Alright, i had plans to use Github (or maybe something Cloudflare ish) but your $2/m has me seriously interested. I'm reviewing now.
I hate when i see fun side projects that cost the same as full subscriptions to other products. There's only a handful of $15/m services i "want" in my life.. it really raises the barrier to entry when i'm so aware and averse to subscription costs.
Yet $2/m? Instantly sold on that price. It's a fun price, it looks like a fun product, it lines up perfectly for me. It's silly that the price has me almost more interested than the product. Love it
Any thoughts on how the review will happen when that barrier is reached?
Traffic isn't actually that expensive outside of big clouds. No idea where pico is hosted, but Hetzner gives you "unlimited" 1Gps connections with a dedicated server, or a 10G uplink charged at $1.20/TB (plus a fixed monthly fee for the uplink itself).
I have good reasons to believe this is hosted on Oracle's free tier. Apart from the fact that pinging pico.sh points to an Oracle IP, the 10TB limit is consistent with Oracle Free Tier's limit.
Good call. Oracle does charge somewhat reasonable $8.50/TB after the first 10TB/month. Despite my dislike of Oracle it's not a terrible choice for this until you get some serious traffic.
hetzner is $1.5/TB for us and eu.
Totally feel you on this and kudos to these guys, low pricing makes it so much easier to actually try something without second-guessing. I’m working on a similar philosophy with my own project, 99dev — simple tools for indie devs at just $1/month. Starting with lightweight analytics (like a mini Plausible), but more tools are on the way. No bloat, just useful stuff for folks like us who are building things and watching our budgets.
Really glad to see more projects like pico.sh embracing low cost, no frills, indie services.
https://99.dev
You could use GitHub pages + cloudflare for free hosting. My neighbor uses that.
$2 is fun for hobbies but hope you are not running in production for your customers with that sort of service level!
Thanks for the comment because I think many -- including myself -- resonate with this sentiment. Our pricing strategy was to be competitive with a user just provisioning their own VPS VM with a cloud provider. Our goal is to be competitive on price with a $5/mo VM.
Further, we are mostly targeting individual/small teams who want to rapidly prototype on the web. We provide enough convenience features (e.g. zero-install, multi-region, site analytics, tunnel connect/disconnect notifications, easy script automation) to entice users to keep their prototypes running in "prod" as long as possible before they feel the need to provision their own VPS.
We could go upstream and try to target larger teams/companies, but honestly, this is just fun for us to do on the side.
We don't make any guarantees about uptime at this point but we take it very seriously (we have alerting and respond quickly) and treat it like our day-jobs (I work at a paas and antonio is a platform engineer wizard).
For static sites is there that much missing? Throw a good CDN in front of this and would it matter much who the host was?
At $2/m SRE is powered by love only.
It is strange, I tried to add my public key but received a response that it was already in use (!). Is there a way to determine the user associated with a public key? Perhaps it's possible I have previously created an account but I feel I would remember the UI.
I stumbled across this clever service when looking for a “pastebin” that handled rendering terminal output with ANSI codes. The irony is that they don’t actually allow that (just plain text can be piped to their pastes service), but I found their whole site and vibe delightful!
And the two authors, qudat, and antoniomima are active on HN, as their responsive comments here demonstrate. Just good work all around.
Co-Founder here, thanks for the interest in our micro-saas powered by SSH.
Happy to answer any questions!
Hey, I was just reading your docs, maybe prose.sh will be what I'll use to finally start a blog !
I noticed this mention here [0]:
Because in our Go SSH server we re-implement rsync, many options are currently not supported. For example, --delete and --dry-run are not supported.
But on your front page it says :
Upload your static site to us:
rsync --delete -rv ./public/ pgs.sh:/mysite/
So do you support delete ? One of these pages is outdated or did I miss something ?
Woops! Delete is supported, will update that as well
So I understand I can redirect my custom domain to Pico Pages, Pico Prose, etc. Can I however do the other way around? Can I create somehow a CNAME on my Pico.sh account (such as username-myapp.pgs.sh points to abc.xyz.com)? In essence, I'd like to be able to get a certificate and set a secure https connection to e.g. my Load Balancer my-alb-12345.us-east-1.elb.amazonaws.com or similar.
Ultimately, what keeps us going is we want these services to exist for our own side-project development and it's an extra boost of motivation when others use our services.
All of our marketing is through HN/lobsters/reddit since that's our target demo.
Sorry if I didn't catch this on the site, but any new upcoming services you are excited about?
A ssh or TUI frontend for some git/forge host like: https://forgejo.org/ would be pretty cool!
am I getting this right, that for 2 bucks a month I can publish (okay tun) my dockers and very-unsafe-postgres-with-ssl publicly to selected users?
Correct! The tunnels are protected using ssh auth as well, so you can ensure that only the users you want to access it can.
I am not sure how you avoided collisions (network namespaces?) on the localhost port space, but for things like this, you would be better off forwarding to/from UNIX domain sockets. It is more efficient as local tcp sockets have several times the overhead. You probably would want to set StreamLocalBindUnlink yes and StreamLocalBindMask 0117 in sshd_config. Then use UNIX groups with the group sticky bit set on the directory where the unix domain socket is made to allow multiple users access. The directory would be owned by that group while each user with access would be added to that group. It reduces some network overhead and is highly secure. I recently used this trick to connect a bunch of machines to a remote service through a jump host.
Also, take it from someone who has been running services over port forwards for years. You want to set ClientAliveInterval and ClientAliveCountMax in sshd_config on the server (if you have not already). Users should be encouraged to set ServerAliveCountMax and ServerAliveInterval In ssh_config on their machines. Furthermore, it would be best if the tunnels were run by daemon tools and had ExitOnForwardFailure set as part of the command that is run. The ssh command used at the client side likely also should set -nNT. It is also good practice for the machines running ssh to have dedicated accounts for the tunnels such that their daemon tools scripts are essentially two lines, a shebang followed by exec setuiduid user ssh -i ...
Finally, if people want to do very low overhead and highly secure setups, they should bind the services that they reverse forward to unix domain sockets locally and reverse forward the local unix domain sockets over ssh to remote unix domain sockets. They can use a file mode sticky bit on the parent directory to make the local Unix domain socket accessible by the ssh command running on its own user, which locks things down locally fairly nicely. A typical process running on the machine will not be able to talk to the reverse forwarded service thanks to the Unix file permissions. Lastly, using ed25519 or ecdsa ssh keys would make the initial connection process very quick compared to using RSA.
We’re actually using Unix sockets as the underlying transport layer for this. We’re also not using sshd, we custom wrote our own daemon that’s entire job is tunneling. If you’re curious about this, you can find the project here: https://github.com/antoniomika/sish
sish was actually my first foray into SSH apps. It was a lot of fun to write and pretty much implements tunnels with a routing system on top. It manages connectivity, routing, and reverse proxying all within user space. No namespaces required!
tuns can actually even tunnel UDP traffic over SSH, also entirely in user space. Docs for that can be found here: https://pico.sh/tuns#udp-tunneling
Cloudflare makes that free through their zero trust stuff and cloudflared daemon.
Perhaps giving a bit more information than throwing out random acronyms related to SSH would be a bit more fruitful in terms of responses.
What about TOFU and MITM would you like them to respond to? TOFU isn't inherently a bad thing. Neither is MITM. It depends on the threat model, the actors involved, etc.
Your comment (and the snarky followup) imply they're doing something wrong, but it's unclear what.
There is nothing that can be done beyond what they are doing?
You can receive their public keys out-of-band through an https-authenticated connection. Which means their approach to "the initial trust problem" is _not_ "trust on first use".
I don't know what other solutions there are to TOFU, but maybe it's nice if there's something like a standardised /.well-known/ssh-keys.json path for public ssh servers like github and pico.sh.
There’s SSHFP, but it’s off by default and assumes an attacker can’t modify dns, though most mitms would be executed with dns and dnssec deployment is generally a disaster.
Currently their host key page is only linked once at the bottom of their page and isn’t referenced in any onboarding docs, so effectively onboarding encourages “yolo”, and if users aren’t savvy they’re likely putting other things at risk, whatever their keys happen to also have access to.
The other argument that comes up here then is “well mitms are rare so this doesn’t seem like a big problem in practice”, however there are actually great targets here, for example you go to a conference and hijack the WiFi, then spend your time in hallway track advertising these services to your targets. This kind of thing has a high success rate.
The web improves on this problem with PKI, though similar phishing tactics exist in a similar situation where you encourage people to sign up explicitly guiding them to an incorrect domain, but propensity for using search in address bars strongly helps resist this too.
SSH is terrible for this use case, no matter how it makes people feel.
DNSSEC would also not work in the conference wifi scenario.
Love the idea, but I couldn't find a "pricing" page and wanted to abandon reading immediately (I have no time for unsustainable services). Then I learned from the discussion that the pricing is $2/m, which, two things: 1) I still can't find that price on the web site, and 2) it seems unsustainable to me, so I'm still worried.
I run a B2B SaaS. Support costs is what eats you alive: in case of a complex B2B app anything below $40/month is unsustainable. This is of course better for simpler apps/services, but even there you have to be super careful.
I had the same frustration as you with finding the pricing information. With some serendipitous clicking, I managed to find it!
Thank you for the feedback and we agree so we have changed the header nav link from "pico+" to "pricing".
In terms of the costs to run a saas, we are actively monitoring hardware utilization and resource allocation. Antonio and I have a lot of experience building and running saas (and paas) products so we feel confident we can manage whatever usage comes our way. We have also been strategic in terms of the services we provide in an effort to keep service support manageable.
> I run a B2B SaaS. Support costs is what eats you alive: in case of a complex B2B app anything below $40/month is unsustainable
I agree to an extent. But it largely depends on the complexity of your offering. If all you do is expose flat data through an API, you can maybe get away with an API Gateway x Lambda x DynamoDB combo, which would cost virtually nothing as the free tier is very generous.
Just my 2c.
$40/month per user, just for support? So for 1000 users, you need to make $40,000 to be sustainable, i.e. like 10 employees?
I'm thinking not much support is needed for user's that are willing and able to do all these tasks over SSH. They've pre-filtered for low support load
Back in early 2000s I ran a shared webhosting business, most customer's were savvy at the time and it was kind of a "you're on your own, let me know if the infra is acting up" type arrangement. I ran it with about 2000 customers for a year or so solo and only got about 2 support emails a day. Back then, 24-72 hour response was acceptable so I never needed to be a 24/7 resource.
Yeah I think this why "Book a call" level customers are really subsidising it. Say $10/m/u and you get 200 seats. You pay $2000/m but the bugs you hit are likely uniform so you loaf support like maybe 20 individual users. 20 individual users only bring in 10%. So you need the whales to keep it going.
Very timely for this to come up. Just this morning I was wiring up a personal blog with Obsidian -> Hugo -> Github Pages. I might swap Github Pages out for Pico.sh, it's definitely my kinda service. Well, either that or self-host it.
Pretty unrelated, but if you are a developer and don't have a lifetime SDF.org membership, you should.
I had never heard of that. What's your use-case for it?
It basically dates back to when having access to a Unix system meant that you needed to be at a university or a big employer or some such. These guys provided one for free.
Currently you can get some basic email, web hosting, etc. for a one time $1 donation. You can get more for a one time $36 donation.
They also have internal “forums” and chat and such as well as offering a bunch of related services like VPS, dial up, VPN, a Minecraft server, etc. Realistically, you can get a lot more for a lot less with modern hosts but between nostalgia and the limited environment having a particular kind of charm, it is kinda neat.
Why SDF over a free limitless VPS?
I joined SDF last year and was disappointed. I was willing to tolerate the limitations (eg. can't change your shell unless "validated"; can't even 'touch' a file...) in exchange for community but it's a ghost town. To make matters worse, IRC for new users is only available on a Sunday!
I would love to give it another shot but I don't understand what its value is in 2025.
So this seems to be a membership to access a remote Unix system and share it with others?
This thing is really cool, I want to pipe data between systems... can I trust you to have that kind of access?
Love the KISS approach to your services. Simple text files, built on fundamental services. Honestly also a great way to build SSH (and associated suite) chops for folks just entering Linux/Unix/BSD/*nix world or who only know Windows.
Going to poke at it this week myself. Looks like a healthy competitor to PikaPods for the basic stuff.
> Promotion/rollback support
> Managed HTTPS for all projects
> Promotion and rollback support
"Promotion and rollback support" twice...
How interesting! I'm excited by all the energy lately that i've seen around more text-based fun stuff, from Gemini to tilde communities to more TUIs/TUI apps, to this ssh powered set of services! Keep 'em coming!
pico.sh is not new by any means. I was using them ~3 years ago (or maybe even for longer), with their lists.sh service.
After I opened my blog, they launched prose.sh, and rest of the services soon after, but since I settled on my blog, and didn't want to change horses, and they discontinued lists.sh, I had to part ways with them.
I admire what they've built though, and wish them best of luck.
I love this! I was about to start using Substack for a personal/professional blog and I was very concerned about the structure they "force" you into. I don't want to socialize in the way they want me to. I just want to write my stuff down, and perhaps help someone, but at the end, all I want is a place to share things with myself in a more elaborated way. Looking at it now!
If all you want is to scp .html files there's always been shared hosting.
I keep a machine which has sshd listening on the IMAPS port (993) for when I'm traveling. It's amazing how many free networks don't allow ssh, but with -J and sshd on port 993, that really doesn't matter.
A NGFW, frequently used in the enterprise environments will block it. They are checking the package signatures, not only the YCP ports.
Not sure if it has to go that far. Probably it's just blocking port 22.
Agreed. You can host both SSH and HTTPS on port 443. I know this used to be possible with HAProxy, but now Nginx can do it as well. This way you are hosting normal HTTPS traffic when a browser is used and SSH otherwise.
Now, if your company is actually blocking the SSH protocol, you’ll have to do something like tunneling SSH through SSL, which is also possible… but not as easier IIRC.
Love the idea.
There are a couple oddities I found in the UI.
1. When you sign up the prompt says “signup”. I didn’t know what it wanted. I finally just guessed username and that was right.
2. I couldn’t get tokens to create (which they say are highly recommended). I hit c for create, entered a name, press enter. Nothing.
Sorry, this is a focus issue with a tui which we'll fix up soon! Should just need to hit <tab> until OK is highlighted and then press enter
This web design is very nice to look at
Hey thanks! I stare at our docs site multiple times a day and sometimes I lose all sense of what looks good so your comment is much appreciated.
At risk of scope creep, the greatest selling point Netlify has for me is automatic form email support for static sites. Would be awesome if pico.sh supported that.
https://pgs.sh was designed to "compete" with netlify. I'm going to look into this feature and see how it could fit into our service. Thanks so much!
> Upload your static site to us
How do you prevent abuse, like illegal material?
I'm not sure why it would be different from any other hosting provider. They do clarify what they consider abuse / forbidden content, and their operational policies though:
This is the challenge. This is tiny and delightful, but most hosting systems are monsters from a compliance perspective not because of a hunger for bureaucracy but that content moderation is SUPER hard.
> content moderation is SUPER hard
That's a bit over-exaggerated, it certainly isn't fun, nor very interesting, but it's doable, even for smaller organizations. Today is even easier as classification/labeling ML models are pretty good even without any fine-tuning/training on your own dataset.
people assuming that LE are going after smalltime hosting
you can easily find entire VMs for 2€/month on sites like LES
Good question.
Right now we run some ML models to check for illegal content and then respond immediately with the ban hammer.
We also monitor content published on our platform with some admin tools we built.
Tangential, how heavy is a NSFW classifier for a VPS? This link leads to a HuggingFace model with Telegram id of author offering premium model.
> how heavy is a NSFW classifier for a VPS?
Not heavy at all, they're really tiny in the grand scale of things and can easily run on CPU only unless you're wanna classify 100s of items per second.
And that's why no one can offer this sustainably for $2/month. There is a cost of policing for illegal stuff as well as outright terrible stuff that requires fair bit of effort.
You can even get full 'root' on a virtual machine for that price, and plenty of webhosting options.
For many years now I've been hosting my IRC bouncer on a $13/yr VPS at netcup and it has been more stable than some of my other VPSes.
Granted, the market for shared hosting has settled closer to $6, but OVH, Hetzner and Netcup all still offer shared hosting for $2/month, with a free domain on top. And all three are in this market for ages now. They limit you to static pages, PHP and a MySQL database, but you can do plenty of illegal stuff with that.
Wait till they get popular, and then they will abandon this.
I'm not sure about netcup, but Hetzner and OVH are very large, very popular hosting providers that have been in this game for decades.
Big fan of pico.sh, been hosting a few small sites on there for a while now, no faster way to get something up and running
Very cool. Though might want to increase contrast on diagrams, for example here https://pico.sh/tuns
I signed up for this awhile back when it was free, it's been hosting bibbidibobbidi.boo ever since. It's very neat.
And we're still free! Just added some payments to help keep things running smoothly and allow us to invest in more infrastructure. pgs (static sites) and tuns (tunneling) are both multi-region for example.
This is a really fun project! I've been trying to think of unique ways to allow non-devs to publish blog posts easily on their own websites and this is some great inspiration for it.
Love to see a midwest/great lakes business address :)
I don't seem to be able to add multiple SSH public keys. When I try to create one, I paste my pub key and hit enter and… no key is added.
We recently changed our tui framework and the functionality for focus is a bit different. You might have to hit <tab> until `ADD` is highlighted. You can also rsync/scp/sftp an authorized_keys file and we'll add that to your account!
I'd actually highly recommend taking a look at vaxis (https://github.com/rockorager/vaxis). We've moved away from wish/bubbletea and have really enjoyed working with vaxis!
Without being open source this is basically just a walled garden version of sr.ht.
We're actually fully open source and all development occurs in the open! Here's the repo https://github.com/picosh/pico and you can find us on Libera IRC
rsync is no SSH tool. I get how that sentence emerged, but it is still a turn off, mixing up terminology like that for convenience.
In my experience, any time you're using scp, you'd be better off with rsync.
rsync uses ssh for remote communication.
I am sure you know this, but rsync works perfectly fine without ssh. In fact, it has its owncustom protocol for remote communcation. It can use ssh to talk to remote machines, but so can any tool via the plain pipe mechanism. Followin that logic, every Linux CLI tool that does stdio is an ssh tool...
This is great! Congratulations.
This looks awesome. Well done.
This is awesome!
I’m sold.
I have fish shell... took me a little bit to realize that this prevents it to create account, once I created it using bash, it works well. Just FYI.
Hrm that's odd! Just tested and everything looks fine. Any logs or errors you can share?
I love this
Didn’t Pico used to be a shell grep like search? Or was that another project?
I thought it was a Windows SSH / terminal tool. I’m probably remembering wrong.
Edit: Found it already. I was definitely thinking of Putty.
And a minimal CSS framework.
this is really cool but something I would want to self-host, especially for pastebin.
These looks like they are the code for the pastebin.
There’s a bunch of other code related to their other services in that repo and in their other repos as well.
[dead]
Sadly the CoC states:
Don't upload "hate speech" (i.e. demeaning race, gender, age, religious or sexual orientation, etc.)
Don't upload material that is threatening, harassing, defamatory, or that encourages violence or crime
This can be contorted to mean almost anything. In times such as these where regimes all across the globe are using "hate speech" as carte blanche to snuff out dissent, it's sad to see others openly follow suite.
Alright, i had plans to use Github (or maybe something Cloudflare ish) but your $2/m has me seriously interested. I'm reviewing now.
I hate when i see fun side projects that cost the same as full subscriptions to other products. There's only a handful of $15/m services i "want" in my life.. it really raises the barrier to entry when i'm so aware and averse to subscription costs.
Yet $2/m? Instantly sold on that price. It's a fun price, it looks like a fun product, it lines up perfectly for me. It's silly that the price has me almost more interested than the product. Love it
Thanks for this, i plan to try it out!
Bandwidth limitations has me chuckling though: https://pico.sh/faq#are-there-any-bandwidth-limitations
Any thoughts on how the review will happen when that barrier is reached?
Traffic isn't actually that expensive outside of big clouds. No idea where pico is hosted, but Hetzner gives you "unlimited" 1Gps connections with a dedicated server, or a 10G uplink charged at $1.20/TB (plus a fixed monthly fee for the uplink itself).
I have good reasons to believe this is hosted on Oracle's free tier. Apart from the fact that pinging pico.sh points to an Oracle IP, the 10TB limit is consistent with Oracle Free Tier's limit.
You are correct, we are also multi-cloud: https://pico.sh/regions
Good call. Oracle does charge somewhat reasonable $8.50/TB after the first 10TB/month. Despite my dislike of Oracle it's not a terrible choice for this until you get some serious traffic.
hetzner is $1.5/TB for us and eu.
Totally feel you on this and kudos to these guys, low pricing makes it so much easier to actually try something without second-guessing. I’m working on a similar philosophy with my own project, 99dev — simple tools for indie devs at just $1/month. Starting with lightweight analytics (like a mini Plausible), but more tools are on the way. No bloat, just useful stuff for folks like us who are building things and watching our budgets.
Really glad to see more projects like pico.sh embracing low cost, no frills, indie services. https://99.dev
You could use GitHub pages + cloudflare for free hosting. My neighbor uses that.
$2 is fun for hobbies but hope you are not running in production for your customers with that sort of service level!
Thanks for the comment because I think many -- including myself -- resonate with this sentiment. Our pricing strategy was to be competitive with a user just provisioning their own VPS VM with a cloud provider. Our goal is to be competitive on price with a $5/mo VM.
Further, we are mostly targeting individual/small teams who want to rapidly prototype on the web. We provide enough convenience features (e.g. zero-install, multi-region, site analytics, tunnel connect/disconnect notifications, easy script automation) to entice users to keep their prototypes running in "prod" as long as possible before they feel the need to provision their own VPS.
We could go upstream and try to target larger teams/companies, but honestly, this is just fun for us to do on the side.
We don't make any guarantees about uptime at this point but we take it very seriously (we have alerting and respond quickly) and treat it like our day-jobs (I work at a paas and antonio is a platform engineer wizard).
For static sites is there that much missing? Throw a good CDN in front of this and would it matter much who the host was?
At $2/m SRE is powered by love only.
It is strange, I tried to add my public key but received a response that it was already in use (!). Is there a way to determine the user associated with a public key? Perhaps it's possible I have previously created an account but I feel I would remember the UI.
I stumbled across this clever service when looking for a “pastebin” that handled rendering terminal output with ANSI codes. The irony is that they don’t actually allow that (just plain text can be piped to their pastes service), but I found their whole site and vibe delightful!
And the two authors, qudat, and antoniomima are active on HN, as their responsive comments here demonstrate. Just good work all around.
Co-Founder here, thanks for the interest in our micro-saas powered by SSH.
Happy to answer any questions!
Hey, I was just reading your docs, maybe prose.sh will be what I'll use to finally start a blog !
I noticed this mention here [0]:
But on your front page it says : So do you support delete ? One of these pages is outdated or did I miss something ?[0] https://pico.sh/file-uploads
Woops! Delete is supported, will update that as well
So I understand I can redirect my custom domain to Pico Pages, Pico Prose, etc. Can I however do the other way around? Can I create somehow a CNAME on my Pico.sh account (such as username-myapp.pgs.sh points to abc.xyz.com)? In essence, I'd like to be able to get a certificate and set a secure https connection to e.g. my Load Balancer my-alb-12345.us-east-1.elb.amazonaws.com or similar.
Yep! tuns would be the service you want since it can support forwarding arbitrary backends: https://pico.sh/tuns#custom-domains
how to manage / remove paste ?
I remember seeing this a couple of years ago on HN!
Would you be willing to share how it’s doing on the business side? Hints on how you’ve grown users or how many folks are willing to subscribe?
I’d love to build a service (in a different domain) that operates as simply as this.
> Would you be willing to share how it’s doing on the business side? Hints on how you’ve grown users or how many folks are willing to subscribe?
Yes, absolutely. Here's our year-end-review where we talk numbers: https://blog.pico.sh/status-011
Ultimately, what keeps us going is we want these services to exist for our own side-project development and it's an extra boost of motivation when others use our services.
All of our marketing is through HN/lobsters/reddit since that's our target demo.
Sorry if I didn't catch this on the site, but any new upcoming services you are excited about?
A ssh or TUI frontend for some git/forge host like: https://forgejo.org/ would be pretty cool!
https://pr.pico.sh/ and https://github.com/picosh/git-pr :-)
am I getting this right, that for 2 bucks a month I can publish (okay tun) my dockers and very-unsafe-postgres-with-ssl publicly to selected users?
Correct! The tunnels are protected using ssh auth as well, so you can ensure that only the users you want to access it can.
I am not sure how you avoided collisions (network namespaces?) on the localhost port space, but for things like this, you would be better off forwarding to/from UNIX domain sockets. It is more efficient as local tcp sockets have several times the overhead. You probably would want to set StreamLocalBindUnlink yes and StreamLocalBindMask 0117 in sshd_config. Then use UNIX groups with the group sticky bit set on the directory where the unix domain socket is made to allow multiple users access. The directory would be owned by that group while each user with access would be added to that group. It reduces some network overhead and is highly secure. I recently used this trick to connect a bunch of machines to a remote service through a jump host.
Also, take it from someone who has been running services over port forwards for years. You want to set ClientAliveInterval and ClientAliveCountMax in sshd_config on the server (if you have not already). Users should be encouraged to set ServerAliveCountMax and ServerAliveInterval In ssh_config on their machines. Furthermore, it would be best if the tunnels were run by daemon tools and had ExitOnForwardFailure set as part of the command that is run. The ssh command used at the client side likely also should set -nNT. It is also good practice for the machines running ssh to have dedicated accounts for the tunnels such that their daemon tools scripts are essentially two lines, a shebang followed by exec setuiduid user ssh -i ...
Finally, if people want to do very low overhead and highly secure setups, they should bind the services that they reverse forward to unix domain sockets locally and reverse forward the local unix domain sockets over ssh to remote unix domain sockets. They can use a file mode sticky bit on the parent directory to make the local Unix domain socket accessible by the ssh command running on its own user, which locks things down locally fairly nicely. A typical process running on the machine will not be able to talk to the reverse forwarded service thanks to the Unix file permissions. Lastly, using ed25519 or ecdsa ssh keys would make the initial connection process very quick compared to using RSA.
We’re actually using Unix sockets as the underlying transport layer for this. We’re also not using sshd, we custom wrote our own daemon that’s entire job is tunneling. If you’re curious about this, you can find the project here: https://github.com/antoniomika/sish
sish was actually my first foray into SSH apps. It was a lot of fun to write and pretty much implements tunnels with a routing system on top. It manages connectivity, routing, and reverse proxying all within user space. No namespaces required!
tuns can actually even tunnel UDP traffic over SSH, also entirely in user space. Docs for that can be found here: https://pico.sh/tuns#udp-tunneling
Cloudflare makes that free through their zero trust stuff and cloudflared daemon.
I love your RFC-1, keep up the spirit :)
Where are your servers located?
Ashburn, VA and Nuremberg, DE!
What are you doing about TOFU and MITM?
Our host keys are published here and are durable: https://pico.sh/host-keys
So approximately nothing?
Perhaps giving a bit more information than throwing out random acronyms related to SSH would be a bit more fruitful in terms of responses.
What about TOFU and MITM would you like them to respond to? TOFU isn't inherently a bad thing. Neither is MITM. It depends on the threat model, the actors involved, etc.
Your comment (and the snarky followup) imply they're doing something wrong, but it's unclear what.
There is nothing that can be done beyond what they are doing?
You can receive their public keys out-of-band through an https-authenticated connection. Which means their approach to "the initial trust problem" is _not_ "trust on first use".
I don't know what other solutions there are to TOFU, but maybe it's nice if there's something like a standardised /.well-known/ssh-keys.json path for public ssh servers like github and pico.sh.
There’s SSHFP, but it’s off by default and assumes an attacker can’t modify dns, though most mitms would be executed with dns and dnssec deployment is generally a disaster.
Currently their host key page is only linked once at the bottom of their page and isn’t referenced in any onboarding docs, so effectively onboarding encourages “yolo”, and if users aren’t savvy they’re likely putting other things at risk, whatever their keys happen to also have access to.
The other argument that comes up here then is “well mitms are rare so this doesn’t seem like a big problem in practice”, however there are actually great targets here, for example you go to a conference and hijack the WiFi, then spend your time in hallway track advertising these services to your targets. This kind of thing has a high success rate.
The web improves on this problem with PKI, though similar phishing tactics exist in a similar situation where you encourage people to sign up explicitly guiding them to an incorrect domain, but propensity for using search in address bars strongly helps resist this too.
SSH is terrible for this use case, no matter how it makes people feel.
DNSSEC would also not work in the conference wifi scenario.
Love the idea, but I couldn't find a "pricing" page and wanted to abandon reading immediately (I have no time for unsustainable services). Then I learned from the discussion that the pricing is $2/m, which, two things: 1) I still can't find that price on the web site, and 2) it seems unsustainable to me, so I'm still worried.
I run a B2B SaaS. Support costs is what eats you alive: in case of a complex B2B app anything below $40/month is unsustainable. This is of course better for simpler apps/services, but even there you have to be super careful.
I had the same frustration as you with finding the pricing information. With some serendipitous clicking, I managed to find it!
https://pico.sh/plus
It does also mention there is a $0 "Starter" tier.
(I found that link on this page:
https://pico.sh/pgs )
EDIT: Mention the Starter tier.
Thank you for the feedback and we agree so we have changed the header nav link from "pico+" to "pricing".
In terms of the costs to run a saas, we are actively monitoring hardware utilization and resource allocation. Antonio and I have a lot of experience building and running saas (and paas) products so we feel confident we can manage whatever usage comes our way. We have also been strategic in terms of the services we provide in an effort to keep service support manageable.
> I run a B2B SaaS. Support costs is what eats you alive: in case of a complex B2B app anything below $40/month is unsustainable
I agree to an extent. But it largely depends on the complexity of your offering. If all you do is expose flat data through an API, you can maybe get away with an API Gateway x Lambda x DynamoDB combo, which would cost virtually nothing as the free tier is very generous.
Just my 2c.
$40/month per user, just for support? So for 1000 users, you need to make $40,000 to be sustainable, i.e. like 10 employees?
I'm thinking not much support is needed for user's that are willing and able to do all these tasks over SSH. They've pre-filtered for low support load
Back in early 2000s I ran a shared webhosting business, most customer's were savvy at the time and it was kind of a "you're on your own, let me know if the infra is acting up" type arrangement. I ran it with about 2000 customers for a year or so solo and only got about 2 support emails a day. Back then, 24-72 hour response was acceptable so I never needed to be a 24/7 resource.
Yeah I think this why "Book a call" level customers are really subsidising it. Say $10/m/u and you get 200 seats. You pay $2000/m but the bugs you hit are likely uniform so you loaf support like maybe 20 individual users. 20 individual users only bring in 10%. So you need the whales to keep it going.
Very timely for this to come up. Just this morning I was wiring up a personal blog with Obsidian -> Hugo -> Github Pages. I might swap Github Pages out for Pico.sh, it's definitely my kinda service. Well, either that or self-host it.
Pretty unrelated, but if you are a developer and don't have a lifetime SDF.org membership, you should.
I had never heard of that. What's your use-case for it?
It basically dates back to when having access to a Unix system meant that you needed to be at a university or a big employer or some such. These guys provided one for free.
Currently you can get some basic email, web hosting, etc. for a one time $1 donation. You can get more for a one time $36 donation.
They also have internal “forums” and chat and such as well as offering a bunch of related services like VPS, dial up, VPN, a Minecraft server, etc. Realistically, you can get a lot more for a lot less with modern hosts but between nostalgia and the limited environment having a particular kind of charm, it is kinda neat.
Why SDF over a free limitless VPS?
I joined SDF last year and was disappointed. I was willing to tolerate the limitations (eg. can't change your shell unless "validated"; can't even 'touch' a file...) in exchange for community but it's a ghost town. To make matters worse, IRC for new users is only available on a Sunday!
I would love to give it another shot but I don't understand what its value is in 2025.
So this seems to be a membership to access a remote Unix system and share it with others?
This thing is really cool, I want to pipe data between systems... can I trust you to have that kind of access?
Love the KISS approach to your services. Simple text files, built on fundamental services. Honestly also a great way to build SSH (and associated suite) chops for folks just entering Linux/Unix/BSD/*nix world or who only know Windows.
Going to poke at it this week myself. Looks like a healthy competitor to PikaPods for the basic stuff.
Keep up the good work!
https://pgs.sh/
> Promotion/rollback support > Managed HTTPS for all projects > Promotion and rollback support
"Promotion and rollback support" twice...
How interesting! I'm excited by all the energy lately that i've seen around more text-based fun stuff, from Gemini to tilde communities to more TUIs/TUI apps, to this ssh powered set of services! Keep 'em coming!
pico.sh is not new by any means. I was using them ~3 years ago (or maybe even for longer), with their lists.sh service.
After I opened my blog, they launched prose.sh, and rest of the services soon after, but since I settled on my blog, and didn't want to change horses, and they discontinued lists.sh, I had to part ways with them.
I admire what they've built though, and wish them best of luck.
I love this! I was about to start using Substack for a personal/professional blog and I was very concerned about the structure they "force" you into. I don't want to socialize in the way they want me to. I just want to write my stuff down, and perhaps help someone, but at the end, all I want is a place to share things with myself in a more elaborated way. Looking at it now!
If all you want is to scp .html files there's always been shared hosting.
How does it compares with https://bearblog.dev/?
My company blocks ssh. Is there a way to tunnel this through HTTP?
Use that from home or a mobile phone connection?
You probably aren't supposed to update your personal website and stuff when you are working for your company anyway.
Cockscrew might fit your usecase[1]
[1] - https://github.com/bryanpkc/corkscrew
Stupid company!
I keep a machine which has sshd listening on the IMAPS port (993) for when I'm traveling. It's amazing how many free networks don't allow ssh, but with -J and sshd on port 993, that really doesn't matter.
A NGFW, frequently used in the enterprise environments will block it. They are checking the package signatures, not only the YCP ports.
I agree. Something like what GitHub offers? https://docs.github.com/en/authentication/troubleshooting-ss...
I have heard that SSH could be tunneled over DNS UDP packets.
This looks like a decent article, will read later.
https://medium.com/@rogergalo/learn-how-easy-is-to-bypass-fi...
Not sure if it has to go that far. Probably it's just blocking port 22.
Agreed. You can host both SSH and HTTPS on port 443. I know this used to be possible with HAProxy, but now Nginx can do it as well. This way you are hosting normal HTTPS traffic when a browser is used and SSH otherwise.
Now, if your company is actually blocking the SSH protocol, you’ll have to do something like tunneling SSH through SSL, which is also possible… but not as easier IIRC.
Love the idea.
There are a couple oddities I found in the UI.
1. When you sign up the prompt says “signup”. I didn’t know what it wanted. I finally just guessed username and that was right.
2. I couldn’t get tokens to create (which they say are highly recommended). I hit c for create, entered a name, press enter. Nothing.
Sorry, this is a focus issue with a tui which we'll fix up soon! Should just need to hit <tab> until OK is highlighted and then press enter
This web design is very nice to look at
Hey thanks! I stare at our docs site multiple times a day and sometimes I lose all sense of what looks good so your comment is much appreciated.
That's fun, I found and subscribed to tuns.sh only 2 weeks ago. (I wrote up my experience, too https://danielittlewood.xyz/notes/self-hosting-with-tunnels)
At risk of scope creep, the greatest selling point Netlify has for me is automatic form email support for static sites. Would be awesome if pico.sh supported that.
https://pgs.sh was designed to "compete" with netlify. I'm going to look into this feature and see how it could fit into our service. Thanks so much!
> Upload your static site to us
How do you prevent abuse, like illegal material?
I'm not sure why it would be different from any other hosting provider. They do clarify what they consider abuse / forbidden content, and their operational policies though:
[1]: https://pico.sh/abuse
[2]: https://pico.sh/ops#code-of-content-publication
This is the challenge. This is tiny and delightful, but most hosting systems are monsters from a compliance perspective not because of a hunger for bureaucracy but that content moderation is SUPER hard.
> content moderation is SUPER hard
That's a bit over-exaggerated, it certainly isn't fun, nor very interesting, but it's doable, even for smaller organizations. Today is even easier as classification/labeling ML models are pretty good even without any fine-tuning/training on your own dataset.
people assuming that LE are going after smalltime hosting
you can easily find entire VMs for 2€/month on sites like LES
Good question.
Right now we run some ML models to check for illegal content and then respond immediately with the ban hammer.
We also monitor content published on our platform with some admin tools we built.
Could be useful to have a tool similar to https://git.0x0.st/mia/0x0#moderation-ui
Tangential, how heavy is a NSFW classifier for a VPS? This link leads to a HuggingFace model with Telegram id of author offering premium model.
> how heavy is a NSFW classifier for a VPS?
Not heavy at all, they're really tiny in the grand scale of things and can easily run on CPU only unless you're wanna classify 100s of items per second.
And that's why no one can offer this sustainably for $2/month. There is a cost of policing for illegal stuff as well as outright terrible stuff that requires fair bit of effort.
You can even get full 'root' on a virtual machine for that price, and plenty of webhosting options.
https://lowendbox.com/blog/2-usd-vps-cheap-vps-under-2-month...
For many years now I've been hosting my IRC bouncer on a $13/yr VPS at netcup and it has been more stable than some of my other VPSes.
Granted, the market for shared hosting has settled closer to $6, but OVH, Hetzner and Netcup all still offer shared hosting for $2/month, with a free domain on top. And all three are in this market for ages now. They limit you to static pages, PHP and a MySQL database, but you can do plenty of illegal stuff with that.
Wait till they get popular, and then they will abandon this.
I'm not sure about netcup, but Hetzner and OVH are very large, very popular hosting providers that have been in this game for decades.
Big fan of pico.sh, been hosting a few small sites on there for a while now, no faster way to get something up and running
Very cool. Though might want to increase contrast on diagrams, for example here https://pico.sh/tuns
I signed up for this awhile back when it was free, it's been hosting bibbidibobbidi.boo ever since. It's very neat.
And we're still free! Just added some payments to help keep things running smoothly and allow us to invest in more infrastructure. pgs (static sites) and tuns (tunneling) are both multi-region for example.
This is a really fun project! I've been trying to think of unique ways to allow non-devs to publish blog posts easily on their own websites and this is some great inspiration for it.
Love to see a midwest/great lakes business address :)
I don't seem to be able to add multiple SSH public keys. When I try to create one, I paste my pub key and hit enter and… no key is added.
We recently changed our tui framework and the functionality for focus is a bit different. You might have to hit <tab> until `ADD` is highlighted. You can also rsync/scp/sftp an authorized_keys file and we'll add that to your account!
That did it. Thanks!
See also:
https://github.com/charmbracelet/wish
I'd actually highly recommend taking a look at vaxis (https://github.com/rockorager/vaxis). We've moved away from wish/bubbletea and have really enjoyed working with vaxis!
Without being open source this is basically just a walled garden version of sr.ht.
We're actually fully open source and all development occurs in the open! Here's the repo https://github.com/picosh/pico and you can find us on Libera IRC
rsync is no SSH tool. I get how that sentence emerged, but it is still a turn off, mixing up terminology like that for convenience.
In my experience, any time you're using scp, you'd be better off with rsync.
rsync uses ssh for remote communication.
I am sure you know this, but rsync works perfectly fine without ssh. In fact, it has its own custom protocol for remote communcation. It can use ssh to talk to remote machines, but so can any tool via the plain pipe mechanism. Followin that logic, every Linux CLI tool that does stdio is an ssh tool...
This is great! Congratulations.
This looks awesome. Well done.
This is awesome!
I’m sold.
I have fish shell... took me a little bit to realize that this prevents it to create account, once I created it using bash, it works well. Just FYI.
Hrm that's odd! Just tested and everything looks fine. Any logs or errors you can share?
I love this
Didn’t Pico used to be a shell grep like search? Or was that another project?
I thought it was a Windows SSH / terminal tool. I’m probably remembering wrong.
Edit: Found it already. I was definitely thinking of Putty.
And a minimal CSS framework.
this is really cool but something I would want to self-host, especially for pastebin.
And we'd be happy for you too! All of our code/tools are open source and available here: https://github.com/picosh/pico
https://github.com/picosh/pico/tree/main/pkg/apps/pastes
https://github.com/picosh/pico/blob/main/cmd/pastes/ssh/main...
These looks like they are the code for the pastebin.
There’s a bunch of other code related to their other services in that repo and in their other repos as well.
[dead]
Sadly the CoC states:
This can be contorted to mean almost anything. In times such as these where regimes all across the globe are using "hate speech" as carte blanche to snuff out dissent, it's sad to see others openly follow suite.