https://www.clockwork.com/insights/ssh-agent-hijacking/ (SSH Agent Hijacking)
ssh -a -i /dev/null terminal.shop
ssh terminal.shop
If you want to make sure no keys are offered, you'd want:
ssh -a -o IdentitiesOnly=yes terminal. Shop
2. Can't you disable agent forwarding in a config file, so as not to have to clutter the command line?
$ bwrap --dev-bind / / --tmpfs ~ ssh terminal.shop(And as the siblings mentioned this won't work to prevent your key from being sent if you're using an agent)
They can't get your private keys, but they could "perform operations on the keys that enable them to authenticate using the identities loaded into the agent" (quoting the man page). This would also only be possible while you are connected.
If you enable agent forwarding for all hosts then yes, data will be forwarded.
Your link says:
> Don’t enable agent forwarding when connecting to untrustworthy hosts. Fortunately, the ~/.ssh/config syntax makes this fairly simple
Which honestly should always be disabled. There are no trusted hosts.
Just use ssh-add -c to have the ssh-agent confirm every use of a key.
...your own (headless) server that's in the same room as you, when you're using your laptop as a thin-client for it?
Not at all specific to this.
I have a private key for my prod server, a private key for GitHub, and a private junk key for authenticating to misc stuff. I can discard any without affecting anything else that's important.
If I authenticated with my junk key, would my other keys still be at risk?
Yes, if you authenticate with your junk key (or no key), and SSH agent forwarding is enabled, you are still at risk. It lets the remote machine login to any server with any keys that are on your local SSH agent. Parent's link shows how this can be abused.
Fortunately, it's disabled by default, at least on newer versions.
ssh -o PubkeyAuthentication=no -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -a nobody@terminal.shop
The article you cited makes it clear that you can turn this on for specific hosts in your private SSH config (and probably should do it that way).
So why wouldn't you?
Turning on forwarding globally and then having to remember to disable it for some untrusted hosts with -a looks silly and error-prone to me.
It's also good to see if any malicious process tries to make use of the agent locally!
Processing credit card data has a high compliance burden if you're unwilling to use a secure widget made by an already-authorized provider like Stripe. That's for a good reason, most web and mobile apps are designed such that their backend servers never see your full credit card number and CVV. You can't do this over SSH.
I also wonder whether you could even do this if you had to handle PSD2 2-factor authentication (AKA 3d Secure), which is a requirement for all EU-based companies. This is usually implemented by displaying an embed from your bank inside an iframe. The embed usually asks you to authenticate in your banking app or enter a code that you get via SMS.
You can take the easy way out of course and make the payment form a web page and direct the user to it with an URL and/or a Unicode-art rendition of a QR code.
PS: I work at Stripe but I don't really work on the PCI compliant part of the company.
For most websites that use the Stripe widget, the website owner can never see the full card number, because the credit card number entry fields are iframed in on the page. That means website owners in this scenario are PCI compliant just by filling out PCI SAQ A (self assessment questionnaire A), which is for "Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced": https://listings.pcisecuritystandards.org/documents/SAQ_A_v3...
But that questionnaire is only for merchants where "Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;" For e-commerce merchants who CAN see the card number, they need to use SAQ D, https://listings.pcisecuritystandards.org/documents/SAQ_D_v3.... This includes additional requirements and I believe stuff like a pen test to be PCI compliant.
In the past one of my banks required me to put in a One-Time Password on the frame I'm shown. While it's different right now, you do need to show that page in the general case. That would really break the immersion of their process :/
And if everything fails, they can just render the 3DS page in the terminal! (e. g. using Browsh [1]) Although I'm not sure if that would be compliant with the regulations.
It's still not clear to me if they are compliant.
To make it work like in the browser it would require some sort of SSH multiplexing where your client is connected to both the shop and Stripe's SSH server and you enter your card data into a terminal region that is being rendered by stripe's ssh server. And then the triangle is completed by Stripe notifying the shop that the payment is ok.
Even if you're using a third party provider that handles both credit card entry and processing, you need to comply with some subset of the PCI/DSS requirements.
In the case of terminal.shop it's not even true, since they can see the credit card number on their side, even if all they do is to forward that number to Stripe and forget about it.
For small and medium-sized merchants, PCI/DSS classifies different types of handling through the concept of which SAQ (Self-Assessment Questionnaire) you have to fill in. Different SAQ have different subset of requirements that you need to fulfill. For e-commerce use cases, there are generally 3 relevant SAQs, in order of strictness:
- SAQ A: Applicable when the merchant redirects payment requests to the payment processor's page or shows an iframe that is hosted by the processor. This is the level required for Stripe Checkout or Stripe Elements.
- SAQ A-EP: Applicable when the merchant handles input on the browser, but sends the data directly to the processor without letting it pass through the merchant's server. This is equivalent to the classic Stripe.js.
- SAQ D: Applicable when the card data is transmitted, stored or processed on the merchant's own server, even if the merchant just receives the card number and passes that on to the payment provider. Stripe calls this type of usage "Direct API Integration" [1].
The level of compliance required for terminal.shop should be SAQ-D for Merchants, which is quite onerous. It covers almost all of the full set of PCI/DSS requirements.
But even if a merchant just uses Stripe.js, the PCI SSC still cares about the possibility of an attacker siphoning card data from the merchant's site through an XSS vulnerability.
And even if the merchant is using an iframe or a redirect (with something like Stripe Checkout or Stripe Elements) there is still the possibility of hard-to-detect phishing, where an attacker could replace the iframe or redirect target with their own site, made to look exactly like Stripe.
---
[ EDIT: worried to the point that we actually implemented a telnet version of the store in parallel with the http/html one for a few months before abandoning it ]
I also remember telnet BBS's became popular for a few years when I was in college 91-93.
[0] https://sbnonline.com/article/visionary-in-obscurity-charles...
Were people just that trusting back then, or had they figured out some kind of pre-SSL way of securing things?
Even back in 2010 lots of sites were http, like Facebook, & there was FireSheep which would snoop on public wifi for people logging into sites over HTTP
we'll be back in a few weeks with proper inventory and fulfillment
we'll also be opensourcing the project and i can answer any questions people have about this
Also you guys should post over on Threads -- a bunch of people over there are really into the idea as well: https://www.threads.net/@mockapapella/post/C5_vLdDP0J1
This joke is a clever play on words that merges elements of computer programming and coffee culture. Let's break it down:
New startup sells coffee through SSH: SSH stands for Secure Shell, which is a network protocol that allows for secure communication between two computers. In this context, the joke suggests that this new startup is selling coffee through a secure connection, presumably online.
Is it /usr/locally grown and single .'ed?: This part of the joke is a play on the directory structure in Unix-like operating systems, where /usr typically contains user-related programs and data. "Locally grown" suggests that the coffee is sourced locally, and "single .'ed" is a wordplay on "single origin," a term used in coffee culture to denote coffee that comes from a single geographic origin. The /usr/locally grown part humorously combines Unix directory structure with the concept of coffee sourcing.
How quickly can they mv it to my ~?: Here, "mv" is a command in Unix systems used to move files or directories, and "~" represents the user's home directory. So, "mv it to my ~" is a playful way of asking how quickly they can deliver the coffee to the customer's home. It's also a pun on the idea of moving the coffee to the user's home directory.> Cloudflare Tunnel can connect HTTP web servers, SSH servers, remote desktops, and other protocols safely to Cloudflare.
https://developers.cloudflare.com/cloudflare-one/connections...
> In addition to HTTP, cloudflared supports protocols like SSH, RDP, arbitrary TCP services, and Unix sockets.
https://developers.cloudflare.com/cloudflare-one/connections...
If you want the client to not require special software, they provide a web based terminal emulator for ssh, and a web based VNC client.
will be talking more about this soon
It would be possible to support other protocols with a single IP address (either because they are running on the same computer, or for any other reason) if they support virtual hosting.
Of the "small web" protocols: Gopher and Nex do not support virtual hosting; Gemini, Spartan, and Scorpion do support virtual hosting. (Note that Scorpion protocol also has a type I request for interactive use.)
NNTP does not support virtual hosting although depending on what you are doing, it might not be necessary, although all of the newsgroups will always be available regardless of what host name you use (which requires that distinct newsgroups do not have the same names). This is also true of IRC and SMTP.
However, if you are connecting with TLS then it is possible to use SNI to specify the host name, even if the underlying protocol does not implement it.
(This will be possible without the client requiring special software, if the protocol is one that supports virtual hosting. There may be others that I have not mentioned above, too.)
[1]: https://developers.cloudflare.com/workers/reference/protocol...
┌──────────┬────────┬─────────┬───────┬────────────────────┐
│ terminal │ s shop │ a about │ f faq │ c checkout $ 0 [0] │
└──────────┴────────┴─────────┴───────┴────────────────────┘
nil blend coffee
whole bean | medium roast | 12oz
$25
Dive into the rich taste of Nil, our delicious semi-sweet
coffee with notes of chocolate, peanut butter, and a hint
of fig. Born in the lush expanses of Fazenda Rainha, a
280-hectare coffee kingdom nestled in Brazil's Vale da
Grama. This isn't just any land; it's a legendary
volcanic valley, perfectly poised on the mystical borders
between São Paulo State and Minas Gerais. On the edge of
the Mogiana realm, Fazenda Rainha reigns supreme, a true
coffee royalty crafting your next unforgettable cup.
sold out!
────────────────────────────────────────────────────────────
+ add item - remove item c checkout ctrl+c exitSomething like hypercard implemented with 80x24 ncurses UI
Also, check gopher and gopher://magical.fish under Lynx or Sacc. The news section it's pretty huge for what you can get with very, very little bandwidth.
gopher://midnight.pub and gopher:/sdf.org are fun too.
And, OFC, the tilde/pubnix concept. SDF it's awesome.
Word perfect had good mouse support, as did Editor.
Someone complained to me a while back about the size of icons on the windows desktop being too small - I told them they can hold Ctrl and scroll the mouse wheel to change the zoom level. They've complained about the same thing a couple times since, and so far as I can tell have made no effort to fix it.
Perhaps the problem there is incentives.
> ssh terminal.shop
Oops, I thought I was supposed to enter it directly into the prompt on the webpage. The styling makes it look like an interactive console, I figured they included an embedded javascript SSH client for users who might not have one.
> this one waits exactly 17 seconds (!), then opens a telnet session to our coffee-machine (we had no frikin idea the coffee machine is on the network, runs linux and has a TCP socket up and running) and sends something like `sys brew`. Turns out this thing starts brewing a mid-sized half-caf latte and waits another 24 (!) seconds before pouring it into a cup. The timing is exactly how long it takes to walk to the machine from the dudes desk.
I wrote up a little demo and explainer at
https://mitm.terminal.shop.rag.pub
ssh mitm.terminal.shop.rag.pubThey give you the ed25519 host key to insert into your known_hosts file on their homepage, which itself is served over TLS with all of the protections you describe in your article. They could go into more detail on being careful with not falling into the tofu trap perhaps, but I don't see that there's an inherent PCI-critical problem here. ssh tells you who, cryptographically, you're connecting to.
If I mess with my DNS and point it at your "little demo", this happens:
$ ssh foo@terminal.shop
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
And guess what? My browser lets me bypass HTTPS warnings too! Yes, even when HSTS is enabled I can take steps to bypass the warning.
Users will fall into the TOFU trap, most users who've sent them cash certainly did.
Most users won't put their credit card credentials into a page that they've had to bypass a cert warning on.
That shots from my parents balcony in Bermuda
letsencrypt is free, you might hate the browser for many fair reasons, but PKI and the CA/B forum are actually effective.
duckduckgo just says PSA is Prostate specific antigen. What did you mean?
Can I pipe that order through to a payment processor and delivery method? Script my meals for the week?
In that game you can type /pizza and it'll get ordered and delivered
Strong disagree. The encryption is the easy part, the hard part is the symmetric key exchange. And PKI used by browsers is much more robust for this usecase then TOFU model of ssh. Of course the proper way to fix this is checking the ssh key fingerprint, but almost nobody does this.
(I know this is considered an atrocity by some, but I happen to not really care enough about my terminal color to change the default)
shipped an improved light mode today!
SSH: ascii.theater was mentioned here, so was mapscii.me There's a bunch of games at https://overthewire.org/wargames/ (and there's likely still dozens of other small muds running over telnet as well) chat.shazow.net is a chat server
Non-ssh (the games mostly require registration): `curl wttr.in` for weather `finger help@graph.no` for weather `cat | nc termbin.com 9999` for a pastebin `telnet telehack.com` `telnet freechess.org` `telnet gt.gamingmuseum.com` `telnet fibs.com 4321` to pay backgammon
There's used to be Nyan cat through telnet, which I'd hacked into running on ssh but AFAICT there's no longer any servers around (my own server is no longer around either) https://nyancat.dakko.us
Unknown how many of these are running still: https://info.cern.ch/hypertext/DataSources/Yanoff.html There's a much more recent list that includes ssh and telnet services here: https://github.com/chubin/awesome-console-services
---
On a related note, http://shells.red-pill.eu/ lists a bunch of free shell services.
My constructive feedback is that the text contrast is so low (in iTerm2 anyway) I can barely read anything. I thought only web pages had that problem, but I guess sufficiently sophisticated TUI apps have designer color problems too! What's next, incredibly tiny terminal fonts? (jk, designers...sort of)
It is SMS based. Each week they offer a different bean from a different roaster, and you reply with the number of bags you want. I've discovered a number of great roasters this way.
The rule is that if you have a good reason for your cookies (i.e., basically one that isn't user-hostile), you have nothing to worry about and don't need a cookie banner.
It's only when you engage in user-hostile practices, such as tracking, that you need to ask for consent.
I'm being sightly snarky, but that's really the essence of it.
>No need for a cookie banner.
That's a bit different than the key listed
You can check that in your local known_hosts file (after having connected at least once) with "ssh-keygen -F terminal.shop -l" and "ssh-keygen -F terminal.shop -lv". (Yes, it is confusing that the command is named "ssh-keygen" but does lots of things that are not about generating any keys)
If you want to do it without connecting, try "ssh-keyscan terminal.shop".
"Before Google, Sergey Brin tried (and failed) to let us order pizza by fax"
EDIT: image here: https://blog.adafruit.com/2022/01/31/the-story-of-sun-micros...
So no, not a normal price.
but as an anecdote, I get a lot of coffee from the Fellow Drops subscription service, and those bags average around $25 - often for less than 12oz.
The lowest price specialty coffee I could find online is about $12 for a little over 10oz from a place called S&W.
So $25 is a very bad value in my opinion.
ssh -a -i /dev/null -o StrictHostKeyChecking=no watch.ascii.theatertelnet mapscii.me
Edit: somebody was able to order coffee through them (see below).
But I do kinda like the idea of something as... niche as this popping up in a highly tech area and then offering the ability to buy and get your coffee without ever seeing someone.
Like you just walk into a room with a rotating door (like one you might see at a doctors office for samples) or something like that.
Feels very... introvert and would be kinda fun.
https://podcasts.apple.com/us/podcast/how-about-tomorrow/id1...
will Nil make me a better developer?
legally we cannot guarantee that it will, but...
is it true your coffee contains the sweat of @theprimeagen?
we can neither confirm nor deny these rumors.
is it true your coffee contains the tears of @thdxr?
yes, this is true.> is ordering via ssh secure? you bet it is. arguably more secure than your browser. ssh incorporates encryption and authentication via a process called public key cryptography. if that doesn’t sound secure we don’t know what does.
Doesn’t TLS use public key cryptography too?
> ssh terminal.shop "register foo $pubkey"
> ssh foo@terminal.shop "set shipping address to $addr, credit card info $info, email address $email"
> ssh foo@terminal.shop "order one 12oz light roast"
EDIT Pizza Party is what I am thinking about.
As an aside kind of funny to see this pop up. I was just talking about if anyone was doing ordering through a cli a while ago: https://news.ycombinator.com/context?id=39817617
$ ssh sshtron.zachlatta.comThe "enter your email for restock updates" part of the screen showed up as white-on-white on my light-mode-by-default Gnome Terminal on my first try and so I was slightly confused; sshing from `uxterm` worked fine though.
Did you go and source it from farms? Is this sourced from another company? Whose blend? Do you provide the roast date on the bag?
The massive simplification this provides over rendering HTML/CSS should be attractive to startups.
Now I wish we had a CLI/TUI for things like Amazon...
I was curious to see if I could connect using mosh. I could, but I wasn't able to use the hotkeys to browse the different screens like I was when I connected via ssh.
scp foo.txt terminal.shop:.
scp evil_passwd_file terminal.shop:/etc/passwd
scp evil_authorized_keys terminal.shop:.ssh/authorized_keys
> wip: terminal (initial commit)
Not sure how the stripe payments intake work but very cool!
People make cafes and coffee shops all the time without taking money or at least VC money.
This is the whole point, I think. Things can exist just because they're fun :)