chore(agent,pkg): migrate from libxcrypt to yescrypt-go

agent/Dockerfile

@@ -3,17 +3,6 @@ FROM golang:1.22.6-alpine3.19 AS base
 
 ARG GOPROXY
 
-RUN apk add --update git ca-certificates build-base bash util-linux setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
-RUN ln -sf /bin/bash /bin/sh
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./

agent/Dockerfile.amd64

@@ -2,15 +2,6 @@ FROM golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -37,7 +28,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-x86_64.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.arm32v6

@@ -4,15 +4,6 @@ FROM arm32v6/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -39,7 +30,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-armhf.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.arm32v7

@@ -4,15 +4,6 @@ FROM arm32v7/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -39,7 +30,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-armhf.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.arm64v8

@@ -4,14 +4,6 @@ FROM arm64v8/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
@@ -39,7 +31,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-aarch64.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.i386

@@ -2,15 +2,6 @@ FROM golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
 COPY ./go.mod ./
@@ -37,7 +28,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-*.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.test

@@ -2,17 +2,6 @@ FROM golang:1.22.6-alpine3.19
 
 ARG GOPROXY
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-RUN apk add openssh
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
 RUN ln -sf /bin/bash /bin/sh
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub

agent/go.mod

@@ -1,6 +1,8 @@
 module github.com/shellhub-io/shellhub/agent
 
-go 1.21
+go 1.22.4
+
+toolchain go1.23.0
 
 require (
 	github.com/Masterminds/semver v1.5.0
@@ -45,6 +47,7 @@ require (
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/openwall/yescrypt-go v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/sftp v1.13.5 // indirect
 	github.com/sethvargo/go-envconfig v0.9.0 // indirect
@@ -55,10 +58,10 @@ require (
 	go.opentelemetry.io/otel/metric v1.26.0 // indirect
 	go.opentelemetry.io/otel/trace v1.26.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sys v0.19.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 )
 

agent/go.sum

@@ -84,6 +84,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/openwall/yescrypt-go v1.0.0 h1:jsGk48zkFvtUjGVOhYPGh+CS595JmTRcKnpggK2AON4=
+github.com/openwall/yescrypt-go v1.0.0/go.mod h1:e6CWtFizUEOUttaOjeVMiv1lJaJie3mfOtLJ9CCD6sA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=
@@ -141,8 +143,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -173,19 +175,19 @@ golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
-golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

api/go.mod

@@ -1,8 +1,8 @@
 module github.com/shellhub-io/shellhub/api
 
-go 1.22
+go 1.22.4
 
-toolchain go1.22.5
+toolchain go1.23.0
 
 require (
 	github.com/cnf/structhash v0.0.0-20201127153200-e1b16c1ebc08

cli/go.mod

@@ -1,8 +1,8 @@
 module github.com/shellhub-io/shellhub/cli
 
-go 1.22
+go 1.22.4
 
-toolchain go1.22.8
+toolchain go1.23.0
 
 require (
 	github.com/shellhub-io/shellhub v0.13.4

go.mod

@@ -1,6 +1,8 @@
 module github.com/shellhub-io/shellhub
 
-go 1.21
+go 1.22.4
+
+toolchain go1.23.0
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5
@@ -22,16 +24,17 @@ require (
 	github.com/labstack/echo/v4 v4.10.2
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mholt/archiver/v4 v4.0.0-alpha.8
+	github.com/openwall/yescrypt-go v1.0.0
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/sftp v1.13.5
 	github.com/sethvargo/go-envconfig v0.9.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
 	github.com/testcontainers/testcontainers-go/modules/redis v0.32.0
-	golang.org/x/crypto v0.22.0
-	golang.org/x/sync v0.6.0
-	golang.org/x/sys v0.19.0
+	golang.org/x/crypto v0.25.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/sys v0.22.0
 )
 
 require (
@@ -116,7 +119,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.26.0 // indirect
 	go4.org v0.0.0-20200411211856-f5505b9728dd // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
 	google.golang.org/grpc v1.63.2 // indirect

pkg/agent/pkg/yescrypt/yescrypt.go

@@ -0,0 +1,18 @@
+package yescrypt
+
+import (
+	"github.com/openwall/yescrypt-go"
+	log "github.com/sirupsen/logrus"
+)
+
+// Verify verifies a yescrypt hash against a given key.
+func Verify(password, hash string) bool {
+	hashed, err := yescrypt.Hash([]byte(password), []byte(hash))
+	if err != nil {
+		log.WithError(err).Debug("failed to hash the password for comparision")
+
+		return false
+	}
+
+	return hash == string(hashed)
+}