| ▲ | qudat 2 days ago |
| Co-Founder here, thanks for the interest in our micro-saas powered by SSH. Happy to answer any questions! |
|
| ▲ | LelouBil 2 days ago | parent | next [-] |
| Hey, I was just reading your docs, maybe prose.sh will be what I'll use to finally start a blog ! I noticed this mention here [0]: Because in our Go SSH server we re-implement rsync, many options are currently not supported. For example, --delete and --dry-run are not supported.
But on your front page it says : Upload your static site to us:
rsync --delete -rv ./public/ pgs.sh:/mysite/
So do you support delete ? One of these pages is outdated or did I miss something ?[0] https://pico.sh/file-uploads |
| |
|
| ▲ | WinstonSmith84 a day ago | parent | prev | next [-] |
| So I understand I can redirect my custom domain to Pico Pages, Pico Prose, etc. Can I however do the other way around? Can I create somehow a CNAME on my Pico.sh account (such as username-myapp.pgs.sh points to abc.xyz.com)? In essence, I'd like to be able to get a certificate and set a secure https connection to e.g. my Load Balancer my-alb-12345.us-east-1.elb.amazonaws.com or similar. |
| |
| ▲ | antoniomika a day ago | parent [-] | | Yep! tuns would be the service you want since it can support forwarding arbitrary backends: https://pico.sh/tuns#custom-domains | | |
| ▲ | WinstonSmith84 3 hours ago | parent [-] | | Thanks. Let me know if I misunderstood, but it seems that this is redirecting my custom domain customdomain.example.com to tuns.sh customdomain.example.com. 300 IN CNAME tuns.sh. _sish.customdomain.example.com 300 IN TXT "SHA256:mVPw" What I want to do is: 1- to create a custom domain ON tuns.sh (or another Pico service) 2- redirect this custom domain to another DNS (such as a Load Balancer, an API Gateway, etc.) Something like:
{username}-{proj}.tuns.sh. 300 IN CNAME myalb-123abc.amazonaws.com. |
|
|
|
| ▲ | memset 2 days ago | parent | prev | next [-] |
| I remember seeing this a couple of years ago on HN! Would you be willing to share how it’s doing on the business side? Hints on how you’ve grown users or how many folks are willing to subscribe? I’d love to build a service (in a different domain) that operates as simply as this. |
| |
| ▲ | qudat a day ago | parent [-] | | > Would you be willing to share how it’s doing on the business side? Hints on how you’ve grown users or how many folks are willing to subscribe? Yes, absolutely. Here's our year-end-review where we talk numbers: https://blog.pico.sh/status-011 Ultimately, what keeps us going is we want these services to exist for our own side-project development and it's an extra boost of motivation when others use our services. All of our marketing is through HN/lobsters/reddit since that's our target demo. |
|
|
| ▲ | cfebs 2 days ago | parent | prev | next [-] |
| Sorry if I didn't catch this on the site, but any new upcoming services you are excited about? A ssh or TUI frontend for some git/forge host like: https://forgejo.org/ would be pretty cool! |
| |
|
| ▲ | larodi 2 days ago | parent | prev | next [-] |
| am I getting this right, that for 2 bucks a month I can publish (okay tun) my dockers and very-unsafe-postgres-with-ssl publicly to selected users? |
| |
| ▲ | antoniomika 2 days ago | parent | next [-] | | Correct! The tunnels are protected using ssh auth as well, so you can ensure that only the users you want to access it can. | | |
| ▲ | ryao 2 days ago | parent [-] | | I am not sure how you avoided collisions (network namespaces?) on the localhost port space, but for things like this, you would be better off forwarding to/from UNIX domain sockets. It is more efficient as local tcp sockets have several times the overhead. You probably would want to set StreamLocalBindUnlink yes and StreamLocalBindMask 0117 in sshd_config. Then use UNIX groups with the group sticky bit set on the directory where the unix domain socket is made to allow multiple users access. The directory would be owned by that group while each user with access would be added to that group. It reduces some network overhead and is highly secure. I recently used this trick to connect a bunch of machines to a remote service through a jump host. Also, take it from someone who has been running services over port forwards for years. You want to set ClientAliveInterval and ClientAliveCountMax in sshd_config on the server (if you have not already). Users should be encouraged to set ServerAliveCountMax and ServerAliveInterval In ssh_config on their machines. Furthermore, it would be best if the tunnels were run by daemon tools and had ExitOnForwardFailure set as part of the command that is run. The ssh command used at the client side likely also should set -nNT. It is also good practice for the machines running ssh to have dedicated accounts for the tunnels such that their daemon tools scripts are essentially two lines, a shebang followed by exec setuiduid user ssh -i ... Finally, if people want to do very low overhead and highly secure setups, they should bind the services that they reverse forward to unix domain sockets locally and reverse forward the local unix domain sockets over ssh to remote unix domain sockets. They can use a file mode sticky bit on the parent directory to make the local Unix domain socket accessible by the ssh command running on its own user, which locks things down locally fairly nicely. A typical process running on the machine will not be able to talk to the reverse forwarded service thanks to the Unix file permissions. Lastly, using ed25519 or ecdsa ssh keys would make the initial connection process very quick compared to using RSA. | | |
| ▲ | antoniomika a day ago | parent [-] | | We’re actually using Unix sockets as the underlying transport layer for this. We’re also not using sshd, we custom wrote our own daemon that’s entire job is tunneling. If you’re curious about this, you can find the project here: https://github.com/antoniomika/sish sish was actually my first foray into SSH apps. It was a lot of fun to write and pretty much implements tunnels with a routing system on top. It manages connectivity, routing, and reverse proxying all within user space. No namespaces required! tuns can actually even tunnel UDP traffic over SSH, also entirely in user space. Docs for that can be found here: https://pico.sh/tuns#udp-tunneling |
|
| |
| ▲ | ryao 2 days ago | parent | prev [-] | | Cloudflare makes that free through their zero trust stuff and cloudflared daemon. |
|
|
| ▲ | hakaneskici 2 days ago | parent | prev | next [-] |
| I love your RFC-1, keep up the spirit :) Where are your servers located? |
| |
|
| ▲ | raggi 2 days ago | parent | prev | next [-] |
| What are you doing about TOFU and MITM? |
| |
| ▲ | antoniomika 2 days ago | parent [-] | | Our host keys are published here and are durable: https://pico.sh/host-keys | | |
| ▲ | raggi a day ago | parent [-] | | So approximately nothing? | | |
| ▲ | junon a day ago | parent | next [-] | | Perhaps giving a bit more information than throwing out random acronyms related to SSH would be a bit more fruitful in terms of responses. What about TOFU and MITM would you like them to respond to? TOFU isn't inherently a bad thing. Neither is MITM. It depends on the threat model, the actors involved, etc. Your comment (and the snarky followup) imply they're doing something wrong, but it's unclear what. | |
| ▲ | kpcyrd a day ago | parent | prev [-] | | There is nothing that can be done beyond what they are doing? You can receive their public keys out-of-band through an https-authenticated connection. Which means their approach to "the initial trust problem" is _not_ "trust on first use". | | |
| ▲ | squiggleblaz a day ago | parent [-] | | I don't know what other solutions there are to TOFU, but maybe it's nice if there's something like a standardised /.well-known/ssh-keys.json path for public ssh servers like github and pico.sh. | | |
| ▲ | raggi 21 hours ago | parent [-] | | There’s SSHFP, but it’s off by default and assumes an attacker can’t modify dns, though most mitms would be executed with dns and dnssec deployment is generally a disaster. Currently their host key page is only linked once at the bottom of their page and isn’t referenced in any onboarding docs, so effectively onboarding encourages “yolo”, and if users aren’t savvy they’re likely putting other things at risk, whatever their keys happen to also have access to. The other argument that comes up here then is “well mitms are rare so this doesn’t seem like a big problem in practice”, however there are actually great targets here, for example you go to a conference and hijack the WiFi, then spend your time in hallway track advertising these services to your targets. This kind of thing has a high success rate. The web improves on this problem with PKI, though similar phishing tactics exist in a similar situation where you encourage people to sign up explicitly guiding them to an incorrect domain, but propensity for using search in address bars strongly helps resist this too. SSH is terrible for this use case, no matter how it makes people feel. | | |
|
|
|
|
|
|
| ▲ | swznd 20 hours ago | parent | prev [-] |
| how to manage / remove paste ? |
| |
