Setting up a private, encrypted and authenticated chat server with Ytalk over SSH

My friends and I have long intended to build our own communications services (chat, video, etc.) that do not depend on a megacorporation. Today we got a first version of that working, and since I saw other people having trouble while I was investigating how to get the server to work, I thought my experience might be worth posting.

The basic characteristics of our chat server setup are:

  • A dedicated machine as the SSH/Ytalk server (a Raspberry Pi in our case).
  • The server has a user account for every person taking part in the chat.
  • Password logins are not allowed. Authentication is based on RSA identities.
  • Chat activity takes place between SSH sessions on the server itself. That is, the chat runs between local user accounts of the server, and the SSH connection is what provides the encryption and authentication.

I will try to be concise yet explicit enough for you to reproduce our results. For the sake of the explanation, say we are three people wanting to chat: alice, bob and myself, luis. On my server, a Raspberry Pi, I start with the default user account pi, which has superuser privileges. The base system is Debian 7.0. The procedure is divided into the following sections:

  1. Software installation and setup
  2. User accounts creation and configuration
  3. Trial of the chat server

Software installation and setup

  1. As usual, start by upgrading your system:
    sudo apt-get update
    sudo apt-get upgrade
  2. Now proceed with the actual packages. I include the SSH server for completeness:
    sudo apt-get install ytalk openssh-server
    apt-get will ask for confirmation to install additional packages, in particular openbsd-inetd and talkd. This is fine.
  3. Here comes the interesting part: the stock talkd configuration for inetd makes a few assumptions that prevent ytalk from working right after installation. First, the dummy user account talkd needs to belong to the tty group:
    sudo usermod -a -G tty talkd
  4. Then you need to update inetd's configuration file, /etc/inetd.conf, so that it invokes talkd properly. The lines:
    talk dgram udp wait nobody.tty /usr/sbin/in.talkd in.talkd
    ntalk dgram udp wait nobody.tty /usr/sbin/in.ntalkd in.ntalkd
    must be turned into (note the two changes on each line: the protocol becomes udp4 and the user running the daemon becomes talkd instead of nobody):
    talk dgram udp4 wait talkd.tty /usr/sbin/in.talkd in.talkd
    ntalk dgram udp4 wait talkd.tty /usr/sbin/in.ntalkd in.ntalkd
    (Thanks to this bug report and this tutorial for their illuminating details!)
  5. For sanity, check that /etc/hosts maps your hostname (the one in /etc/hostname) to the IP address 127.0.0.1.
  6. Finally, restart inetd so that it picks up the new configuration:
    sudo service openbsd-inetd restart
  7. To disable password-based logins into the server, add/modify the following lines in your /etc/ssh/sshd_config file:
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    UsePAM no
    PermitRootLogin no
    (Taken from this blog post.) This forces all chat users (and the server owner as well!) to register their SSH public keys by placing them in the ~/.ssh/authorized_keys file of their user account on the server.
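A quick way to confirm that the four sshd_config settings above are actually in force. This is an added example, not part of the original post: it reads a config file the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive) and reports any directive that deviates. The file name and the sample config are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: check that an sshd_config really
# disables password logins as set out above. sshd uses the FIRST occurrence of a
# keyword it finds, so a "PasswordAuthentication yes" left above your edits wins.

# first_value FILE KEYWORD -> prints the (lower-cased) value of the first
# non-comment line whose keyword matches, case-insensitively, like sshd does.
first_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# check_sshd_hardening FILE -> 0 if the four directives from the post are in
# force, 1 otherwise; every deviation is reported on stderr.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for pair in ChallengeResponseAuthentication=no PasswordAuthentication=no \
                UsePAM=no PermitRootLogin=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(first_value "$cfg" "$key")"
        if [ "$got" != "$want" ]; then
            printf '%s: %s is %s, want %s\n' "$cfg" "$key" "${got:-unset}" "$want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# demo_config -> path of a constructed sample config in which a stale
# "PasswordAuthentication yes" precedes the hardened settings (a common mistake).
demo_config() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample, not a real server's file
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
EOF
    printf '%s' "$f"
}

check_sshd_hardening "$(demo_config)" && echo "hardened" || echo "NOT hardened"
```

The parser ignores Match blocks; on the server itself, `sudo sshd -T` prints the effective configuration and is the authoritative check.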

User accounts creation and configuration

  1. The machine owner will have to create the user accounts for each chat participant, and place their individual public keys into their home directories. The creation is very simple:
    sudo adduser alice
  2. Then comes the registration of the user's public key, which enables logging into the server. The user (i.e. alice) needs to send the contents of their local ~/.ssh/id_rsa.pub file (the public key) to the server owner through any available means (email, etc.). The server owner then does:
    sudo -u alice -i
    mkdir ~/.ssh
    chmod og-wrx ~/.ssh
    vim/nano/emacs ~/.ssh/authorized_keys  # paste the contents of the public key into this file
    chmod og-wrx,u=rw ~/.ssh/authorized_keys
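The same registration as a function the server owner can run under sudo. This is an added example, not from the original post: it validates that the pasted line really is one OpenSSH public key, refuses duplicates, and applies the modes the post sets (700 on ~/.ssh, 600 on authorized_keys). It also accepts ed25519 keys alongside the RSA keys the post uses. The home directory is a parameter so it can be exercised on a scratch directory without root; the key blob in the demo is constructed, not a real key.

```sh
#!/bin/sh
# Added example, not from the original post: register a chat participant's
# public key as section 2 describes, with the key line validated first and the
# modes the post sets (700 on ~/.ssh, 600 on authorized_keys). HOME_DIR is a
# parameter so the function can be exercised on a scratch directory without root.

# valid_pubkey "KEY_LINE" -> 0 if it looks like one OpenSSH public key line
# (type, base64 blob, optional comment); anything else is rejected. ed25519 is
# accepted alongside the RSA keys the post uses.
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]{16,}={0,3}( [^[:space:]].*)?$'
}

# install_pubkey HOME_DIR OWNER GROUP "KEY_LINE"
#   Appends the key to HOME_DIR/.ssh/authorized_keys unless already present and
#   fixes modes; ownership is set only when running as root (e.g. under sudo).
#   Returns 1 for a malformed key, 2 for a duplicate, 0 on success.
install_pubkey() {
    home="$1"; owner="$2"; group="$3"; key="$4"
    auth="$home/.ssh/authorized_keys"
    if ! valid_pubkey "$key"; then
        echo "rejected: not a single OpenSSH public key line" >&2
        return 1
    fi
    (umask 077; mkdir -p "$home/.ssh" && touch "$auth") || return 1
    if grep -qxF -- "$key" "$auth"; then
        echo "already registered: $(printf '%s' "$key" | cut -d' ' -f1,3)" >&2
        return 2
    fi
    printf '%s\n' "$key" >> "$auth"
    chmod 700 "$home/.ssh" && chmod 600 "$auth" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$home/.ssh" "$auth" || return 1
    fi
    return 0
}

# Constructed demo on a scratch directory (the key blob is made up, not a real key).
demo() {
    d="$(mktemp -d)"
    k="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedexampleblob0000 alice@laptop"
    install_pubkey "$d" "$(id -un)" "$(id -gn)" "$k" && echo "key installed in $d"
}
```

For a real account, call it as `sudo sh -c '. ./install_pubkey.sh; install_pubkey /home/alice alice alice "$(cat alice.pub)"'` (hypothetical file names).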

Trial of the chat server

Usage of the server is very simple: log into the machine over SSH and do:
ytalk alice

Your partner will receive a ytalk notification. To reply, your partner only needs to do:
ytalk luis

And now both you and your partner will be chatting together. Pressing the escape key at any moment will bring up ytalk's menu. For more information, read the man pages.


2 thoughts on “Setting up a private, encrypted and authenticated chat server with Ytalk over SSH”

  1. Hi Luis,
    Congratulations on this post. I apologize for such a basic question, but there seems to be a typo in ‘Software installation and setup #3’:
    sudo useradd -a -G tty talkd
    The -a option does not exist for useradd on my system (Raspbian): can I simply ignore it, or does another option (in addition to -G) need to be used?
    Best regards
    Jean

    • Hi Jean,
      Thanks for your message, and good catch! It is not ‘useradd’ but ‘usermod’. I have updated the post.
      Best regards,
      Luis
