No need to wait... Just don't use Gate One during a period of intense solar flare activity. TRUST ME on this one! You didn't last time around and it didn't work out so well!
My goal is to get Gate One emulating an xterm as closely as possible. So xterm's terminfo definition should work. However, it might be the case that Gate One ends up with one or two differences that might warrant its own definition. Great question though... It is something I've definitely thought about.
For reference, Gate One can also be used in place of an SSH daemon. Just have it run/bin/login instead of ssh_connect.py. Example
sudo./gateone.py --command=/bin/login
...and you've got yourself a web-based equivalent to logging into the console. This is especially handy if your server is configured to use LDAP/Kerberos authentication and for whatever reason that broke (you can still login as root this way).
Apparently you access a lot of "publicly available" SSH servers? I don't know about you but all the SSH servers I connect to on a regular basis are "private".
Regardless, key-based authentication will be there in Gate One 1.0. Passphrases and all.
I wanted to point out that you're absolutely right: Gate One *could* be modified to record user passwords. But then again, so could the SSH server you're connecting to. The attacker wouldn't even have to change the host keys. So with SSH you have to trust the server you're connecting to and Gate One is no different.
I would *LOVE* to put the encryption on the client end though. That would be one hell of a hack and I'm willing to give it a try. My biggest worry would be that JavaScript might just be too slow to handle it (really, even with all the latest JS engine improvements it is still that slow).
XSS: Since there's no "cross-site" anything in Gate One I'd be really interested to see how this would work! CSRF: Again, there's no "cross-site" to speak of.
The only vulnerability that concerns me with Gate One is the potential for session hijacking... To get around this Gate One uses encrypted cookies but that doesn't stop an attacker from copying the entire cookie. Then again, if the attacker has access to the cookie in such a situation they probably have access to the whole browser so it's probably moot.
If you weren't in such a hurry to be negative you'd realize that the cookies are ENCRYPTED. And I'm not just talking about the fact that Gate One runs over SSL. No, the cookie Gate One uses is itself encrypted. There's a reason why the function is called set_secure_cookie().
Key-based authentication will be available in Gate One 1.0. It used to be there (and work) but it got lost when I wrote Gate One's plugin system and decided that SSH support should simply be a plugin (in case someone wanted to embed Gate One into something else without having all that SSH-specific stuff).
Shouldn't take me long to re-implement it so keep checking for updates.
1) Yes, it can be used to effectively SSH to a box through an HTTP proxy. I do it all the time! The only caveat being that some proxies don't work with WebSockets (old, garbage ones).
2) Ajaxterm uses a completely different method to communicate with the client... long-polling. Essentially, it hits the web server every second (forever--util you close the browser tab) checking for updates to your terminal. This is slow and very inefficient (high latency). Also, it would be silly to use this method to support more than one terminal as you'd have your browser constantly checking for updates * num_terminals. This would gobble up bandwidth and CPU pretty quick:)
Then there's the fact that Gate One has a zillion features that are missing from Ajaxterm... The most important of which is the terminal emulation isn't nearly as buggy! LOL. For reference, I am intimately familiar with Ajaxterm as I wrote an older, similar program a few years ago that was based off of it.
Which variants of WebSockets does it support? Both (there's really only two real-world implementations) by way of the Tornado framework. In earlier builds of Gate One it only worked with the old implementation of WebSockets but once the Tornado guys started supporting the final draft of the protocol Gate One instantly supported it as well.
For reference, I am not aware of a single other web-based terminal emulator that can resume sessions after closing your browser. Even the commercial SaaS vendors don't support this because they're all based on the same code base (Ajaxterm or Shellinabox from what I've seen).
Private key support is forthcoming... I had it working just fine but then I had the bright idea of writing a plugin system for Gate One and making the SSH part just another plugin:)
Key-based SSH authentication and user management thereof should be there in 1.0. Really, it isn't rocket science... Just a matter of wrapping a GUI around the functions that are already there in the code.
I could be feeding a troll here but... The problem with writing a terminal emulator using old-school methods ("HTML4 Powered") is the latency and overhead associated with long-polling and long-held HTTP streams. It would be incredibly slow and inefficient to have more than one terminal open at a time. I know this for a fact. How?
No one ever used it--not even me. Because it sucked. Without WebSockets and Web Workers such a thing will always be slow. Without HTML5's "contentEditable" ability you can't even copy & paste properly.
Ajaxterm, when a connection is open, polls the server every second to see if the terminal has been updated on the server (long polling). Also, when you close your browser window your Ajaxterm session will end. Then there's the fact that Ajaxterm doesn't really support proper copy & paste and it has to run at a specified terminal width and height ahead of time (Gate One auto-adjusts rows/cols to fill your browser window).
Gate One uses WebSockets which stay open... Meaning that whenever any of your terminals have updates available those updates are immediately sent to your client. This has much lower overhead from both a bandwidth and a latency standpoint. It also lowers the CPU load on the server.
Gate One will also resume your session after you close your browser and come back... It will even do this after the Gate One daemon itself has been restarted (if you have the dtach option enabled--which is the default). Then of course there's the eye candy, multiple terminals, the ability to clone open SSH sessions without asking for a password, Kerberos single sign-on support, the sophisticated plugin system, the bookmark manager, session logging, and on and on. They're worlds apart.
Having said all that, some of my earlier builds were based on Ajaxterm so I really appreciate that the author posted it publicly! Even though the code was uncommented and used ambiguous, single-character variables for nearly everything =)
I am developing a web- based terminal emulator and one of the most useful features I added was the ability to record and play back sessions in a video- like way. Have you ever tried to read a text log of someone's vim session? Ever wish you could play back the output of top so you could see the history of a process utilization?
No, you will not be able to swap out the browser in the Metro shell... Metro apps can only be installed via Microsoft's app store and their app store license explicitly forbids apps with GPL or GPL- like licenses.
Also, you can forget about getting around such limitations by implementing something like Chrome Frame... IE 10 won't support plugins!
I don't think I've missed a single story since I started reading Slashdot all those years ago. Seriously! Erinn Clark used to call me, "The walking Slashdot" since at any moment I would reference recent news posted to Slashdot in my arguments with fellow Linux-users at Jacksonville Linux User's group (we had lots of post-meeting social gatherings). Before RSS I would keep track of the last article I read before leaving the site so I could return and pick up where I left off--even if it was weeks later.
So thank you for not only keeping me (mostly) up-to-date with all the latest geek news and controversies but for also making a site with the best comment moderation system that ever existed. I don't think my philosophical beliefs would be where they are today if it weren't for the thousands of +5 insightful comments I've read on Slashdot over the years. Many times I've had my beliefs shattered by some meanie injecting reality into any given discussion... So long libertarianism, I hardly knew ye! (just one example).
Good luck in your future endeavors. May Slashdot be but one of many bountiful legacies you bestow upon the earth.
I have written a few apps using Tornado... So far it is my favorite framework for developing rich web applications. I contributed code/patches that the Tornado devs used to add SSL support to the framework. Also, just the other day I completed a Kerberos/AD/SSO authentication module for Tornado (I'll be making it available soon I hope).
My favorite feature of Tornado is the built-in support for WebSockets. It should also be mentioned that it is one of (if not THE) fastest Python web frameworks.
I also want to mention that for one-off/quick development web applications that don't need to be super fast I almost always use CherryPy. It is much simpler/quicker to develop with CherryPy than Tornado. You lose out big time on speed but the development time of CherryPy apps is very impressive. I wrote a reporting tool for my job that would examine a passwd file and then check it against Active Directory for uid/gid/shell/homedir conflicts and report the results on a pretty page using jqGrid. Users could even click a button to export the grid to spreadsheet format. Total development time: 16 hours (and that includes lunch breaks and five or six hour long conference calls)! Needless to say my boss was ecstatic, my coworkers were amazed, and the people who ended up using the tool asked me how much it cost (as if we bought it).
To bridge the gap between CherryPy and Tornado I actually wrote a MethodDispatcher that lets you port a CherryPy app to Tornado with a trivial amount of effort. Of course, it also lets you write a Tornado app "the CherryPy way" which, while a bit strange sitting on top of Tornado, is much simpler and allows for faster development time.
As for the differences between some popular frameworks I wrote up a pretty good explanation over at Stackoverflow.
For reference, here's some apps I've developed using Tornado: Gate One (still developing it), PyCI (no longer maintaining it though--I hope to revisit it some day when I have time, sigh), Escape From The Web, and here's a writeup of mine on how to develop an application similar to my reporting tool using CherryPy and jqGrid in no time at all.
I dunno, while I don't have a Chromebook I *do* do serious work with Chrome (the browser) every day and I'm not talking about web development. All you need to do serious work, is a decent terminal program:
Gate One should be available for public consumption soon. I hope to make it the best damned terminal program/SSH client that ever existed. It is already superior to PuTTY (as long as you don't need port forwarding or X11).
It is 7 in the morning and I'm working on two laptops side-by-side. Each with copious amounts of tabs open. Probably not a good idea... Adding to my TODON'T list.
Or would that be Toadmometer? I can just imagine the news stories of the future...
"Citizens of San Diego evacuated today in response to a 9.2 reading on the city's recently installed toadmograph. The mayor had this to say, 'We thought it might be a false alarm but we almost hit 10 toadies when one of them didn't make it across the road. Hence the extra two-tenths of a toad. That's not something you take lightly!' The mayor continued saying that if no further toadmic activity is reported citizens can return in five days."
Slashdot Mirror
No need to wait... Just don't use Gate One during a period of intense solar flare activity. TRUST ME on this one! You didn't last time around and it didn't work out so well!
My goal is to get Gate One emulating an xterm as closely as possible. So xterm's terminfo definition should work. However, it might be the case that Gate One ends up with one or two differences that might warrant its own definition. Great question though... It is something I've definitely thought about.
For reference, Gate One can also be used in place of an SSH daemon. Just have it run /bin/login instead of ssh_connect.py. Example
sudo ./gateone.py --command=/bin/login
Apparently you access a lot of "publicly available" SSH servers? I don't know about you but all the SSH servers I connect to on a regular basis are "private".
Regardless, key-based authentication will be there in Gate One 1.0. Passphrases and all.
I wanted to point out that you're absolutely right: Gate One *could* be modified to record user passwords. But then again, so could the SSH server you're connecting to. The attacker wouldn't even have to change the host keys. So with SSH you have to trust the server you're connecting to and Gate One is no different.
I would *LOVE* to put the encryption on the client end though. That would be one hell of a hack and I'm willing to give it a try. My biggest worry would be that JavaScript might just be too slow to handle it (really, even with all the latest JS engine improvements it is still that slow).
Let's see...
XSS: Since there's no "cross-site" anything in Gate One I'd be really interested to see how this would work!
CSRF: Again, there's no "cross-site" to speak of.
The only vulnerability that concerns me with Gate One is the potential for session hijacking... To get around this Gate One uses encrypted cookies but that doesn't stop an attacker from copying the entire cookie. Then again, if the attacker has access to the cookie in such a situation they probably have access to the whole browser so it's probably moot.
If you weren't in such a hurry to be negative you'd realize that the cookies are ENCRYPTED. And I'm not just talking about the fact that Gate One runs over SSL. No, the cookie Gate One uses is itself encrypted. There's a reason why the function is called set_secure_cookie().
Key-based authentication will be available in Gate One 1.0. It used to be there (and work) but it got lost when I wrote Gate One's plugin system and decided that SSH support should simply be a plugin (in case someone wanted to embed Gate One into something else without having all that SSH-specific stuff).
Shouldn't take me long to re-implement it so keep checking for updates.
1) Yes, it can be used to effectively SSH to a box through an HTTP proxy. I do it all the time! The only caveat being that some proxies don't work with WebSockets (old, garbage ones).
2) Ajaxterm uses a completely different method to communicate with the client... long-polling. Essentially, it hits the web server every second (forever--util you close the browser tab) checking for updates to your terminal. This is slow and very inefficient (high latency). Also, it would be silly to use this method to support more than one terminal as you'd have your browser constantly checking for updates * num_terminals. This would gobble up bandwidth and CPU pretty quick :)
Then there's the fact that Gate One has a zillion features that are missing from Ajaxterm... The most important of which is the terminal emulation isn't nearly as buggy! LOL. For reference, I am intimately familiar with Ajaxterm as I wrote an older, similar program a few years ago that was based off of it.
BTW: I HATE debugging the terminal emulator!
Which variants of WebSockets does it support? Both (there's really only two real-world implementations) by way of the Tornado framework. In earlier builds of Gate One it only worked with the old implementation of WebSockets but once the Tornado guys started supporting the final draft of the protocol Gate One instantly supported it as well.
For reference, I am not aware of a single other web-based terminal emulator that can resume sessions after closing your browser. Even the commercial SaaS vendors don't support this because they're all based on the same code base (Ajaxterm or Shellinabox from what I've seen).
Private key support is forthcoming... I had it working just fine but then I had the bright idea of writing a plugin system for Gate One and making the SSH part just another plugin :)
Key-based SSH authentication and user management thereof should be there in 1.0. Really, it isn't rocket science... Just a matter of wrapping a GUI around the functions that are already there in the code.
I could be feeding a troll here but... The problem with writing a terminal emulator using old-school methods ("HTML4 Powered") is the latency and overhead associated with long-polling and long-held HTTP streams. It would be incredibly slow and inefficient to have more than one terminal open at a time. I know this for a fact. How?
I've written such an app
No one ever used it--not even me. Because it sucked. Without WebSockets and Web Workers such a thing will always be slow. Without HTML5's "contentEditable" ability you can't even copy & paste properly.
Ajaxterm, when a connection is open, polls the server every second to see if the terminal has been updated on the server (long polling). Also, when you close your browser window your Ajaxterm session will end. Then there's the fact that Ajaxterm doesn't really support proper copy & paste and it has to run at a specified terminal width and height ahead of time (Gate One auto-adjusts rows/cols to fill your browser window).
Gate One uses WebSockets which stay open... Meaning that whenever any of your terminals have updates available those updates are immediately sent to your client. This has much lower overhead from both a bandwidth and a latency standpoint. It also lowers the CPU load on the server.
Gate One will also resume your session after you close your browser and come back... It will even do this after the Gate One daemon itself has been restarted (if you have the dtach option enabled--which is the default). Then of course there's the eye candy, multiple terminals, the ability to clone open SSH sessions without asking for a password, Kerberos single sign-on support, the sophisticated plugin system, the bookmark manager, session logging, and on and on. They're worlds apart.
Having said all that, some of my earlier builds were based on Ajaxterm so I really appreciate that the author posted it publicly! Even though the code was uncommented and used ambiguous, single-character variables for nearly everything =)
Install the dependencies:
sudo pip install tornado pyopenssl kerberos
sudo easy_install tornado pyopenssl kerberos
Then use git to check out the code:
git clone git@github.com:liftoff/GateOne.git
Then you can run it like so:
cd GateOne/gateone; sudo ./gateone.py
sudo python setup.py install
Which will install /opt/gateone. Then you could run it like so:
sudo /opt/gateone/gateone.py
There's some (incomplete but extensive) HTML documentation included in GateOne/gateone/docs/build/html/. "gateone.py --help" is also useful.
For reference, I haven't written any init scripts yet... Forthcoming (trying to get some .rpm and .deb releases out as well).
If it ever comes up in court I'm going to refer to your comment as evidence of obviousness!
I am developing a web- based terminal emulator and one of the most useful features I added was the ability to record and play back sessions in a video- like way. Have you ever tried to read a text log of someone's vim session? Ever wish you could play back the output of top so you could see the history of a process utilization?
Not only that but it wicked cool :)
No, you will not be able to swap out the browser in the Metro shell... Metro apps can only be installed via Microsoft's app store and their app store license explicitly forbids apps with GPL or GPL- like licenses.
Also, you can forget about getting around such limitations by implementing something like Chrome Frame... IE 10 won't support plugins!
I don't think I've missed a single story since I started reading Slashdot all those years ago. Seriously! Erinn Clark used to call me, "The walking Slashdot" since at any moment I would reference recent news posted to Slashdot in my arguments with fellow Linux-users at Jacksonville Linux User's group (we had lots of post-meeting social gatherings). Before RSS I would keep track of the last article I read before leaving the site so I could return and pick up where I left off--even if it was weeks later.
So thank you for not only keeping me (mostly) up-to-date with all the latest geek news and controversies but for also making a site with the best comment moderation system that ever existed. I don't think my philosophical beliefs would be where they are today if it weren't for the thousands of +5 insightful comments I've read on Slashdot over the years. Many times I've had my beliefs shattered by some meanie injecting reality into any given discussion... So long libertarianism, I hardly knew ye! (just one example).
Good luck in your future endeavors. May Slashdot be but one of many bountiful legacies you bestow upon the earth.
I have written a few apps using Tornado... So far it is my favorite framework for developing rich web applications. I contributed code/patches that the Tornado devs used to add SSL support to the framework. Also, just the other day I completed a Kerberos/AD/SSO authentication module for Tornado (I'll be making it available soon I hope).
My favorite feature of Tornado is the built-in support for WebSockets. It should also be mentioned that it is one of (if not THE) fastest Python web frameworks.
I also want to mention that for one-off/quick development web applications that don't need to be super fast I almost always use CherryPy. It is much simpler/quicker to develop with CherryPy than Tornado. You lose out big time on speed but the development time of CherryPy apps is very impressive. I wrote a reporting tool for my job that would examine a passwd file and then check it against Active Directory for uid/gid/shell/homedir conflicts and report the results on a pretty page using jqGrid. Users could even click a button to export the grid to spreadsheet format. Total development time: 16 hours (and that includes lunch breaks and five or six hour long conference calls)! Needless to say my boss was ecstatic, my coworkers were amazed, and the people who ended up using the tool asked me how much it cost (as if we bought it).
To bridge the gap between CherryPy and Tornado I actually wrote a MethodDispatcher that lets you port a CherryPy app to Tornado with a trivial amount of effort. Of course, it also lets you write a Tornado app "the CherryPy way" which, while a bit strange sitting on top of Tornado, is much simpler and allows for faster development time.
As for the differences between some popular frameworks I wrote up a pretty good explanation over at Stackoverflow.
For reference, here's some apps I've developed using Tornado: Gate One (still developing it), PyCI (no longer maintaining it though--I hope to revisit it some day when I have time, sigh), Escape From The Web, and here's a writeup of mine on how to develop an application similar to my reporting tool using CherryPy and jqGrid in no time at all.
I dunno, while I don't have a Chromebook I *do* do serious work with Chrome (the browser) every day and I'm not talking about web development. All you need to do serious work, is a decent terminal program:
http://vimeo.com/24857127
Gate One should be available for public consumption soon. I hope to make it the best damned terminal program/SSH client that ever existed. It is already superior to PuTTY (as long as you don't need port forwarding or X11).
Doh! Wrong thread.
It is 7 in the morning and I'm working on two laptops side-by-side. Each with copious amounts of tabs open. Probably not a good idea... Adding to my TODON'T list.
First they try to ban the teaching of evolution and now they want to ban actual intelligent design? MAKE UP YOUR MINDS ALREADY!
First they try to ban the teaching of evolution and now they want to ban actual intelligent design? MAKE UP YOUR MINDS ALREADY!
I don't know what you're talking about... people have been sitting in cubes manipulating data in spreadsheets for decades now.
Or would that be Toadmometer? I can just imagine the news stories of the future...
"Citizens of San Diego evacuated today in response to a 9.2 reading on the city's recently installed toadmograph. The mayor had this to say, 'We thought it might be a false alarm but we almost hit 10 toadies when one of them didn't make it across the road. Hence the extra two-tenths of a toad. That's not something you take lightly!' The mayor continued saying that if no further toadmic activity is reported citizens can return in five days."