
Gate One 0.9 Released, Brings SSH To the Web

Posted by timothy
from the vewwy-vewwy-quiet dept.
Riskable writes "Dan McDougall (full disclosure: That's me) just publicly released the source code to Gate One, which is an HTML5-powered terminal emulator and SSH client. It is unique in that it doesn't require any browser plugins (it uses WebSockets) and supports multiple simultaneous terminals/SSH sessions in a single browser tab. It can resume users' sessions after being disconnected, and supports both client and server-side session recording/playback (view as a log or like a video). Gate One can also be embedded into other web-based applications such as administration interfaces, serial port concentrators, virtual appliances, or whatever."

  • by bolthole (122186)
    When is sshd in html5 coming, then?
  • I looked over the source code.... so how do i use this?
    • Looks like it runs as its own service, like a single-purpose http server. So it's not really pure HTML5 then, it's a service with an HTML5 frontend.

      • by omnichad (1198475)

        Yeah - It's Python. No mention of that in the summary. My first thought was that it used WebSockets to make a connection to the real server, not an intermediate server. Shouldn't that be possible with a little more robust coding??

        • Unless there's a way in JS to open arbitrary network connections (and I don't think there is) it's not possible, since all WebSockets traffic is actually specialized traffic that runs on port 80. JS can only do WebSockets and regular HTTP requests AFAIK.

          • by omnichad (1198475)

            Oh, right. I guess that's why they don't just call it Sockets. Still a misleading summary.

          • > Unless there's a way in JS to open arbitrary network connections (and I don't think there is) it's not possible, since all WebSockets traffic is actually specialized traffic that runs on port 80. JS can only do WebSockets and regular HTTP requests AFAIK.

            You can open arbitrary network sockets in JavaScript, if you are using JavaScript in an environment that supports it (node.js, for instance), but, largely for security reasons, no browser-based JS implementation (at least, that I know of) supports this.

            This

            • Exactly. If you could open arbitrary connections in JS, then your entire internal network would be vulnerable to the simplest of JS code.
    • by Riskable (19437)

      Install the dependencies:

      sudo pip install tornado pyopenssl kerberos

      ...or if you don't have pip:

      sudo easy_install tornado pyopenssl kerberos

      Then use git to check out the code:

      git clone git@github.com:liftoff/GateOne.git

      Then you can run it like so:

      cd GateOne/gateone; sudo ./gateone.py

      ...or you could just cd into the GateOne directory and run:

      sudo python setup.py install

      Which will install /opt/gateone. Then you could run it like so:

      sudo /opt/gateone/gateone.py

      There's some (incomplete but extensive) HTML do

    • Use it.

      Except for bells and whistles, how is this different from Ajaxterm?

      I like all the eye candy and features and no doubt they are an improvement over what ajaxterm offers, however, ajaxterm is already a plugin free html based ssh terminal. Put it behind an apache https reverse proxy and block the real ajaxterm port from internet access and you get a pretty good pure html/ajax ssh shell.

      • by Riskable (19437)

        Ajaxterm, when a connection is open, polls the server every second to see if the terminal has been updated on the server (long polling). Also, when you close your browser window your Ajaxterm session will end. Then there's the fact that Ajaxterm doesn't really support proper copy & paste and it has to run at a specified terminal width and height ahead of time (Gate One auto-adjusts rows/cols to fill your browser window).

        Gate One uses WebSockets which stay open... Meaning that whenever any of your ter

  • by pinkeen (1804300)
    No more downloading putty!

    From what I see ncurses apps work great too.
    • I'll second the coolness. Very nice work.

      cheers,

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      > No more downloading putty!

      Instead you need to download and install python and a python based server.

  • Honestly the first practical thing I have done with HTML5. This thing is nice, clean, and fast!
    • by Desler (1608317)

      Except it's a python app with an html frontend. Not that impressive.

      • by Tsingi (870990)
        I was looking for this exact thing just this morning. It's not hugely impressive, but it looks like no one else has done it. I did come across a lot of messages saying how it should be done.

        Happy to see the code, I'll try it out. Much better than having to write it myself.

  • Shellinabox [google.com] has been doing this in JavaScript for a while now. There's source and binary packages for everything from Red Hat to Debian armel.
    • by Anonymous Coward

      what about FireSSH? http://firessh.mozdev.org/

    • by oakgrove (845019)
      Can you automatically resume the connection when closing and reopening the browser? Gate One does this.
  • Awesome job. Can't wait to try it on the intranet.

  • > such as administration interfaces, serial port concentrators, virtual appliances, or whatever.

    What is the "Whatever" part? Toasters? Refrigerators? :-)

  • !HTML5 Powered (Score:5, Informative)

    by Anonymous Coward on Thursday October 13, 2011 @02:41PM (#37705440)
    Um, it's written in Python and runs as a service with a HTML5 frontend.
    • by nam37 (517083)
      My thoughts exactly unless I'm missing something.
    • Re:!HTML5 Powered (Score:4, Informative)

      by Timmmm (636430) on Thursday October 13, 2011 @03:59PM (#37706336)

      Well obviously. The client is written in HTML5. If you knew anything at all about HTML5 you'd know it is impossible to write a "true" ssh client using HTML5. Instead this connects to a python server which then goes on to connect to the actual sshd. The point is that you don't need an ssh binary installed on the client.

      You could actually remove ssh from the equation, but it looks like the gate server allows you to connect to *any* ssh server, so I guess that's why they didn't do that.

      • > it is impossible to write a "true" ssh client using HTML5

        Not so fast. Assuming you mean HTML5 + JavaScript, I think you could, provided you were allowed to hop through an HTTP proxy that supports the CONNECT method.

        For those of you about to suggest that a crypto stack written in JS would be slow -- I don't think it would be as slow as the CPU in my 15-year-old Cisco switches.

        • by Timmmm (636430)

          Wouldn't work. You can still only send HTTP or websockets, and websockets have hand-shaking and framing that you can't remove.

      • by msobkow (48369)

        Ooo. A web app. That really deserved the front page of Slashdot.

        Tomorrow on Slashdot: Someone compiles a program.

  • by Vellmont (569020) on Thursday October 13, 2011 @02:47PM (#37705530) Homepage

    I've always dreamed that one day, someone will make an SSH client in a browser so all the fun XSS, CSRF, and the bevy of other web vulnerabilities could come to SSH. SSH has just been too darn secure over the years, but now with this new application, an SSH client can be just as insecure as everything on the web. Thanks!

    • by Pharmboy (216950)

      An SSH client can be insecure without it being in a web browser. It isn't the programming language that makes it insecure, it is the programmer.

      I can picture plenty of ways to use this as a lame method to exploit, but they are all more effort than the current methods. I guess someone could embed this in a hidden webpage popup, use the person's computer to then try to hack various sites via ssh, but that seems like it is more work than using a simple trojan to install a background process to do the

      • by Vellmont (569020)


        > It isn't the programming language that makes it insecure, it is the programmer.

        It's the programmer, AND the environment the application was written in. A web browser isn't exactly a secure environment.

    • by Animats (122034)

      Mod parent up.

      Not everything should be done in a web browser.

      Take a look at the source code which stores SSH authentication information in browser cookies. [github.com] In plaintext. In JSON. Idiots will start using this, and they'll open a back door into a remote server.

      • by Tacvek (948259)

        No ssh authentication information is stored in cookies. Only the username used to authenticate to GateOne itself lives in the cookie, and it is a signed unforgeable cookie.

      • by Riskable (19437)

        If you weren't in such a hurry to be negative you'd realize that the cookies are ENCRYPTED. And I'm not just talking about the fact that Gate One runs over SSL. No, the cookie Gate One uses is itself encrypted. There's a reason why the function is called set_secure_cookie().

    • by Riskable (19437)

      Let's see...

      XSS: Since there's no "cross-site" anything in Gate One I'd be really interested to see how this would work!
      CSRF: Again, there's no "cross-site" to speak of.

      The only vulnerability that concerns me with Gate One is the potential for session hijacking... To get around this Gate One uses encrypted cookies but that doesn't stop an attacker from copying the entire cookie. Then again, if the attacker has access to the cookie in such a situation they probably have access to the whole browser so it'
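
Added example, not part of the thread or of Gate One's code: a simplified signed, timestamped cookie of the kind this sub-thread is arguing about. Tornado documents its secure cookies as signed rather than encrypted, so the sketch shows the resulting properties: the value is readable without the key, it cannot be altered, and a verbatim copy is accepted until it expires. The secret, cookie name, field layout and lifetime are constructed for illustration and are not Tornado's exact wire format.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # stands in for the server-side cookie secret
MAX_AGE = 30 * 86400                 # assumed lifetime in seconds for this sketch


def _sig(name, b64_value, ts):
    """HMAC over name, encoded value and timestamp, keyed with the server secret."""
    msg = b"|".join([name.encode(), b64_value, ts])
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def sign_cookie(name, value, now=None):
    """Build 'base64(value)|timestamp|signature'. Nothing here is encrypted."""
    ts = str(int(time.time() if now is None else now)).encode()
    b64_value = base64.b64encode(value.encode())
    return b"|".join([b64_value, ts, _sig(name, b64_value, ts)]).decode()


def read_cookie(name, cookie, now=None):
    """Server side: return the value if the signature and age check out, else None."""
    parts = cookie.encode().split(b"|")
    if len(parts) != 3:
        return None
    b64_value, ts, sig = parts
    if not hmac.compare_digest(sig, _sig(name, b64_value, ts)):
        return None                       # altered or forged
    now = time.time() if now is None else now
    if now - int(ts) > MAX_AGE:
        return None                       # too old: bounds the replay window
    return base64.b64decode(b64_value).decode()


def peek_without_key(cookie):
    """What anyone holding the cookie can read, with no secret at all."""
    return base64.b64decode(cookie.split("|")[0]).decode()


def swap_value(cookie, new_value):
    """Tampering attempt: replace the value but keep the old signature."""
    _, ts, sig = cookie.split("|")
    return "|".join([base64.b64encode(new_value.encode()).decode(), ts, sig])


if __name__ == "__main__":
    issued = 1_000_000
    c = sign_cookie("user", '{"user": "alice"}', now=issued)     # constructed value
    print("readable without key:", peek_without_key(c))
    print("tampered copy       :", read_cookie("user", swap_value(c, '{"user": "root"}'), now=issued))
    print("verbatim copy       :", read_cookie("user", c, now=issued + 60))
    print("after expiry        :", read_cookie("user", c, now=issued + MAX_AGE + 1))
```

Because a verbatim copy verifies, the defences against the hijacking concern are a short cookie lifetime, the Secure and HttpOnly cookie attributes, and serving only over TLS.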

  • I'm curious why is the term "emulator" used? What about this makes it an emulator of an SSH terminal? Is it just because it's being run in a web browser?

    • by Sancho (17056) *

      http://en.wikipedia.org/wiki/Terminal_emulator [wikipedia.org]

      That may help you understand.

    • Re:Emulator? (Score:4, Informative)

      by cornface (900179) on Thursday October 13, 2011 @02:55PM (#37705634)

      Because it is emulating a terminal, which back in the stone age was an actual piece of physical hardware.

      Sometimes they were magical interactive typewriters which is where the abbreviation 'TTY' comes from.

      • by msobkow (48369)

        It won't be too many years before someone would have posted in response to your comment:

        "What's a typewriter?"

        Just a matter of time. My nieces were already baffled by a couple cassettes I had lying around.

      • by cburley (105664) *

        > Because it is emulating a terminal, which back in the stone age was an actual piece of physical hardware.
        >
        > Sometimes they were magical interactive typewriters which is where the abbreviation 'TTY' comes from.

        Pretty sure 'TTY' comes from "Teletype".

    • A terminal is a piece of hardware with a keyboard and a screen or printer that you use to access a computer.

      A terminal emulator is a software program that runs on a general purpose computer that has a local keyboard and mouse and emulates a terminal. Usually a fairly advanced terminal.

      An ssh client is a piece of software used to log into a remote computer over ssh and connect your terminal to it.

      On *nix terminal emulators and ssh clients are usually separate but ones designed for use in other environments ar

  • by Anonymous Coward

    Seems to be that Python is doing the real work and being a web server, and the HTML/js part interfaces to there. Not bad, but... not ssh in html5/js either.

  • What kind of server-side support does this require? I bet I can not just run it from a static HTML file.
  • Key pairs? (Score:5, Interesting)

    by Neil Watson (60859) on Thursday October 13, 2011 @02:56PM (#37705644) Homepage

    In the demo the author uses a password to login via SSH. In the documentation I see no option to use a private key.

    • Re:Key pairs? (Score:4, Informative)

      by Riskable (19437) <YouKnowWho@YouKnowWhat.com> on Thursday October 13, 2011 @04:02PM (#37706366) Homepage Journal

      Private key support is forthcoming... I had it working just fine but then I had the bright idea of writing a plugin system for Gate One and making the SSH part just another plugin :)

      Key-based SSH authentication and user management thereof should be there in 1.0. Really, it isn't rocket science... Just a matter of wrapping a GUI around the functions that are already there in the code.

      • by dolmen.fr (583400)

        > I had the bright idea of writing a plugin system for Gate One and making the SSH part just another plugin :)
        >
        > Key-based SSH authentication and user management thereof should be there in 1.0.

        Are these the parts that you plan to make your business with? At least they do not seem to be in the GitHub repo...

        • by Riskable (19437)

          The business parts will be selling support/indemnification contracts and proprietary licenses (so companies can embed Gate One without having to comply with the terms of the AGPLv3).

          The key management parts of the code are sitting in an archive directory on my laptop at the moment. Just have to do some copying, pasting, and a little bit of logic rework.

  • by Sduic (805226)

    So I can use HTML5 to SSH [slashdot.org] into my Linux on Javascript [slashdot.org] server, so I can play a game of TF2 with WebGL [slashdot.org]?

    Now if only I could surf the web...

  • by david.given (6740) <dgNO@SPAMcowlark.com> on Thursday October 13, 2011 @03:06PM (#37705764) Homepage Journal

    You need a daemon to proxy between the WebSocket connection (which, remember, isn't a straight TCP stream) and the ssh server proper. Although it appears this doesn't need to be on the machine that the ssh server is running on, so it doesn't look like too much of a hardship. Also, I can't find any reference of which of the umpteen different WebSocket variants it supports.

    There's actually a number of these things out already, such as ConsoleFish [serfish.com] or ShellInABox [google.com]. There's also an HTML5 VNC client [github.com], which looks very interesting.
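
Added example, not part of the thread or of Gate One's code: what a browser actually puts on the wire when it sends an SSH identification string over a WebSocket, using the handshake and framing rules of RFC 6455. It illustrates the point made above and earlier in the thread that a WebSocket is not a straight TCP stream, so a daemon has to strip the framing before sshd sees anything it recognises. The banner text and function names are constructed for illustration.

```python
import base64
import hashlib
import os
import struct

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def accept_key(sec_websocket_key):
    """Value the server must return in Sec-WebSocket-Accept during the HTTP upgrade."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()


def _xor(data, mask):
    return bytes(b ^ mask[i % 4] for i, b in enumerate(data))


def client_frame(payload, mask=None, opcode=0x2):
    """Encode one unfragmented client-to-server frame (opcode 0x2 = binary)."""
    mask = mask or os.urandom(4)          # browsers must mask every frame they send
    head = bytes([0x80 | opcode])         # FIN bit + opcode
    n = len(payload)
    if n < 126:
        head += bytes([0x80 | n])         # MASK bit + 7-bit length
    elif n < 65536:
        head += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        raise ValueError("64-bit lengths are left out of this sketch")
    return head + mask + _xor(payload, mask)


def server_unframe(frame):
    """What the proxy daemon does before relaying the bytes to sshd."""
    n, off = frame[1] & 0x7F, 2
    if n == 126:
        n, off = struct.unpack("!H", frame[2:4])[0], 4
    mask = frame[off:off + 4]
    return _xor(frame[off + 4:off + 4 + n], mask)


if __name__ == "__main__":
    banner = b"SSH-2.0-demo\r\n"          # constructed SSH identification string
    frame = client_frame(banner)
    print("sshd expects :", banner)
    print("browser sends:", frame.hex())  # starts 0x82 0x8e, then mask, then XORed bytes
    print("after proxy  :", server_unframe(frame))
```

Before any frame is sent the browser also issues an HTTP `Upgrade` request and waits for the matching `Sec-WebSocket-Accept` value, which an SSH server pointed at directly would never produce.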

    • by Riskable (19437)

      Which variants of WebSockets does it support? Both (there's really only two real-world implementations) by way of the Tornado framework [tornadoweb.org]. In earlier builds of Gate One it only worked with the old implementation of WebSockets but once the Tornado guys started supporting the final draft of the protocol Gate One instantly supported it as well.

      For reference, I am not aware of a single other web-based terminal emulator that can resume sessions after closing your browser. Even the commercial SaaS vendors don't

      • by david.given (6740)

        Yes, that is a neat trick --- the most obvious way I can think of of doing that is to do all the ssh processing on the client, and make the daemon a simple proxy; but a quick look at the source code shows you don't appear to be doing that. Or at least, I couldn't find it.

        Unfortunately the platform I'd really like this to work on, my Kindle, doesn't support WebSockets (of any kind)...

        I have, in fact, been vaguely thinking about trying to recompile a Java ssh client library under GWT and trying to make th

    • by Riskable (19437)

      For reference, Gate One can also be used in place of an SSH daemon. Just have it run /bin/login instead of ssh_connect.py. Example

      sudo ./gateone.py --command=/bin/login

      ...and you've got yourself a web-based equivalent to logging into the console. This is especially handy if your server is configured to use LDAP/Kerberos authentication and for whatever reason that broke (you can still login as root this way).

  • I have a few questions (so I only skimmed TFA...)

    1) Does this handle the actual SSL connection server side, not client side (as certain web based IRC clients I've seen will), so then, for example, this could be used to effectively ssh to a box through an HTTP proxy, assuming the proxy was between you and the webpage, not the webpage and the target box to ssh to?

    2) Assuming the answer to number 1 is yes, how does this differ from Ajaxterm? Is it less of a royal pain in the ass to configure? Is it fast
    • by Riskable (19437)

      1) Yes, it can be used to effectively SSH to a box through an HTTP proxy. I do it all the time! The only caveat being that some proxies don't work with WebSockets (old, garbage ones).

      2) Ajaxterm uses a completely different method to communicate with the client... long-polling. Essentially, it hits the web server every second (forever--until you close the browser tab) checking for updates to your terminal. This is slow and very inefficient (high latency). Also, it would be silly to use this method to su

      • by dolmen.fr (583400)

        > Then there's the fact that Gate One has a zillion features that are missing from Ajaxterm... The most important of which is the terminal emulation isn't nearly as buggy! LOL. For reference, I am intimately familiar with Ajaxterm as I wrote an older, similar program a few years ago that was based off of it.
        >
        > BTW: I HATE debugging the terminal emulator!

        Do you plan to provide a terminfo definition for your terminal?

        • by Riskable (19437)

          My goal is to get Gate One emulating an xterm as closely as possible. So xterm's terminfo definition should work. However, it might be the case that Gate One ends up with one or two differences that might warrant its own definition. Great question though... It is something I've definitely thought about.

      • Thanks Dan. Sounds promising. I eventually gave up on Ajaxterm just because of how frustratingly slow it was. I'm gonna give your Gate One a shot and see what I think.
  • by jasonla (211640) on Thursday October 13, 2011 @04:46PM (#37706842)
    FireSSH [mozilla.org] is better. The client runs locally on your machine through FF. No server plugin required. And you don't have to worry about the server hosting the HTML5 frontend going down with FireSSH, unlike this Gate One [liftoffsoftware.com]'s 404 and 500 errors.
    • by dbIII (701233)
      The downside of such things is trying to use them over free WiFi that blocks anything apart from port 80 - or other situations that stop you just getting in with normal ssh. Getting the server to do it all via a web page gets around that problem.
      • by daid303 (843777)

        Port 443 I hope. You better run your web-ssh session over https instead of http.

        • by dbIII (701233)
          I'd hope so too but what do you do when everything other than port 80 is blocked? I'll have to admit my solution when I hit that problem was to go into the office, but there must be some measures that can be taken with cgi scripts that can prevent a proxy getting something meaningful out of a web ssh session on port 80.
          • by Riskable (19437)

            There's nothing stopping you from running Gate One on port 80 with SSL still enabled. Your proxy might block the tunnel but it's worth a shot.

    • by jago25_98 (566531)

      Bear in mind that this may still have firewalling problems

  • by markdavis (642305)

    OK, but if you can get X11 tunneling through and displaying in the browser, too, then I will be REALLY impressed ;)

    • by Riskable (19437)

      Believe it or not, I have this in the TODO for Gate One 2.0. It will require implementing the X11 protocol in JavaScript using the canvas element. It shouldn't be too difficult... Just extremely time consuming. Which is something I don't have much of these days.

  • doesn't ajaxterm already do this?

    http://wiki.kartbuilding.net/index.php/Ajaxterm [kartbuilding.net]

    • by daid303 (843777)

      Guess Slashdot is falling for buzzwords like HTML5. Other than that, it's not special at all.

    • Yeah I was going to say, I have been using ajaxterm for a few years now. It has its quirks, but it works and gives me access to my home network. For those times when you just can't tolerate the company firewall, it will do.
