh-keygen -t rsa -C "chatkey" -f id_rsa
+
+WORKDIR /usr/local/bin
+
+COPY --from=builder /usr/src/app/ssh-chat .
+RUN chmod +x ssh-chat
+CMD ["/usr/local/bin/ssh-chat"]
--- a/7
+++ b/7
@ -35,6 +35,13 @@ release:
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
 	CGO_ENABLED=0 GOOS=linux GOARCH=386 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=6 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
 	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
+	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
 	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
 	CGO_ENABLED=0 GOOS=windows GOARCH=386 LDFLAGS='$(LDFLAGS)' ./build_release "github.com/shazow/ssh-chat/cmd/ssh-chat" README.md LICENSE
+
+deploy: build/ssh-chat-linux_amd64.tgz
+	ssh -p 2022 ssh.chat tar xvz < build/ssh-chat-linux_amd64.tgz
+	@echo " --- Ready to deploy ---"
+	@echo "Run: ssh -t -p 2022 ssh.chat sudo systemctl restart ssh-chat"
--- a/README.md
+++ b/README.md
@ -12,13 +12,15 @@ Custom SSH server written in Go. Instead of a shell, you get a chat prompt.

 Join the party:

-```
+``` console
 $ ssh ssh.chat
 ```

 Please abide by our [project's Code of Conduct](https://github.com/shazow/ssh-chat/blob/master/CODE_OF_CONDUCT.md) while participating in chat.

-The server's RSA key fingerprint is `MD5:e5:d5:d1:75:90:38:42:f6:c7:03:d7:d0:56:7d:6a:db` or `SHA256:HQDLlZsXL3t0lV5CHM0OXeZ5O6PcfHuzkS8cRbbTLBI`. If you see something different, you might be [MITM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)'d.
+The host's public key is `ssh.chat ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPrQofxXqoz2y9A7NFkkENt6iW8/mvpfes3RY/41Oyt` and the fingerprint is `SHA256:yoqMXkCysMTBsvhu2yRoMUl+EmZKlvkN+ZKmL3115xU` (as of 2021-10-13).
+
+If you see something different, you might be [MITM](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)'d.

 (Apologies if the server is down, try again shortly.)

@ -50,7 +52,7 @@ Additionally, `make debug` runs the server with an http `pprof` server. This all

 ## Quick Start

-```
+``` console
 Usage:
  ssh-chat [OPTIONS]

@ -60,7 +62,7 @@ Application Options:
  -i, --identity=  Private key to identify server with. (default: ~/.ssh/id_rsa)
      --bind=      Host and port to listen on. (default: 0.0.0.0:2022)
      --admin=     File of public keys who are admins.
-      --whitelist= Optional file of public keys who are allowed to connect.
+      --allowlist= Optional file of public keys who are allowed to connect.
      --motd=      Optional Message of the Day file.
      --log=       Write chat log to this file.
      --pprof=     Enable pprof http server for profiling.
@ -72,7 +74,7 @@ Help Options:
 After doing `go get github.com/shazow/ssh-chat/...` on this repo, you should be able
 to run a command like:

-```
+``` console
 $ ssh-chat --verbose --bind ":22" --identity ~/.ssh/id_dsa
 ```

--- a/auth.go
+++ b/auth.go
@ -1,11 +1,14 @@
 package sshchat

 import (
+	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/csv"
 	"errors"
 	"fmt"
 	"net"
 	"strings"
+	"sync"
 	"time"

 	"github.com/shazow/ssh-chat/set"
@ -13,13 +16,20 @@ import (
 	"golang.org/x/crypto/ssh"
 )

-// ErrNotWhitelisted Is the error returned when a key is checked that is not whitelisted,
-// when whitelisting is enabled.
-var ErrNotWhitelisted = errors.New("not whitelisted")
+// KeyLoader loads public keys, e.g. from an authorized_keys file.
+// It must return a nil slice on error.
+type KeyLoader func() ([]ssh.PublicKey, error)

-// ErrBanned is the error returned when a key is checked that is banned.
+// ErrNotAllowed Is the error returned when a key is checked that is not allowlisted,
+// when allowlisting is enabled.
+var ErrNotAllowed = errors.New("not allowed")
+
+// ErrBanned is the error returned when a client is banned.
 var ErrBanned = errors.New("banned")

+// ErrIncorrectPassphrase is the error returned when a provided passphrase is incorrect.
+var ErrIncorrectPassphrase = errors.New("incorrect passphrase")
+
 // newAuthKey returns string from an ssh.PublicKey used to index the key in our lookup.
 func newAuthKey(key ssh.PublicKey) string {
 	if key == nil {
@ -42,13 +52,20 @@ func newAuthAddr(addr net.Addr) string {
 	return host
 }

-// Auth stores lookups for bans, whitelists, and ops. It implements the sshd.Auth interface.
+// Auth stores lookups for bans, allowlists, and ops. It implements the sshd.Auth interface.
+// If the contained passphrase is not empty, it complements a allowlist.
 type Auth struct {
-	bannedAddr   *set.Set
-	bannedClient *set.Set
-	banned       *set.Set
-	whitelist    *set.Set
-	ops          *set.Set
+	passphraseHash []byte
+	bannedAddr     *set.Set
+	bannedClient   *set.Set
+	banned         *set.Set
+	allowlist      *set.Set
+	ops            *set.Set
+
+	settingsMu      sync.RWMutex
+	allowlistMode   bool
+	opLoader        KeyLoader
+	allowlistLoader KeyLoader
 }

 // NewAuth creates a new empty Auth.
@ -57,28 +74,47 @@ func NewAuth() *Auth {
 		bannedAddr:   set.New(),
 		bannedClient: set.New(),
 		banned:       set.New(),
-		whitelist:    set.New(),
+		allowlist:    set.New(),
 		ops:          set.New(),
 	}
 }

+func (a *Auth) AllowlistMode() bool {
+	a.settingsMu.RLock()
+	defer a.settingsMu.RUnlock()
+	return a.allowlistMode
+}
+
+func (a *Auth) SetAllowlistMode(value bool) {
+	a.settingsMu.Lock()
+	defer a.settingsMu.Unlock()
+	a.allowlistMode = value
+}
+
+// SetPassphrase enables passphrase authentication with the given passphrase.
+// If an empty passphrase is given, disable passphrase authentication.
+func (a *Auth) SetPassphrase(passphrase string) {
+	if passphrase == "" {
+		a.passphraseHash = nil
+	} else {
+		hashArray := sha256.Sum256([]byte(passphrase))
+		a.passphraseHash = hashArray[:]
+	}
+}
+
 // AllowAnonymous determines if anonymous users are permitted.
 func (a *Auth) AllowAnonymous() bool {
-	return a.whitelist.Len() == 0
+	return !a.AllowlistMode() && a.passphraseHash == nil
 }

-// Check determines if a pubkey fingerprint is permitted.
-func (a *Auth) Check(addr net.Addr, key ssh.PublicKey, clientVersion string) error {
-	authkey := newAuthKey(key)
+// AcceptPassphrase determines if passphrase authentication is accepted.
+func (a *Auth) AcceptPassphrase() bool {
+	return a.passphraseHash != nil
+}

-	if a.whitelist.Len() != 0 {
-		// Only check whitelist if there is something in it, otherwise it's disabled.
-		whitelisted := a.whitelist.In(authkey)
-		if !whitelisted {
-			return ErrNotWhitelisted
-		}
-		return nil
-	}
+// CheckBans checks IP, key and client bans.
+func (a *Auth) CheckBans(addr net.Addr, key ssh.PublicKey, clientVersion string) error {
+	authkey := newAuthKey(key)

 	var banned bool
 	if authkey != "" {
@ -98,6 +134,29 @@ func (a *Auth) Check(addr net.Addr, key ssh.PublicKey, clientVersion string) err
 	return nil
 }

+// CheckPubkey determines if a pubkey fingerprint is permitted.
+func (a *Auth) CheckPublicKey(key ssh.PublicKey) error {
+	authkey := newAuthKey(key)
+	allowlisted := a.allowlist.In(authkey)
+	if a.AllowAnonymous() || allowlisted || a.IsOp(key) {
+		return nil
+	} else {
+		return ErrNotAllowed
+	}
+}
+
+// CheckPassphrase determines if a passphrase is permitted.
+func (a *Auth) CheckPassphrase(passphrase string) error {
+	if !a.AcceptPassphrase() {
+		return errors.New("passphrases not accepted") // this should never happen
+	}
+	passedPassphraseHash := sha256.Sum256([]byte(passphrase))
+	if subtle.ConstantTimeCompare(passedPassphraseHash[:], a.passphraseHash) == 0 {
+		return ErrIncorrectPassphrase
+	}
+	return nil
+}
+
 // Op sets a public key as a known operator.
 func (a *Auth) Op(key ssh.PublicKey, d time.Duration) {
 	if key == nil {
@ -114,25 +173,68 @@ func (a *Auth) Op(key ssh.PublicKey, d time.Duration) {

 // IsOp checks if a public key is an op.
 func (a *Auth) IsOp(key ssh.PublicKey) bool {
-	if key == nil {
-		return false
-	}
 	authkey := newAuthKey(key)
 	return a.ops.In(authkey)
 }

-// Whitelist will set a public key as a whitelisted user.
-func (a *Auth) Whitelist(key ssh.PublicKey, d time.Duration) {
+// LoadOps sets the public keys form loader to operators and saves the loader for later use
+func (a *Auth) LoadOps(loader KeyLoader) error {
+	a.settingsMu.Lock()
+	a.opLoader = loader
+	a.settingsMu.Unlock()
+	return a.ReloadOps()
+}
+
+// ReloadOps sets the public keys from a loader saved in the last call to operators
+func (a *Auth) ReloadOps() error {
+	a.settingsMu.RLock()
+	defer a.settingsMu.RUnlock()
+	return addFromLoader(a.opLoader, a.Op)
+}
+
+// Allowlist will set a public key as a allowlisted user.
+func (a *Auth) Allowlist(key ssh.PublicKey, d time.Duration) {
 	if key == nil {
 		return
 	}
+	var err error
 	authItem := newAuthItem(key)
 	if d != 0 {
-		a.whitelist.Set(set.Expire(authItem, d))
+		err = a.allowlist.Set(set.Expire(authItem, d))
 	} else {
-		a.whitelist.Set(authItem)
+		err = a.allowlist.Set(authItem)
 	}
-	logger.Debugf("Added to whitelist: %q (for %s)", authItem.Key(), d)
+	if err == nil {
+		logger.Debugf("Added to allowlist: %q (for %s)", authItem.Key(), d)
+	} else {
+		logger.Errorf("Error adding %q to allowlist for %s: %s", authItem.Key(), d, err)
+	}
+}
+
+// LoadAllowlist adds the public keys from the loader to the allowlist and saves the loader for later use
+func (a *Auth) LoadAllowlist(loader KeyLoader) error {
+	a.settingsMu.Lock()
+	a.allowlistLoader = loader
+	a.settingsMu.Unlock()
+	return a.ReloadAllowlist()
+}
+
+//  LoadAllowlist adds the public keys from a loader saved in a previous call to the allowlist
+func (a *Auth) ReloadAllowlist() error {
+	a.settingsMu.RLock()
+	defer a.settingsMu.RUnlock()
+	return addFromLoader(a.allowlistLoader, a.Allowlist)
+}
+
+func addFromLoader(loader KeyLoader, adder func(ssh.PublicKey, time.Duration)) error {
+	if loader == nil {
+		return nil
+	}
+	keys, err := loader()
+	for _, key := range keys {
+		adder(key, 0)
+	}
+	return err
 }

 // Ban will set a public key as banned.
--- a/auth_test.go
+++ b/auth_test.go
@ -21,19 +21,20 @@ func ClonePublicKey(key ssh.PublicKey) (ssh.PublicKey, error) {
 	return ssh.ParsePublicKey(key.Marshal())
 }

-func TestAuthWhitelist(t *testing.T) {
+func TestAuthAllowlist(t *testing.T) {
 	key, err := NewRandomPublicKey(512)
 	if err != nil {
 		t.Fatal(err)
 	}

 	auth := NewAuth()
-	err = auth.Check(nil, key, "")
+	err = auth.CheckPublicKey(key)
 	if err != nil {
 		t.Error("Failed to permit in default state:", err)
 	}

-	auth.Whitelist(key, 0)
+	auth.Allowlist(key, 0)
+	auth.SetAllowlistMode(true)

 	keyClone, err := ClonePublicKey(key)
 	if err != nil {
@ -44,9 +45,9 @@ func TestAuthWhitelist(t *testing.T) {
 		t.Error("Clone key does not match.")
 	}

-	err = auth.Check(nil, keyClone, "")
+	err = auth.CheckPublicKey(keyClone)
 	if err != nil {
-		t.Error("Failed to permit whitelisted:", err)
+		t.Error("Failed to permit allowlisted:", err)
 	}

 	key2, err := NewRandomPublicKey(512)
@ -54,8 +55,42 @@ func TestAuthWhitelist(t *testing.T) {
 		t.Fatal(err)
 	}

-	err = auth.Check(nil, key2, "")
+	err = auth.CheckPublicKey(key2)
 	if err == nil {
-		t.Error("Failed to restrict not whitelisted:", err)
+		t.Error("Failed to restrict not allowlisted:", err)
+	}
+}
+
+func TestAuthPassphrases(t *testing.T) {
+	auth := NewAuth()
+
+	if auth.AcceptPassphrase() {
+		t.Error("Doesn't known it won't accept passphrases.")
+	}
+	auth.SetPassphrase("")
+	if auth.AcceptPassphrase() {
+		t.Error("Doesn't known it won't accept passphrases.")
+	}
+
+	err := auth.CheckPassphrase("Pa$$w0rd")
+	if err == nil {
+		t.Error("Failed to deny without passphrase:", err)
+	}
+
+	auth.SetPassphrase("Pa$$w0rd")
+
+	err = auth.CheckPassphrase("Pa$$w0rd")
+	if err != nil {
+		t.Error("Failed to allow vaild passphrase:", err)
+	}
+
+	err = auth.CheckPassphrase("something else")
+	if err == nil {
+		t.Error("Failed to restrict wrong passphrase:", err)
+	}
+
+	auth.SetPassphrase("")
+	if auth.AcceptPassphrase() {
+		t.Error("Didn't clear passphrase.")
 	}
 }
--- a/chat/command.go
+++ b/chat/command.go
@ -458,4 +458,72 @@ func InitCommands(c *Commands) {
 			return nil
 		},
 	})
+
+	c.Add(Command{
+		Prefix:     "/away",
+		PrefixHelp: "[REASON]",
+		Help:       "Set away reason, or empty to unset.",
+		Handler: func(room *Room, msg message.CommandMsg) error {
+			awayMsg := strings.TrimSpace(strings.TrimLeft(msg.Body(), "/away"))
+			isAway, _, _ := msg.From().GetAway()
+			msg.From().SetAway(awayMsg)
+			if awayMsg != "" {
+				room.Send(message.NewEmoteMsg("has gone away: "+awayMsg, msg.From()))
+				return nil
+			}
+			if isAway {
+				room.Send(message.NewEmoteMsg("is back.", msg.From()))
+				return nil
+			}
+			return errors.New("not away. Append a reason message to set away")
+		},
+	})
+
+	c.Add(Command{
+		Prefix: "/back",
+		Help:   "Clear away status.",
+		Handler: func(room *Room, msg message.CommandMsg) error {
+			isAway, _, _ := msg.From().GetAway()
+			if isAway {
+				msg.From().SetAway("")
+				room.Send(message.NewEmoteMsg("is back.", msg.From()))
+				return nil
+			}
+			return errors.New("must be away to be back")
+		},
+	})
+
+	c.Add(Command{
+		Op:         true,
+		Prefix:     "/mute",
+		PrefixHelp: "USER",
+		Help:       "Toggle muting USER, preventing messages from broadcasting.",
+		Handler: func(room *Room, msg message.CommandMsg) error {
+			if !room.IsOp(msg.From()) {
+				return errors.New("must be op")
+			}
+
+			args := msg.Args()
+			if len(args) == 0 {
+				return errors.New("must specify user")
+			}
+
+			member, ok := room.MemberByID(args[0])
+			if !ok {
+				return errors.New("user not found")
+			}
+
+			setMute := !member.IsMuted()
+			member.SetMute(setMute)
+			id := member.ID()
+
+			if setMute {
+				room.Send(message.NewSystemMsg("Muted: "+id, msg.From()))
+			} else {
+				room.Send(message.NewSystemMsg("Unmuted: "+id, msg.From()))
+			}
+
+			return nil
+		},
+	})
 }
--- a/chat/command_test.go
+++ b/chat/command_test.go
@ -0,0 +1,70 @@
+package chat
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/shazow/ssh-chat/chat/message"
+)
+
+func TestAwayCommands(t *testing.T) {
+	cmds := &Commands{}
+	InitCommands(cmds)
+
+	room := NewRoom()
+	go room.Serve()
+	defer room.Close()
+
+	// steps are order dependent
+	// User can be "away" or "not away" using 3 commands "/away [msg]", "/away", "/back"
+	// 2^3 possible cases, run all and verify state at the end
+	type step struct {
+		// input
+		Msg string
+
+		// expected output
+		IsUserAway  bool
+		AwayMessage string
+
+		// expected state change
+		ExpectsError func(awayBefore bool) bool
+	}
+	neverError := func(_ bool) bool { return false }
+	// if the user was away before, then the error is expected
+	errorIfAwayBefore := func(awayBefore bool) bool { return awayBefore }
+
+	awayStep := step{"/away snorkling", true, "snorkling", neverError}
+	notAwayStep := step{"/away", false, "", errorIfAwayBefore}
+	backStep := step{"/back", false, "", errorIfAwayBefore}
+
+	steps := []step{awayStep, notAwayStep, backStep}
+	cases := [][]int{
+		{0, 1, 2}, {0, 2, 1}, {1, 0, 2}, {1, 2, 0}, {2, 0, 1}, {2, 1, 0},
+	}
+	for _, c := range cases {
+		t.Run(fmt.Sprintf("Case: %d, %d, %d", c[0], c[1], c[2]), func(t *testing.T) {
+
+			u := message.NewUser(message.SimpleID("shark"))
+
+			for _, s := range []step{steps[c[0]], steps[c[1]], steps[c[2]]} {
+				msg, _ := message.NewPublicMsg(s.Msg, u).ParseCommand()
+
+				awayBeforeCommand, _, _ := u.GetAway()
+
+				err := cmds.Run(room, *msg)
+				if err != nil && s.ExpectsError(awayBeforeCommand) {
+					t.Fatalf("unexpected error running the command: %+v", err)
+				}
+
+				isAway, _, awayMsg := u.GetAway()
+				if isAway != s.IsUserAway {
+					t.Fatalf("expected user away state '%t' not equals to actual '%t' after message '%s'", s.IsUserAway, isAway, s.Msg)
+				}
+				if awayMsg != s.AwayMessage {
+					t.Fatalf("expected user away message '%s' not equal to actual '%s' after message '%s'", s.AwayMessage, awayMsg, s.Msg)
+				}
+			}
+
+		})
+	}
+}
--- a/chat/logger.go
+++ b/chat/logger.go
@ -1,7 +1,9 @@
 package chat

-import "io"
-import stdlog "log"
+import (
+	"io"
+	stdlog "log"
+)

 var logger *stdlog.Logger

--- a/chat/message/message.go
+++ b/chat/message/message.go
@ -191,10 +191,11 @@ func (m PrivateMsg) From() *User {
 }

 func (m PrivateMsg) Render(t *Theme) string {
-	s := fmt.Sprintf("[PM from %s] %s", m.from.Name(), m.body)
+	format := "[PM from %s] %s"
 	if t == nil {
-		return s
+		return fmt.Sprintf(format, m.from.ID(), m.body) 
 	}
+	s := fmt.Sprintf(format, m.from.Name(), m.body)
 	return t.ColorPM(s)
 }

--- a/chat/message/user.go
+++ b/chat/message/user.go
@ -33,10 +33,12 @@ type User struct {
 	screen    io.WriteCloser
 	closeOnce sync.Once

-	mu      sync.Mutex
-	config  UserConfig
-	replyTo *User     // Set when user gets a /msg, for replying.
-	lastMsg time.Time // When the last message was rendered
+	mu         sync.Mutex
+	config     UserConfig
+	replyTo    *User     // Set when user gets a /msg, for replying.
+	lastMsg    time.Time // When the last message was rendered.
+	awayReason string    // Away reason, "" when not away.
+	awaySince  time.Time // When away was set, 0 when not away.
 }

 func NewUser(identity Identifier) *User {
@ -71,6 +73,26 @@ func (u *User) LastMsg() time.Time {
 	return u.lastMsg
 }

+// SetAway sets the users away reason and state.
+func (u *User) SetAway(msg string) {
+	u.mu.Lock()
+	defer u.mu.Unlock()
+	u.awayReason = msg
+	if msg == "" {
+		u.awaySince = time.Time{}
+	} else {
+		// Reset away timer even if already away
+		u.awaySince = time.Now()
+	}
+}
+
+// GetAway returns if the user is away, when they went away, and the reason.
+func (u *User) GetAway() (bool, time.Time, string) {
+	u.mu.Lock()
+	defer u.mu.Unlock()
+	return u.awayReason != "", u.awaySince, u.awayReason
+}
+
 func (u *User) Config() UserConfig {
 	u.mu.Lock()
 	defer u.mu.Unlock()
@ -121,7 +143,9 @@ func (u *User) setColorIdx(idx int) {
 func (u *User) Close() {
 	u.closeOnce.Do(func() {
 		if u.screen != nil {
-			u.screen.Close()
+			if err := u.screen.Close(); err != nil {
+				logger.Printf("Failed to close user %q screen: %s", u.ID(), err)
+			}
 		}
 		// close(u.msg) TODO: Close?
 		close(u.done)
--- a/chat/room.go
+++ b/chat/room.go
@ -27,6 +27,23 @@ var ErrInvalidName = errors.New("invalid name")
 type Member struct {
 	*message.User
 	IsOp bool
+
+	// TODO: Move IsOp under mu?
+
+	mu      sync.Mutex
+	isMuted bool // When true, messages should not be broadcasted.
+}
+
+func (m *Member) IsMuted() bool {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	return m.isMuted
+}
+
+func (m *Member) SetMute(muted bool) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.isMuted = muted
 }

 // Room definition, also a Set of User Items
@ -84,6 +101,20 @@ func (r *Room) HandleMsg(m message.Message) {
 		fromID = fromMsg.From().ID()
 	}

+	if fromID != "" {
+		if item, err := r.Members.Get(fromID); err != nil {
+			// Message from a member who is not in the room, this should not happen.
+			logger.Printf("Room received unexpected message from a non-member: %v", m)
+			return
+		} else if member, ok := item.Value().(*Member); ok && member.IsMuted() {
+			// Short circuit message handling for muted users
+			if _, ok = m.(*message.CommandMsg); !ok {
+				member.User.Send(m)
+			}
+			return
+		}
+	}
+
 	switch m := m.(type) {
 	case *message.CommandMsg:
 		cmd := *m
@ -150,6 +181,7 @@ func (r *Room) Join(u *message.User) (*Member, error) {
 	if err != nil {
 		return nil, err
 	}
+	// TODO: Remove user ID from sets, probably referring to a prior user.
 	r.History(u)
 	s := fmt.Sprintf("%s joined. (Connected: %d)", u.Name(), r.Members.Len())
 	r.Send(message.NewAnnounceMsg(s))
--- a/chat/room_test.go
+++ b/chat/room_test.go
@ -158,6 +158,94 @@ func TestIgnore(t *testing.T) {
 	expectOutput(t, buffer, ignored.user.Name()+": hello again!"+message.Newline)
 }

+func TestMute(t *testing.T) {
+	var buffer []byte
+
+	ch := NewRoom()
+	go ch.Serve()
+	defer ch.Close()
+
+	// Create 3 users, join the room and clear their screen buffers
+	users := make([]ScreenedUser, 3)
+	members := make([]*Member, 3)
+	for i := 0; i < 3; i++ {
+		screen := &MockScreen{}
+		user := message.NewUserScreen(message.SimpleID(fmt.Sprintf("user%d", i)), screen)
+		users[i] = ScreenedUser{
+			user:   user,
+			screen: screen,
+		}
+
+		member, err := ch.Join(user)
+		if err != nil {
+			t.Fatal(err)
+		}
+		members[i] = member
+	}
+
+	for _, u := range users {
+		for i := 0; i < 3; i++ {
+			u.user.HandleMsg(u.user.ConsumeOne())
+			u.screen.Read(&buffer)
+		}
+	}
+
+	// Use some handy variable names for distinguish between roles
+	muter := users[0]
+	muted := users[1]
+	other := users[2]
+
+	members[0].IsOp = true
+
+	// test muting unexisting user
+	if err := sendCommand("/mute test", muter, ch, &buffer); err != nil {
+		t.Fatal(err)
+	}
+	expectOutput(t, buffer, "-> Err: user not found"+message.Newline)
+
+	// test muting by non-op
+	if err := sendCommand("/mute "+muted.user.Name(), other, ch, &buffer); err != nil {
+		t.Fatal(err)
+	}
+	expectOutput(t, buffer, "-> Err: must be op"+message.Newline)
+
+	// test muting existing user
+	if err := sendCommand("/mute "+muted.user.Name(), muter, ch, &buffer); err != nil {
+		t.Fatal(err)
+	}
+	expectOutput(t, buffer, "-> Muted: "+muted.user.Name()+message.Newline)
+
+	if got, want := members[1].IsMuted(), true; got != want {
+		t.Error("muted user failed to set mute flag")
+	}
+
+	// when an emote is sent by a muted user, it should not be displayed for anyone
+	ch.HandleMsg(message.NewPublicMsg("hello!", muted.user))
+	ch.HandleMsg(message.NewEmoteMsg("is crying", muted.user))
+
+	if muter.user.HasMessages() {
+		muter.user.HandleMsg(muter.user.ConsumeOne())
+		muter.screen.Read(&buffer)
+		t.Errorf("muter should not have messages: %s", buffer)
+	}
+	if other.user.HasMessages() {
+		other.user.HandleMsg(other.user.ConsumeOne())
+		other.screen.Read(&buffer)
+		t.Errorf("other should not have messages: %s", buffer)
+	}
+
+	// test unmuting
+	if err := sendCommand("/mute "+muted.user.Name(), muter, ch, &buffer); err != nil {
+		t.Fatal(err)
+	}
+	expectOutput(t, buffer, "-> Unmuted: "+muted.user.Name()+message.Newline)
+
+	ch.HandleMsg(message.NewPublicMsg("hello again!", muted.user))
+	other.user.HandleMsg(other.user.ConsumeOne())
+	other.screen.Read(&buffer)
+	expectOutput(t, buffer, muted.user.Name()+": hello again!"+message.Newline)
+}
+
 func expectOutput(t *testing.T, buffer []byte, expected string) {
 	t.Helper()

--- a/cmd/ssh-chat/cmd.go
+++ b/cmd/ssh-chat/cmd.go
@ -2,7 +2,6 @@ package main

 import (
 	"bufio"
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@ -10,7 +9,6 @@ import (
 	"os/signal"
 	"os/user"
 	"strings"
-	"time"

 	"github.com/alexcesaro/log"
 	"github.com/alexcesaro/log/golog"
@ -30,16 +28,17 @@ var Version string = "dev"

 // Options contains the flag options
 type Options struct {
-	Admin      string `long:"admin" description:"File of public keys who are admins."`
-	Bind       string `long:"bind" description:"Host and port to listen on." default:"0.0.0.0:2022"`
-	Identity   string `short:"i" long:"identity" description:"Private key to identify server with." default:"~/.ssh/id_rsa"`
-	Log        string `long:"log" description:"Write chat log to this file."`
-	Motd       string `long:"motd" description:"Optional Message of the Day file."`
-	Pprof      int    `long:"pprof" description:"Enable pprof http server for profiling."`
-	Verbose    []bool `short:"v" long:"verbose" description:"Show verbose logging."`
-	Version    bool   `long:"version" description:"Print version and exit."`
-	Whitelist  string `long:"whitelist" description:"Optional file of public keys who are allowed to connect."`
-	Passphrase string `long:"unsafe-passphrase" description:"Require an interactive passphrase to connect. Whitelist feature is more secure."`
+	Admin      string   `long:"admin" description:"File of public keys who are admins."`
+	Bind       string   `long:"bind" description:"Host and port to listen on." default:"0.0.0.0:2022"`
+	Identity   []string `short:"i" long:"identity" description:"Private key to identify server with." default:"~/.ssh/id_rsa"`
+	Log        string   `long:"log" description:"Write chat log to this file."`
+	Motd       string   `long:"motd" description:"Optional Message of the Day file."`
+	Pprof      int      `long:"pprof" description:"Enable pprof http server for profiling."`
+	Verbose    []bool   `short:"v" long:"verbose" description:"Show verbose logging."`
+	Version    bool     `long:"version" description:"Print version and exit."`
+	Allowlist  string   `long:"allowlist" description:"Optional file of public keys who are allowed to connect."`
+	Whitelist  string   `long:"whitelist" dexcription:"Old name for allowlist option"`
+	Passphrase string   `long:"unsafe-passphrase" description:"Require an interactive passphrase to connect. Allowlist feature is more secure."`
 }

 const extraHelp = `There are hidden options and easter eggs in ssh-chat. The source code is a good
@ -89,7 +88,7 @@ func main() {

 	// Figure out the log level
 	numVerbose := len(options.Verbose)
-	if numVerbose > len(logLevels) {
+	if numVerbose >= len(logLevels) {
 		numVerbose = len(logLevels) - 1
 	}

@ -104,61 +103,26 @@ func main() {
 		message.SetLogger(os.Stderr)
 	}

-	privateKeyPath := options.Identity
-	if strings.HasPrefix(privateKeyPath, "~/") {
-		user, err := user.Current()
-		if err == nil {
-			privateKeyPath = strings.Replace(privateKeyPath, "~", user.HomeDir, 1)
-		}
-	}
-
-	signer, err := ReadPrivateKey(privateKeyPath)
-	if err != nil {
-		fail(3, "Failed to read identity private key: %v\n", err)
-	}
-
 	auth := sshchat.NewAuth()
 	config := sshd.MakeAuth(auth)
-	config.AddHostKey(signer)
 	config.ServerVersion = "SSH-2.0-Go ssh-chat"
 	// FIXME: Should we be using config.NoClientAuth = true by default?

-	if options.Passphrase != "" {
-		if options.Whitelist != "" {
-			logger.Warning("Passphrase is disabled while whitelist is enabled.")
-		}
-		if config.KeyboardInteractiveCallback != nil {
-			fail(1, "Passphrase authentication conflicts with existing KeyboardInteractive setup.") // This should not happen
-		}
-
-		// We use KeyboardInteractiveCallback instead of PasswordCallback to
-		// avoid preventing the client from including a pubkey in the user
-		// identification.
-		config.KeyboardInteractiveCallback = func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
-			answers, err := challenge("", "", []string{"Passphrase required to connect: "}, []bool{true})
-			if err != nil {
-				return nil, err
-			}
-			if len(answers) == 1 && answers[0] == options.Passphrase {
-				// Success
-				return nil, nil
-			}
-			// It's not gonna do much but may as well throttle brute force attempts a little
-			time.Sleep(2 * time.Second)
-
-			return nil, errors.New("incorrect passphrase")
-		}
-
-		// We also need to override the PublicKeyCallback to prevent rando pubkeys from bypassing
-		cb := config.PublicKeyCallback
-		config.PublicKeyCallback = func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-			perms, err := cb(conn, key)
+	for _, privateKeyPath := range options.Identity {
+		if strings.HasPrefix(privateKeyPath, "~/") {
+			user, err := user.Current()
 			if err == nil {
-				err = errors.New("passphrase authentication required")
+				privateKeyPath = strings.Replace(privateKeyPath, "~", user.HomeDir, 1)
 			}
-			return perms, err
 		}

+		signer, err := ReadPrivateKey(privateKeyPath)
+		if err != nil {
+			fail(3, "Failed to read identity private key: %v\n", err)
+		}
+
+		config.AddHostKey(signer)
+		fmt.Printf("Added server identity: %s\n", sshd.Fingerprint(signer.PublicKey()))
 	}

 	s, err := sshd.ListenSSH(options.Bind, config)
@ -174,35 +138,24 @@ func main() {
 	host.SetTheme(message.Themes[0])
 	host.Version = Version

-	err = fromFile(options.Admin, func(line []byte) error {
-		key, _, _, _, err := ssh.ParseAuthorizedKey(line)
-		if err != nil {
-			if err.Error() == "ssh: no key found" {
-				return nil // Skip line
-			}
-			return err
-		}
-		auth.Op(key, 0)
-		return nil
-	})
+	if options.Passphrase != "" {
+		auth.SetPassphrase(options.Passphrase)
+	}
+
+	err = auth.LoadOps(loaderFromFile(options.Admin, logger))
 	if err != nil {
 		fail(5, "Failed to load admins: %v\n", err)
 	}

-	err = fromFile(options.Whitelist, func(line []byte) error {
-		key, _, _, _, err := ssh.ParseAuthorizedKey(line)
-		if err != nil {
-			if err.Error() == "ssh: no key found" {
-				return nil // Skip line
-			}
-			return err
-		}
-		auth.Whitelist(key, 0)
-		return nil
-	})
-	if err != nil {
-		fail(6, "Failed to load whitelist: %v\n", err)
+	if options.Allowlist == "" && options.Whitelist != "" {
+		fmt.Println("--whitelist was renamed to --allowlist.")
+		options.Allowlist = options.Whitelist
 	}
+	err = auth.LoadAllowlist(loaderFromFile(options.Allowlist, logger))
+	if err != nil {
+		fail(6, "Failed to load allowlist: %v\n", err)
+	}
+	auth.SetAllowlistMode(options.Allowlist != "")

 	if options.Motd != "" {
 		host.GetMOTD = func() (string, error) {
@ -243,24 +196,32 @@ func main() {
 	fmt.Fprintln(os.Stderr, "Interrupt signal detected, shutting down.")
 }

-func fromFile(path string, handler func(line []byte) error) error {
+func loaderFromFile(path string, logger *golog.Logger) sshchat.KeyLoader {
 	if path == "" {
-		// Skip
 		return nil
 	}
-
-	file, err := os.Open(path)
-	if err != nil {
-		return err
-	}
-	defer file.Close()
-
-	scanner := bufio.NewScanner(file)
-	for scanner.Scan() {
-		err := handler(scanner.Bytes())
+	return func() ([]ssh.PublicKey, error) {
+		file, err := os.Open(path)
 		if err != nil {
-			return err
+			return nil, err
 		}
+		defer file.Close()
+
+		var keys []ssh.PublicKey
+		scanner := bufio.NewScanner(file)
+		for scanner.Scan() {
+			key, _, _, _, err := ssh.ParseAuthorizedKey(scanner.Bytes())
+			if err != nil {
+				if err.Error() == "ssh: no key found" {
+					continue // Skip line
+				}
+				return nil, err
+			}
+			keys = append(keys, key)
+		}
+		if keys == nil {
+			logger.Warning("file", path, "contained no keys")
+		}
+		return keys, nil
 	}
-	return nil
 }
--- a/cmd/ssh-chat/key.go
+++ b/cmd/ssh-chat/key.go
@ -4,9 +4,10 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"syscall"

-	"github.com/howeyc/gopass"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/term"
 )

 // ReadPrivateKey attempts to read your private key and possibly decrypt it if it
@ -24,8 +25,8 @@ func ReadPrivateKey(path string) (ssh.Signer, error) {
 	} else if _, ok := err.(*ssh.PassphraseMissingError); ok {
 		passphrase := []byte(os.Getenv("IDENTITY_PASSPHRASE"))
 		if len(passphrase) == 0 {
-			fmt.Print("Enter passphrase: ")
-			passphrase, err = gopass.GetPasswd()
+			fmt.Println("Enter passphrase to unlock identity private key:", path)
+			passphrase, err = term.ReadPassword(int(syscall.Stdin))
 			if err != nil {
 				return nil, fmt.Errorf("couldn't read passphrase: %v", err)
 			}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,13 @@
+version: '3.2'
+services:
+  app:
+    container_name: ssh-chat
+    build: .
+    ports:
+      - 2022:2022
+    restart: unless-stopped
+    volumes:
+      - type: bind
+        source: ~/.ssh/
+        target: /root/.ssh/
+        read_only: true
--- a/go.mod
+++ b/go.mod
@ -2,12 +2,13 @@ module github.com/shazow/ssh-chat

 require (
 	github.com/alexcesaro/log v0.0.0-20150915221235-61e686294e58
-	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
-	github.com/jessevdk/go-flags v1.4.0
+	github.com/jessevdk/go-flags v1.5.0
 	github.com/shazow/rateio v0.0.0-20200113175441-4461efc8bdc4
-	golang.org/x/crypto v0.0.0-20200420104511-884d27f42877
-	golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f
-	golang.org/x/text v0.3.2
+	golang.org/x/crypto v0.17.0
+	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.15.0
+	golang.org/x/term v0.15.0
+	golang.org/x/text v0.14.0
 )

 go 1.13
--- a/go.sum
+++ b/go.sum
@ -1,28 +1,50 @@
 github.com/alexcesaro/log v0.0.0-20150915221235-61e686294e58 h1:MkpmYfld/S8kXqTYI68DfL8/hHXjHogL120Dy00TIxc=
 github.com/alexcesaro/log v0.0.0-20150915221235-61e686294e58/go.mod h1:YNfsMyWSs+h+PaYkxGeMVmVCX75Zj/pqdjbu12ciCYE=
-github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c h1:kQWxfPIHVLbgLzphqk3QUflDy9QdksZR4ygR807bpy0=
-github.com/howeyc/gopass v0.0.0-20170109162249-bf9dde6d0d2c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
-github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c h1:aY2hhxLhjEAbfXOx2nRJxCXezC6CO2V/yN+OCr1srtk=
-github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
-github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/shazow/rateio v0.0.0-20150116013248-e8e00881e5c1 h1:Lx3BlDGFElJt4u/zKc9A3BuGYbQAGlEFyPuUA3jeMD0=
-github.com/shazow/rateio v0.0.0-20150116013248-e8e00881e5c1/go.mod h1:vt2jWY/3Qw1bIzle5thrJWucsLuuX9iUNnp20CqCciI=
+github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc=
+github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/shazow/rateio v0.0.0-20200113175441-4461efc8bdc4 h1:zwQ1HBo5FYwn1ksMd19qBCKO8JAWE9wmHivEpkw/DvE=
 github.com/shazow/rateio v0.0.0-20200113175441-4461efc8bdc4/go.mod h1:vt2jWY/3Qw1bIzle5thrJWucsLuuX9iUNnp20CqCciI=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576 h1:aUX/1G2gFSs4AsJJg2cL3HuoRhCSCz733FE5GUSuaT4=
-golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200420104511-884d27f42877 h1:IhZPbxNd1UjBCaD5AfpSSbJTRlp+ZSuyuH5uoksNS04=
-golang.org/x/crypto v0.0.0-20200420104511-884d27f42877/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54 h1:xe1/2UUJRmA9iDglQSlkx8c5n3twv58+K0mPpC2zmhA=
-golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f h1:gWF768j/LaZugp8dyS4UwsslYCYz9XgFxvlgsn0n9H8=
-golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/host.go
+++ b/host.go
@ -9,11 +9,14 @@ import (
 	"sync"
 	"time"

+	"golang.org/x/crypto/ssh"
+
 	"github.com/shazow/rateio"
 	"github.com/shazow/ssh-chat/chat"
 	"github.com/shazow/ssh-chat/chat/message"
 	"github.com/shazow/ssh-chat/internal/humantime"
 	"github.com/shazow/ssh-chat/internal/sanitize"
+	"github.com/shazow/ssh-chat/set"
 	"github.com/shazow/ssh-chat/sshd"
 )

@ -49,6 +52,8 @@ type Host struct {

 	// GetMOTD is used to reload the motd from an external source
 	GetMOTD func() (string, error)
+	// OnUserJoined is used to notify when a user joins a host
+	OnUserJoined func(*message.User)
 }

 // NewHost creates a Host on top of an existing listener.
@ -114,6 +119,33 @@ func (h *Host) Connect(term *sshd.Terminal) {
 	}

 	user.SetConfig(cfg)
+	go user.Consume()
+
+	// Close term once user is closed.
+	defer user.Close()
+	defer term.Close()
+
+	h.mu.Lock()
+	motd := h.motd
+	count := h.count
+	h.count++
+	h.mu.Unlock()
+
+	// Send MOTD
+	if motd != "" && !apiMode {
+		user.Send(message.NewAnnounceMsg(motd))
+	}
+
+	member, err := h.Join(user)
+	if err != nil {
+		// Try again...
+		id.SetName(fmt.Sprintf("Guest%d", count))
+		member, err = h.Join(user)
+	}
+	if err != nil {
+		logger.Errorf("[%s] Failed to join: %s", term.Conn.RemoteAddr(), err)
+		return
+	}

 	// Load user config overrides from ENV
 	// TODO: Would be nice to skip the command parsing pipeline just to load
@ -140,34 +172,6 @@ func (h *Host) Connect(term *sshd.Terminal) {
 		}
 	}

-	go user.Consume()
-
-	// Close term once user is closed.
-	defer user.Close()
-	defer term.Close()
-
-	h.mu.Lock()
-	motd := h.motd
-	count := h.count
-	h.count++
-	h.mu.Unlock()
-
-	// Send MOTD
-	if motd != "" {
-		user.Send(message.NewAnnounceMsg(motd))
-	}
-
-	member, err := h.Join(user)
-	if err != nil {
-		// Try again...
-		id.SetName(fmt.Sprintf("Guest%d", count))
-		member, err = h.Join(user)
-	}
-	if err != nil {
-		logger.Errorf("[%s] Failed to join: %s", term.Conn.RemoteAddr(), err)
-		return
-	}
-
 	// Successfully joined.
 	if !apiMode {
 		term.SetPrompt(GetPrompt(user))
@ -183,6 +187,10 @@ func (h *Host) Connect(term *sshd.Terminal) {

 	logger.Debugf("[%s] Joined: %s", term.Conn.RemoteAddr(), user.Name())

+	if h.OnUserJoined != nil {
+		h.OnUserJoined(user)
+	}
+
 	for {
 		line, err := term.ReadLine()
 		if err == io.EOF {
@ -334,6 +342,20 @@ func (h *Host) GetUser(name string) (*message.User, bool) {
 // InitCommands adds host-specific commands to a Commands container. These will
 // override any existing commands.
 func (h *Host) InitCommands(c *chat.Commands) {
+	sendPM := func(room *chat.Room, msg string, from *message.User, target *message.User) error {
+		m := message.NewPrivateMsg(msg, from, target)
+		room.Send(&m)
+
+		txt := fmt.Sprintf("[Sent PM to %s]", target.Name())
+		if isAway, _, awayReason := target.GetAway(); isAway {
+			txt += " Away: " + awayReason
+		}
+		sysMsg := message.NewSystemMsg(txt, from)
+		room.Send(sysMsg)
+		target.SetReplyTo(from)
+		return nil
+	}
+
 	c.Add(chat.Command{
 		Prefix:     "/msg",
 		PrefixHelp: "USER MESSAGE",
@ -352,14 +374,7 @@ func (h *Host) InitCommands(c *chat.Commands) {
 				return errors.New("user not found")
 			}

-			m := message.NewPrivateMsg(strings.Join(args[1:], " "), msg.From(), target)
-			room.Send(&m)
-
-			txt := fmt.Sprintf("[Sent PM to %s]", target.Name())
-			ms := message.NewSystemMsg(txt, msg.From())
-			room.Send(ms)
-			target.SetReplyTo(msg.From())
-			return nil
+			return sendPM(room, strings.Join(args[1:], " "), msg.From(), target)
 		},
 	})

@ -379,20 +394,12 @@ func (h *Host) InitCommands(c *chat.Commands) {
 				return errors.New("no message to reply to")
 			}

-			name := target.Name()
-			_, found := h.GetUser(name)
+			_, found := h.GetUser(target.ID())
 			if !found {
 				return errors.New("user not found")
 			}

-			m := message.NewPrivateMsg(strings.Join(args, " "), msg.From(), target)
-			room.Send(&m)
-
-			txt := fmt.Sprintf("[Sent PM to %s]", name)
-			ms := message.NewSystemMsg(txt, msg.From())
-			room.Send(ms)
-			target.SetReplyTo(msg.From())
-			return nil
+			return sendPM(room, strings.Join(args, " "), msg.From(), target)
 		},
 	})

@ -416,7 +423,7 @@ func (h *Host) InitCommands(c *chat.Commands) {
 			case true:
 				whois = id.WhoisAdmin(room)
 			case false:
-				whois = id.Whois()
+				whois = id.Whois(room)
 			}
 			room.Send(message.NewSystemMsg(whois, msg.From()))

@ -509,7 +516,7 @@ func (h *Host) InitCommands(c *chat.Commands) {
 			room.Send(message.NewAnnounceMsg(body))
 			target.Close()

-			logger.Debugf("Banned: \n-> %s", id.Whois())
+			logger.Debugf("Banned: \n-> %s", id.Whois(room))

 			return nil
 		},
@ -691,4 +698,202 @@ func (h *Host) InitCommands(c *chat.Commands) {
 			return nil
 		},
 	})
+
+	forConnectedUsers := func(cmd func(*chat.Member, ssh.PublicKey) error) error {
+		return h.Members.Each(func(key string, item set.Item) error {
+			v := item.Value()
+			if v == nil { // expired between Each and here
+				return nil
+			}
+			user := v.(*chat.Member)
+			pk := user.Identifier.(*Identity).PublicKey()
+			return cmd(user, pk)
+		})
+	}
+
+	forPubkeyUser := func(args []string, cmd func(ssh.PublicKey)) (errors []string) {
+		invalidUsers := []string{}
+		invalidKeys := []string{}
+		noKeyUsers := []string{}
+		var keyType string
+		for _, v := range args {
+			switch {
+			case keyType != "":
+				pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(keyType + " " + v))
+				if err == nil {
+					cmd(pk)
+				} else {
+					invalidKeys = append(invalidKeys, keyType+" "+v)
+				}
+				keyType = ""
+			case strings.HasPrefix(v, "ssh-"):
+				keyType = v
+			default:
+				user, ok := h.GetUser(v)
+				if ok {
+					pk := user.Identifier.(*Identity).PublicKey()
+					if pk == nil {
+						noKeyUsers = append(noKeyUsers, user.Identifier.Name())
+					} else {
+						cmd(pk)
+					}
+				} else {
+					invalidUsers = append(invalidUsers, v)
+				}
+			}
+		}
+		if len(noKeyUsers) != 0 {
+			errors = append(errors, fmt.Sprintf("users without a public key: %v", noKeyUsers))
+		}
+		if len(invalidUsers) != 0 {
+			errors = append(errors, fmt.Sprintf("invalid users: %v", invalidUsers))
+		}
+		if len(invalidKeys) != 0 {
+			errors = append(errors, fmt.Sprintf("invalid keys: %v", invalidKeys))
+		}
+		return
+	}
+
+	allowlistHelptext := []string{
+		"Usage: /allowlist help | on | off | add {PUBKEY|USER}... | remove {PUBKEY|USER}... | import [AGE] | reload {keep|flush} | reverify | status",
+		"help: this help message",
+		"on, off: set allowlist mode (applies to new connections)",
+		"add, remove: add or remove keys from the allowlist",
+		"import: add all keys of users connected since AGE (default 0) ago to the allowlist",
+		"reload: re-read the allowlist file and keep or discard entries in the current allowlist but not in the file",
+		"reverify: kick all users not in the allowlist if allowlisting is enabled",
+		"status: show status information",
+	}
+
+	allowlistImport := func(args []string) (msgs []string, err error) {
+		var since time.Duration
+		if len(args) > 0 {
+			since, err = time.ParseDuration(args[0])
+			if err != nil {
+				return
+			}
+		}
+		cutoff := time.Now().Add(-since)
+		noKeyUsers := []string{}
+		forConnectedUsers(func(user *chat.Member, pk ssh.PublicKey) error {
+			if user.Joined().Before(cutoff) {
+				if pk == nil {
+					noKeyUsers = append(noKeyUsers, user.Identifier.Name())
+				} else {
+					h.auth.Allowlist(pk, 0)
+				}
+			}
+			return nil
+		})
+		if len(noKeyUsers) != 0 {
+			msgs = []string{fmt.Sprintf("users without a public key: %v", noKeyUsers)}
+		}
+		return
+	}
+
+	allowlistReload := func(args []string) error {
+		if !(len(args) > 0 && (args[0] == "keep" || args[0] == "flush")) {
+			return errors.New("must specify whether to keep or flush current entries")
+		}
+		if args[0] == "flush" {
+			h.auth.allowlist.Clear()
+		}
+		return h.auth.ReloadAllowlist()
+	}
+
+	allowlistReverify := func(room *chat.Room) []string {
+		if !h.auth.AllowlistMode() {
+			return []string{"allowlist is disabled, so nobody will be kicked"}
+		}
+		var kicked []string
+		forConnectedUsers(func(user *chat.Member, pk ssh.PublicKey) error {
+			if h.auth.CheckPublicKey(pk) != nil && !user.IsOp { // we do this check here as well for ops without keys
+				kicked = append(kicked, user.Name())
+				user.Close()
+			}
+			return nil
+		})
+		if kicked != nil {
+			room.Send(message.NewAnnounceMsg("Kicked during pubkey reverification: " + strings.Join(kicked, ", ")))
+		}
+		return nil
+	}
+
+	allowlistStatus := func() (msgs []string) {
+		if h.auth.AllowlistMode() {
+			msgs = []string{"allowlist enabled"}
+		} else {
+			msgs = []string{"allowlist disabled"}
+		}
+		allowlistedUsers := []string{}
+		allowlistedKeys := []string{}
+		h.auth.allowlist.Each(func(key string, item set.Item) error {
+			keyFP := item.Key()
+			if forConnectedUsers(func(user *chat.Member, pk ssh.PublicKey) error {
+				if pk != nil && sshd.Fingerprint(pk) == keyFP {
+					allowlistedUsers = append(allowlistedUsers, user.Name())
+					return io.EOF
+				}
+				return nil
+			}) == nil {
+				// if we land here, the key matches no users
+				allowlistedKeys = append(allowlistedKeys, keyFP)
+			}
+			return nil
+		})
+		if len(allowlistedUsers) != 0 {
+			msgs = append(msgs, "Connected users on the allowlist: "+strings.Join(allowlistedUsers, ", "))
+		}
+		if len(allowlistedKeys) != 0 {
+			msgs = append(msgs, "Keys on the allowlist without connected user: "+strings.Join(allowlistedKeys, ", "))
+		}
+		return
+	}
+
+	c.Add(chat.Command{
+		Op:         true,
+		Prefix:     "/allowlist",
+		PrefixHelp: "COMMAND [ARGS...]",
+		Help:       "Modify the allowlist or allowlist state. See /allowlist help for subcommands",
+		Handler: func(room *chat.Room, msg message.CommandMsg) (err error) {
+			if !room.IsOp(msg.From()) {
+				return errors.New("must be op")
+			}
+
+			args := msg.Args()
+			if len(args) == 0 {
+				args = []string{"help"}
+			}
+
+			// send exactly one message to preserve order
+			var replyLines []string
+
+			switch args[0] {
+			case "help":
+				replyLines = allowlistHelptext
+			case "on":
+				h.auth.SetAllowlistMode(true)
+			case "off":
+				h.auth.SetAllowlistMode(false)
+			case "add":
+				replyLines = forPubkeyUser(args[1:], func(pk ssh.PublicKey) { h.auth.Allowlist(pk, 0) })
+			case "remove":
+				replyLines = forPubkeyUser(args[1:], func(pk ssh.PublicKey) { h.auth.Allowlist(pk, 1) })
+			case "import":
+				replyLines, err = allowlistImport(args[1:])
+			case "reload":
+				err = allowlistReload(args[1:])
+			case "reverify":
+				replyLines = allowlistReverify(room)
+			case "status":
+				replyLines = allowlistStatus()
+			default:
+				err = errors.New("invalid subcommand: " + args[0])
+			}
+			if err == nil && replyLines != nil {
+				room.Send(message.NewSystemMsg(strings.Join(replyLines, "\r\n"), msg.From()))
+			}
+			return
+		},
+	})
 }
--- a/host_test.go
+++ b/host_test.go
@ -2,9 +2,8 @@ package sshchat

 import (
 	"bufio"
-	"crypto/rand"
-	"crypto/rsa"
 	"errors"
+	"fmt"
 	"io"
 	mathRand "math/rand"
 	"strings"
@ -13,6 +12,7 @@ import (
 	"github.com/shazow/ssh-chat/chat/message"
 	"github.com/shazow/ssh-chat/sshd"
 	"golang.org/x/crypto/ssh"
+	"golang.org/x/sync/errgroup"
 )

 func stripPrompt(s string) string {
@ -23,9 +23,15 @@ func stripPrompt(s string) string {
 	if endPos := strings.Index(s, "\x1b[2K "); endPos > 0 {
 		return s[endPos+4:]
 	}
+	if endPos := strings.Index(s, "\x1b[K-> "); endPos > 0 {
+		return s[endPos+6:]
+	}
 	if endPos := strings.Index(s, "] "); endPos > 0 {
 		return s[endPos+2:]
 	}
+	if strings.HasPrefix(s, "-> ") {
+		return s[3:]
+	}
 	return s
 }

@ -42,6 +48,14 @@ func TestStripPrompt(t *testing.T) {
 			Input: "[foo] \x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[D\x1b[K * Guest1 joined. (Connected: 2)\r",
 			Want:  " * Guest1 joined. (Connected: 2)\r",
 		},
+		{
+			Input: "[foo] \x1b[6D\x1b[K-> From your friendly system.\r",
+			Want:  "From your friendly system.\r",
+		},
+		{
+			Input: "-> Err: must be op.\r",
+			Want:  "Err: must be op.\r",
+		},
 	}

 	for i, tc := range tests {
@ -75,153 +89,263 @@ func TestHostGetPrompt(t *testing.T) {
 	}
 }

-func TestHostNameCollision(t *testing.T) {
-	key, err := sshd.NewRandomSigner(512)
+func getHost(t *testing.T, auth *Auth) (*sshd.SSHListener, *Host) {
+	key, err := sshd.NewRandomSigner(1024)
 	if err != nil {
 		t.Fatal(err)
 	}
-	config := sshd.MakeNoAuth()
+	var config *ssh.ServerConfig
+	if auth == nil {
+		config = sshd.MakeNoAuth()
+	} else {
+		config = sshd.MakeAuth(auth)
+	}
 	config.AddHostKey(key)

 	s, err := sshd.ListenSSH("localhost:0", config)
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer s.Close()
-	host := NewHost(s, nil)
-	go host.Serve()
-
-	done := make(chan struct{}, 1)
-
-	// First client
-	go func() {
-		err := sshd.ConnectShell(s.Addr().String(), "foo", func(r io.Reader, w io.WriteCloser) error {
-			scanner := bufio.NewScanner(r)
-
-			// Consume the initial buffer
-			scanner.Scan()
-			actual := stripPrompt(scanner.Text())
-			expected := " * foo joined. (Connected: 1)\r"
-			if actual != expected {
-				t.Errorf("Got %q; expected %q", actual, expected)
-			}
-
-			// Ready for second client
-			done <- struct{}{}
-
-			scanner.Scan()
-			actual = scanner.Text()
-			// This check has to happen second because prompt doesn't always
-			// get set before the first message.
-			if !strings.HasPrefix(actual, "[foo] ") {
-				t.Errorf("First client failed to get 'foo' name: %q", actual)
-			}
-			actual = stripPrompt(actual)
-			expected = " * Guest1 joined. (Connected: 2)\r"
-			if actual != expected {
-				t.Errorf("Got %q; expected %q", actual, expected)
-			}
-
-			// Wrap it up.
-			close(done)
-			return nil
-		})
-		if err != nil {
-			done <- struct{}{}
-			t.Fatal(err)
-		}
-	}()
-
-	// Wait for first client
-	<-done
-
-	// Second client
-	err = sshd.ConnectShell(s.Addr().String(), "foo", func(r io.Reader, w io.WriteCloser) error {
-		scanner := bufio.NewScanner(r)
-
-		// Consume the initial buffer
-		scanner.Scan()
-		scanner.Scan()
-		scanner.Scan()
-
-		actual := scanner.Text()
-		if !strings.HasPrefix(actual, "[Guest1] ") {
-			t.Errorf("Second client did not get Guest1 name: %q", actual)
-		}
-		return nil
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	<-done
+	return s, NewHost(s, auth)
 }

-func TestHostWhitelist(t *testing.T) {
-	key, err := sshd.NewRandomSigner(512)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	auth := NewAuth()
-	config := sshd.MakeAuth(auth)
-	config.AddHostKey(key)
-
-	s, err := sshd.ListenSSH("localhost:0", config)
-	if err != nil {
-		t.Fatal(err)
-	}
+func TestHostNameCollision(t *testing.T) {
+	s, host := getHost(t, nil)
+	defer s.Close()
+
+	newUsers := make(chan *message.User)
+	host.OnUserJoined = func(u *message.User) {
+		newUsers <- u
+	}
+	go host.Serve()
+
+	g := errgroup.Group{}
+
+	// First client
+	g.Go(func() error {
+		return sshd.ConnectShell(s.Addr().String(), "foo", func(r io.Reader, w io.WriteCloser) error {
+			// second client
+			name := (<-newUsers).Name()
+			if name != "Guest1" {
+				t.Errorf("Second client did not get Guest1 name: %q", name)
+			}
+			return nil
+		})
+	})
+
+	// Second client
+	g.Go(func() error {
+		// first client
+		name := (<-newUsers).Name()
+		if name != "foo" {
+			t.Errorf("First client did not get foo name: %q", name)
+		}
+		return sshd.ConnectShell(s.Addr().String(), "foo", func(r io.Reader, w io.WriteCloser) error {
+			return nil
+		})
+	})
+
+	if err := g.Wait(); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestHostAllowlist(t *testing.T) {
+	auth := NewAuth()
+	s, host := getHost(t, auth)
 	defer s.Close()
-	host := NewHost(s, auth)
 	go host.Serve()

 	target := s.Addr().String()

+	clientPrivateKey, err := sshd.NewRandomSigner(512)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clientKey := clientPrivateKey.PublicKey()
+	loadCount := -1
+	loader := func() ([]ssh.PublicKey, error) {
+		loadCount++
+		return [][]ssh.PublicKey{
+			{},
+			{clientKey},
+		}[loadCount], nil
+	}
+	auth.LoadAllowlist(loader)
+
 	err = sshd.ConnectShell(target, "foo", func(r io.Reader, w io.WriteCloser) error { return nil })
 	if err != nil {
 		t.Error(err)
 	}

-	clientkey, err := rsa.GenerateKey(rand.Reader, 512)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	clientpubkey, _ := ssh.NewPublicKey(clientkey.Public())
-	auth.Whitelist(clientpubkey, 0)
-
+	auth.SetAllowlistMode(true)
 	err = sshd.ConnectShell(target, "foo", func(r io.Reader, w io.WriteCloser) error { return nil })
 	if err == nil {
-		t.Error("Failed to block unwhitelisted connection.")
+		t.Error(err)
+	}
+	err = sshd.ConnectShellWithKey(target, "foo", clientPrivateKey, func(r io.Reader, w io.WriteCloser) error { return nil })
+	if err == nil {
+		t.Error(err)
+	}
+
+	auth.ReloadAllowlist()
+	err = sshd.ConnectShell(target, "foo", func(r io.Reader, w io.WriteCloser) error { return nil })
+	if err == nil {
+		t.Error("Failed to block unallowlisted connection.")
 	}
 }

-func TestHostKick(t *testing.T) {
-	key, err := sshd.NewRandomSigner(512)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	auth := NewAuth()
-	config := sshd.MakeAuth(auth)
-	config.AddHostKey(key)
-
-	s, err := sshd.ListenSSH("localhost:0", config)
-	if err != nil {
-		t.Fatal(err)
-	}
+func TestHostAllowlistCommand(t *testing.T) {
+	s, host := getHost(t, NewAuth())
 	defer s.Close()
-	addr := s.Addr().String()
-	host := NewHost(s, nil)
 	go host.Serve()

+	users := make(chan *message.User)
+	host.OnUserJoined = func(u *message.User) {
+		users <- u
+	}
+
+	kickSignal := make(chan struct{})
+	clientKey, err := sshd.NewRandomSigner(1024)
+	if err != nil {
+		t.Fatal(err)
+	}
+	clientKeyFP := sshd.Fingerprint(clientKey.PublicKey())
+	go sshd.ConnectShellWithKey(s.Addr().String(), "bar", clientKey, func(r io.Reader, w io.WriteCloser) error {
+		<-kickSignal
+		n, err := w.Write([]byte("alive and well"))
+		if n != 0 || err == nil {
+			t.Error("could write after being kicked")
+		}
+		return nil
+	})
+
+	sshd.ConnectShell(s.Addr().String(), "foo", func(r io.Reader, w io.WriteCloser) error {
+		<-users
+		<-users
+		m, ok := host.MemberByID("foo")
+		if !ok {
+			t.Fatal("can't get member foo")
+		}
+
+		scanner := bufio.NewScanner(r)
+		scanner.Scan() // Joined
+		scanner.Scan()
+
+		assertLineEq := func(expected ...string) {
+			if !scanner.Scan() {
+				t.Error("no line available")
+			}
+			actual := stripPrompt(scanner.Text())
+			for _, exp := range expected {
+				if exp == actual {
+					return
+				}
+			}
+			t.Errorf("expected %#v, got %q", expected, actual)
+		}
+		sendCmd := func(cmd string, formatting ...interface{}) {
+			host.HandleMsg(message.ParseInput(fmt.Sprintf(cmd, formatting...), m.User))
+		}
+
+		sendCmd("/allowlist")
+		assertLineEq("Err: must be op\r")
+		m.IsOp = true
+		sendCmd("/allowlist")
+		for _, expected := range [...]string{"Usage", "help", "on, off", "add, remove", "import", "reload", "reverify", "status"} {
+			if !scanner.Scan() {
+				t.Error("no line available")
+			}
+			if actual := stripPrompt(scanner.Text()); !strings.HasPrefix(actual, expected) {
+				t.Errorf("Unexpected help message order: have %q, want prefix %q", actual, expected)
+			}
+		}
+
+		sendCmd("/allowlist on")
+		if !host.auth.AllowlistMode() {
+			t.Error("allowlist not enabled after /allowlist on")
+		}
+		sendCmd("/allowlist off")
+		if host.auth.AllowlistMode() {
+			t.Error("allowlist not disabled after /allowlist off")
+		}
+
+		testKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUiNw0nQku4pcUCbZcJlIEAIf5bXJYTy/DKI1vh5b+P"
+		testKeyFP := "SHA256:GJNSl9NUcOS2pZYALn0C5Qgfh5deT+R+FfqNIUvpM9s="
+
+		if host.auth.allowlist.Len() != 0 {
+			t.Error("allowlist not empty before adding anyone")
+		}
+		sendCmd("/allowlist add ssh-invalid blah ssh-rsa wrongAsWell invalid foo bar %s", testKey)
+		assertLineEq("users without a public key: [foo]\r")
+		assertLineEq("invalid users: [invalid]\r")
+		assertLineEq("invalid keys: [ssh-invalid blah ssh-rsa wrongAsWell]\r")
+		if !host.auth.allowlist.In(testKeyFP) || !host.auth.allowlist.In(clientKeyFP) {
+			t.Error("failed to add keys to allowlist")
+		}
+		sendCmd("/allowlist remove invalid bar")
+		assertLineEq("invalid users: [invalid]\r")
+		if host.auth.allowlist.In(clientKeyFP) {
+			t.Error("failed to remove key from allowlist")
+		}
+		if !host.auth.allowlist.In(testKeyFP) {
+			t.Error("removed wrong key")
+		}
+
+		sendCmd("/allowlist import 5h")
+		if host.auth.allowlist.In(clientKeyFP) {
+			t.Error("imporrted key not seen long enough")
+		}
+		sendCmd("/allowlist import")
+		assertLineEq("users without a public key: [foo]\r")
+		if !host.auth.allowlist.In(clientKeyFP) {
+			t.Error("failed to import key")
+		}
+
+		sendCmd("/allowlist reload keep")
+		if !host.auth.allowlist.In(testKeyFP) {
+			t.Error("cleared allowlist to be kept")
+		}
+		sendCmd("/allowlist reload flush")
+		if host.auth.allowlist.In(testKeyFP) {
+			t.Error("kept allowlist to be cleared")
+		}
+		sendCmd("/allowlist reload thisIsWrong")
+		assertLineEq("Err: must specify whether to keep or flush current entries\r")
+		sendCmd("/allowlist reload")
+		assertLineEq("Err: must specify whether to keep or flush current entries\r")
+
+		sendCmd("/allowlist reverify")
+		assertLineEq("allowlist is disabled, so nobody will be kicked\r")
+		sendCmd("/allowlist on")
+		sendCmd("/allowlist reverify")
+		assertLineEq(" * Kicked during pubkey reverification: bar\r", " * bar left. (After 0 seconds)\r")
+		assertLineEq(" * Kicked during pubkey reverification: bar\r", " * bar left. (After 0 seconds)\r")
+		kickSignal <- struct{}{}
+
+		sendCmd("/allowlist add " + testKey)
+		sendCmd("/allowlist status")
+		assertLineEq("allowlist enabled\r")
+		assertLineEq(fmt.Sprintf("Keys on the allowlist without connected user: %s\r", testKeyFP))
+
+		sendCmd("/allowlist invalidSubcommand")
+		assertLineEq("Err: invalid subcommand: invalidSubcommand\r")
+		return nil
+	})
+}
+
+func TestHostKick(t *testing.T) {
+	s, host := getHost(t, NewAuth())
+	defer s.Close()
+	go host.Serve()
+
+	g := errgroup.Group{}
 	connected := make(chan struct{})
 	kicked := make(chan struct{})
-	done := make(chan struct{})

-	go func() {
+	g.Go(func() error {
 		// First client
-		err := sshd.ConnectShell(addr, "foo", func(r io.Reader, w io.WriteCloser) error {
+		return sshd.ConnectShell(s.Addr().String(), "foo", func(r io.Reader, w io.WriteCloser) error {
 			scanner := bufio.NewScanner(r)

 			// Consume the initial buffer
@ -252,41 +376,103 @@ func TestHostKick(t *testing.T) {
 			}

 			kicked <- struct{}{}
-
 			return nil
 		})
-		if err != nil {
-			connected <- struct{}{}
-			close(connected)
-			t.Fatal(err)
-			close(done)
-		}
-	}()
+	})

-	go func() {
+	g.Go(func() error {
 		// Second client
-		err := sshd.ConnectShell(addr, "bar", func(r io.Reader, w io.WriteCloser) error {
+		return sshd.ConnectShell(s.Addr().String(), "bar", func(r io.Reader, w io.WriteCloser) error {
 			scanner := bufio.NewScanner(r)
 			<-connected
 			scanner.Scan()

 			<-kicked

-			if _, err := w.Write([]byte("am I still here?\r\n")); err != nil {
-				return err
+			if _, err := w.Write([]byte("am I still here?\r\n")); err != io.EOF {
+				return errors.New("expected to be kicked")
 			}

 			scanner.Scan()
-			return scanner.Err()
+			if err := scanner.Err(); err == io.EOF {
+				// All good, we got kicked.
+				return nil
+			} else {
+				return err
+			}
 		})
-		if err == io.EOF {
-			// All good, we got kicked.
-		} else if err != nil {
-			close(done)
-			t.Fatal(err)
-		}
-		close(done)
-	}()
+	})

-	<-done
+	if err := g.Wait(); err != nil {
+		t.Error(err)
+	}
+}
+
+func TestTimestampEnvConfig(t *testing.T) {
+	cases := []struct {
+		input      string
+		timeformat *string
+	}{
+		{"", strptr("15:04")},
+		{"1", strptr("15:04")},
+		{"0", nil},
+		{"time +8h", strptr("15:04")},
+		{"datetime +8h", strptr("2006-01-02 15:04:05")},
+	}
+	for _, tc := range cases {
+		u := connectUserWithConfig(t, "dingus", map[string]string{
+			"SSHCHAT_TIMESTAMP": tc.input,
+		})
+		userConfig := u.Config()
+		if userConfig.Timeformat != nil && tc.timeformat != nil {
+			if *userConfig.Timeformat != *tc.timeformat {
+				t.Fatal("unexpected timeformat:", *userConfig.Timeformat, "expected:", *tc.timeformat)
+			}
+		}
+	}
+}
+
+func strptr(s string) *string {
+	return &s
+}
+
+func connectUserWithConfig(t *testing.T, name string, envConfig map[string]string) *message.User {
+	s, host := getHost(t, nil)
+	defer s.Close()
+
+	newUsers := make(chan *message.User)
+	host.OnUserJoined = func(u *message.User) {
+		newUsers <- u
+	}
+	go host.Serve()
+
+	clientConfig := sshd.NewClientConfig(name)
+	conn, err := ssh.Dial("tcp", s.Addr().String(), clientConfig)
+	if err != nil {
+		t.Fatal("unable to connect to test ssh-chat server:", err)
+	}
+	defer conn.Close()
+
+	session, err := conn.NewSession()
+	if err != nil {
+		t.Fatal("unable to open session:", err)
+	}
+	defer session.Close()
+
+	for key := range envConfig {
+		session.Setenv(key, envConfig[key])
+	}
+
+	err = session.Shell()
+	if err != nil {
+		t.Fatal("unable to open shell:", err)
+	}
+
+	for u := range newUsers {
+		if u.Name() == name {
+			return u
+		}
+	}
+	t.Fatalf("user %s not found in the host", name)
+	return nil
 }
--- a/identity.go
+++ b/identity.go
@ -1,6 +1,7 @@
 package sshchat

 import (
+	"fmt"
 	"net"
 	"strings"
 	"time"
@ -57,16 +58,25 @@ func (i Identity) Name() string {
 }

 // Whois returns a whois description for non-admin users.
-// TODO: Add optional room context?
-func (i Identity) Whois() string {
+func (i Identity) Whois(room *chat.Room) string {
 	fingerprint := "(no public key)"
 	if i.PublicKey() != nil {
 		fingerprint = sshd.Fingerprint(i.PublicKey())
 	}
+	// TODO: Rewrite this using strings.Builder like WhoisAdmin
+
+	awayMsg := ""
+	if m, ok := room.MemberByID(i.ID()); ok {
+		isAway, awaySince, awayMessage := m.GetAway()
+		if isAway {
+			awayMsg = fmt.Sprintf("%s > away: (%s ago) %s", message.Newline, humantime.Since(awaySince), awayMessage)
+		}
+	}
 	return "name: " + i.Name() + message.Newline +
 		" > fingerprint: " + fingerprint + message.Newline +
 		" > client: " + sanitize.Data(string(i.ClientVersion()), 64) + message.Newline +
-		" > joined: " + humantime.Since(i.created) + " ago"
+		" > joined: " + humantime.Since(i.created) + " ago" +
+		awayMsg
 }

 // WhoisAdmin returns a whois description for admin users.
@ -86,6 +96,9 @@ func (i Identity) WhoisAdmin(room *chat.Room) string {

 	if member, ok := room.MemberByID(i.ID()); ok {
 		// Add room-specific whois
+		if isAway, awaySince, awayMessage := member.GetAway(); isAway {
+			fmt.Fprintf(&out, message.Newline+" > away: (%s ago) %s", humantime.Since(awaySince), awayMessage)
+		}
 		// FIXME: Should these always be present, even if they're false? Maybe
 		// change that once we add room context to Whois() above.
 		if !member.LastMsg().IsZero() {
--- a/issue_template.md
+++ b/issue_template.md
@ -1,8 +0,0 @@
-### Expected Behavior
-
-### Actual Behavior
-
-### Steps to reproduce behavior
-
-
-### Additional Comments
--- a/set/set.go
+++ b/set/set.go
@ -12,9 +12,6 @@ var ErrCollision = errors.New("key already exists")
 // Returned when a requested item does not exist in the set.
 var ErrMissing = errors.New("item does not exist")

-// Returned when a nil item is added. Nil values are considered expired and invalid.
-var ErrNil = errors.New("item value must not be nil")
-
 // ZeroValue can be used when we only care about the key, not about the value.
 var ZeroValue = struct{}{}

@ -100,7 +97,7 @@ func (s *Set) Get(key string) (Item, error) {
 func (s *Set) cleanup(key string) {
 	s.Lock()
 	item, ok := s.lookup[key]
-	if ok && item == nil {
+	if ok && item.Value() == nil {
 		delete(s.lookup, key)
 	}
 	s.Unlock()
@ -108,9 +105,6 @@ func (s *Set) cleanup(key string) {

 // Add item to this set if it does not exist already.
 func (s *Set) Add(item Item) error {
-	if item.Value() == nil {
-		return ErrNil
-	}
 	key := s.normalize(item.Key())

 	s.Lock()
@ -127,9 +121,6 @@ func (s *Set) Add(item Item) error {

 // Set item to this set, even if it already exists.
 func (s *Set) Set(item Item) error {
-	if item.Value() == nil {
-		return ErrNil
-	}
 	key := s.normalize(item.Key())

 	s.Lock()
@ -156,9 +147,6 @@ func (s *Set) Remove(key string) error {
 // Replace oldKey with a new item, which might be a new key.
 // Can be used to rename items.
 func (s *Set) Replace(oldKey string, item Item) error {
-	if item.Value() == nil {
-		return ErrNil
-	}
 	newKey := s.normalize(item.Key())
 	oldKey = s.normalize(oldKey)

--- a/set/set_test.go
+++ b/set/set_test.go
@ -21,14 +21,23 @@ func TestSetExpiring(t *testing.T) {
 		t.Error("not len 1 after set")
 	}

-	item := &ExpiringItem{nil, time.Now().Add(-time.Nanosecond * 1)}
+	item := Expire(StringItem("asdf"), -time.Nanosecond).(*ExpiringItem)
 	if !item.Expired() {
 		t.Errorf("ExpiringItem a nanosec ago is not expiring")
 	}
+	if err := s.Add(item); err != nil {
+		t.Error("Error adding expired item to set: ", err)
+	}
+	if s.In("asdf") {
+		t.Error("Expired item in set")
+	}
+	if s.Len() != 1 {
+		t.Error("not len 1 after expired item")
+	}

 	item = &ExpiringItem{nil, time.Now().Add(time.Minute * 5)}
 	if item.Expired() {
-		t.Errorf("ExpiringItem in 2 minutes is expiring now")
+		t.Errorf("ExpiringItem in 5 minutes is expiring now")
 	}

 	item = Expire(StringItem("bar"), time.Minute*5).(*ExpiringItem)
@ -42,11 +51,13 @@ func TestSetExpiring(t *testing.T) {
 	if err := s.Add(item); err != nil {
 		t.Fatalf("failed to add item: %s", err)
 	}
-	_, ok := s.lookup["bar"]
+	itemInLookup, ok := s.lookup["bar"]
 	if !ok {
-		t.Fatalf("expired bar added to lookup")
+		t.Fatalf("bar not present in lookup even though it's not expired")
+	}
+	if itemInLookup != item {
+		t.Fatalf("present item %#v != %#v original item", itemInLookup, item)
 	}
-	s.lookup["bar"] = item

 	if !s.In("bar") {
 		t.Errorf("not matched after timed set")
--- a/sshd/auth.go
+++ b/sshd/auth.go
@ -5,17 +5,26 @@ import (
 	"encoding/base64"
 	"errors"
 	"net"
+	"time"

 	"github.com/shazow/ssh-chat/internal/sanitize"
 	"golang.org/x/crypto/ssh"
 )

-// Auth is used to authenticate connections based on public keys.
+// Auth is used to authenticate connections.
 type Auth interface {
 	// Whether to allow connections without a public key.
 	AllowAnonymous() bool
-	// Given address and public key and client agent string, returns nil if the connection should be allowed.
-	Check(net.Addr, ssh.PublicKey, string) error
+	// If passphrase authentication is accepted
+	AcceptPassphrase() bool
+	// Given address and public key and client agent string, returns nil if the connection is not banned.
+	CheckBans(net.Addr, ssh.PublicKey, string) error
+	// Given a public key, returns nil if the connection should be allowed.
+	CheckPublicKey(ssh.PublicKey) error
+	// Given a passphrase, returns nil if the connection should be allowed.
+	CheckPassphrase(string) error
+	// BanAddr bans an IP address for the specified amount of time.
+	BanAddr(net.Addr, time.Duration)
 }

 // MakeAuth makes an ssh.ServerConfig which performs authentication against an Auth implementation.
@ -25,7 +34,11 @@ func MakeAuth(auth Auth) *ssh.ServerConfig {
 		NoClientAuth: false,
 		// Auth-related things should be constant-time to avoid timing attacks.
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-			err := auth.Check(conn.RemoteAddr(), key, sanitize.Data(string(conn.ClientVersion()), 64))
+			err := auth.CheckBans(conn.RemoteAddr(), key, sanitize.Data(string(conn.ClientVersion()), 64))
+			if err != nil {
+				return nil, err
+			}
+			err = auth.CheckPublicKey(key)
 			if err != nil {
 				return nil, err
 			}
@ -34,11 +47,31 @@ func MakeAuth(auth Auth) *ssh.ServerConfig {
 			}}
 			return perm, nil
 		},
+
+		// We use KeyboardInteractiveCallback instead of PasswordCallback to
+		// avoid preventing the client from including a pubkey in the user
+		// identification.
 		KeyboardInteractiveCallback: func(conn ssh.ConnMetadata, challenge ssh.KeyboardInteractiveChallenge) (*ssh.Permissions, error) {
-			if !auth.AllowAnonymous() {
-				return nil, errors.New("public key authentication required")
+			err := auth.CheckBans(conn.RemoteAddr(), nil, sanitize.Data(string(conn.ClientVersion()), 64))
+			if err != nil {
+				return nil, err
+			}
+			if auth.AcceptPassphrase() {
+				var answers []string
+				answers, err = challenge("", "", []string{"Passphrase required to connect: "}, []bool{true})
+				if err == nil {
+					if len(answers) != 1 {
+						err = errors.New("didn't get passphrase")
+					} else {
+						err = auth.CheckPassphrase(answers[0])
+						if err != nil {
+							auth.BanAddr(conn.RemoteAddr(), time.Second*2)
+						}
+					}
+				}
+			} else if !auth.AllowAnonymous() {
+				err = errors.New("public key authentication required")
 			}
-			err := auth.Check(conn.RemoteAddr(), nil, sanitize.Data(string(conn.ClientVersion()), 64))
 			return nil, err
 		},
 	}
--- a/sshd/client.go
+++ b/sshd/client.go
@ -30,9 +30,24 @@ func NewClientConfig(name string) *ssh.ClientConfig {
 	}
 }

+func NewClientConfigWithKey(name string, key ssh.Signer) *ssh.ClientConfig {
+	return &ssh.ClientConfig{
+		User:            name,
+		Auth:            []ssh.AuthMethod{ssh.PublicKeys(key)},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	}
+}
+
 // ConnectShell makes a barebones SSH client session, used for testing.
 func ConnectShell(host string, name string, handler func(r io.Reader, w io.WriteCloser) error) error {
-	config := NewClientConfig(name)
+	return connectShell(host, NewClientConfig(name), handler)
+}
+
+func ConnectShellWithKey(host string, name string, key ssh.Signer, handler func(r io.Reader, w io.WriteCloser) error) error {
+	return connectShell(host, NewClientConfigWithKey(name, key), handler)
+}
+
+func connectShell(host string, config *ssh.ClientConfig, handler func(r io.Reader, w io.WriteCloser) error) error {
 	conn, err := ssh.Dial("tcp", host, config)
 	if err != nil {
 		return err
--- a/sshd/client_test.go
+++ b/sshd/client_test.go
@ -4,6 +4,7 @@ import (
 	"errors"
 	"net"
 	"testing"
+	"time"

 	"golang.org/x/crypto/ssh"
 )
@ -15,9 +16,19 @@ type RejectAuth struct{}
 func (a RejectAuth) AllowAnonymous() bool {
 	return false
 }
-func (a RejectAuth) Check(net.Addr, ssh.PublicKey, string) error {
+func (a RejectAuth) AcceptPassphrase() bool {
+	return false
+}
+func (a RejectAuth) CheckBans(addr net.Addr, key ssh.PublicKey, clientVersion string) error {
 	return errRejectAuth
 }
+func (a RejectAuth) CheckPublicKey(ssh.PublicKey) error {
+	return errRejectAuth
+}
+func (a RejectAuth) CheckPassphrase(string) error {
+	return errRejectAuth
+}
+func (a RejectAuth) BanAddr(net.Addr, time.Duration) {}

 func TestClientReject(t *testing.T) {
 	signer, err := NewRandomSigner(512)
--- a/sshd/net_test.go
+++ b/sshd/net_test.go
@ -25,7 +25,7 @@ func TestServerInit(t *testing.T) {
 }

 func TestServeTerminals(t *testing.T) {
-	signer, err := NewRandomSigner(512)
+	signer, err := NewRandomSigner(1024)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/sshd/terminal.go
+++ b/sshd/terminal.go
@ -167,7 +167,9 @@ func (t *Terminal) Close() error {
 	var err error
 	t.closeOnce.Do(func() {
 		close(t.done)
-		t.Channel.Close()
+		if err := t.Channel.Close(); err != nil {
+			logger.Printf("[%s] Failed to close terminal channel: %s", t.Conn.RemoteAddr(), err)
+		}
 		err = t.Conn.Close()
 	})
 	return err
--- a/sshd/terminal/terminal.go
+++ b/sshd/terminal/terminal.go
@ -264,6 +264,10 @@ func (t *Terminal) moveCursorToPos(pos int) {
 		return
 	}

+	if pos > len(t.line) {
+		pos = len(t.line)
+	}
+
 	x := visualLength(t.prompt) + visualLength(t.line[:pos])
 	y := x / t.termWidth
 	x = x % t.termWidth
Author	SHA1	Message	Date
Andrey Petrov	2dc875817d	Merge pull request #439 from jagtalon/jag/readme README: Change whitelist to allowlist	2025-03-06 12:47:46 -05:00
Jag Talon	6dd5f27334	README: Change whitelist to allowlist	2025-03-06 12:34:58 -05:00
Andrey Petrov	635673882b	Update BUG.yml	2024-09-06 14:10:40 -04:00
Andrey Petrov	e16725f08e	Update BUG.yml	2024-09-06 14:09:21 -04:00
Andrey Petrov	89b7218461	Update and rename bug_report.md to BUG.yml	2024-09-06 14:09:03 -04:00
Andrey Petrov	daf4677fe3	Merge pull request #427 from bsiegert/crypto Bump golang.org/x/crypto to 0.17.0 (security)	2023-12-22 13:27:17 -05:00
Benny Siegert	bdd716e621	Bump golang.org/x/crypto to 0.17.0 (security) This fixes the following vulnerabilities, as reported by govulncheck: Vulnerability #1: GO-2023-2402 Man-in-the-middle attacker can compromise integrity of secure channel in golang.org/x/crypto More info: https://pkg.go.dev/vuln/GO-2023-2402 Module: golang.org/x/crypto Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877 Fixed in: golang.org/x/crypto@v0.17.0 Example traces found: #1: work/ssh-chat-1.10/sshd/client.go:42:33: sshd.ConnectShell calls ssh.Client.NewSession #2: work/ssh-chat-1.10/sshd/client.go:36:23: sshd.ConnectShell calls ssh.Dial #3: work/ssh-chat-1.10/sshd/net.go:49:2: sshd.SSHListener.handleConn calls ssh.DiscardRequests #4: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn #5: work/ssh-chat-1.10/sshd/terminal.go:222:13: sshd.Terminal.listen calls ssh.Request.Reply #6: work/ssh-chat-1.10/sshd/client.go:46:2: sshd.ConnectShell calls ssh.Session.Close #7: work/ssh-chat-1.10/sshd/client.go:70:30: sshd.ConnectShell calls ssh.Session.SendRequest #8: work/ssh-chat-1.10/sshd/client.go:65:21: sshd.ConnectShell calls ssh.Session.Shell #9: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:243:14: ssh.main calls fmt.Fprintln, which eventually calls ssh.channel.Read #10: work/ssh-chat-1.10/sshd/terminal/terminal.go:954:17: terminal.Terminal.SetBracketedPasteMode calls io.WriteString, which calls ssh.channel.Write #11: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:243:14: ssh.main calls fmt.Fprintln, which eventually calls ssh.extChannel.Read Vulnerability #4: GO-2022-0968 Panic on malformed packets in golang.org/x/crypto/ssh More info: https://pkg.go.dev/vuln/GO-2022-0968 Module: golang.org/x/crypto Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877 Fixed in: golang.org/x/crypto@v0.0.0-20211202192323-5770296d904e Example traces found: #1: work/ssh-chat-1.10/sshd/client.go:36:23: sshd.ConnectShell calls ssh.Dial #2: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn Vulnerability #5: GO-2021-0356 Denial of service via crafted Signer in golang.org/x/crypto/ssh More info: https://pkg.go.dev/vuln/GO-2021-0356 Module: golang.org/x/crypto Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877 Fixed in: golang.org/x/crypto@v0.0.0-20220314234659-1baeb1ce4c0b Example traces found: #1: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:122:19: ssh.main calls ssh.ServerConfig.AddHostKey Vulnerability #6: GO-2021-0227 Panic on crafted authentication request message in golang.org/x/crypto/ssh More info: https://pkg.go.dev/vuln/GO-2021-0227 Module: golang.org/x/crypto Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877 Fixed in: golang.org/x/crypto@v0.0.0-20201216223049-8b5274cf687f Example traces found: #1: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn	2023-12-22 18:25:25 +01:00
Andrey Petrov	1fc7f7b10b	Merge pull request #421 from DejavuMoe/build/linux-arm64 add: build releases for linux/arm64	2023-02-02 12:16:01 -05:00
DejavuMoe	c884aee673	add: build releases for linux/arm64	2023-02-02 15:23:02 +08:00
Andrey Petrov	aaf0671f01	go mod update Fixes #419 #409	2022-11-27 20:15:03 -06:00
Andrey Petrov	748fc819e7	Merge pull request #416 from sleibrock/master Fixing emojis being sent in PMs when no theme is set (#414)	2022-07-31 10:08:56 -04:00
Andrey Petrov	4b4270f0ca	Merge pull request #417 from sleibrock/motd-bot-fix host.go: avoiding motd output if bot mode set	2022-07-30 15:05:16 -04:00
Steven Leibrock	ae585079e7	host.go: avoiding motd output if bot mode set	2022-07-29 21:57:49 -04:00
Steven L	1102162d1f	message.go: stripping emoji for when no theme is set	2022-07-28 12:29:53 -04:00
Andrey Petrov	68e9d6880d	Merge pull request #410 from pataquets/master Docker Compose manifest: mount host's keys and few other improvements.	2022-03-07 14:44:07 -05:00
pataquets	3f857cf1f5	Docker Compose manifest: mount host's keys and few other improvements. * Add SSH keys mount (mimicking default non-Docker behaviour). * Increase manifest version to lowest 3.x supporting bind mounts. * Change restart policy from `always` to `unless-stopped`. * Set a container name. * Fix port indentation to 2 spaces, as done elsewhere.	2022-03-07 20:22:01 +01:00
Andrey Petrov	df72223a5f	go mod update	2022-01-29 15:05:59 -05:00
mik2k2	621ae1b0d3	Add /allowlist command (#399 ) * move loading whitelist+ops from file to auth and save the loaded files fro reloading * add /whitelist command with lots of open questions * add test for /whitelist * gofmt * use the same auth (the tests don't seem to care, but htis is more right) * mutex whitelistMode and remove some deferred TODOs * s/whitelist/allowlist/ (user-facing); move helper functions outside the handler function * check for ops in Auth.CheckPublicKey and move /allowlist handling to helper functions * possibly fix the test timeout in HostNameCollision * Revert "possibly fix the test timeout in HostNameCollision" (didn't work) This reverts commit 664dbb0976f8f10ea7a673950a879591c2e7c320. * managed to reproduce the timeout after updating, hopefully it's the same one * remove some unimportant TODOs; add a message when reverify kicks people; add a reverify test * add client connection with key; add test for /allowlist import AGE * hopefully make test less racy * s/whitelist/allowlist/ * fix crash on specifying exactly one more -v flag than the max level * use a key loader function to move file reading out of auth * add loader to allowlist test * minor message changes * add --whitelist with a warning; update tests for messages * apparently, we have another prefix * check names directly on the User objects in TestHostNameCollision * not allowlisted -> not allowed * small message change * update test	2022-01-06 09:09:51 -05:00
Andrey Petrov	84bc5c76dd	go mod update for golang.org/x/crypto/ssh	2021-12-03 11:03:08 -05:00
Andrey Petrov	82526e9123	Update ssh.chat pubkey	2021-10-13 11:30:58 -04:00
Akshay Shekher	d25630020d	/back, /away: Change no-op to return err Fixes #402 When the user is not set as away, using the `/back` or `/away` command should return error. The previous behaviour was inconsistent, `/away` sent a message and `/back` ignored it. New behaviour is error for both cases. Co-authored-by: Akshay <akshay.shekher@gmail.com>	2021-10-13 11:00:11 -04:00
Andrey Petrov	0eebb64c1d	sshd/terminal/terminal.go: Clamp pos to protect from some fuzzing failures	2021-10-13 10:43:49 -04:00
Andrey Petrov	db14517499	cmd/ssh-chat: Accept multiple --identity keys Fixes #401	2021-10-13 10:27:04 -04:00
Andrey Petrov	88fa53fd16	Makefile: deploy tweak	2021-10-11 10:18:06 -04:00
mik2k2	7628a47c4c	set: Allow nil/expired items Fixes #397	2021-07-03 13:37:09 -04:00
mik2k2	7413539965	main, sshd: Refactor authentication, add IP throttling, improve passphrase auth * Move password authentication handling into sshd/auth (fixes #394). Password authentication is now completely handeled in Auth. The normal keyboard-interactive handler checks if passwords are supported and asks for them, removing the need to override the callbacks. Brute force throttling is removed; I'd like to base it on IP address banning, which requires changes to the checks. I'm not sure, but I think timing attacks against the password are fixed: - The hashing of the real password happens only at startup. - The hashing of a provided password is something an attacker can do themselves; It doesn't leak anything about the real password. - The hash comparison is constant-time. * refactor checks, IP-ban incorrect passphrases, renames - s/assword/assphrase/, typo fixes - bans are checked separately from public keys - an incorrect passphrase results in a one-minute IP ban - whitelists no longer override bans (i.e. you can get banned if you're whitelisted) * (hopefully) final changes	2021-05-31 10:08:30 -04:00
Akshay Shekher	c3b589b286	tests: Fixed flaky test by using user joined callback. (#393 ) Instead of relying on the go scheduler to do the expected thing >_> Co-authored-by: Akshay <akshay.shekher@gmail.com>	2021-05-02 13:02:39 -04:00
Akshay Shekher	e1e534344e	Fix SSHCHAT_TIMESTAMP env variables (#392 ) * Fixes Env Vars to pass config to ssh-chat. The env vars were beign parsed and set to the host before the user was even added to the host and hence ignored. This change moves the env var parsing to after initializing the user. TODO: tests, completeness+reliability * cleaned up the test * reduced test flakyness by adding wait instead of being optimistic Co-authored-by: Akshay <akshay.shekher@gmail.com>	2021-05-02 12:18:31 -04:00
Andrey Petrov	46eaf037e3	Merge pull request #390 from shazow/shazow-patch-3 tests: Skip flakey TestHostNameCollision	2021-04-24 12:49:09 -04:00
Andrey Petrov	3c246777a1	tests: Skip flakey TestHostNameCollision	2021-04-24 12:22:42 -04:00
Andrey Petrov	fef128b91f	Merge pull request #389 from shazow/shazow-patch-2 ci: Test all sub-packages	2021-04-24 12:18:44 -04:00
Andrey Petrov	1ef05d0c26	ci: Test all sub-packages	2021-04-24 12:16:10 -04:00
Andrey Petrov	af502977e6	Merge pull request #388 from voldyman/ill-be-back Added /back and tests for all away commands	2021-04-24 12:15:22 -04:00
Andrey Petrov	c3dccfd3eb	chat: /back help formatting.	2021-04-24 12:14:24 -04:00
Akshay	aae5bc8d2e	Added /back and tests for all away commands	2021-04-24 07:54:50 -07:00
Andrey Petrov	fb73ace458	Merge pull request #385 from sytranvn/build-apple-silocon Add build script for apple silicon	2021-04-19 09:45:02 -04:00
Sy Tran	3557bf762d	Add build script for apple silicon	2021-04-18 07:31:13 +07:00
Andrey Petrov	fa3146c800	Makefile: Add deploy helper	2021-04-13 11:32:24 -04:00
Andrey Petrov	badcaa6e3b	/away: Fix output for admin whois cc #377	2021-04-13 11:27:44 -04:00
Andrey Petrov	9bf66ea992	Merge pull request #383 from shazow/add-mute chat: Add /mute command for op	2021-04-13 11:24:53 -04:00
Andrey Petrov	37b101c3c1	chat: Add /mute command for op	2021-04-13 11:21:16 -04:00
Andrey Petrov	b73b45640c	host: Fix /msg vs /reply message formatting Closes #382	2021-04-06 09:28:48 -04:00
Andrey Petrov	7a783d46af	sshd, chat/message: Add more debug logging for close failures	2021-04-05 11:06:44 -04:00
Andrey Petrov	3848014d41	main: Update host_test.go to pass vet, use errgroup	2021-03-26 12:49:08 -04:00
Andrey Petrov	3f81d84cf1	cmd/ssh-chat: Use x/term instead of howeyc/gopass, update prompt Fixes #380	2021-03-26 12:26:18 -04:00
Andrey Petrov	4840634434	go mod update	2021-03-26 12:17:55 -04:00
Andrey Petrov	8257ada10d	host: Factor out PM code, add away status	2021-03-15 11:07:52 -04:00
Andrey Petrov	9329227403	chat: /away tweaks	2021-03-15 10:53:00 -04:00
Akshay	0338cb824d	chat: Added support for user away status, fixes #377 made away toggle status, like irc updated /away feature * added away message * added broadcast away message as emote * updated names list to show away users on the same line, with colors added /away -> back message Update away time to be time since marked away reverted changes made for /list	2021-03-15 10:30:54 -04:00
Andrey Petrov	c8bfc34704	Merge pull request #376 from medinae/reply-to-user-with-symbol-fix Fix ~ Reply to user with symbol returning Err user not found	2021-03-13 10:08:49 -05:00
Abdelkader Bouadjadja	ebbbc3b6d9	Fix ~ Reply to user with symbol returning Err user not found	2021-03-13 14:56:36 +04:00
Andrey Petrov	d8183dd305	Update bug_report.md	2021-02-06 09:33:28 -05:00
Andrey Petrov	37c3e52309	Delete issue_template.md	2021-02-06 09:30:05 -05:00
Andrey Petrov	8eab0c9ead	Update issue templates	2021-02-06 09:29:53 -05:00
Andrey Petrov	1a00bd81f2	go mod update	2020-11-11 15:44:24 -05:00
Andrey Petrov	5fb947fa6e	Merge pull request #366 from Niwla23/dockerfiles Add Dockerfile and docker-compose.yml	2020-10-29 09:48:30 -04:00
Alwin Lohrie	d42996c14b	Add Dockerfile and docker-compose.yml	2020-10-28 16:19:16 +01:00