mirror of https://github.com/shazow/ssh-chat.git synced 2025-04-12 15:17:16 +03:00

Go to file

Benny Siegert bdd716e621 Bump golang.org/x/crypto to 0.17.0 (security)

This fixes the following vulnerabilities, as reported by govulncheck:

Vulnerability #1: GO-2023-2402
    Man-in-the-middle attacker can compromise integrity of secure channel in
    golang.org/x/crypto
  More info: https://pkg.go.dev/vuln/GO-2023-2402
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877
    Fixed in: golang.org/x/crypto@v0.17.0
    Example traces found:
      #1: work/ssh-chat-1.10/sshd/client.go:42:33: sshd.ConnectShell calls ssh.Client.NewSession
      #2: work/ssh-chat-1.10/sshd/client.go:36:23: sshd.ConnectShell calls ssh.Dial
      #3: work/ssh-chat-1.10/sshd/net.go:49:2: sshd.SSHListener.handleConn calls ssh.DiscardRequests
      #4: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn
      #5: work/ssh-chat-1.10/sshd/terminal.go:222:13: sshd.Terminal.listen calls ssh.Request.Reply
      #6: work/ssh-chat-1.10/sshd/client.go:46:2: sshd.ConnectShell calls ssh.Session.Close
      #7: work/ssh-chat-1.10/sshd/client.go:70:30: sshd.ConnectShell calls ssh.Session.SendRequest
      #8: work/ssh-chat-1.10/sshd/client.go:65:21: sshd.ConnectShell calls ssh.Session.Shell
      #9: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:243:14: ssh.main calls fmt.Fprintln, which eventually calls ssh.channel.Read
      #10: work/ssh-chat-1.10/sshd/terminal/terminal.go:954:17: terminal.Terminal.SetBracketedPasteMode calls io.WriteString, which calls ssh.channel.Write
      #11: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:243:14: ssh.main calls fmt.Fprintln, which eventually calls ssh.extChannel.Read

Vulnerability #4: GO-2022-0968
    Panic on malformed packets in golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2022-0968
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877
    Fixed in: golang.org/x/crypto@v0.0.0-20211202192323-5770296d904e
    Example traces found:
      #1: work/ssh-chat-1.10/sshd/client.go:36:23: sshd.ConnectShell calls ssh.Dial
      #2: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn

Vulnerability #5: GO-2021-0356
    Denial of service via crafted Signer in golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2021-0356
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877
    Fixed in: golang.org/x/crypto@v0.0.0-20220314234659-1baeb1ce4c0b
    Example traces found:
      #1: work/ssh-chat-1.10/cmd/ssh-chat/cmd.go:122:19: ssh.main calls ssh.ServerConfig.AddHostKey

Vulnerability #6: GO-2021-0227
    Panic on crafted authentication request message in golang.org/x/crypto/ssh
  More info: https://pkg.go.dev/vuln/GO-2021-0227
  Module: golang.org/x/crypto
    Found in: golang.org/x/crypto@v0.0.0-20200420104511-884d27f42877
    Fixed in: golang.org/x/crypto@v0.0.0-20201216223049-8b5274cf687f
    Example traces found:
      #1: work/ssh-chat-1.10/sshd/net.go:43:55: sshd.SSHListener.handleConn calls ssh.NewServerConn

2023-12-22 18:25:25 +01:00

.github

ci: Test all sub-packages

2021-04-24 12:16:10 -04:00

chat

message.go: stripping emoji for when no theme is set

2022-07-28 12:29:53 -04:00

cmd/ssh-chat

Add /allowlist command (#399 )

2022-01-06 09:09:51 -05:00

internal

chat, internal/humantime: Tweak departure message

2019-03-17 15:01:41 -04:00

set

set: Allow nil/expired items

2021-07-03 13:37:09 -04:00

sshd

Add /allowlist command (#399 )

2022-01-06 09:09:51 -05:00

.gitignore

vendor: Switch to using go dep

2017-10-12 13:40:35 -04:00

.travis.yml

travisci: Remove explicit dep fetch (#287 )

2018-12-25 14:53:38 -05:00

auth_test.go

Add /allowlist command (#399 )

2022-01-06 09:09:51 -05:00

auth.go

Add /allowlist command (#399 )

2022-01-06 09:09:51 -05:00

build_release

Windows support (fixed #217 )

2016-09-15 13:52:55 -04:00

CODE_OF_CONDUCT.md

Update CODE_OF_CONDUCT.md

2020-08-03 12:32:03 -04:00

CONTRIBUTING.md

Adding a contribituion file and issue template (#248 )

2017-10-03 13:49:52 -04:00

docker-compose.yml

Docker Compose manifest: mount host's keys and few other improvements.

2022-03-07 20:22:01 +01:00

Dockerfile

Add Dockerfile and docker-compose.yml

2020-10-28 16:19:16 +01:00

go.mod

Bump golang.org/x/crypto to 0.17.0 (security)

2023-12-22 18:25:25 +01:00

go.sum

Bump golang.org/x/crypto to 0.17.0 (security)

2023-12-22 18:25:25 +01:00

godoc.go

Better comments

2019-02-24 09:40:47 -06:00

Gopkg.lock

/uptime and /whois relative timestamps made more precise

2018-01-19 12:35:45 -05:00

Gopkg.toml

vendor: Switch to using go dep

2017-10-12 13:40:35 -04:00

host_test.go

Add /allowlist command (#399 )

2022-01-06 09:09:51 -05:00

host.go

host.go: avoiding motd output if bot mode set

2022-07-29 21:57:49 -04:00

identity.go

/away: Fix output for admin whois

2021-04-13 11:27:44 -04:00

LICENSE

LICENSE, todo.

2014-12-12 17:52:05 -08:00

logger.go

Better comments

2019-02-24 09:40:47 -06:00

Makefile

add: build releases for linux/arm64

2023-02-02 15:23:02 +08:00

motd.txt

/motd: Add reload functionality when msg is @

2020-08-03 13:26:12 -04:00

NOTICE

legal: Put sshd/terminal notice in root

2019-03-18 15:36:21 -04:00

README.md

Docker Compose manifest: mount host's keys and few other improvements.

2022-03-07 20:22:01 +01:00

README.md

ssh-chat

Custom SSH server written in Go. Instead of a shell, you get a chat prompt.

Demo

Join the party:

$ ssh ssh.chat

Please abide by our project's Code of Conduct while participating in chat.

The host's public key is ssh.chat ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPrQofxXqoz2y9A7NFkkENt6iW8/mvpfes3RY/41Oyt and the fingerprint is SHA256:yoqMXkCysMTBsvhu2yRoMUl+EmZKlvkN+ZKmL3115xU (as of 2021-10-13).

If you see something different, you might be MITM'd.

(Apologies if the server is down, try again shortly.)

Downloading a release

Recent releases include builds for MacOS (darwin/amd64) and Linux (386, amd64, and ARM6 for your RaspberryPi).

Grab the latest binary release here.

Play around with it. Additional deploy examples are here.

Compiling / Developing

Most people just want the latest binary release. If you're sure you want to compile it from source, read on:

You can compile ssh-chat by using make build. The resulting binary is portable and can be run on any system with a similar OS and CPU arch. Go 1.8 or higher is required to compile.

If you're developing on this repo, there is a handy Makefile that should set things up with make run.

Additionally, make debug runs the server with an http pprof server. This allows you to open http://localhost:6060/debug/pprof/ and view profiling data. See net/http/pprof for more information about pprof.

Quick Start

Usage:
  ssh-chat [OPTIONS]

Application Options:
  -v, --verbose    Show verbose logging.
      --version    Print version and exit.
  -i, --identity=  Private key to identify server with. (default: ~/.ssh/id_rsa)
      --bind=      Host and port to listen on. (default: 0.0.0.0:2022)
      --admin=     File of public keys who are admins.
      --whitelist= Optional file of public keys who are allowed to connect.
      --motd=      Optional Message of the Day file.
      --log=       Write chat log to this file.
      --pprof=     Enable pprof http server for profiling.

Help Options:
  -h, --help       Show this help message

After doing go get github.com/shazow/ssh-chat/... on this repo, you should be able to run a command like:

$ ssh-chat --verbose --bind ":22" --identity ~/.ssh/id_dsa

To bind on port 22, you'll need to make sure it's free (move any other ssh daemons to another port) and run ssh-chat as root (or with sudo).

Frequently Asked Questions

The FAQs can be found on the project's Wiki page. Feel free to submit more questions to be answered and added to the page.

License

MIT