
Onion Terminal is a Web Browser Unix Terminal - X4
http://www.coralbits.com/oterm/
======
richo
Pretty much immediately I found a bug in his session generation:

[https://github.com/davidmoreno/onion/blob/master/src/onion/s...](https://github.com/davidmoreno/onion/blob/master/src/onion/sessions.c#L34-L55)

The fact that in amongst the doc comment is "not really safe" should probably
be a big red flag.

Then this happens:

[https://github.com/davidmoreno/onion/blob/master/src/onion/s...](https://github.com/davidmoreno/onion/blob/master/src/onion/sessions.c#L65)

Not to mention that here:

[https://github.com/davidmoreno/onion/blob/master/src/onion/h...](https://github.com/davidmoreno/onion/blob/master/src/onion/handlers/auth_pam.c#L53-L54)

It'll just let you in if you can guess someone else's session.

Seriously. Systems ship with crypto APIs. And uuid libraries.

USE THEM, FFS.

~~~
dmoreno
Good eye. Patches are welcome. I will add right now these errors to the issue
tracker, although caching if you are logged in (last link) is the standard
behaviour: I don't think that if you change the password on the console you are
immediately logged out.

~~~
dmoreno
I just fixed at master the most important one, the first.

~~~
richo
Your patch.. fixes.. one of the issues. Kinda.

I commented with a link to the CPRNG you should be using.
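
As an added illustration of the advice in this sub-thread (not code from the thread or from the onion project): a session id drawn from the operating system's CSPRNG, failing closed when no randomness is available, plus a constant-time comparison for presented ids. The function names, the 128-bit id size and the use of `/dev/urandom` are assumptions made for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical names and sizes for this example; not onion's API. */
#define SID_BYTES 16                 /* 128 bits from the kernel CSPRNG */
#define SID_HEX_LEN (SID_BYTES * 2)

/* Fill buf with len random bytes; returns 0 on success, -1 on any failure. */
static int csprng_bytes(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;   /* interrupted, retry */
        if (n <= 0) { close(fd); return -1; }    /* never fall back to rand() */
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Write SID_HEX_LEN hex chars plus NUL into out (SID_HEX_LEN + 1 bytes). */
int new_session_id(char *out) {
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[SID_BYTES];
    if (csprng_bytes(raw, sizeof raw) != 0) return -1;
    for (size_t i = 0; i < SID_BYTES; i++) {
        out[2 * i] = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[SID_HEX_LEN] = '\0';
    return 0;
}

/* Compare a presented id with a stored one without an early exit on mismatch. */
int session_id_equal(const char *presented, const char *stored) {
    if (strlen(presented) != SID_HEX_LEN || strlen(stored) != SID_HEX_LEN) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < SID_HEX_LEN; i++)
        diff |= (unsigned char)(presented[i] ^ stored[i]);
    return diff == 0;
}

int main(void) {
    char sid[SID_HEX_LEN + 1];
    return new_session_id(sid) == 0 && puts(sid) >= 0 ? 0 : 1;
}
```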

------
blhack
Can somebody help me understand why you would ever want this? SSH is included
by default in almost every mac or windows machine I've ever used, and putty is
a pretty tried-and-true executable to run.

Who on earth is thinking "man, I wish I could run a terminal in my browser!"

--

Cool project, and I love the "because we can, and because it's cool" aspect of
it, I'm just curious if I'm missing a use case for "why".

~~~
icebraining
Restrictive networks where you can't SSH out.

Restrictive computers where you can't run Putty or SSH (though you shouldn't
connect from those anyway, but well).

I can't think of any other reasons.

~~~
possibilistic
If you can't SSH out, how does this program get around that fact?

~~~
vidarh
It needs to proxy via either straight HTTP or websockets (I haven't checked
which) to be able to serve things up to the browser.

------
mikkom
I thought that this would have something to do with TOR or anonymity in
general. Not the best name to select for your framework if you ask me.

The product itself seems very useful.

~~~
publicfig
I was thinking the same thing, and was really struggling to figure out how
this, in any way, was secure enough to work with Tor over a standard browser.

------
justinwr
Chrome/Chromium have had something similar...
[https://chrome.google.com/webstore/detail/secure-shell/pnhec...](https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo)

~~~
aus_
The Secure Shell Chrome Extension is actually quite different than what is
being offered here. The Chrome extension is effectively a SSH client, like
PuTTY, in a browser. You still need a network path to the host.

Onion Terminal is a HTTP server that serves a Javascript-powered terminal
connected to the box through HTTP in your browser.

The benefit of the latter is you can get a shell on your box behind a
restrictive firewall where only HTTP(S) traffic is allowed.

------
aus_
Similar Web-based SSH[0] projects include:

• shellinabox

• GateOne

• AnyTerm

• AjaxTerm

• tty.js

I currently use GateOne. It's a little bloated and buggy though. I may give
tty.js a shot. I've heard good things.

[0]: [http://en.wikipedia.org/wiki/Web-based_SSH](http://en.wikipedia.org/wiki/Web-based_SSH)

------
dmoreno
This is David, the author of oterm.

Thanks for all the positive comments. I'm glad people like it.

Actually oterm was designed as an advanced example of a use of the onion http
library (agreed, not the best name, accepting suggestions).

Maybe I should make it a separate project.

~~~
possibilistic
Cool project. I originally thought this was a joke by "The Onion" due to the
title, but I think I get what you were aiming for: layers of an onion ::
layers of the OSI?

What kind of projects do you intend to use the HTTP library for? That sounds
almost more interesting than the terminal use case.

~~~
dmoreno
Initially it started when I was working on the AISoy1 Robot (www.aisoy.com)
which was using a very limited ARM processor. We decided to give upgrade and
management capabilities via a web application to the robot; we tried first
with a Python based one, but it was consuming too much memory, so I started
this project. We continued using it, although now we use Raspberry Pi which is
quite more powerful.

Nice projects are right now rasppi-style projects where you are interested in
doing an application that almost does not consume resources: 2MB RAM for
example for oterm, not including shared libraries, as fast as the fastest.

Also I use it as a platform to easily develop C/C++ web services where
performance is paramount, on real big servers.

------
thrillgore
Looks great. But how does one secure that insecure connection between you and
the box you're hosting the terminal on? Anyterm offers SSL at least.

~~~
icebraining
According to the Github page, Oterm supports SSL:
[https://github.com/davidmoreno/onion/wiki/Oterm](https://github.com/davidmoreno/onion/wiki/Oterm)

------
ortuna
Another cool project is [https://github.com/petethepig/devtools-terminal](https://github.com/petethepig/devtools-terminal)

------
paws
Happy to see the terminal-in-browser space get more attention!

Check out [https://github.com/chjj/tty.js](https://github.com/chjj/tty.js)

------
nfoz
Very nice, looks great!

