Web-based SSH explained
Web-based SSH is the provision of Secure Shell (SSH) access through a web browser. SSH is a secure network protocol that is commonly used to remotely control servers, network devices, and other devices. With web-based SSH, users can access and manage these devices using a standard web browser, without the need to install any additional software.
Web-based SSH clients are typically implemented using JavaScript and either Ajax or WebSockets. These clients communicate with the SSH server through a proxy, which allows them to bypass firewalls and other network security measures that may block SSH traffic. This makes web-based SSH a convenient and secure way to access remote servers and devices from any location with an internet connection.
Web-based SSH is useful for a variety of purposes, including system administration, network management, and remote development. It is often used by IT professionals and developers to remotely access and manage servers, as well as by individuals who need to access their home or office computers from a remote location.
Technology
Web-based SSH clients are applications that allow users to access Secure Shell (SSH) servers through a web browser. They consist of two main parts: a client-side component, which is typically implemented using JavaScript and dynamic HTML, and a server-side or web application component, which is typically implemented on an application server.
The client-side component captures keystrokes, transmits messages to and from the server, and displays the results in the user's web browser. The server-side component processes incoming requests and forwards keyboard events to a secure shell client that communicates with the connected SSH server. Terminal output is either passed to the client, where it is converted into HTML using JavaScript, or it is translated into HTML by the server before it is transmitted to the client.
Terminal emulation
Web-based SSH servers can use either client-side or server-side terminal emulation.
Client-side terminal emulation
Client-side terminal emulation transmits the raw terminal output from the SSH server directly to the client, which has the advantage of offloading the process of translating terminal output into HTML onto the client. However, it can be limited by the capabilities of JavaScript and can use a significant amount of the client's CPU and memory.
An example of a client-side terminal emulator is vt100.js.[1]
Server-side terminal emulation
Server-side terminal emulation keeps track of the terminal screen and state in memory and converts it to HTML when a screen update occurs or when the client requests an update. This method has the advantage of keeping the state of the terminal persistent even if the user connects to their existing session from a different web browser, but it can use more CPU and memory on the server.
An example of a server-side terminal emulator is terminal.py.[2]
Advantages
The main advantages of web-based SSH can be summarized as follows:
- Accessibility: Web-based SSH as described in this article requires no local installation of client software. It is thus possible to access SSH servers through a web browser from anywhere. As communication is based on HTTP or HTTPS it is also possible to access SSH servers from behind a firewall or proxy that restricts Internet access to only ports 80 (HTTP) or 443 (HTTPS).
- Anonymous Access: As SSH access is tunneled through an intermediary web application server it is this server which actually communicates with the SSH server. This means that the SSH server will only be aware of the IP address of the web application server, keeping the actual client's IP address hidden.
- Auditability: Because all communication between the client and the SSH server must pass through the web application server this communication can be logged. This prevents a malicious client from deleting logs of their activities. The situation is exactly the same as with traditional SSH server.
- Resuming Sessions: Some web-based SSH implementations allow the user to resume their SSH sessions after being disconnected. This is not possible with a traditional SSH client.
- Embeddable: Web-based SSH implementations can be embedded into any web page allowing them to be integrated into other web-based applications.
- Unique Features: Many web-based SSH tools have unique features such as the ability to share terminals with other users, can display images within terminals, and other useful capabilities.
Important issues
The following issues have to be considered and are important when using a web-based SSH client:
- Security: It is important to make sure that HTTPS is used when communicating with the web application server. Otherwise all data being sent would be readable by use of simple packet sniffers which could reveal sensitive information.
- Trust: The data being sent to the web application server is decrypted there. This is necessary in order to forward the issued commands to the actual SSH server. Even though the operators of web-based SSH solutions usually don't log sensitive data the data is theoretically available to them in plain form. It is unlikely that this will cause a security issue when the web application server and the SSH server are run on the same server or are controlled by the same entity.
- Tunneling: Unlike most traditional, application based SSH clients, web-based SSH clients are unable to tunnel ("forward") TCP traffic. For example, running an X session over a web-based SSH session is not possible. However, the lack of ability is caused by implementation issues, and not inherent in some way.
Free and open source examples
- Google's Secure Shell extension for Chrome and Chromium[3] pairs the JavaScript hterm terminal emulator with OpenSSH client code running on Native Client. The Secure Shell extension works with non-Google HTTP-to-SSH proxies via proxy hooks, and third-party application nassh-relay can use those hooks to enable the Secure Shell extension to establish an SSH connection over XMLHttpRequest or WebSocket transport.
- shellinabox[4] operates as a stand-alone service or in conjunction with nginx to provide HTTPS access to a login shell, and is packaged for Debian and RedHat -derived Linux distributions.
- webssh[5] is a similar solution written in Python.
- Bastillion is a self hosted, web-based bastion host with auditing and key management capabilities. Users connect to a centralized server over HTTPS and SSH connections are proxied through a secure WebSocket transport.
- FireSSH is a browser plug-in that works on Firefox ESR and Waterfox.
References
- Web site: Google Code Archive - Long-term storage for Google Code Project Hosting.
- Web site: Terminal.py - A Pure Python Terminal Emulator — Gate One 1.2.0 documentation.
- Web site: Secure Shell App.
- Web site: Shellinabox. . 28 October 2021.
- Web site: Webssh: Web based SSH client.
[6] [7] [8] [9]