Show HN: Shhhbb, an SSH BBS (donuts-are-good.github.io)
188 points by lagniappe on April 2, 2023 | 52 comments
Hello all :) I made this BBS for fun and thought you all would enjoy it. It's not perfect, but it's been a fun exercise!

see it: https://asciinema.org/a/Emg6SWrXMV6cehfQxrw1GRu75

try it:

    ssh -p 2223 shhhbb.com

host it: https://github.com/donuts-are-good/shhhbb/releases/latest

why?

Every year I challenge myself in some new way, this year it is to push one project per week. You might recognize my static site generator [0] or my releaser for go [1] from previous posts as one of these weekly projects. If you want to join me in doing this, it's been a blast and I highly recommend it! Maybe we can chat on the bbs about it :)

[0] - bearclaw tiny static generator - https://github.com/donuts-are-good/bearclaw

[1] - release.sh release builder for go - https://github.com/donuts-are-good/bearclaw

need:

I'd love a few co-conspirators, or even some new friends for the bbs software or the bbs itself. A lofty nice-to-have goal is meeting a few other similarly motivated people to conspire with on a weekly basis. If that's you, drop me a line!

goals:

I have about half of an admin interface endpoint pushed up, which I'd like to finish. I realized mid-commit that I'd lacked some other material in a previous commit, and in pushing it up, I ended up pushing half the admin feature. Stay tuned for that.

I'd also like to implement a feature where I surrender the socket to a new process so I can upgrade the binary without dropping all of the connected users. I'm not sure on the feasibility of this, but all the words fit together, so it'll be tried.




The manual encourages bad SSH practices.

The server could collect SSH public keys and use GitHub to resolve them to GitHub users to deanonymize users.

To protect yourself against this kind of problem:

1. Put this block at the end of ~/.ssh/config:

    Host *
    ForwardAgent no
    ForwardX11 no
    PermitLocalCommand no
    # Avoid keys being proposed to any SSH server we connect to (ex: whoami.filippo.io)
    PubkeyAuthentication no
    IdentitiesOnly yes
    AddKeysToAgent no

2. Use a separate private SSH key for each organization you connect to. You must create a config entry to tell OpenSSH to use it. Ex:

    Host shhhbb.com
    PubkeyAuthentication yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id@shhhbb.com

Disclaimer: I'm the author of https://github.com/dolmen/github-keygen
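
Added example (not part of the comment above and not shhhbb code): a small check of what the client would actually offer to a host once the two config blocks are in place. It reads the output of the real `ssh -G <host>` option; the function names, the sample outputs and the `example.org` host are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ssh -G <host>` output (lowercase "keyword value" lines).
audit_ssh_effective() {
    awk '
        BEGIN { fa = "no"; fx = "no"; pk = "yes"; io = "no" }  # OpenSSH defaults
        $1 == "forwardagent"         { fa = $2 }
        $1 == "forwardx11"           { fx = $2 }
        $1 == "pubkeyauthentication" { pk = $2 }
        $1 == "identitiesonly"       { io = $2 }
        $1 == "identityfile"         { n++; files = files " " $2 }
        END {
            if (fa != "no") print "RISK forwardagent=" fa
            if (fx != "no") print "RISK forwardx11=" fx
            # Accept both spellings of a disabled boolean.
            if (pk == "no" || pk == "false") { print "OK no public key is offered"; exit }
            if (io != "yes") print "RISK identitiesonly=" io " (agent keys are offered too)"
            if (n > 1) print "RISK " n " identity files are candidates:" files
            if (io == "yes" && n == 1) print "OK only" files " is offered"
        }'
}

# Constructed sample: effective settings with the per-host block in place.
sample_hardened() {
    cat <<'EOF'
hostname shhhbb.com
forwardagent no
pubkeyauthentication yes
identitiesonly yes
identityfile ~/.ssh/id@shhhbb.com
EOF
}

# Constructed sample: an unconfigured client talking to a hypothetical host.
sample_default() {
    cat <<'EOF'
hostname example.org
forwardagent no
pubkeyauthentication yes
identitiesonly no
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ed25519
EOF
}

echo "== shhhbb.com (hardened)";  sample_hardened | audit_ssh_effective
echo "== example.org (defaults)"; sample_default  | audit_ssh_effective
# Live use: ssh -G shhhbb.com | audit_ssh_effective
```

OpenSSH keeps the first value it finds for each option, so the per-host block has to sit above the `Host *` block for the dedicated key to be the one selected.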


Ah bollocks, I've been shitposting using my work GH keys. Hopefully I don't get a surprise call from the boss soon.


Don't worry, soon shitposting will be considered "hate speech" and you'll be unable to post anything that is considered inappropriate by surveillance language models' creators.


For a little more context and a PoC illustrating the matter: https://github.com/FiloSottile/whoami.filippo.io?ref=words.f...


Very nice! Now for the real experience, only one person can use it at a time. ;)


This is client side configuration. Not server side.


Thanks everyone for checking out the BBS :) A few hours in now and I've met so many of you. I was not prepared for how positive and appreciative everyone was! It was great heading down memory lane with you all. Even the small amount of criticisms made were actually great advice.

From your suggestions I've come up with a short unsorted list of things I should make for us that we need. I'm going to get a nap in to think about their implementations and I'll have something to push up shortly, likely tomorrow night Monday PM

from the list:

- /exit, /quit and /? :) if you've seen chat you get it

- public api for integrations (nostr, matrix, 3rd party clients)

- TUI for buffering chat input vs output, put chat in a separate window

- comprehensive documentation for usage

- /name for username changes

- pass the socket to the next upgrade binary to upgrade the server without kicking everyone, maybe make a proxy instead.

Again, thanks to you all that I got to meet tonight, I'm thankful to share this experience with you.


I just tried logging in and found that it hangs indefinitely. This seems to be because shhhbb.com has a AAAA record that the BBS isn't listening on:

> debug1: Connecting to shhhbb.com [2a01:4ff:1f0:8a78::] port 2223

If I connect with `ssh 5.78.86.154 -p 2223` instead I get in fine.

Maybe either have the server listen on v6 / adjust the packet filter or stop shhhbb.com resolving its AAAA address, which is currently taking priority for me.


Ah that's my mistake, thanks for finding that. I'll remove the record until I can get that added in later tonight, family time is in full effect right now - we're making enchiladas :)

edit: removed the AAAA for the moment, again thank you!


enchiladas for the win!


This is awesome. I endlessly miss the BBS days and have been toying with the idea of creating a modern one for a private group of friends/friends-of-friends.


I think mono.org is still going


I like this. Have you thought about building this on top of a regular shell? Adding commands would be a matter of wrapping and allowing existing application calls. As an example, a tool to message users exists: It is called "mail". There is even federation!


That sounds like way less fun, to me.

One of my toy projects is building a "desktop OS" in the CLI, with its own mini apps (python), and a drawille style GUI and windowing. And ANSI color.

There's no point at all, but it's fun.


Once upon a time I ran a large interactive telnet service (a campus wide information system) that one could run gopher from and connect to various library online public access catalogs and wide area information systems servers. You would telnet to these BSDi boxes from the campus network anonymously and select services from a menu.

We had a special custom hardened shell for this. Originally it was some script that ran from sh; but the campus network of the 90s was a pretty adversarial system and it was too easy to bust out of the shell. Even with the hardened shell, we booted from a read only network drive.

When we shut it down for about a year it displayed my phone number. I had some interesting calls from old faculty and researchers.

Anyway, I would not give a full shell to randos from the Internet.

(Sorry, I replied at the wrong level, but this web view won't let me copy this message)


It'd be fun to make like a modern ZX Spectrum / Commodore style machine - where the shell is also the interpreted language for the actual machine.

It's a shame how complicated modern computers have made stuff like drawing directly to the screen in comparison.


I reckon that would be a Pubnix. Most Pubnixes have, besides the usual tools like mail, local bulletin boards and so on.


The largest forum (PTT) in Taiwan is also a BBS that you can access with SSH.

https://github.com/ptt/bbs-sshd

Of course, nowadays you can also access PTT through websocket or a web interface.


Would there be anything of interest to an English speaker though? When I was in Taiwan I found very few people that spoke English.

Having said that it was 20 years ago :P


I like this, especially because it's in go. So you can dump it on any small system without having to worry about a maze of dependencies. I'll give it a try!


It was fun and had more people lurking there.

Since you are using SSH keys, why not look into NOSTR integration?

You have already done the basics, and adopting that protocol would help to keep this project alive since anyone can participate there with their existing account and those posts can also be seen from the outside: https://usenostr.org/


Thanks that's a great idea. I've got plans for an API in the works so that 3rd party integrations and clients can access the BBS (mine or yours)


Remember that leaking your SSH public key may not be what you want.

So if you want to try it, perhaps use a separate keypair just for this service.


More keys the better, though not entirely necessary.

The username is a shortened and hashed representation of your public key, also I don't see the private key or key password, only public key. You can also run with

    ssh -o "ForwardAgent=no" -o "IdentitiesOnly=yes" -p 2223 shhhbb.com

for added surety.


AFAIK if the first pubkey doesn't work for some reason then all of the pubkeys in ~/.ssh/ are tried and thus may reveal information about machines that you're (frequently) logging into.


> leaking your SSH public key may not be what you want

Can you please elaborate why this is not a good idea?



Thanks :-)


GitHub.com/user.keys


Since you're looking for feature ideas, you might want to check out what others have done with their boards; see [0] for a good list organized by software. Even within one base software group (e.g., Mystic), you'll find a lot of variation.

Be advised that a lot of them use CP438, so you might want to get your hands on a BBS client that can handle it gracefully, like Netrunner.

[0] https://www.ipingthereforeiam.com/bbs/?step=software&all=0

[1] http://www.mysticbbs.com/downloads.html


Neat, always nice to see another server available. Now, for your next trick, tie it in with FIDONet or DOVENet (yea, they're still operating, even if most echoes are a ghost town). Or of course, door games (dosemu tends to be the layer of choice to get the classics running on a *nix system).

Synchronet is the big player still in this space, but I have seen some folks running some of the oldschool options such as WWIV or Citadel (never mind the AmigaNet crowd who does everything to keep the old silicon in service). Cool to see some variety popping up to keep things fresh!


Hey man, this is really good stuff and I'd love to conspire with you about the terminal. I can't find your contact info (I looked!), but send me a message (email in bio) and hopefully we find a way to chat. Cheers!


email sent :) from p@ro.com


there is some world-class shit posting happening on this—quite enjoyable!


That's nice. Why no multiline messages though? Perhaps akin to those on modern telnet BBS systems, making use of pseudographics, or simpler ones, like in MUDs, with a line editor.

And SSHFP RRs (along with DNSSEC) would be nice to have for a public SSH service.


Why sHHbbs instead of sSHbbs, given it's "SSH + BBS"?


i like the name it's like "shhh bb its ok"


It is basically this, but mainly because that's the .com that was available between the two. I've always liked a good abstract domain name hack, but recently I've been moving back to .com so good names can be hard to come by.

It was originally titled anon-chat (no affiliation) because of the way the usernames are formatted (hashed and shortened with @ sign prepended, to prevent name struggles and squatting cool names). Before pushing the project I had a moment's reflection and then hesitation that maybe I might be barking up a different tree with that name.

I took "SSH" and "BBS" and tried the associated names, and eventually settled on this one. It doesn't have a lot of bang-pow to it, but it works and it's a short .com.



Oh man, TIL. Now I love the domain. :)


Using the ssh keys to provide the usernames is clever.


I would love to see some public key authentication mechanism!



thanks, i've emailed the admins


Fixed now. Thanks!


your whole description (plus the website) is totally cryptic. unless one knows what BBS actually stands for. I spent several minutes looking for an explanation on your website and in your HN post. still don't know what it is.



ah thanks.


Yea googling led me to this comment which led me to that wiki link. Very cryptic indeed but maybe that’s the point


What did you search for? For me a search for bbs gave three good links, but I knew what it was..


It's probably actually gotten easier than it was 10 years ago when I got into some telnet and SSH bbs's (using older platforms that are still developed or have had adapted layers to repurpose them). Back then, searching for BBS would get you all sorts of phpbb sites because at least a good contingent of folks were using the term to refer both to the ANSI systems as well as web fora. Now that web fora are mostly replaced by the likes of Reddit, this seems less an issue.


Having been young in the 80s I also wouldn't have realised that this would have needed an explanation :)



