       Add event and tutorial page - haunted-hosts - Unnamed repository; edit this file 'description' to name the repository.
       ---
commit 9a758eeaaf5338944b9ceb5eb90ccce2f8274c62
Author: Scarlett McAllister <no+reply@roygbyte.com>
       Date:   Sun,  3 Nov 2024 08:38:33 -0400
       
       Add event and tutorial page
       
       Diffstat:
         A README                              |      47 +++++++++++++++++++++++++++++++
         A event-page.gph                      |      62 +++++++++++++++++++++++++++++++
         A tutorial.org                        |      56 +++++++++++++++++++++++++++++++
       
       3 files changed, 165 insertions(+), 0 deletions(-)
       ---
diff --git a/README b/README
       @@ -0,0 +1,46 @@
       +# Usage
       +
       +Start the sshd for debugging using `./debug.sh`
       +Start the sshd for production using `./start.sh`
       +
       +# Installation
       +
       +Follow the instructions in Server section to run this haunted host.
       +
       +# Server
       +
       +## Configuration
       +
       +Allow connections from port 666 in firewall.
       +
       +```
       +pass in on egress proto tcp from any to egress port 666
       +```
       +
       +Create users and groups.
       +
       +```
       +useradd -d /var/empty -s /bin/sh -p "" trick
       +usermod -A haunted trick
       +```
       +
       +Setup folder and file permissions for haunted hosts data and scripts.
       +
       +```
       +# Location of executables
       +mkdir -p /var/haunted-hosts/
       +chown -R :haunted /var/haunted-hosts/
       +cd /var/haunted-hosts
       +# Scripts executed by the users
       +chmod +x trick
       +chmod +x treat
       +# File storing hashed IPs from connections
       +touch client_ips
       +chown :haunted client_ips
       +chmod g+w client_ips
       +```
       +
       +# Bugs
       +
       +- There is no treat script
       +- The trick script seems to hang around after a visitor closes their connection.
       +\ No newline at end of file
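Review bot: the installation steps depend on files this commit does not add: `./debug.sh` and `./start.sh` in the Usage section, and the `trick` and `treat` scripts that `chmod +x trick` / `chmod +x treat` operate on; the Bugs section itself says there is no treat script, so `chmod +x treat` fails on a fresh checkout. Either add the scripts (or stubs) here or state that they must be created before the permissions block is run. In the "Create users and groups" snippet the `haunted` group is never created before `usermod -A haunted trick`, so a `groupadd haunted` (or the platform equivalent) line is missing. Two points worth a sentence in Configuration: `useradd -p ""` gives the `trick` account an empty password for every login path on the system, not only the sshd on port 666, so the account should also be confined by the restricted login class that tutorial.org in this commit describes, and `client_ips` is group-writable by `haunted`, the group both visitor accounts belong to, so whatever the forced commands write there is only as trustworthy as those commands.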
diff --git a/event-page.gph b/event-page.gph
       @@ -0,0 +1,62 @@
       +                         .=-.
       +                        / .`      
       +              |\_/|    |  |       ,-+-,
       +              |-,-|     \ ',     ; ^v^ ;
       +             _|(=)|      `..+    ;'|+|''       /\_/\
       +            |    /  |            /;_Y_;\      /     \
       +            |   /|  |            |\_:_/ \    /  O O  \
       +            |  / \  |            |/ ' \ /    |  \./  |
       +            | / _ \ |            /_____\`    |       |
       +            |/| | |\|              |||       |       |
       +              | | |     __/__      |||       ;~,~.~,~;
       +              | | |    //  |`\    _|||_        | | |
       +         ...._|_|_|_...\`___,/....II'II...... /__|__\rgb...
       +
       +                     Announcing the first annual:
       +                 Bitreich "HAUNTED HOSTS" Hallowe'en
       +                    October 31, 2024, 9:00PM CEST               
       +
       +This Hallowe'en, hosts from around the world open their ports to
       +festive trick or treaters. Be spooked, scared, or delighted by hosts
       +haunting their `ssh` connections with a ghoulish `Banner`, cob-webbed
       +`ChrootDirectory`, or evil `ForceCommand`!
       +
       +To participate as a host: Announce your intent to participate by
       +contacting ROYGBYTE on #bitreich-en:irc.bitreich.org before the event
       +date. Then, prepare your hauntings: make or modify your =sshd= to
       +include passwordless authentication for =trick= and/or =treat= users;
       +and, configure your choice of =sshd= options to create a
       +correspondingly delightful... or frightful... visitor experience!
       +
       +To participate as a trick or treater: on October 31, 2024, 9:00PM
       +CEST, connect via `ssh` as `trick` or `treat` user to participating
       +hosts. Hosts may be using non-standard `sshd` ports, so for full
       +connection details check this event page on Hallowe'en eve!
       +
       +--
       +
       +Tutorials and writings
       +
       +[1|someodd's tutorial|/phlog/bitreich-haunted-hosts.gopher.txt|gopher.someodd.zip|70]
       +[1|ROYGBYTE's tutorial|/haunted_hosts_tutorial_for_running_spooky_server_daemons.gph|roygbyte.com|70]
       +
       +--
       +
       +Host participants as of Thu 31 Oct 2024 16:12:58 ADT
       +
       +pi31415
       +[1|gopher://tilde.pink/1/~bencollver/boo|/~bencollver/boo|tilde.pink|70]
       +  
       +__20h__
       +[h|ssh trick@bitreich.org|URL:ssh://trick@bitreich.org|server|port]
       +[h|ssh treat@bitreich.org|URL:ssh://treat@bitreich.org|server|port]
       +[1|witchcrash|/witchcrash.gph|bitreich.org|70]
       +[1|lawn hallowe'en theme|/lawn|bitreich.org|70]
       +annna on irc.bitreich.org now does trick and treat, speaks zombie and ghost
       +
       +pazz0
       +[h|ssh trick@main.0xfa.de|URL:ssh://trick@main.0xfa.de|server|port]
       +[h|ssh treat@main.0xfa.de|URL:ssh://treat@main.0xfa.de|server|port]
       +
       +ROYGBYTE
       +[h|ssh -T -p 666 trick@roygbyte.com|URL:ssh://trick@roygbyte.com:666|server|port]
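Review bot: the trick-or-treater paragraph tells visitors to `ssh` as `trick` or `treat` but not that they may need `-T`: hosts configured per tutorial.org in this commit set `PermitTTY no`, so a plain `ssh trick@host` from an interactive terminal reports a failed PTY allocation before the forced command runs, and only the ROYGBYTE entry shows the `-T -p 666` form. Suggest adding one line to that paragraph, e.g. `ssh -T trick@host` with `-p PORT` where the listing gives one, and keeping the displayed text of each `[h|...]` entry consistent with the URL it links to (the ROYGBYTE link text carries the flags while the other entries do not). The participant list is stamped `as of Thu 31 Oct 2024 16:12:58 ADT` by hand, which goes stale silently; acceptable for an event page, but worth a note in the README that it is maintained manually.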
diff --git a/tutorial.org b/tutorial.org
       @@ -0,0 +1,56 @@
       +#+TITLE: Haunted hosts tutorial for running spooky server daemons
       +
       +The text below describes a simple passwordless login configuration for =sshd=. This type of login configuration is excellent for providing kiosk services to server visitors, interesting server easter eggs, or participation in events like "Haunted Hosts". Creating a configuration compatible with this last use case will be the tutorial.
       +
       +So, to participate in "Haunted Hosts", I need to create two passwordless logins for each the =trick= and =treat= user. The logins should be very restricted, having the least amount of system services and privileges required to invoke a forced command to run after login.
       +
       +
       +* User configuration
       +
       +I need to create two new users, =trick= and =treat=. I will give them no password, and no home directory. They will get a shell, which is necessary to invoke the =ForceCommand= configured for =sshd=.
       +
       +=doas useradd -d /var/empty -s /bin/sh -p "" trick=
       +
       +I will also narrow capabilities by assigning these users to a new login class, =haunted=. This class will be configured with a limited =PATH=. I will come back and update this article when I figure out how to do this!
       +
       +* sshd_config
       +
       +I define a new =sshd= configuration file in my project's folder. I add rules sufficient to permit passworldess logins, which is achieved with =PasswordAuthentication yes= and =PermitEmptyPasswords yes=. 
       +
       +Next, I disable other =sshd= features of TTY, X11, tunneling, and port forwarding. It's maybe overkill, but I set a timeout for killing the session if the user hasn't any channel (e.g.: shell, program) running. Oh, and to especially capture the festive symbols of horror, I use port =666=. >:)
       +
       +#+begin_src 
       +  Port 666
       +  HostKey /etc/ssh/ssh_host_ed25519_key
       +  AuthenticationMethods none
       +  PasswordAuthentication yes
       +  PermitEmptyPasswords yes
       +  PermitTTY no
       +  PermitTunnel no
       +  PermitUserEnvironment no
       +  PermitX11 no
       +  PermitListen none
       +  PermitOpen none
       +  PermitRootLogin no
       +  UnusedConnectionTimeout 30
       +  X11Forwarding no
       +  AllowUsers trick treat
       +  Match User trick
       +  ForceCommand /bin/ed
       +  Match User treat
       +  ForceCommand /bin/ed
       +#+end_src
       +
       +For now, I am forcing =ed= to be invoked for both users. Later, I will change this to another program.
       +
       +I test my configuration by invoking =sshd= absolutely:
       +
       +=doas /usr/sbin/sshd -d -E logs -f sshd_config=
       +
       +The daemon is kept in the foreground with =-d=. =-E= creates a puts output into a log file. This log file can be read to debug the connection. Verbosity can be increased with =-v= flag.
       +
       +It is necessary to invoke =sshd= with an absolute path. A StackOverflow post cites this part of the release notes for 3.9 as the reason:
       +
       +"Make sshd(8) re-execute itself on accepting a new connection. This security measure ensures that all execute-time randomisations are reapplied for each connection rather than once, for the master process' lifetime. This includes mmap and malloc mappings, shared library addressing, shared library mapping order, ProPolice and StackGhost cookies on systems that support such things."
       +
       +The =-d= flag keeps the daemon in the foreground and provides debugging output.
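Review bot: the forced command `/bin/ed` undoes the restriction the surrounding text is building: ed(1) has a `!` shell-escape command that runs its argument through the user's shell, so a visitor ends up in `/bin/sh` as `trick` anyway, with `PermitTTY no` and the `Permit*` options doing nothing to prevent it. The text says ed is a placeholder, but the replacement should be a program with no shell escape, or the session should additionally be confined with `ChrootDirectory` (which event-page.gph already lists as an option), and the tutorial should say so at the point where `ForceCommand` is introduced. Three smaller points: `UnusedConnectionTimeout` only exists in OpenSSH 9.2 and later, so an older sshd refuses to start on this file; sshd(8) has no `-v` flag, debug verbosity is raised by repeating `-d` (e.g. `-ddd`), and the sentence "=-E= creates a puts output into a log file" needs rewording to "=-E= appends debug output to a log file"; and the login-class restriction of `PATH` is left as a TODO, so as written the `trick` account runs with the system default environment.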