From 3c133bd28f38054e9fc31dd70473039fbc1b8345 Mon Sep 17 00:00:00 2001 From: "Community Hass.io Add-ons Bot" Date: Wed, 15 Dec 2021 16:48:39 +0000 Subject: [PATCH] :tada: Release of add-on SSH & Web Terminal 10.0.0 --- README.md | 6 +++--- ssh/CHANGELOG.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++-- ssh/DOCS.md | 36 ------------------------------------ ssh/README.md | 5 ++--- ssh/config.yaml | 4 +--- 5 files changed, 52 insertions(+), 47 deletions(-) diff --git a/README.md b/README.md index 8f417d5d..09e64e00 100644 --- a/README.md +++ b/README.md @@ -880,10 +880,10 @@ SOFTWARE. [sqlite-web-armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg [sqlite-web-armv7-shield]: https://img.shields.io/badge/armv7-yes-green.svg [sqlite-web-i386-shield]: https://img.shields.io/badge/i386-yes-green.svg -[addon-ssh]: https://github.com/hassio-addons/addon-ssh/tree/v9.1.1 -[addon-doc-ssh]: https://github.com/hassio-addons/addon-ssh/blob/v9.1.1/README.md +[addon-ssh]: https://github.com/hassio-addons/addon-ssh/tree/v10.0.0 +[addon-doc-ssh]: https://github.com/hassio-addons/addon-ssh/blob/v10.0.0/README.md [ssh-issue]: https://github.com/hassio-addons/addon-ssh/issues -[ssh-version-shield]: https://img.shields.io/badge/version-v9.1.1-blue.svg +[ssh-version-shield]: https://img.shields.io/badge/version-v10.0.0-blue.svg [ssh-aarch64-shield]: https://img.shields.io/badge/aarch64-yes-green.svg [ssh-amd64-shield]: https://img.shields.io/badge/amd64-yes-green.svg [ssh-armhf-shield]: https://img.shields.io/badge/armhf-yes-green.svg diff --git a/ssh/CHANGELOG.md b/ssh/CHANGELOG.md index 75ecf55a..b69553e8 100644 --- a/ssh/CHANGELOG.md +++ b/ssh/CHANGELOG.md 
@@ -1,6 +1,50 @@ ## What’s changed +👋 Hi there! Time for a big update, **v10.0.0** + +⚠️ Please read this carefully, as this release comes with a bunch of breaking changes. + +The add-on has upgraded to Alpine 3.15, which means all tools are now running the latest versions. + +The `homeassistant_cli` has been removed. This (third-party) CLI has some upstream updates, which broke add-on compatibility. +It, therefore, has now been removed. One can still install it using the `command_init` option if wanted, however, is no longer part of the default distribution. + +The Have I Been Pwned checks have been removed from the add-on, as this is a built-in feature of the Supervisor nowadays. This means the `i_like_to_be_pwned` option has been removed from the add-on configuration. If you have this option set, you will need to remove this from your add-on options. + +Lastly, the `addon.stdin` service has been removed. And I want to explain a little about the reasoning behind it. + +The `addon.stdin` service allowed to run commands on this add-on, which could be helpful. However, I got contacted about this service as it has the potential to be used as an attack surface in combination with social engineering. Quite a lot of social engineering, as this is not a one-click accept kinda attack. It requires a lot of steps. + +For this matter, me (@frenck) and the reporting person didn't agree on the type of issue this imposes. A CVE has been requested at MITRE by the reporter, however, I do not recognize it and do not agree on the vulnerability. For that reason, this person and the CVE are also not listed in these release notes. + +The service has not been removed because I think it is a vulnerability (as a matter of fact, I don't agree it is), but the service is removed as I think we should protect users, even against possible complex social engineering; if this helps, I think we should do that. + +The above all said... 
You can use the plain `ssh` command as a replacement for this service; which is generally already done and has been around for ages 👍 And always check any third-party code and configuration you get from others of course! 🙏 + +If these changes impacted your automations or scripts, please accept my sincere apologies. + +Kind regards, + +../Frenck + +PS: I hope the Firefox rendering issues is finally resolved! Please let me know :) + +## 🚨 Breaking changes + +- 🔥 Remove STDIN service @frenck (#349) +- 🔥 Remove hibp checks @frenck (#350) +- 🔥 Remove homeassistant_cli @frenck (#352) + +## 🧰 Maintenance + +- Update CI Workflows @frenck (#347) +- 🔥 Remove left over hass-cli auto completion @frenck (#353) + +## 📚 Documentation + +- Fix privileged mode instructions for HASS 2021.12 @tigattack (#346) + ## ⬆️ Dependency updates -- ⬆️ Upgrades mariadb-client to 10.5.13-r0 @frenck (#343) -- ⬆️ Upgrades add-on base image to 10.2.3 @frenck (#344) +- ⬆️ Upgrades add-on base image to 11.0.0 @frenck (#348) +- ⬆️ Upgrades ttyd to 3e37e33 @frenck (#351) diff --git a/ssh/DOCS.md b/ssh/DOCS.md index ae96e517..8242c060 100644 --- a/ssh/DOCS.md +++ b/ssh/DOCS.md @@ -30,7 +30,6 @@ well. Additionally, it comes out of the box with the following: - Limits login attempts to hold off brute-force attacks better. - Many more security tweaks, _this addon passes all [ssh-audit] checks without warnings!_ -- Passwords are checked with HaveIBeenPwned using K-anonymity. - Comes with an SSH compatibility mode option to allow older clients to connect. - Support for Mosh allowing roaming and supports intermittent connectivity. - SFTP support is disabled by default but is user configurable. 
@@ -54,8 +53,6 @@ well. Additionally, it comes out of the box with the following: - Contains a sensible set of tools right out of the box: curl, Wget, RSync, GIT, Nmap, Mosquitto client, MariaDB/MySQL client, Awake (“wake on LAN”), Nano, Vim, tmux, and a bunch commonly used networking tools. -- Has the Home Assistant CLI (`hass-cli`) command line tool pre-installed and - pre-configured. - Support executing commands inside using a Home Assistant service call, e.g., for use with automations. @@ -231,39 +228,6 @@ Customize your shell environment even more with the `init_commands` option. Add one or more shell commands to the list, and they will be executed every single time this add-on starts. -#### Option: `i_like_to_be_pwned` - -Adding this option to the add-on configuration allows to you bypass the -HaveIBeenPwned password requirement by setting it to `true`. - -**Note**: _We STRONGLY suggest picking a stronger/safer password instead of -using this option! USE AT YOUR OWN RISK!_ - -## Executing commands in this add-on using a Home Assistant service call - -This add-on uses the `hassio.addon_stdin` service to expose a shell interface -to Home Assistant. This allows you to execute commands and scripts within -the SSH & Web Terminal add-on, straight from Home Assistant. - -This is particularly helpful when you want to execute custom scripts or -commands from automations. - -Example automation running `my_command`: - -```yaml -automation: - - alias: "Example my script" - trigger: - platform: state - entity_id: binary_sensor.motion_sensor - to: "ON" - action: - service: hassio.addon_stdin - data: - addon: a0d7b954_ssh - input: "/config/scripts/my_command" -``` - ## Known issues and limitations - The add-on fails to start when a password that is listed by HaveIBeenPwned diff --git a/ssh/README.md b/ssh/README.md index 2c34fdf2..31c2ff36 100644 --- a/ssh/README.md +++ b/ssh/README.md 
@@ -46,7 +46,6 @@ well. Additionally, it comes out of the box with the following: - Many more security tweaks, *this addon passes all [ssh-audit] checks without warnings!* ![Result of SSH-Audit][ssh-audit-image] -- Passwords are checked with HaveIBeenPwned using K-anonymity. - Comes with an SSH compatibility mode option to allow older clients to connect. - Support for Mosh allowing roaming and supports intermittent connectivity. - SFTP support is disabled by default but is user configurable. @@ -99,8 +98,8 @@ If you are more interested in stable releases of our add-ons: [patreon-shield]: https://frenck.dev/wp-content/uploads/2019/12/patreon.png [patreon]: https://www.patreon.com/frenck [project-stage-shield]: https://img.shields.io/badge/project%20stage-production%20ready-brightgreen.svg -[release-shield]: https://img.shields.io/badge/version-v9.1.1-blue.svg -[release]: https://github.com/hassio-addons/addon-ssh/tree/v9.1.1 +[release-shield]: https://img.shields.io/badge/version-v10.0.0-blue.svg +[release]: https://github.com/hassio-addons/addon-ssh/tree/v10.0.0 [screenshot]: https://github.com/hassio-addons/addon-ssh/raw/main/images/screenshot.png [ssh-audit-image]: https://github.com/hassio-addons/addon-ssh/raw/main/images/ssh-audit.png [ssh-audit]: https://github.com/arthepsy/ssh-audit diff --git a/ssh/config.yaml b/ssh/config.yaml index fad17a66..a91ac206 100644 --- a/ssh/config.yaml +++ b/ssh/config.yaml @@ -58,7 +58,6 @@ privileged: - SYS_TIME - SYS_NICE schema: - i_like_to_be_pwned: bool? init_commands: - str log_level: list(trace|debug|info|notice|warning|error|fatal)? @@ -81,8 +80,7 @@ services: - mqtt:want slug: ssh startup: services -stdin: true uart: true url: https://github.com/hassio-addons/addon-ssh usb: true -version: 9.1.1 +version: 10.0.0
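
Review bot: In ssh/CHANGELOG.md (hunk @@ -1,6 +1,50), the paragraph about the removed `homeassistant_cli` tells users to reinstall it through the `command_init` option, but the schema in ssh/config.yaml and the option text in ssh/DOCS.md both name it `init_commands`. Suggest changing the release note to `init_commands` so that users who follow it look for an option that is actually in the schema.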
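
Review bot: In ssh/DOCS.md (hunk @@ -54,8 +53,6), the feature bullet left as trailing context, "Support executing commands inside using a Home Assistant service call, e.g., for use with automations.", still advertises the capability this release removes: `stdin: true` is dropped from ssh/config.yaml and the service-call section is deleted later in the same file. Suggest deleting that bullet in this hunk, and removing the same bullet from ssh/README.md if its feature list carries it.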
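
Review bot: In ssh/DOCS.md (hunk @@ -231,39 +228,6), the "Known issues and limitations" entry kept as trailing context, "The add-on fails to start when a password that is listed by HaveIBeenPwned", describes behaviour tied to the check that this release removes along with the `i_like_to_be_pwned` option. Suggest removing or rewording that entry to match the changelog's statement that the check is now a Supervisor feature. The deleted section was also the only documentation for running commands from automations, so a short pointer to the plain `ssh` replacement named in the changelog would give users a migration path in the docs themselves.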
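
Review bot: In ssh/config.yaml (hunk @@ -58,7 +58,6), `i_like_to_be_pwned: bool?` is dropped from `schema` and the patch adds no handling for installations that still have the key set; the only guidance is the changelog sentence telling users to remove it by hand. Suggest documenting in ssh/DOCS.md what a user sees on upgrade when the key is still present and how to clear it, so the breaking change is described next to the configuration options and not only in the release notes.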