
Secure Shell chrome (killer) app - cgs1019
https://chrome.google.com/webstore/detail/pnhechapfaindjhompbnflcldabbghjo
======
ajross
I don't know that this really rises to the level of a "killer" app. Serious
ssh users are, of course, already quite happy with their terminal emulators
and use platforms that support them natively. I find it very hard to believe
(though I'm willing to be surprised) a chrome extension is going to present me
with the performance, platform integration, or keyboard navigability I get and
demand from gnome-terminal. I'd probably be happy using it from friends'
machines, etc...

What this _will_ do, however, is hopefully end for good the mess of "How do I
expose a command line application to my windows-using friends such that they
aren't confused and won't hate me.". And there's a whole lot of value to that.

~~~
rsl7
Why are we happy? We are not. Terminal emulation needs to die, but as you
point out, there is no reasonable substitute yet. I have enjoyed toying with
interesting experiments like the MPW shell, and I support every attempt to
replace or kill the ridiculous anachronism that is termcap. It's like we're
the SCA and unix is our ren fest.

~~~
ajross
I'm not sure that I disagree: the terminal _implementation_ in modern unix is
a terrible mess. But the terminal _metaphor_ (a command line being fed by a
keyboard and displaying to a scrolling window of text) is nearly perfect, and
won't be dying any time soon. And ssh is fundamentally just a data pipe for
that metaphor anyway.

~~~
jrabone
The terminal metaphor isn't so great either; in fact I think it's miserable,
compared to the workbook-type approach provided by something like Mathematica
from 15 years ago (last time I worked somewhere that could afford it). I find
it depressing that all command line interfaces aren't like that.

Also, in-band signalling, escape characters, magic select() timing loops to
distinguish from "real" input, hackarounds for the fact that the original
terminal was a separate computer and had local and remote modes and some keys
never sent anything... is that metaphor REALLY still relevant?

~~~
ajross
Your second paragraph is confusing what I was trying to distinguish as
"implementation" from "metaphor". Yes, I agree all that is a mess (though good
luck trying to fix it -- won't ever happen). But it's a tolerable mess,
because it enables the command line.

And your first point is just verifiably wrong. If there were truly better
workflow metaphors for software development, you'd think at least _some_ of
the best hackers would have discovered it and moved to it at some point in the
last four (!) decades. Instead, all of the most productive developers in our
subculture (almost quite literally every single one of them) work at a command
line. They haven't moved elsewhere, because it won't happen, because your
thesis is simply incorrect: no better metaphors have been discovered.

------
gfodor
this is insanely awesome. as it stands right now, yes it's "just ssh". But open
up the developer toolbar and you'll notice this thing is rendering HTML inside
of webkit. It doesn't take a genius to see this is a few baby steps from
making it possible to render arbitrary graphics in the shell. edit: I might go
out on a limb here and say this project is something that is going to be
looked at as a real inflection point a few years from now.

~~~
gcb
as the day SSH became vulnerable to CSS cross-domain exploits :)

~~~
adgar
Any input receivable by OpenSSH, regardless of whether it is valid user input
or malicious input being delivered by a cross-domain attacker, mustn't result
in exploit. If so, it's a bug in OpenSSH, not the fault of the developer who
is integrating the existing OpenSSH code into a new environment.

Unless, of course, the developer integrating the existing OpenSSH code did so
in a way that's not the formal OpenSSH interface. Like if he had to do some
kind of dirty hack. But he shouldn't have to for this project.

~~~
jsight
I don't see how the OpenSSH code is expected to automagically ensure that
keystrokes sent from Google Chrome came from intentional user generated
actions.

Any XSS type vulnerabilities in this are likely the result of issues with the
extension itself rather than OpenSSH, IMO.

------
sequoia
I opened chrome to check this out, but it wants me to "sign in" to install the
extension. For me this is a bridge too far: I don't care to tell google about
every single extension/application (extensplication?) I'm using.

Like many people, I'm trying to step _back_ from google/facebook snooping, and
this would be a solid step _toward_ such big brothering. I suppose next
they'll see what email providers I use and whom I correspond with with mutt or
whom I chat with on other services with finch etc.. Why expand google's data-
gathering "attack surface"? And all this for... (?) what does this offer that
sets it above my current terminal client?

Someone please tell me if there is _any_ technical reason I should need to
sign in to add an extension (in particular this, or some game).

~~~
Karunamon

> For me this is a bridge too far: I don't care to tell google about every single extension/application (extensplication?) I'm using.

Oh for pete's sake...

Is there anything to this "I suppose next they'll see what email providers I
use and whom I correspond with with mutt or whom I chat with on other services
with finch etc.. Why expand google's data-gathering "attack surface"?"

Or is it further chicken-little, slippery slope conjecture with no basis in
reality? Keep in mind that you're connecting to their web store to download
this, even sans login. That means they have your IP, and a metric ton of
identifying information about you via your browser fingerprint (ala
Panopticlick). Complaining about signing in just seems rather silly. Oh noes!
They know that you downloaded an extension!

You'll have to forgive me for being blunt. This particular absurd line of
thought is starting to seriously become an annoyance - even the chans have
latched onto it. Correcting people who have the wrong idea is getting old.

~~~
mverwijs
> You'll have to forgive me for being blunt.

"You'll have to forgive me for being rude, obnoxious, conclusion-jumping."

Fixed that for ya.

You're welcome.

~~~
Karunamon
Rude? I wasn't aware that pointing out something has no basis in reality is
rude.

Obnoxious? Don't post misinformation and you won't be challenged.

Conclusion jumping? What conclusion did I jump to?

And as far as making "Fixed" posts go.. doctor, heal thyself ;)

~~~
Dunkirk
It got Slashdot-y real quick up in here.

~~~
Produce
Have you noticed that this keeps happening on different forums? It seems to be
an effect of a population threshold being reached and (possibly) the time the
forum has existed (separate from the population size - how comfortable the
members are and, therefore, how loose they are with their words).

------
eridius
Can someone please explain to me why I would possibly want to run a terminal
emulator inside of my web browser, instead of just using the terminal emulator
app that my system ships with?

~~~
notatoad
the complete list of software i use day-to-day consists of a web browser and a
terminal emulator. if i switched over to this, that list goes down to just a
browser.

maybe some people don't care, but i think it's pretty cool.

~~~
pooriaazimi
I don't like the idea of using a single app for everything. I have tons and
tons of (personal) reasons, but the most obvious and un-solvable reason is: I
can switch between terminal emulator and web browser with Command+Tab. If they
were both the same thing, I couldn't do it and I would be very disturbed and
confused. The same reason I don't use GMail web app and use Mail.app instead,
or Reeder.app or iCal.app or iTunes.app.

~~~
jmaygarden
On Windows and *nix--well Ubuntu at least--you can drag a browser tab into a
new window and then Alt-Tab between them. Is there no equivalent on a Mac?

~~~
pooriaazimi
Yes. It's Cmd-` (~ without holding down shift. and it works in all apps, not
just browsers). But there are more benefits to a native app than a browser tab
(for me at least): <http://news.ycombinator.com/item?id=3912689>

------
ig1
Has anyone code reviewed this to make sure it's not stealing credentials, etc.
?

~~~
dangrossman
Beyond that, you must trust the author, since Chrome may auto-update the
extension to a future version that could steal credentials.

~~~
mgurlitz
The author (rginda, <http://www.hacksrus.com/~ginda/>) is a Google Chrome
developer. You're probably already trusting his code by running Chrome.

~~~
eps
Can you vouch that he packages this extension on a machine free of trojans,
viruses and backdoors? Hm.

------
javajosh
To all those who question the value of this, it's that we now have a new ssh
client that runs everywhere Chrome runs. Additionally and non-trivially, the
innards of the terminal UI is now exquisitely accessible to the legions of
developers who know HTML and CSS. Presumably it's a small step to embedding
cross-domain SSH into a webapp.

That said, there are minuses. The big minus is that Chrome, like literally
every piece of software that handles the download and installation of other
software, provides an entirely new way to discover, download, and install
software. The instructions for downloading putty for windows are simple and
stable over time. The instructions for installing this plugin are Chrome
specific and unstable over time.

Overall, I'd say this plugin has marginal positive value.

~~~
hughw
_runs everywhere Chrome runs._

Does it run on ARM?

~~~
adgar
<https://play.google.com/store/apps/details?id=com.android.chrome&hl=en>

~~~
bzbarsky
That's _Chrome_. The question is whether this app runs there, since it's using
NaCl, which is not exactly portable across hardware architectures.

~~~
nextparadigms
I think Nacl is portable. But it wouldn't run on Android right now anyway
since the Chrome browser on Android doesn't have access to the Chrome webstore
and extensions.

~~~
teraflop
NaCL is not portable, unless you happen to be running the same architecture
that the software was compiled for. You might be thinking of PNaCL which is
still very experimental: <http://www.chromium.org/nativeclient/pnacl>

~~~
nextparadigms
Well that's just dumb. They should've made ARM a first citizen for ChromeOS
from day one. I saw a rumor about a future Samsung Chromebook that will use a
dual core 2 Ghz Cortex A15 chip, so maybe it's coming soon.

------
Nitramp
As someone who occasionally ends up on Windows having to do Terminal work,
thank you. A proper terminal emulator on every platform (well, every platform
I care about) is a huge win.

I might even move to this entirely if it adds support for key auth; having a
consistent environment across all devices on which you work is a big win, even
if the native terminal emulator might be integrated better with the OS.

On a related note, I used to cringe whenever I had to do anything on Windows;
such a foreign environment. Nowadays so much has moved to the browser that I
hardly notice, modulo some text editing shortcuts. The browser is really about
to become the operating system.

------
comex
I'm not very impressed... although it's partly implemented in HTML (only
partly - even though modern JavaScript engines should be more than capable of
handling SSH, the implementation is just OpenSSH in Native Client), this is no
citizen of the web, and never can be, as trusting an app to connect directly
to arbitrary ports and handle all your SSH connections fundamentally subverts
the web's security model. Benefits over a native app:

- It's sandboxed - big deal, if sandboxing SSH were a real concern then it's
  a call to sandbox-exec(1) away.

- It could theoretically be extended to support HTML-based console
  interfaces - but sticking a web view in a regular terminal would solve this
  just as well with less overhead.

(Note the lack of benefits that usually apply to webapps: multiple browser
implementations; written in a high-level language, which increases hackability
[you might be able to get some of that]; don't need to trust the app; page-
based paradigm allows deep linking.)

Drawbacks:

- Slow. The FAQ says it's intended to compete performance-wise, and it's
  reasonably fast, but comparing the behavior of 'ls' or, more dramatically,
  'cat /usr/share/dict/words' or 'yes' (try interrupting it) demonstrates that
  it doesn't quite hold up. *

- You have to trust a silently updating, non-downgradeable app with your
  data. I guess people already do this with Chrome, but terminal emulators don't
  exactly benefit from constant updates in the way browsers do.

- Non-native - if you're on Chrome OS, this is a benefit, because Web _is_
  native, but on other operating systems, you lose the look and feel of the OS
  (from Terminal.app: useful cmd-tab, transparent window backgrounds, Lion
  fullscreen mode, Lion auto reopen, other applications can launch the terminal,
  native keyboard shortcuts, ctrl-w...) for no reason.

- The current version requires an account(!!)

- The current version is buggy - when I try it, just typing "ls" messes up
  the terminal so that it's not fully scrolled down. I guess this will be ironed
  out soon, but existing terminal emulators are highly stable.

*edit: or 'bb', heh - Terminal doesn't exactly handle it well (it's a good demonstration of the superior performance of xterm), but at least it doesn't hang like this terminal

~~~
rginda
I fixed a terminal "hang" just after the 0.7.9 version was released:
<http://git.chromium.org/gitweb/?p=chromiumos/platform/assets.git;a=commit;h=b0d9b83e670a68a1b5ee54a40a3748fc4963e811>
This may be what you're seeing in 'bb'.

The difficulty interrupting something like 'yes' is a known issue. We need to
add some flow control to deal with cases where the network overwhelms the UI.
This also makes hterm appear slow when cat'ing /usr/share/dict/words, and
running aafire. A fix is in the works.

Yes, as you mention, automatic updates are something you already accept with
Chrome. It also seems to be the way Firefox is heading. And Android and iOS
apps. Anyone is free to build a version locally if they really want to stick
with a particular version.

The webstore may require an account, but the source is open. You're welcome to
build it yourself. Or, create a throw-away account and download the CRX, then
install it in your "real" account.

Of course the current version is buggy, it says that right in the web store
description! I've been working on it for a few months now, but it's difficult
to get everything right in a terminal without _a lot_ of users. I fixed an
issue after the 0.7.9 release that may be what you're describing, but I can't
know for sure without more details.

FWIW, as the FAQ says, the terminal emulator and the NaCl SSH client are
essentially two codebases. Maybe you could impress people by creating a good-
web-citizen version of the SSH command and combine it with hterm.

That would most definitely require an HTML-to-SSH relay in the middle (which
hterm supports). Then you'd have to trust that though, at which point you have
to decide where you really want your potentially untrustworthy code to live.

------
philjackson
I can't believe how great it looks and how responsive it is. I've been running
an emacs client in it for a while and other than C-n opening a new window it's
practically perfect. Huge props to the team who wrote this.

~~~
cgs1019
I think you can run it in some kind of app window mode which avoids issues
like c-n, c-w, etc. Not sure if it works in a tab though.

------
tantalor
Public/private key authentication seems a bit spotty. From the FAQ,

    
    
        > Can I connect using a public key pair or certificate?
        Sorry, not yet.
    

I successfully authenticated with a private key,

    
    
        debug1: read PEM private key done: type DSA
        debug1: Authentication succeeded (publickey).
    

However, authentication agent forwarding (ssh -A) did _not_ work,

    
    
        Permission denied (publickey).
    

Also notable is that this app does not have access to the OS X Keychain, so I
have to type in my lengthy passphrase before authenticating.

~~~
bryogenic
Can you post the syntax of how you included the identity file? The parsing
keeps grabbing my user@host in with the -i id.pem

    
    
       Connecting to -i id.pem user@host, port 22...
       Loading NaCl plugin... done.
       Warning: Identity file  id.pem user@host not accessible: No such file or directory.

~~~
tantalor
I first ssh'd into me@localhost. From that point, ssh automatically discovers
key files in ~/.ssh.

This explains why my Keychain did not work, since I was logged into a "remote"
host.

~~~
bryogenic
Ah, that makes sense and is a nice workaround. Thanks for the reply!
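
The connection output quoted earlier in this sub-thread shows the whole field, `-i id.pem user@host`, being treated as one destination. As an added example (not code from Secure Shell or from any commenter), here is a strict parser for a `user@host[:port]` field that refuses extra tokens and option-like input; the function names and the host-name/IPv4-only restriction are assumptions made for illustration.

```javascript
// Added example: strict parser for a "user@host[:port]" destination field.
// parseDestination/checkDestination are hypothetical names, not the extension's API.
// Assumption: DNS names and IPv4 literals only (no IPv6 brackets).

const USER_RE = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$/;
const HOST_LABEL_RE = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function parseDestination(input) {
  if (typeof input !== 'string') throw new TypeError('destination must be a string');
  const text = input.trim();
  if (text === '') throw new Error('empty destination');

  // Whitespace or control characters mean the field holds more than one token,
  // as in "-i id.pem user@host".
  if (/[\s\x00-\x1f\x7f]/.test(text)) {
    throw new Error('destination must be a single token');
  }
  // A leading dash would be read as a command-line option if the string were
  // ever handed to an ssh-style argument parser.
  if (text.startsWith('-')) {
    throw new Error('destination must not look like an option');
  }

  const at = text.lastIndexOf('@');
  if (at <= 0 || at === text.length - 1) throw new Error('expected user@host');
  const user = text.slice(0, at);
  let host = text.slice(at + 1);

  let port = 22; // default used when no ":port" suffix is given
  const colon = host.lastIndexOf(':');
  if (colon !== -1) {
    const portText = host.slice(colon + 1);
    if (!/^[0-9]{1,5}$/.test(portText)) throw new Error('invalid port');
    port = Number(portText);
    if (port < 1 || port > 65535) throw new Error('invalid port');
    host = host.slice(0, colon);
  }

  if (!USER_RE.test(user)) throw new Error('invalid user name');
  if (host.length > 253 || !host.split('.').every((l) => HOST_LABEL_RE.test(l))) {
    throw new Error('invalid host name');
  }
  return { user, host, port };
}

// Non-throwing wrapper for UI code: returns { ok, value } or { ok, error }.
function checkDestination(input) {
  try {
    return { ok: true, value: parseDestination(input) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Inputs: the first is the string from the thread, the rest are constructed samples.
for (const sample of ['-i id.pem user@host', '-oOption=x@host',
                      'alice@example.org:2222', 'user@host']) {
  console.log(JSON.stringify(sample), '->', JSON.stringify(checkDestination(sample)));
}
```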

------
lawnchair_larry
This is a cool hack but a terrible idea. Why do I want some bloated web browser
wrapping a lightweight terminal?

~~~
serge2k
because having a web browser just be a web browser is apparently an outdated
concept. Or something.

I mean sure, opening up an ssh client is 4 keystrokes for me (on windows) but
we need to have it integrated into the browser so firefox (or chrome in this
case) can find a way to be even more of a bloated memory pig.

------
gabeiscoding
Very cool, but I fired up an emacs session and hit Ctrl+N to start scrolling
through a file.... doh!

~~~
roadnottaken
_htop_ breaks it, too -- but it actually does a pretty good job considering
how complex the output is.

~~~
rginda
I think the htop bug was fixed by <https://gerrit.chromium.org/gerrit/21255>.
You should get it in the next version of Secure Shell.

------
iandanforth
This is freaking awesome. I have been waiting for this for so long. I look
forward to using this all day to see how it holds up.

------
rufugee
On Ubuntu 12.04, I get this, and then it seems to hang. Anyone have this
working on Linux?

    
    
      Welcome to Secure Shell version 0.7.9.
      The list of Frequently Asked Questions is available here: http://goo.gl/m6Nj8
      Connecting to wellsj@greensboro.timco.aero, port 22...
      Loading NaCl plugin...

~~~
nextparadigms
So it doesn't work? Maybe Google didn't enable NaCl by default in Linux. You
can enable it yourself.

~~~
rufugee
Correct...doesn't seem to work for me. This is in chromium, which, unless
something has changed, appears to have problems:
<http://askubuntu.com/questions/91789/why-is-nacl-disabled-for-chromium>

Downloading the official chrome build works.

Thanks.

------
simonster
This already exists for Firefox: <https://addons.mozilla.org/en-US/firefox/addon/firessh/>

------
zobzu
Yay NaCl chrome only app! Yay for standards!

Oh wait a minute...

------
sprayk
I believe this is the same terminal that replaces urxvt as the non-VT terminal
in the newest version of ChromeOS (IE the one you access with Ctrl-Alt-T). I
was worried when I switched to the dev channel on my Cr-48 and crosh opened in
a new tab instead of a chromeless window.

------
AjithAntony
Edit: I take back my comments about the keyboard shortcuts:
<http://git.chromium.org/gitweb/?p=chromiumos/platform/assets.git;a=blob;f=chromeapps/hterm/doc/faq.txt#l392>

~~~
ecspike
Why? Can't you just make it full-screen, that's what I do.

------
VeejayRampay
As killer as it is, it says it's a beta and it has known bugs on the page. Use
with caution.

------
c0nsumer
Neat, but it'd be very nice if it automatically used the configured HTTPS
proxy.

------
sedachv
If you just want a terminal emulator in a web browser, Paddy Mullen ported
urxvt to JavaScript a few years ago: <https://github.com/paddymul/rxvt-js>

------
aidos
Works really well, nice and quick. Call me stupid, but I'm not actually sure
how to launch it (clicking on "Launch App" from within the webstore works but
that's surely not the only way).

~~~
driverdan
Open a new tab and click the arrow on the right or click "Apps" at the bottom
of the screen.

~~~
magicalist
I believe there's also omnibox completion on app names (though maybe you have
to use it a few times first)

~~~
Karunamon
Would be nice if they installed an ssh:// URI handler

~~~
magicalist
oh, good idea. I wonder if navigator.registerProtocolHandler works in apps?

I tried adding it manually in settings->Content Settings...->Handlers, but it
only allows you to select handlers on sites that have already requested
permission, not add new ones (as far as I can tell).

------
vhost
Tmux seems to work wonderfully. I bet Chrome Book users are stoked.

~~~
ecspike
Yup, I am. Because I changed my prefix to Ctrl-a, none of my combos clash.

------
Karunamon
Works pretty well considering its status, though it doesn't like to play along
with the hard status bar on my screen sessions.

------
Produce
This is an amazing killer app. Never before could I SSH into a remote machine
from a desktop computer. </sarcasm>

------
driverdan
Very cool and so close to being useful. Until you can use certs and use them
safely it isn't very useful though.

------
mp3jeep01
Really interesting, would be even better if it parsed my SSH config file.
Interested to see how this progresses.

------
thenonsequitur
I like this because it allows me to ssh into a machine and then run lynx to
browse the web. Meta-browser, baby!

------
hiker
I used to spend 99% of my time in Terminal and Chrome. Now I can start
spending 99% of my time in Chrome.

------
api
Honestly, I don't like the browser for everything. Neat, but not something
that would shake my world.

------
andrewguenther
I think this is the same shell as the one included with the latest release of
Chrome OS (Aura UI).

------
kalmi10
Can someone explain how this is possible within the web's standard security
model?

------
Arcanis
Does not work with local area network. I've tried to ssh on my VM.

~~~
no-espam
FYI, seems to work for me. I was able to connect to my server in VMware.

~~~
Arcanis
Indeed. I've missed the "username@" part.

------
president
Tabbing and zoom support did it for me. Very. Awesomee.

------
base698
GREAT! Now Google can mine my shell for AdWords. I look forward to seeing what
Ads I get on android after a good fsck

------
drivebyacct2
I thought NaCl couldn't open raw (tcp) sockets? I thought it was limited to
WebSockets.

~~~
rginda
This app is part of a small whitelist of apps that can make this type of
connection. It's a temporary solution though. The Chrome team is working on
ways to make the functionality more widely available.

~~~
trotsky
Just got through scouring the pepper 19 docs for any mention for how this was
done. Exciting to see this kind of functionality enabled, but apprehensive
about chrome apps developing into an android style permission nightmare.
Perhaps if the user always had the ability to arbitrarily revoke permissions
and block them by default.

------
andyl
Is there a way to install this plugin without signing in to Google?

------
wavephorm
Does it work in the latest (hexxeh) ChromeOS release?

