Gate One 0.9 Released, Brings SSH To the Web

Riskable writes "Dan McDougall (full disclosure: That's me) just publicly released the source code to Gate One, which is an HTML5-powered terminal emulator and SSH client. It is unique in that it doesn't require any browser plugins (it uses WebSockets) and supports multiple simultaneous terminals/SSH sessions in a single browser tab. It can resume users' sessions after being disconnected, and supports both client and server-side session recording/playback (view as a log or like a video). Gate One can also be embedded into other web-based applications such as administration interfaces, serial port concentrators, virtual appliances, or whatever."

This isn't new.

[lolcutusofbong]

Shellinabox has been doing this in JavaScript for a while now. There's source and binary packages for everything from Red Hat to Debian armel.

!HTML5 Powered

Um, it's written in Python and runs as a service with a HTML5 frontend.

Re:!HTML5 Powered

[Riskable]

I could be feeding a troll here but... The problem with writing a terminal emulator using old-school methods ("HTML4 Powered") is the latency and overhead associated with long-polling and long-held HTTP streams. It would be incredibly slow and inefficient to have more than one terminal open at a time. I know this for a fact. How?

I've written such an app

No one ever used it--not even me. Because it sucked. Without WebSockets and Web Workers such a thing will always be slow. Without HTML5's "contentEditable" ability you can't even copy & paste properly.

Re:!HTML5 Powered

[Timmmm]

Well obviously. The client is written in HTML5. If you knew anything at all about HTML5 you'd know it is impossible to write a "true" ssh client using HTML5. Instead this connects to a python server which then goes on to connect to the actual sshd. The point is that you don't need an ssh binary installed on the client.

You could actually remove ssh from the equation, but it looks like the gate server allows you to connect to *any* ssh server, so I guess that's why they didn't do that.

Finally, an ssh client as secure as a browser!

[Vellmont]

I've always dreamed that one day, someone will make an SSH client in a browser so all the fun XSS,, CSRF, and the bevy of other web vulnerabilities could come to SSH. SSH has just been to darn secure over the years, but now with this new application, an SSH client can be just as insecure as everything on the web. Thanks!

Re:Finally, an ssh client as secure as a browser!

[Animats]

Mod parent up.

Not everything should be done in a web browser.

Take a look at the source code which stores SSH authentication information in browser cookies. In plaintext. In JSON. Idiots will start using this, and they'll open a back door into a remote server.

Re:Finally, an ssh client as secure as a browser!

[Vellmont]

It isn't the programming language that makes it insecure, it is the programmer.

It's the programmer, AND the environment the application was written in. A web browser isn't exactly a secure environment.

Re:Finally, an ssh client as secure as a browser!

[Riskable]

If you weren't in such a hurry to be negative you'd realize that the cookies are ENCRYPTED. And I'm not just talking about the fact that Gate One runs over SSL. No, the cookie Gate One uses is itself encrypted. There's a reason why the function is called set_secure_cookie().

Re:Emulator?

[cornface]

Because it is emulating a terminal, which back in the stone age was an actual piece of physical hardware.

Sometimes they were magical interactive typewriters which is where the abbreviation 'TTY' comes from.

Key pairs?

[Neil+Watson]

In the demo the author uses a password to login via SSH. In the documentation I see no option to use a private key.

Re:Key pairs?

[Riskable]

Private key support is forthcoming... I had it working just fine but then I had the bright idea of writing a plugin system for Gate One and making the SSH part just another plugin :)

Key-based SSH authentication and user management thereof should be there in 1.0. Really, it isn't rocket science... Just a matter of wrapping a GUI around the functions that are already there in the code.

Web 2.0

[Sduic]

So I can use HTML5 to SSH into my Linux on Javascript server, so I can play a game of TF2 with WebGL?

Now if only I could surf the web...

...but does require a server plugin

[david.given]

You need a daemon to proxy between the WebSocket connection (which, remember, isn't a straight TCP stream) and the ssh server proper. Although it appears this doesn't need to be on the machine that the ssh server is running on, so it doesn't look like too much of a hardship. Also, I can't find any reference of which of the umpteen different WebSocket variants it supports.

There's actually a number of these things out already, such as ConsoleFish or ShellInABox. There's also an HTML5 VNC client, which looks very interesting.

FireSSH

[jasonla]

FireSSH is better. The client runs locally on your machine through FF. No server plugin required. And you don't have to worry about the server hosting the HTML5 frontend going down with FireSSH, unlike this Gate One's 404 and 500 errors.

Re:Cool

No more downloading putty!

Instead you need to download and install python and a python based server.