Artix Linux Forum

I'm surprised this isn't more popular.

Is there something bad that I don't know? I do have big derps, so it's possible.

Seems like you could point it at, say 127.0.0.1:2222, create a tor hidden service that listens there... then as simple as "torsocks ssh [email protected] [-p 2222]" and poof, you have your own private chat server with all the benefits of ssh identity verification and encryption etc... piped through tor, now nobody knows crap...

Here's an old thing I read, which I don't fully understand yet: https://steemit.com/security/@webzak/installation-of-ssh-chat-on-ubuntu-16-04-server

Seems like support for this would be right up Artix's alley, but I can only get it in AUR... Which I don't really trust...

Yes, yes, I know. It's not supported by Artix. But, it seems odd that it isn't part of official Artix repos given what it is/does. I'm not asking you to help me figure out why I can't make it go. I'm saying, hey, look at this nifty doodad. It seems like a super-simple sorty of secure chat privacy thing that is oddly missing from Artix...

Maybe I don't know the whole story and there's a reason it's not part of Artix...

Imma go play with it a bit, maybe become slightly less stupid...

Seems like it's still under active development, unlike torchat...
https://github.com/shazow/ssh-chat/wiki/FAQ
https://github.com/shazow/ssh-chat

In the AUR it has 0 votes, 0 popularity. Which means nobody is using it on arch linux.

Its github page says they have issues with DoS attacks

They have 8 dependencies that are vulnerable which means it opens up security holes.

https://golangissues.com/issues/1347636

Not something we want or should be trusted.

Bummer, it seemed like such a cool idea...

Thanks.

https://security-tracker.debian.org/tracker/CVE-2019-11840 (https://security-tracker.debian.org/tracker/CVE-2019-11840)
https://ubuntu.com/security/CVE-2017-3204 (https://ubuntu.com/security/CVE-2017-3204)
https://security.archlinux.org/package/go (https://security.archlinux.org/package/go)
But those CVE's are long since fixed and Arch Linux Go has no unfixed CVE's currently.
The linked GitHub page actually has some Ubuntu user asking how to fix those issues, and the reply at the bottom from the dev says:
"Yup, grab the source, do go get -u ./... and you're good to go. :)"
"go get -u" means download and update deps apparently
https://stackoverflow.com/questions/66753231/what-is-the-difference-between-go-get-and-go-get-u (https://stackoverflow.com/questions/66753231/what-is-the-difference-between-go-get-and-go-get-u)

So I can use it?

Most likely, I've never tried it myself, but there is this other recent golang bug that is awaiting a fix:
https://github.com/shazow/ssh-chat/issues/409 (https://github.com/shazow/ssh-chat/issues/409)
So not sure if it is working at present, or if that only affects some particular feature.
With anything online though,  government authorities etc. can most likely gain access if they wanted.

I just want a lightweight, private chat thing for a small group of friends. Something that doesn't have a fascist bolshevik "provider" injecting itself where I don't need it.

I hate cloud crap. I hate handing everything over to big brother, or I'm forced to do without. Even if it's not perfect, it's something. ..and it looks like they're working on it. It'll get better. They'll find stuff. They'll fix stuff. How's that different from any other software?

A tiny, lightweight chat client that I can run myself, using a HSv3 to have a static address regardless of where the VM moves. Tor HS penetrates any IP proxy/firewall mess. You could run this from pretty much any network connection, anywhere in the world with near-zero setup... It's obnoxiously simple because it inherits most of it's functionality from ssh.

It makes too much sense to fail. I think they're going to make it work. It's one of those things that makes so much sense and is so simple it's inevitable.

Eh, regardless of what the corrupt government/corporation capabilities are, at least it's not facebook messenger. The bastards will have to work for it instead of having it handed to them on a silver platter.

I haven't done much with it yet, but it appears that the user launching it has to have a valid keypair.

I'm going to play with it. I sucked it in from the AUR. It's in it's own VM jail so whatever...

All you gotta do is type:

ssh-chat --bind=127.0.0.1:2222

and uncomment a few lines in your torrc... That is so simple. And it inherits all the security bits from ssh, which is as solid as you can ask for...

What software doesn't need a little more work?

I'm not going to make a huge stink out of it, but I stand by my original statement that it seems like this belongs in Artix. It's a philosophy match even if it's a work in progress. Isn't Artix a work in progress, too?

No, I'm not saying "OMG add it to universe naow!" It looks very underappreciated for what it is, and the general moron masses will probably never notice it. "OMG! Y ARTIX NO HAZ GRAPHICAL PACKAGE MANAGER?!?!"

Whether it gets votes in the AUR is useless information. I don't care if a mob of morons popularize X or not. Getting rid of systemd didn't get any votes over in Archland, either...

Just because someone can aggregate data does not mean that data has value or meaning. Can you accurately count the number of molecules in Leonard Nimoy's butt? Even if you can; so what?

I see the use-case for a self-maintained chat server for your small group of friends. Simple. Low feature count. It doesn't need hosting. Add tor, not for security, but for convenience. You can run it on any computer with an Internet connection because of how tor HS works. No hosting, domain, blah blah blah. Chat is not a high-bandwidth application. You could do it on dial-up. Forget the security. Lets pretend that doesn't even work. Setup is minimal. It's super-convenient. If the security actually works, that's two layers of point-to-point encryption. One of which obfuscates the very existence of itself and it's participants; while still verifying them. That's a major step above GPG/email. And, it's so simple to implement, even a moron like me can do it... Nobody can even try connecting to it unless they have the HSv3 address. Set a whitelist of ssh pubkeys.

Is there someone who doesn't want exactly this in their lives? Perfect for your Librem 5. Pi Zero w/ ZimKey... LoRaWAN private network instead of Internet/tor, your neighborhood has it's own comms. Sure, the five eyes degenerates can probably break in someway, somehow; but why make it easy for them?

I dunno if it has sendfile capabilities.

Yeah, I ramble and repeat myself. My brain is fried from stress. Please pardon...

This is where I am right now:

$ ssh-chat --bind=127.0.0.1:2222
Failed to read identity private key: failed to load identity: open /home/[muhusername]/.ssh/id_rsa: no such file or directory
$ 

Seems pretty straight-forward.

I need to create a dedicated user for the service and generate an ssh keypair for it to launch.

Then, as long as tor has a hidden service on 2222, my peeps can:

torsocks ssh [email protected]

It's just two lines in torrc:

HiddenServiceDir /var/lib/tor/ssh-chat/
HiddenServicePort 2222 127.0.0.1:2222

I've got the ssh-chat server running. Tor is catching it. It's trying to do ssh stuffs, but fails.

I am attempting to log in with a generated key, and I get this:

Unable to negotiate with [redacted] port [redacted]: no matching host key type found. Their offer: ssh-rsa

This proves that I am, indeed, reaching the ssh-chat server and communicating with it. I'm just not doing it right...

I did a big look into the intartoobz and found this:
https://stackoverflow.com/questions/69875520/unable-to-negotiate-with-40-74-28-9-port-22-no-matching-host-key-type-found-th

I note that when I generate the key, it defaults to SHA-256. What I glean from the above link is that ssh-chat wants an SHA-1 (which is lame).

So, I can either:

1) Get ssh-chat to accept SHA-256 keys instead:
RTFM?
Ask the devboi of ssh-chat?

2) Generate a lame, weak SHA-1 soykey.

Option #1 is preferred.
Option #2 would at least let me prove this infernal contraption works, then I can unsoy it later.

I'm trying Option #2...
https://www.freebsd.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD

     -t	dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk |	rsa
	     Specifies the type	of key to create.  The possible	values are
	     "dsa", "ecdsa", "ecdsa-sk", "ed25519", "ed25519-sk", or "rsa".

	     This flag may also	be used	to specify the desired signature type
	     when signing certificates using an	RSA CA key.  The available RSA
	     signature variants	are "ssh-rsa" (SHA1 signatures,	not recom-
	     mended), "rsa-sha2-256", and "rsa-sha2-512" (the default).

No matter what I specify, I get a SHA-256...

ssh-keygen does not obey.

Answers why: https://levelup.gitconnected.com/demystifying-ssh-rsa-in-openssh-deprecation-notice-22feb1b52acd

So, I need to figure out why ssh-chat is defaulting to this thing that shouldn't exist, and how to make it do SHA-256.

This was the better option anyway.

This seems to include a borked language "don't know how to words" problem... The error doesn't mean what the error means, because words don't mean what words mean... Walking away for a while, maybe try again another day.

This. If you need a private chat, there's Tox (https://tox.chat/). Otherwise, plain old IRC is more than enough.

@camosoul @Chris Cromer already answered the thread. As with any AUR package, refer to the AUR page (https://aur.archlinux.org/packages/ssh-chat) and upstream (https://github.com/shazow/ssh-chat) for support.

Spoke to the project admin.
There's something fail in golang about negotiating hash, and the version in AUR is old...
Gonna use the project binaries on github.

The latest release, provided in source and binary, defaults to ed25519 which avoids the other nonsense and it better anyway.

So, make yourself an ed25519 key pair and it Just Works^TM.

Copy/paste into /usr/bin/ and enjoy. Super simple. Whitelist/allowlist. Config in the command line.

Server:

HiddenServiceDir /var/lib/tor/ssh-chat/
HiddenServicePort [muhport] 127.0.0.1:[muhport]

# runuser -u ssh-chat -- ssh-chat --bind=127.0.0.1:[muhport] --identity=/path/to/server/user/key/file --motd=/path/to/motd.txt --allowlist=/only/these/pubs/allowed/file &

Client:

torsocks ssh [email protected] -i muhchatkeyfile

And that's with lots of fancy stuff... You could leave out tor, the motd, the whitelist, and skip the client key for a chat server that lets pretty much anyone connect... You could skip the isolated service user, too... It could be a guerrilla chat server pretty much anywhere given how portable the binary is...

Yeah, it's still under construction. But, it's a super-simple private chat server. Client doesn't have to install anything, it's ssh.

LoRaWAN next...
https://unsigned.io/15-kilometre-ssh-link-with-rnode/
https://www.youtube.com/watch?v=IDjnK5Pp3hk