
Rtty – Access a device’s terminal from anywhere via the web - zhaojh329
https://github.com/zhaojh329/rtty
======
mad182
> Access your device's terminal from anywhere via the web

Nah, nice try, but I'm good with ssh, key based authentication and few white-
listed IPs.

~~~
mr_toad
It’d be nice if you could just outbound ssh from anywhere that has a browser,
but sadly this isn’t the case.

~~~
mikorym
What do you mean by that?

~~~
fifnir
As an an example, at my work you cannot make any outbound ssh connection. The
only way to get one is to apply for a specific connection , where you have to
explain why you need an outbound connection, in which case they open a port
for you and the remote machine you specified.

~~~
W4ldi
if it's just filtering of certain ports, you can just set your ssh port to 80
or 443

~~~
kryptiskt
At my last job we used corkscrew
([https://github.com/bryanpkc/corkscrew](https://github.com/bryanpkc/corkscrew))
to tunnel ssh through HTTP proxies without needing the ssh server to use
another port.

I guess if that work depends on how the proxy is set up.

------
dirkc
As much as I get, "make it simple for users" and "you can always read the
script being downloaded", seeing a wget piped to sudo makes me think nothing
in this world will ever be secure :(

~~~
taneq
Even if it’s not piped to sudo, how many people have their personal files and
documents (ie. the stuff that can’t just be re-downloaded) owned by a user
other than the one they log in as?

Desktop permissions are based on protecting a user’s data from other users,
not from anything that they themselves are running.

------
ARandomerDude
What could go wrong?

~~~
marcelnita
Haven't checked the code. Any obvious security flaws? Or is it the fact that
it's not peer tested and proven?

~~~
RL_Quine
The intended use of this is "maintaining" internet of things devices.

So it's not really meant to be a secure system, think of it as a botnet CnC
and this makes a lot more sense.

It's why the system is supposed to be run on OpenWRT (which most cheap IOT
things are based on), it why there's not hostnames, it's why it supports
hundreds or thousands of devices.

~~~
tastroder
> The intended use of this is "maintaining" internet of things devices.

> So it's not really meant to be a secure system, think of it as a botnet CnC
> and this makes a lot more sense.

Is there anything to back this up? While the mtls initialization looks less
than ideal and there's downright stupid stuff in the README like credentials
in URI parameters, this doesn't look any different than the other web terminal
gateways we've seen on HN over the last few weeks.

> which most cheap IOT things are based on

Most cheap IoT devices I'm aware of aren't remotely capable of running
OpenWRT, do you happen to have examples for this?

------
Hamuko
Yeah, I wouldn't install this on any machine that I own or use.

------
vsviridov
I use Butterfly
([https://github.com/paradoxxxzero/butterfly](https://github.com/paradoxxxzero/butterfly))
with ssl client certificates for auth.

------
ttobias
I‘m using ttyd
([https://github.com/tsl0922/ttyd](https://github.com/tsl0922/ttyd)) behind an
nginx reverse proxy with client certificates. This gives me access from
locations where ports other than https are blocked.

~~~
nirui
This kind of tools is basically always less safe than straight SSH. This one
specifically, by-passed the authenticator of your OS.

Yes, you can run `login` instead of a shell, but doing so require the tool to
be executed as root, still sound bad.

I'd recommend to use a proxy that supports converting socket to Websocket(wss)
and back, then you can by-pass the blockage from there. And since it's a
proxy, it should not decrypt the SSH traffic.

~~~
ttobias
That is an interesting idea do you know of any tool that can do the websocket
to socket translation in combination with an xterm.js webpage?

~~~
nirui
Not with a webpage. But there are many two-part proxies supports Websocket or
even HTTP as their back-end transport protocol.

The idea is basically:

Your SSH client <\---SSH-Traffic---> Proxy front-end <\----Websocket---->
Proxy back-end <\---SSH-Traffic---> Target SSH server

You can deploy the "Proxy front-end" inside the restricted network, and the
"Proxy back-end" out side the network. After that, all you need to do it to
config your SSH client to go through that proxy front-end.

There are many proxy software is capable of doing that, the GitHub keyword I
believe is "socks5 websocket".

------
hyperpallium
I used wetty for this: node server, but like this uses xterm.js client
[https://github.com/butlerx/wetty](https://github.com/butlerx/wetty)

Though only locally, not connected to the internet. Maybe I'm paranoid, since
I use so much other software without auditing, but somehow I feel especially
vulnerable to web terminals, aside from anyone being able to login, and public
keys not being convenient on the web.

Also, the readme.md for rtty here suggests running as root.

------
Deukhoofd
Why not just use SSH?

~~~
atopuzov
Because SSH might be blocked, and not only trough port 22 blocking but
firewalls sniffing traffic and blocking on OpenSSH in the connection (eg.
SSH-2.0-OpenSSH_8.1).

~~~
diffeomorphism
Then this stuff would also be blocked for the exact same reason. And if it
isn't, you will probably be fired for knowingly and willfully circumventing
security measures.

------
archgoon
Odd that the client is written in C, but the server in go. I'm curious as to
why the author chose to do that (along with the artisan buffer
implementation).

~~~
mkj
Go easily compiles to a distributable static binary, no fiddling with musl
toolchains.

------
dikei
This might be useful as a backdoor around networks with strict rules that
block SSH access, until the network admins detect and block this as well.
People got fired for installing tools like this, think twice before trying
with your company's servers.

~~~
contravariant
Don't install remote access tools on company servers!

Anyway you could just as easily run SSH over another port, rather than using
this. Unless your company is using deep packet inspection to recognise SSH
traffic, but then it'd be weird to accept HTTPS traffic from a device that
isn't supposed to have any.

------
znpy
I'm using a patched version of wetty
([https://github.com/esantoro/wetty](https://github.com/esantoro/wetty)), a
web-based ssh terminal.

The patches add the possibility of specifying a different target host, whereas
the original wetty only allowed connecting to the host currently executing
wetty.

I run it in a container, I've skimmed the source code and it disarmingly
simple: it performs a forkpty call to spawn the ssh client binary and then the
connection goes on as the forked process is forwarded raw characters.

Under the security POV is kinda okay as everything is tunneled via TLS and the
endpoint is (at least in my installation) not advertised very much. I check
the server access logs from time to time and I don't see any activity besides
my accesses.

In general a web based terminal is very handy, I wouldn't dismiss such a
technology so quickly and superficially.

------
frozenwind
This thread is interesting, I'll be looking for other suggestions in the
comments. I'm currently using the free option of remote.it to connect to a
raspberry pi behind a router, though I always have to go through the step of
obtaining the connection url and random port before using something like
putty.

~~~
perakojotgenije
[https://sshreach.me](https://sshreach.me) (disclaimer: I am the author)

------
amanzi
I use Guacamole to achieve the same results. The Guacamole service runs on
Docker on my home 'server' with Nginx in front of it giving me SSH access
through the web browser to my home machines and any other SSH services that I
configure.

------
billpg
I read the headline and imagined that someone had built a device you can leave
plugged into a serial port and access remotely.

I'm old.

------
mapleboi
looooks fishy

------
crucoba
Worst idea ever.

------
eeZah7Ux
Just use an onion service.

