Web-based SSH

Last updated May 14, 2023

Web-based SSH refers to the ability to access Secure Shell (SSH) servers through a web browser. SSH is a secure network protocol that is commonly used to remotely control servers, network devices, and other devices. With web-based SSH, users can access and manage these devices using a standard web browser, without the need to install any additional software.

Web-based SSH clients are typically implemented using JavaScript and either Ajax or WebSockets. These clients communicate with the SSH server through a proxy, which allows them to bypass firewalls and other network security measures that may block SSH traffic. This makes web-based SSH a convenient and secure way to access remote servers and devices from any location with an internet connection.

Web-based SSH is useful for a variety of purposes, including system administration, network management, and remote development. It is often used by IT professionals and developers to remotely access and manage servers, as well as by individuals who need to access their home or office computers from a remote location.

Technology

Web-based SSH clients are applications that allow users to access Secure Shell (SSH) servers through a web browser. They consist of two main parts: a client-side component, which is typically implemented using JavaScript and dynamic HTML, and a server-side or web application component, which is typically implemented on an application server.

The client-side component captures keystrokes, transmits messages to and from the server, and displays the results in the user's web browser. The server-side component processes incoming requests and forwards keyboard events to a secure shell client that communicates with the connected SSH server. Terminal output is either passed to the client, where it is converted into HTML using JavaScript, or it is translated into HTML by the server before it is transmitted to the client.

Terminal emulation

Web-based SSH servers can use either client-side or server-side terminal emulation.

Client-side terminal emulation

Client-side terminal emulation transmits the raw terminal output from the SSH server directly to the client, which has the advantage of offloading the process of translating terminal output into HTML onto the client. However, it can be limited by the capabilities of JavaScript and can use a significant amount of the client's CPU and memory.

An example of a client-side terminal emulator is vt100.js.^[1]

Server-side terminal emulation

Server-side terminal emulation keeps track of the terminal screen and state in memory and converts it to HTML when a screen update occurs or when the client requests an update. This method has the advantage of keeping the state of the terminal persistent even if the user connects to their existing session from a different web browser, but it can use more CPU and memory on the server.

An example of a server-side terminal emulator is terminal.py.^[2]

Advantages

The main advantages of web-based SSH can be summarized as follows:

Accessibility: Web-based SSH as described in this article requires no local installation of client software. It is thus possible to access SSH servers through a web browser from anywhere. As communication is based on HTTP or HTTPS it is also possible to access SSH servers from behind a firewall or proxy that restricts Internet access to only ports 80 (HTTP) or 443 (HTTPS).
Anonymous Access: As SSH access is tunneled through an intermediary web application server it is this server which actually communicates with the SSH server. This means that the SSH server will only be aware of the IP address of the web application server, keeping the actual client's IP address hidden.
Auditability: Because all communication between the client and the SSH server must pass through the web application server this communication can be logged. This prevents a malicious client from deleting logs of their activities. The situation is exactly the same as with traditional SSH server.
Resuming Sessions: Some web-based SSH implementations allow the user to resume their SSH sessions after being disconnected. This is not possible with a traditional SSH client.
Embeddable: Web-based SSH implementations can be embedded into any web page allowing them to be integrated into other web-based applications.
Unique Features: Many web-based SSH tools have unique features such as the ability to share terminals with other users, can display images within terminals, and other useful capabilities.

Important issues

The following issues have to be considered and are important when using a web-based SSH client:

Security: It is important to make sure that HTTPS is used when communicating with the web application server. Otherwise all data being sent would be readable by use of simple packet sniffers which could reveal sensitive information.
Trust: The data being sent to the web application server is decrypted there. This is necessary in order to forward the issued commands to the actual SSH server. Even though the operators of web-based SSH solutions usually don't log sensitive data the data is theoretically available to them in plain form. It is unlikely that this will cause a security issue when the web application server and the SSH server are run on the same server or are controlled by the same entity.
Tunneling: Unlike most traditional, application based SSH clients, web-based SSH clients are unable to tunnel ("forward") TCP traffic. For example, running an X session over a web-based SSH session is not possible. However, the lack of ability is caused by implementation issues, and not inherent in some way.^[3]

Free and open source examples

Google's Secure Shell extension for Chrome and Chromium^[4] pairs the JavaScript hterm terminal emulator with OpenSSH client code running on Native Client.^[5] The Secure Shell extension works with non-Google HTTP-to-SSH proxies via proxy hooks, and third-party application nassh-relay^[6] can use those hooks to enable the Secure Shell extension to establish an SSH connection over XMLHttpRequest or WebSocket transport.
shellinabox^[7] operates as a stand-alone service or in conjunction with nginx to provide HTTPS access to a login shell, and is packaged for Debian and RedHat -derived Linux distributions.
webssh^[8] is a similar solution written in Python.
Bastillion^[9] is a self hosted, web-based bastion host with auditing and key management capabilities. Users connect to a centralized server over HTTPS and SSH connections are proxied through a secure WebSocket transport.
FireSSH is a browser plug-in that works on Firefox ESR and Waterfox.

Related Research Articles

In computing, Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program, typically to process user requests.

Server-side scripting is a technique used in web development which involves employing scripts on a web server which produces a response customized for each user's (client's) request to the website. The alternative is for the web server itself to deliver a static web page. Scripts can be written in any of a number of server-side scripting languages that are available. Server-side scripting is distinguished from client-side scripting where embedded scripts, such as JavaScript, are run client-side in a web browser, but both techniques are often used together.

Telnet is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet. Telnet consists of two components: (1) the protocol itself which specifies how two parties to communicate and (2) the software application that provides the service. User data is interspersed in-band with Telnet control information in an 8-bit byte oriented data connection over the Transmission Control Protocol (TCP). Telnet was developed in 1969 beginning with RFC 15, extended in RFC 855, and standardized as Internet Engineering Task Force (IETF) Internet Standard STD 8, one of the first Internet standards. Telnet transmits all information including usernames and passwords in plaintext so it is not recommended for security-sensitive applications such as remote management of routers. Telnet's use for this purpose has waned significantly in favor of SSH. Some extensions to Telnet which would provide encryption have been proposed.

<span class="mw-page-title-main">Cross-site scripting</span> Computer security vulnerability

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec up until 2007. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

The Microsoft Windows Script Host (WSH) is an automation technology for Microsoft Windows operating systems that provides scripting abilities comparable to batch files, but with a wider range of supported features. This tool was first provided on Windows 95 after Build 950a on the installation discs as an optional installation configurable and installable by means of the Control Panel, and then a standard component of Windows 98 and subsequent and Windows NT 4.0 Build 1381 and by means of Service Pack 4. The WSH is also a means of automation for Internet Explorer via the installed WSH engines from IE Version 3.0 onwards; at this time VBScript became means of automation for Microsoft Outlook 97. The WSH is also an optional install provided with a VBScript and JScript engine for Windows CE 3.0 and following and some third-party engines including Rexx and other forms of Basic are also available.

<span class="mw-page-title-main">Port forwarding</span> Application of network address translation

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

A server-side dynamic web page is a web page whose construction is controlled by an application server processing server-side scripts. In server-side scripting, parameters determine how the assembly of every new web page proceeds, and including the setting up of more client-side processing.

Twisted is an event-driven network programming framework written in Python and licensed under the MIT License.

In computing, the same-origin policy (SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.

Push technology or server push is a style of Internet-based communication where the request for a given transaction is initiated by the publisher or central server. It is contrasted with pull / get, where the request for the transmission of information is initiated by the receiver or client.

An SSH client is a software program which uses the secure shell protocol to connect to a remote computer. This article compares a selection of notable clients.

CGI:IRC is a CGI program written in Perl that allows access to IRC via a web browser. It is designed to be flexible and has many uses such as an IRC gateway for an IRC network, a chat-room for a website or to access IRC when stuck behind a restrictive firewall.

Comet is a web application model in which a long-held HTTPS request allows a web server to push data to a browser, without the browser explicitly requesting it. Comet is an umbrella term, encompassing multiple techniques for achieving this interaction. All these methods rely on features included by default in browsers, such as JavaScript, rather than on non-default plugins. The Comet approach differs from the original model of the web, in which a browser requests a complete web page at a time.

A web desktop or webtop is a desktop environment embedded in a web browser or similar client application. A webtop integrates web applications, web services, client–server applications, application servers, and applications on the local client into a desktop environment using the desktop metaphor. Web desktops provide an environment similar to that of Windows, Mac, or a graphical user interface on Unix and Linux systems. It is a virtual desktop running in a web browser. In a webtop the applications, data, files, configuration, settings, and access privileges reside remotely over the network. Much of the computing takes place remotely. The browser is primarily used for display and input purposes.

A single-page application (SPA) is a web application or website that interacts with the user by dynamically rewriting the current web page with new data from the web server, instead of the default method of a web browser loading entire new pages. The goal is faster transitions that make the website feel more like a native app.

ZOC is a popular computer-based terminal emulator and Telnet software client for the Microsoft Windows and Apple Macintosh macOS operating systems that supports telnet, modem, SSH 1 and 2, ISDN, serial, TAPI, Rlogin and other means of communication. Its terminal emulator supports Xterm emulation with full colors, meta-keys and local printing, VT102, VT220 and several types of ANSI as well as Wyse, TVI, TN3270, and Sun's CDE. It supports full keyboard remapping, scripting in REXX and other languages, and support for named pipes.

ZK is an open-source Ajax Web application framework, written in Java, that enables creation of graphical user interfaces for Web applications with little required programming knowledge.

<span class="mw-page-title-main">WebSocket</span> Computer network protocol

WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection. The WebSocket protocol was standardized by the IETF as RFC 6455 in 2011. The current API specification allowing web applications to use this protocol is known as WebSockets. It is a living standard maintained by the WHATWG and a successor to The WebSocket API from the W3C.

Server-Sent Events (SSE) is a server push technology enabling a client to receive automatic updates from a server via an HTTP connection, and describes how servers can initiate data transmission towards clients once an initial client connection has been established. They are commonly used to send message updates or continuous data streams to a browser client and designed to enhance native, cross-browser streaming through a JavaScript API called EventSource, through which a client requests a particular URL in order to receive an event stream. The EventSource API is standardized as part of HTML5 by the WHATWG. The media type for SSE is text/event-stream.

References

↑ "Google Code Archive - Long-term storage for Google Code Project Hosting".
↑ "Terminal.py - A Pure Python Terminal Emulator — Gate One 1.2.0 documentation".
↑ jcterm claims to be able to handle port forwarding, such as X11 forwarding
↑ "Secure Shell App".
↑ Chromium Secure Shell FAQ
↑ nassh-relay GitHub repository
↑ "Shellinabox". GitHub . 28 October 2021.
↑ "Webssh: Web based SSH client".
↑ Bastillion - Web-Based SSH Access and Key Management

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Google Code Archive - Long-term storage for Google Code Project Hosting".

[2] "Terminal.py - A Pure Python Terminal Emulator — Gate One 1.2.0 documentation".

[jcterm-3] term claims to be able to handle port forwarding, such as X11 forwarding

[4] "Secure Shell App".

[Chromium_Secure_Shell_FAQ-5] Chromium Secure Shell FAQ

[nassh-relay-6] ssh-relay GitHub repository

[7] "Shellinabox". GitHub . 28 October 2021.

[8] "Webssh: Web based SSH client".

[bastillion-9] Bastillion - Web-Based SSH Access and Key Management

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]