I recently decided to experiment with OpenSSH's ForceCommand directive to see how far I could push a "headless" user experience. The result? XZAP, a terminal-based arcade game that you play by literally just SSHing into a server.
The Experiment
The goal was simple: test how to securely host a public interactive process without ever granting a user a shell. I wanted to see if I could create a seamless transition where the SSH handshake acts as the "Play" button.
By using the Match User and ForceCommand directives in sshd_config, I locked the gozap user directly into the game binary. When the user connects, the game starts; when they quit or die, the session drops. No bash, no filesystem access, just pure terminal logic.
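ForceCommand replaces the session command but does not by itself turn off forwarding, so a shell-less account is worth checking against the effective settings that `sshd -T` prints (with `-C user=gozap` to evaluate the Match block). The Go check below is an added example, not code from the XZAP repository. The sample output and the binary path /usr/local/bin/gozap are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// checks: settings expected for a forced-command account; fwd marks options DisableForwarding yes overrides.
var checks = []struct {
	key, want string
	fwd       bool
}{
	{"allowtcpforwarding", "no", true},
	{"allowagentforwarding", "no", true},
	{"x11forwarding", "no", true},
	{"permittunnel", "no", false},
	{"permittty", "yes", false}, // the game needs a TTY for raw mode
}

// Audit parses `sshd -T` style "key value" lines and returns one finding per gap.
func Audit(effective string) []string {
	seen := map[string]string{}
	for _, line := range strings.Split(effective, "\n") {
		key, val, _ := strings.Cut(strings.TrimSpace(line), " ")
		seen[strings.ToLower(key)] = strings.TrimSpace(val)
	}
	var findings []string
	if fc := seen["forcecommand"]; fc == "" || fc == "none" {
		findings = append(findings, "forcecommand: not set")
	}
	for _, c := range checks {
		if got := seen[c.key]; got != c.want && !(c.fwd && seen["disableforwarding"] == "yes") {
			findings = append(findings, fmt.Sprintf("%s: got %q, want %q", c.key, got, c.want))
		}
	}
	return findings
}

// Constructed sample: ForceCommand set (hypothetical path), the rest at defaults.
const sample = `forcecommand /usr/local/bin/gozap
allowtcpforwarding yes
allowagentforwarding yes
x11forwarding no
permittunnel no
permittty yes
disableforwarding no`

func main() {
	fmt.Println(strings.Join(Audit(sample), "\n"))
}
```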
How it Works
The game is written in Go, utilizing raw terminal mode to capture keypresses (W/A/S/D) and ANSI escape codes for rendering. It's lightweight, fast, and lives entirely in the buffer of your local terminal emulator.
The Stack
- Language: Go (Golang)
- Deployment: Linux (Ubuntu/Debian)
- Gatekeeper: OpenSSH (with a hardened, shell-less configuration)
Why?
Honestly? Mostly for fun. There's something nostalgic about "BBS-style" access where the connection itself is the interface. It's a great way to test SSH security hardening while providing a 30-second distraction for anyone with a terminal.
If you have a terminal handy, give it a try:
ssh gozap@eringen.com
source: https://github.com/eringen/gozap
No password required. Just gobble the berries and avoid the aliens.