chore(agent,pkg): migrate from libxcrypt to yescrypt-go

agent/Dockerfile

@@ -3,16 +3,7 @@ FROM golang:1.22.6-alpine3.19 AS base
 
 ARG GOPROXY
 
-RUN apk add --update git ca-certificates build-base bash util-linux setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
-
-RUN ln -sf /bin/bash /bin/sh
+RUN apk add --update ca-certificates util-linux setpriv
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 

agent/Dockerfile.amd64

@@ -2,14 +2,7 @@ FROM golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
+RUN apk add --update ca-certificates util-linux setpriv
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
@@ -37,7 +30,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-x86_64.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.arm32v6

@@ -4,14 +4,7 @@ FROM arm32v6/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
+RUN apk add --update ca-certificates util-linux setpriv
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
@@ -39,7 +32,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-armhf.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.arm32v7

@@ -4,14 +4,7 @@ FROM arm32v7/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
+RUN apk add --update ca-certificates util-linux setpriv
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
@@ -39,7 +32,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-armhf.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.arm64v8

@@ -4,14 +4,7 @@ FROM arm64v8/golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
+RUN apk add --update ca-certificates util-linux setpriv
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
@@ -39,7 +32,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-aarch64.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.i386

@@ -2,14 +2,7 @@ FROM golang:1.22.6-alpine3.19
 
 ARG SHELLHUB_VERSION=latest
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
+RUN apk add --update ca-certificates util-linux setpriv
 
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub
 
@@ -37,7 +30,6 @@ COPY --from=0 /usr/bin/nsenter /usr/bin/
 COPY --from=0 /usr/bin/setpriv /usr/bin/
 COPY --from=0 /usr/lib/libcap-ng.so.* /usr/lib/
 COPY --from=0 /lib/ld-musl-*.so.1 /lib/
-COPY --from=0 /usr/lib/libcrypt.so* /usr/lib/
 COPY --from=0 /go/src/github.com/shellhub-io/shellhub/agent/agent /bin/agent
 
 ENTRYPOINT ["/bin/agent"]

agent/Dockerfile.test

@@ -2,16 +2,7 @@ FROM golang:1.22.6-alpine3.19
 
 ARG GOPROXY
 
-RUN apk add --update git ca-certificates util-linux build-base bash setpriv perl xz linux-headers
-
-RUN apk add openssh
-
-# We are using libxcrypt to support yescrypt password hashing method
-# Since libxcrypt package is not available in Alpine, so we need to build libxcrypt from source code
-RUN wget -q https://github.com/besser82/libxcrypt/releases/download/v4.4.36/libxcrypt-4.4.36.tar.xz && \
-    tar xvf libxcrypt-4.4.36.tar.xz && cd libxcrypt-4.4.36 && \
-    ./configure --prefix /usr && make -j$(nproc) && make install && \
-    cd .. && rm -rf libxcrypt-4.4.36*
+RUN apk add --update ca-certificates util-linux setpriv bash openssh
 
 RUN ln -sf /bin/bash /bin/sh
 

agent/go.mod

@@ -1,6 +1,6 @@
 module github.com/shellhub-io/shellhub/agent
 
-go 1.21
+go 1.22.4
 
 require (
 	github.com/Masterminds/semver v1.5.0
@@ -45,6 +45,7 @@ require (
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/openwall/yescrypt-go v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/sftp v1.13.5 // indirect
 	github.com/sethvargo/go-envconfig v0.9.0 // indirect

agent/go.sum

@@ -84,6 +84,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
+github.com/openwall/yescrypt-go v1.0.0 h1:jsGk48zkFvtUjGVOhYPGh+CS595JmTRcKnpggK2AON4=
+github.com/openwall/yescrypt-go v1.0.0/go.mod h1:e6CWtFizUEOUttaOjeVMiv1lJaJie3mfOtLJ9CCD6sA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.13.5 h1:a3RLUqkyjYRtBTZJZ1VRrKbN3zhuPLlUc3sphVz81go=

api/go.mod

@@ -1,6 +1,6 @@
 module github.com/shellhub-io/shellhub/api
 
-go 1.22
+go 1.22.4
 
 toolchain go1.22.5
 

cli/go.mod

@@ -1,6 +1,6 @@
 module github.com/shellhub-io/shellhub/cli
 
-go 1.22
+go 1.22.4
 
 toolchain go1.22.8
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/shellhub-io/shellhub
 
-go 1.21
+go 1.22.4
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5
@@ -22,6 +22,7 @@ require (
 	github.com/labstack/echo/v4 v4.10.2
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mholt/archiver/v4 v4.0.0-alpha.8
+	github.com/openwall/yescrypt-go v1.0.0
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/sftp v1.13.5

pkg/agent/pkg/yescrypt/yescrypt.go

@@ -0,0 +1,18 @@
+package yescrypt
+
+import (
+	yescrypt "github.com/openwall/yescrypt-go"
+	log "github.com/sirupsen/logrus"
+)
+
+// Verify verifies a yescrypt hash against a given key.
+func Verify(password, hash string) bool {
+	hashed, err := yescrypt.Hash([]byte(password), []byte(hash))
+	if err != nil {
+		log.WithError(err).Debug("failed to hash the password for comparison")
+
+		return false
+	}
+
+	return hash == string(hashed)
+}

pkg/agent/pkg/yescrypt/yescrypt_test.go

@@ -0,0 +1,68 @@
+package yescrypt
+
+import (
+	"crypto/rand"
+	"math/big"
+	"testing"
+
+	"github.com/openwall/yescrypt-go"
+	"github.com/stretchr/testify/assert"
+)
+
+func FuzzVerify(f *testing.F) {
+	const settings = "$y$j9T$AAt9R641xPvCI9nXw1HHW/"
+
+	for i := 0; i < 100; i++ {
+		v, err := rand.Int(rand.Reader, big.NewInt(64))
+		assert.NoError(f, err)
+
+		password := make([]byte, v.Int64())
+		_, err = rand.Read(password)
+		assert.NoError(f, err)
+
+		hash, err := yescrypt.Hash(password, []byte(settings))
+		assert.NoError(f, err)
+
+		f.Add(string(password), string(hash))
+	}
+
+	f.Fuzz(func(t *testing.T, a string, b string) {
+		assert.True(f, Verify(a, b))
+	})
+}
+
+func TestVeirfy(t *testing.T) {
+	cases := []struct {
+		description string
+		password    string
+		hash        string
+		expected    bool
+	}{
+		{
+			description: "invalid password",
+			password:    "invalid",
+			hash:        "$y$j9T$AAt9R641xPvCI9nXw1HHW/$nCv3bckjDEC9Q5ahIEpyXVNGZhySye/ZdjxNxTY5ttB",
+			expected:    false,
+		},
+		{
+			description: "invalid hash",
+			password:    "password",
+			hash:        "invalid",
+			expected:    false,
+		},
+		{
+			description: "valid",
+			password:    "password",
+			hash:        "$y$j9T$AAt9R641xPvCI9nXw1HHW/$nCv3bckjDEC9Q5ahIEpyXVNGZhySye/ZdjxNxTY5ttB",
+			expected:    true,
+		},
+	}
+
+	for _, test := range cases {
+		t.Run(test.description, func(tt *testing.T) {
+			result := Verify(test.password, test.hash)
+
+			assert.Equal(tt, test.expected, result)
+		})
+	}
+}

ssh/go.mod

@@ -1,6 +1,6 @@
 module github.com/shellhub-io/shellhub/ssh
 
-go 1.21
+go 1.22.4
 
 require (
 	github.com/Masterminds/semver v1.5.0

tests/go.mod

@@ -1,6 +1,6 @@
 module github.com/shellhub-io/shellhub/tests
 
-go 1.21
+go 1.22.4
 
 require (
 	github.com/bramvdbogaerde/go-scp v1.4.0