Hacker News new | more | comments | ask | show | jobs | submit login
Secure Shell chrome (killer) app (chrome.google.com)
238 points by cgs1019 on Apr 30, 2012 | hide | past | web | favorite | 170 comments

I don't know that this really rises to the level of a "killer" app. Serious ssh users are, of course, already quite happy with their terminal emulators and use platforms that support them natively. I find it very hard to believe (though I'm willing to be surprised) a chrome extension is going to present me with the performance, platform integration, or keyboard navigability I get and demand from gnome-terminal. I'd probably be happy using it from friends machines, etc...

What this will do, however, is hopefully end for good the mess of "How do I expose a command line application to my windows-using friends such that they aren't confused and won't hate me.". And there's a whole lot of value to that.

Why are we happy? We are not. Terminal emulation needs to die, but as you point out, there is no reasonable substitute yet. I have enjoyed toying with interesting experiments like the MPW shell, and I support every attempt to replace or kill the ridiculous anachronism that is termcap. It's like we're the SCA and unix is our ren fest.

I'm not sure that I disagree: the terminal implementation in modern unix is a terrible mess. But the terminal metaphor (a command line being fed by a keyboard and displaying to a scrolling window of text) is nearly perfect, and won't by dying any time soon. And ssh is fundamentally just a data pipe for that metaphor anyway.

The terminal metaphor isn't so great either; in fact I think it's miserable, compared to the workbook-type approach provided by something like Mathematica from 15 years ago (last time I worked somewhere that could afford it) I find it depressing that all command line interfaces aren't like that.

Also, in-band signalling, escape characters, magic select() timing loops to distinguish from "real" input, hackarounds for the fact that the original terminal was a separate computer and had local and remote modes and some keys never sent anything... is that metaphor REALLY still relevant?

Your second paragraph is confusing what I was trying to distinguish as "implementation" from "metaphor". Yes, I agree all that is a mess (though good luck trying to fix it -- won't ever happen). But it's a tolerable mess, because it enables the command line.

And your first point is just verifiably wrong. If there were truly better workflow metaphors for software development, you'd think at least some of the best hackers would have discovered it and moved to it at some point in the last four (!) decades. Instead, all of the most productive developers in our subculture (almost quite literally every single one of them) work at a command line. They haven't moved elsewhere, because it won't happen, because your thesis is simply incorrect: no better metaphors have been discovered.

I've never used Mathematica and can't find any good comprehensive explanations of the workbook paradigm. From the little I have found, it's basically a text editor interface where you can execute previously typed commands by hitting a shortcut and the output is appended below the command, while still retaining the ability to move all over the page, right?

Pretty much - with folding and other niceties. Have a look at http://reference.wolfram.com/mathematica/tutorial/UsingANote... for a brief overview, and http://www.wolfram.com/technology/guide/SymbolicInterfaceCon... for more information about the interface possibilities.

Also check out http://www.wolfram.com/cdf/ for the more general attempt to make a dynamic document standard. I don't know how successful that's been.

So those controls in the last link can be displayed in the workbook as views on command output? I've been toying with a similar idea for a while now - wasn't aware that there were already implementations of it. I think we're going to witness/participate in a paradigm change in the near future.

Thanks for all the links.

I was talking to someone recently who likened it to a shifting pendulum. For a while, he told me, terminal control languages were sufficiently complex that you could send a program to run _on the terminal_, and then things shifted back to running things where you store them on the server.

Now there's HTML5 and javascript, the world's most complicated terminal control language.

> Why are we happy? We are not. Terminal emulation needs to die

Yes, but the proposed replacement for UNIX consoles is a Google web browser that requires you log into Google in order to use it?? I don't think so....

Upvote for the MPW Shell reference.

this is insanely awesome. as it stands right now, yes its "just ssh". But open up the developer toolbar and you'll notice this thing is rendering HTML inside of webkit. It doesn't take a genius to see this is a few baby steps from making it possible to render arbitrary graphics in the shell. edit: I might go out on a limb here and say this project is something that is going to be looked at as a real inflection point a few years from now.

You think having a terminal in a browser is amazing because it will let you run browser applications in a terminal?

Uh, kinda. "Browser applications" is a bit misleading though. Imagine starting a Clojure REPL and having it graph things right there as you hack. Or having iconography or image previews when you run ls. Or being able to see mathematical notation while you're inside of BC. Or having a commandline interface to Wolfram|Alpha output.

The TermKit reply in this thread should be sufficient to see why this will be very cool.

People already write these kinds of applications today [0], they just don't run in a terminal. I could ask what benefit there is to expanding a terminal's capabilities so they can run there, but then we would just end up rehashing the arguments from http://news.ycombinator.com/item?id=2559734

[0] E.G. http://fishsoup.net/software/reinteract/

Check out TermKit as a pretty awesome proof of concept for this: http://acko.net/blog/on-termkit/

Ah yes, I was trying to remember what the name of that project was. Seriously, with a few tweaks this will allow you to write console apps that can check termcaps to decide if they should be writing out HTML. From there, you can imagine building a "websh" that does the right thing to enable all of those TermKit ideas.

Shameless self plug: https://github.com/hoeck/schirm. It does exactly that, rendering arbitary html (inside iframes) between lines of a vt100 compatible terminal emulator, using escape-sequences to denote document data and images. Works quite well as a proof of concept. What annoys me so far is that its relatively slow (running find on a large dir may take ~20 times longer than on gnome-terminal) and the headaches around (automatically) resizing iframes.

as the day SSH became vulnerable to CSS cross-domain exploits :)

The app opts-in to a strict Content Security Policy <http://www.w3.org/TR/CSP/>, which disallows 'eval' entirely. It also severely restricts where and how JS can be loaded with the script tag, setTimeout/setInterval, and event attrbites. It's essentially intended to make sure that only the JS that shipped with the extension can be executed.

There may be undiscovered exploits, of course, but CSP severely reduces the chances.

Any input receivable by OpenSSH, regardless of whether it is valid user input or malicious input being delivered by a cross-domain attacker, mustn't result in exploit. If so, it's a bug in OpenSSH, not the fault of the developer who integrating the existing OpenSSH code into a new environment.

Unless, of course, the developer integrating the existing OpenSSH code did so in a way that's not the formal OpenSSH interface. Like if he had to do some kind of dirty hack. But he shouldn't have to for this project.

I don't see how the OpenSSH code is expected to automagically insure that keystrokes sent from Google Chrome came from intentional user generated actions.

Any XSS type vulnerabilities in this are likely the result of issues with the extension itself rather than OpenSSH, IMO.

I opened chrome to check this out, but it wants me to "sign in" to install the extension. For me this is a bridge too far: I don't care to tell google about every single extension/application (extensplication?) I'm using.

Like many people, I'm trying to step back from google/facebook snooping, and this would be a solid step toward such big brothering. I suppose next they'll see what email providers I use and whom I correspond with with mutt or whom I chat with on other services with finch etc.. Why expand google's data-gathering "attack surface"? And all this for... (?) what does this offer that sets it above my current terminal client?

Someone please tell me if there is any technical reason I should need to sign in to add an extension (in particular this, or some game).

  >For me this is a bridge too far: I don't care to tell google about every single extension/application (extensplication?) I'm using.
Oh for pete's sake...

Is there anything to this " I suppose next they'll see what email providers I use and whom I correspond with with mutt or whom I chat with on other services with finch etc.. Why expand google's data-gathering "attack surface"?

Or is it further chicken-little, slippery slope conjecture with no basis in reality? Keep in mind that you're connecting to their web store to download this, even sans login. That means they have your IP, and a metric ton of identifying information about you via your browser fingerprint (ala Panopticlick). Complaining about signing in just seems rather silly. Oh noes! They know that you downloaded an extension!

You'll have to forgive me for being blunt. This particular absurd line of thought is starting to seriously become an annoyance - even the chans have latched onto it. Correcting people who have the wrong idea is getting old.

That means they have your IP, and a metric ton of identifying information about you via your browser fingerprint (ala Panopticlick)

Maybe they do, maybe they don't. ;-)

Well frankly I think my "they might read my chat in finch" is a stretch, but no, I don't think that assuming google's goal is to stretch their tentacular roots as deeply as possible into the fertile, loamy soil of my private information is "slippery slope conjecture with no basis in reality." To the contrary, as you probably know, gathering personal information on users is the primary purpose of all of google's unpaid products and the heart of their business model. Would you dispute this fact?

So they are a targeted-ad company whose value is to a great extent commensurate with the amount of information they have on users (another uncontroversial statement, I hope). More info = more value, and you think it's "conjecture" to speculate that they might push further and further into your experience on their platform?

This is the crux of it for me: I've been installing desktop applications and browser extensions for years, and I've never needed to tell an advertiser and the biggest tracker / data snooper on the 'net what my email address. Now all the sudden I do, and there's no (clear) method to opt out, and I'm OK with this because why? I'm willing to trade my data for services when the services are valuable (I use gmail & facebook), but this looks like "give us more info, just cuz" with no value prop. Sure you can sync but I don't want to and there's no reason you should be forced to sign in; that is 100% about data gathering (otherwise there'd be a "forgo sync" option).

IP address and browser fingerprint is not the same as "link everything explicitly to my google account," by the way.

> You'll have to forgive me for being blunt.

"You'll have to forgive me for being rude, obnoxious, conclusion-jumping."

Fixed that for ya.

You're welcome.

Rude? I wasn't aware that pointing out something has no basis in reality is rude.

Obnoxious? Don't post misinformation and you won't be challenged.

Conclusion jumping? What conclusion did I jump to?

And as far as making "Fixed" posts go.. doctor, heal thyself ;)

It got Slashdot-y real quick up in here.

Have you noticed that this keeps happening on different forums? It seems to be an effect of a population threshold being reached and (possibly) the time the forum has existed (separate from the population size - how comfortable the members are and, therefore, how loose they are with their words).

You need to be signed in so that the extensions/apps/games can be properly synced to your other Chrome installations. The philosophy of ChromeOS seems to be for absolutely everything to get synced from the cloud. The login can't be optional since it'd be an incredibly shitty UX to have apps installed from the store sometimes sync to your new machine and sometimes not.

> The login can't be optional since it'd be an incredibly shitty UX

The login can be optional if Google chooses to make it so. If I don't want to log in and therefore endure a shitty UX, let me have that shitty UX, thank you very much! It's not like I need all the same apps in all my devices anyway. For example, I might not need this SSH app in a device that can run a proper OpenSSH client.

And that's exactly the problem that some of us have with the /Chrome(OS)?/ philosophy. It's either their way or highway, with no options in between. (That's not necessarily bad for everyone, though. There are alternatives like Firefox for those who don't like Chrome.)

Thank you, this makes sense, tho I'd still prefer to have a different download option that doesn't require logging in.

If your bank account recovery link gets emailed to your Gmail account, you have more to worry about if Google decides to abuse your information.

I often fail at being polite to people online, and people like you are the reason.

Trust me when I tell you this:

Google will never steal money from your bank account, by using a password recovery link that you had emailed to your GMail account.

Does that really need to be said? Do you really need CONVINCING of this?

You misunderstand. I am pointing out that if you are consciously giving Google potential access to your bank account, it's odd to be concerned about Google having other information that is far less sensitive. It's like worrying about your white carpet because the robber holding a gun to your head has muddy boots.

Using recovery links emailed to users to access their bank accounts and gather information would open up Google to all sorts of legal trouble even if they do nothing but look. As class-action lawsuits are generally not very good for business, I consider this much less of a concern than legal methods of gathering information, even when the potential information gained from the legal methods is less sensitive.

true, but by that logic, once we give them one thing, we should just openthem up to everything? no.

my bankaccounts are important, but they also come with fraudprotections.

the complete picture of my life, all data mined, possibly misinterpreted, and then availableto my enemies is farmore scary.

If your bank is emailing password recovery -- you need a new bank.

Gmail was not the OP's cause for concern.

this doesn't answer your question, but you can always download the crx file and sideload it without signing in (you can also clone it from the chromium repo, but then you'd also have to build the nacl part).

Kind of a pain, but if someone does want to try it out badly enough...

> Like many people, I'm trying to step back from google/facebook snooping, and this would be a solid step toward such big brothering.

Google seems to be working on this. If you've ever seen someone without a Google account try to use Android for the first time you can see how much effort they are putting into stopping people from using their products.

Yeah. It's super easy to activate your iPhone without an iTunes account with a credit card on file.


I've never used an iPhone. At the time, I was comparing the experience with setting up my DSi. It lets you download things without making an account or having a credit card.* In fact, before downloading Angry Birds for Chrome I had never needed to sign up to download anything. (You also need to be online and signed in to play the game.)

*The DSi Shop is a big pile of fail, but that is unrelated.

Cool, and I see what you're saying, but there's a specific reason that these things are set up the way that they are.

It's about ensuring that the same experience exists whether you're spending money or not. The reasoning goes, if it's painful to spend money the first time, many people will never set things up if they can get away with free stuff. But if you're required to have an account with a credit card already set up to even get a free thing, then you're more likely to spend money when the time comes. This is also why installing a free app on your iPhone requires you to enter your password and confirm your purchase.

Google's implementation of this is worse than Apple's, because they don't demand your credit card information until the first time you try to purchase something. But ultimately, they're both driving at the same thing, and it's hard to argue with the fact that they're pretty successful at it.

As for your DSi, I hope you never lose or damage it. The lack of accounts for the store means that your purchases are bound to the device and are non-transferrable.

I've never used android--is it difficult then?

Not at all if your Android device does not support the Google Accounts in the first place.

It was really difficult with the ADP1/G1 back in 2008. But meanwhile it is not that difficult if you don't want to use the Google services.

>Google seems to be working on this. If you've ever seen someone without a Google account try to use Android for the first time you can see how much effort they are putting into stopping people from using their products.

You press the "skip" button and then don't try to launch Gmail or Google Play or anything else that understandably needs a Google account.

What is so... appalling about that. There is no effort to "stop people" from using an Android phone without Google. Further it's a pretty silly attack on Google given their competitors and the fact that you bought... a Google Android phone...

(edit: speaking about the Nexus line of phones which I would tend to argue best reflects Google's "effort".)

I wholeheartedly agree.

To those saying "who cares" consider that you may wish to use this extension on a computer where you don't feel comfortable issuing your Google login credentials.

I don't think you need to issue your Google login credentials to _use_ the extension, only to install it. Further, if you're on a computer where you don't feel comfortable using your Google login, why would you feel comfortable using ssh (via this extension) on the same said computer?

Can someone please explain to me why I would possibly want to run a terminal emulator inside of my web browser, instead of just using the terminal emulator app that my system ships with?

the complete list of software i use day-to-day consists of a web browser and a terminal emulator. if i switched over to this, that list goes down to just a browser.

maybe some people don't care, but i think it's pretty cool.

I don't like the idea of using a single app for everything. I have tons and tons of (personal) reasons, but the most obvious and un-solvable reason is: I can switch between terminal emulator and web browser with Command+Tab. If they were both the same thing, I couldn't do it and I would be very disturbed and confused. The same reason I don't use GMail web app and use Mail.app instead, or Reeder.app or iCal.app or iTunes.app.

"un-solvable reason is"

This is actually completely solvable, if it was something lots of people wanted to do it could be trivially built into any browser.

It could be built into FF globally with an extremely simple plugin.

On Windows and *nix--well Ubuntu at least--you can drag a browser tab into a new window and then Alt-Tab between them. Is there no equivalent on a Mac?

Yes. It's Cmd-` (~ without holding down shift. and it works in all apps, not just browsers). But there are more benefits to a native app than a browser tab (for me at least): http://news.ycombinator.com/item?id=3912689

Well if the world turns out to become as Google fantasizes and all applications will be ran in browsers, you can switch between apps with ctrl+tab.

You know you can Ctrl+Tab between tabs in most web browsers, right?

Of course. But I usually have a few open browser windows (each containing 5-10 related tabs). If Gmail was also a window, I would have to press Cmd-` (Mac's shortcut for switching between different windows of a single app) multiple times.

But to be honest that's not how I actually do my stuff. I use QuickSilver[1] and when I want to go to Mail.app, I just press Cmd-Space, then 'M' or 'Ma' (because Mail.app begins with M) and press return. It takes less than 0.4 seconds (QS is wicked fast) and is much more convenient than a tab in my browser. Not to mention that a native app is usually way faster and more responsive (I have a ridiculously slow internet connection).

[1]: http://qsapp.com

It's the difference between Ctrl-Tab and Cmd-Tab, no?

If the complete list of software you use is a web browser and a terminal emulator, what do you do in the terminal emulator? Run a text-based web browser and/or other terminal emulators?

sorry, i mean software installed on my computers. i use many different software packages installed on remote servers, but i don't need or want any of that stuff running on my computers.

THANK YOU. I seriously do not get this app. Yes, they may have done a great job, but i don't get why i would want to use it. I can't use it on someone else's desktop because i'd have to install crap in their Chrome. I wouldn't use it on my desktop because I've already got a good terminal app that I've tweaked to be just the way I like it.

Nevermind "killer" app... why is there ANY need for this?

I feel like I'm missing something very obvious.

Chrome OS? Your Android phone? Windows?

I can't work on a Windows machine without installing SecureCRT or Putty. One less thing to install and tweak.

That's funny, I can't work on a Windows machine at all :)

I don't think it will run on Chrome OS.

Nope, it runs fine on my Cr-48. In fact, as of Chrome OS 20, the native xterm seems to have been replaced with the version from this extension, running in its own tab.

Yup, if you read some of the dev notes, it was specifically designed for Chrome OS.

As a followup, my terminal windows are rarely the same size as my browser windows. I don't like resizing my browser windows in general because the browser will remember the new size, even though it was meant as a once-off window. So having a browser-sized terminal doesn't seem like a very good experience.

Additionally, it doesn't even work right. In a screen-controlling app like vim it seems fine, but in the normal shell, once I enter enough text to use more than a screen, the bottom-most line is actually off the window (even if I scroll down).

The missing lines at the bottom is a bug that got fixed just after this release. The next Secure Shell release won't have the issue.

And your browser size issue goes away if you open the terminal in its own window. Chrome even has an "Open as Window" option (right click on the Secure Shell icon) to open in a window with no browser UI.

You can file bugs on the chromiom-os project.


So I used to think the same thing, and then I saw something funny: it was a spinning 3D cube with a scrolling document on all 6 faces. It was made with pdf.js and WebGL.

Now this isn't the same because it's NaCl and therefore not pure-web, but a pure-web terminal emulator would be awesome! It would mean you could embed it within normal web content and mash it up with other stuff. Want to edit your dropbox contents/Gmail in Vim? Maybe pipe the contents of a file into a text box? Maybe just live refresh the output of your web site when you save?

Actually, I'm running out of cool things you could do. Nobody needs a spinning 3D cube with a PDF on it, but the fact that you CAN do it means that people will invent something useful for it, and I have no doubt they would invent something awesome with an in-browser terminal emulator.

Unfortunately, this being NaCl, it may not be it. Shame.

The only part about this written in NaCl is the "ssh" command. The terminal emulator portion of it is entirely JS.

The only reason it isn't currently cross-browser is because I don't have enough time in the day to make it work everywhere. I tried not to make it too Webkit specific though. If some brave JS hacker/Firefox user wants to make this cross browser, I'd be happy to help.

Ah, pretty awesome then. (I can't change my previous reply though, due to time limits)

I can understand that having an open-source library that provides the ability to embed a terminal emulator might be useful somewhere, to someone. But as a full-screen plugin for Chrome?

Do Chromebooks ship with a terminal application? If not, that would be a good use case.

Chromebooks have a limited term app that allows you to ssh, top, ping, and one or two other commands.

Windows doesn't have good terminal emulator. This extension is almost like having gnome-terminal on Windows. SSH into a remote machine and you have the usual keyboard navigation that the Windows "terminal" doesn't offer.

Sure, but I can download and run PuTTY directly from its download page faster than I can log in to my Google account on any machine where the credentials aren't already saved.

The Chrome extension could be nice for preconfigured "many-to-many" single-sign on from/to a number of hosts with a (hopefully encrypted) RSA key, however.

I'm guessing if you have a chrome book it would be a nice solution.

Chromebooks already have SSH installed natively.

And they support keys -- Although it seems the primary way to use them is by putting your keys into your 'Downloads' folder, which isn't exactly ideal.

Looks like this will eventually replace the inbuilt ssh supplied with crosh (Chromium OS shell)

Can you explain this a little more? I cant quite get it to work.

For work I do UI stuff for our web product so much of my day is doing something in iTerm with tmux and then switching to the browser tab to refresh.

So with the Chrome keyboard shortcuts to switch between tabs, it makes things a little quicker.

The whole "Chrome as OS" thing will benefit from this.


Windows! I spend most of my time coding in PuTTy + Vim when I'm on windows. In my limited testing this works as I expect with xterm-256, tmux, and Vim on my Ubuntu 12.04 Server without having to configure anything. PuTTy is a pain to configure on a new box.

tmux didn't work as expected for me. i.e. I could attach to my tmux sessions, as well as switch between the "panes" - but I couldn't see the status bar.

I also started a new tmux instance (rather than attach to existing one) still no status bar. Any suggestions ?

Edit : Problem solved. I went into Full screen mode (F11) after clicking in addressbar (When focus was on the terminal, F11 printed ~) Anyway, when I started tmux in full screen mode, I could see tmux status bar. I continued to see it even after I left full screen.

Not sure what was the (temporary) problem.

In addition to Putty being far from native...

How do you save yourself the trouble of configuring this extension?

What sorts of configs have you had to do for Putty?

Setting unicode, changing backspace, setting xterm-256 as the TERM variable, etc ... PuTTy configuration is unintuitive when you first try to configure it. There's a well known page dedicated to configuring PuTTy properly on Windows.

I haven't tested this extensively myself, but have you looked at ExtraPuTTY?


Seems like one of its goals is to make it easier to move PuTTY configurations from one machine to another.

it's a toy for now. don't over think it. But it have fun possibilities.

One use case would be ssh over http. Corporate proxies often disallow ssh traffic.

No. from the page "It uses Native-Client to connect directly to ssh servers without the need for external proxies." it IS a ssh client. no http proxies.

That's right. But Secure Shell also knows how to connect to an HTTP-to-ssh relay.

Most clients yes. That one, not sure.

Has anyone code reviewed this to make sure it's not stealing credentials, etc. ?

Beyond that, you must trust the author, since Chrome may auto-update the extension to a future version that could steal credentials.

The author (rginda, http://www.hacksrus.com/~ginda/) is a Google Chrome developer. You're probably already trusting his code by running Chrome.

Can you vouch that he packages this extension on a machine free of trojans, viruses and backdoors? Hm.

Yes, this. Though, this is also the case with any other app you may hand your credentials to.

FWIW, it was reviewed internally by Google security people before going live.

I, er, meant to upvote this, but hit the wrong arrow. :\ Consider this a moral upvote.

To all those who question the value of this, it's that we now have a new ssh client that runs everywhere Chrome runs. Additionally and non-trivially, the innards of the terminal UI is now exquisitely accessible to the legions of developers who know HTML and CSS. Presumably it's a small step to embedding cross-domain SSH into a webapp.

That said, there are minuses. The big minus is that Chrome, like literally every piece of software that handles the download and installation of other software, provides an entirely new way to discover, download, and install software. The instructions for downloading putty for windows is simple and stable over time. The instructions for installing this plugin are Chrome specific and unstable over time.

Overall, I'd say this plugin has marginal positive value.

runs everywhere Chrome runs.

Does it run on ARM?

That _Chrome_. The questions is whether this app runs there, since it's using NaCl, which is not exactly portable across hardware architectures.

I think Nacl is portable. But it wouldn't run on Android right now anyway since the Chrome browser on Android doesn't have access to the Chrome webstore and extensions.

NaCL is not portable, unless you happen to be running the same architecture that the software was compiled for. You might be thinking of PNaCL which is still very experimental: http://www.chromium.org/nativeclient/pnacl

Well that's just dumb. They should've made ARM a first citizen for ChromeOS from day one. I saw a rumor about a future Samsung Chromebook that will use a dual core 2 Ghz Cortex A15 chip, so maybe it's coming soon.

As someone who occasionally ends up on Windows having to do Terminal work, thank you. A proper terminal emulator on every platform (well, every platform I care about) is a huge win.

I might even move to this entirely if it adds support for key auth; having a consistent environment across all devices on which you work is a big win, even if the native terminal emulator might be integrated better with the OS.

On a related note, I used to cringe whenever I had to do anything on Windows; such a foreign environment. Nowadays so much has moved to the browser that I hardly notice, modulo some text editing shortcuts. The browser is really about to become the operating system.

I'm not very impressed... although it's partly implemented in HTML (only partly - even though modern JavaScript engines should be more than capable of handling SSH, the implementation is just OpenSSH in Native Client), this is no citizen of the web, and never can be, as trusting an app to connect directly to arbitrary ports and handle all your SSH connections fundamentally subverts the web's security model. Benefits over a native app:

- It's sandboxed - big deal, if sandboxing SSH were a real concern then it's a call to sandbox-exec(1) away.

- It could theoretically be extended to support HTML-based console interfaces - but sticking a web view in a regular terminal would solve this just as well with less overhead.

(Note the lack of benefits that usually apply to webapps: multiple browser implementations; written in a high-level language, which increases hackability [you might be able to get some of that]; don't need to trust the app; page-based paradigm allows deep linking.)


- Slow. The FAQ says it's intended to compete performance-wise, and it's reasonably fast, but comparing the behavior of 'ls' or, more dramatically, 'cat /usr/share/dict/words' or 'yes' (try interrupting it) demonstrates that it doesn't quite hold up. *

- You have to trust a silently updating, non-downgradeable app with your data. I guess people already do this with Chrome, but terminal emulators don't exactly benefit from constant updates in the way browsers do.

- Non-native - if you're on Chrome OS, this is a benefit, because Web is native, but on other operating systems, you lose the look and feel of the OS (from Terminal.app: useful cmd-tab, transparent window backgrounds, Lion fullscreen mode, Lion auto reopen, other applications can launch the terminal, native keyboard shortcuts, ctrl-w...) for no reason.

- The current version requires an account(!!)

- The current version is buggy - when I try it, just typing "ls" messes up the terminal so that it's not fully scrolled down. I guess this will be ironed out soon, but existing terminal emulators are highly stable.

*edit: or 'bb', heh - Terminal doesn't exactly handle it well (it's a good demonstration of the superior performance of xterm), but at least it doesn't hang like this terminal

I fixed a terminal "hang" just after the 0.7.9 version was released: http://git.chromium.org/gitweb/?p=chromiumos/platform/assets... This may be what you're seeing in 'bb'.

The difficulty interrupting something like 'yes' is a known issue. We need to add some flow control to deal with cases where the network overwhelms the UI. This also makes hterm appear slow when cat'ing /usr/share/dict/words, and running aafire. A fix is in the works.

Yes, as you mention, automatic updates are something you already accept with Chrome. It also seems to be the way Firefox is heading. And Android and iOS apps. Anyone is free to build a version locally if they really want to stick with a particular version.

The webstore may require an account, but the source is open. You're welcome to build it yourself. Or, create a throw-away account and download the CRX, then install it in your "real" account.

Of course the current version is buggy, it says that right in the web store description! I've been working on it for a few months now, but it's difficult to get everything right in a terminal without a lot of users. I fixed an issue after the 0.7.9 release that may be what you're describing, but I can't know for sure without more details.

FWIW, as the FAQ says, the terminal emulator and the NaCl SSH client are essentially two codebases. Maybe you could impress people by creating a good-web-citizen version of the SSH command and combine it with hterm.

That would most definitely require an HTML-to-SSH relay in the middle (which hterm supports). Then you'd have to trust that though, at which point you have to decide where you really want your potentially untrustworthy code to live.

I'm not sure what problem you're having with ls, but emacsclient -t and list-colors-display works perfectly for me. If it does Emacs, my needs are met :)

I can't believe how great it looks and how responsive it is. I've been running an emacs client in it for a while and other than C-n opening a new window it's practically perfect. Huge props to the team who wrote this.

I think you can run it in some kind of app window mode which avoids issues like c-n, c-w, etc. Not sure if it works in a tab though.

Public/private key authentication seems a bit spotty. From the FAQ,

    > Can I connect using a public key pair or certificate?
    Sorry, not yet.
I successfully authenticated with a private key,

    debug1: read PEM private key done: type DSA
    debug1: Authentication succeeded (publickey).
However, authentication agent forwarding (ssh -A) did not work,

    Permission denied (publickey).
Also notable is that this app does not have access to the OS X Keychain, so I have to type in my lengthy passphrase before authenticating.

Can you post the syntax of how you included the identity file. The parsing keeps grabbing my user@host in with the -i id.pem

   Connecting to -i id.pem user@host, port 22...
   Loading NaCl plugin... done.
   Warning: Identity file  id.pem user@host not accessible: No such file or directory.

I first ssh'd into me@localhost. From that point, ssh automatically discovers key files in ~/.ssh.

This explains why my Keychain did not work, since I was logged into a "remote" host.

Ah, that makes sense and is a nice workaround. Thanks for the reply!

This is cool hack but a terrible idea. Why do I want some bloated web browser wrapping a lightweight terminal?

because having a web browser just be a web browser is apparently an outdated concept. Or something.

I mean sure, opening up an ssh client is 4 keystrokes for me (on windows) but we need to have it integrated into the browser so firefox (or chrome in this case) can find a way to be even more of a bloated memory pig.

Very cool, but I fired up an emacs session and hit Ctrl+N to start scrolling through a file.... doh!

They list a few caveats: http://git.chromium.org/gitweb/?p=chromiumos/platform/assets...

no ssh keys, no port forwarding, Chrome 19 + "Open as Window" for some shortcut keys, etc.

htop breaks it, too -- but it actually does a pretty good job considering how complex the output is.

I think the htop bug was fixed by https://gerrit.chromium.org/gerrit/21255. You should get it in the next version of Secure Shell.

This is freaking awesome. I have been waiting for this for so long. I look forward to using this all day to see how it holds up.

On Ubuntu 12.04, I get this, and then it seems to hang. Anyone have this working on Linux?

  Welcome to Secure Shell version 0.7.9.
  The list of Frequently Asked Questions is available here: http://goo.gl/m6Nj8
  Connecting to wellsj@greensboro.timco.aero, port 22...
  Loading NaCl plugin...

So it doesn't work? Maybe Google didn't enable NaCl by default in Linux. You can enable it yourself.

Correct...doesn't seem to work for me. This is in chromium, which, unless something has changed, appears to have problems: http://askubuntu.com/questions/91789/why-is-nacl-disabled-fo...

Downloading the official chrome build works.


On 12.04 here 64 bit kernel and Chrome v. 18.0.1025.162.

Everything works perfectly both to localhost and across the lan.

Yay NaCl chrome only app! Yay for standards!

Oh wait a minute...

I believe this is the same terminal that replaces urxvt as the non-VT terminal in the newest version of ChromeOS (IE the one you access with Ctrl-Alt-T). I was worried when I switched to the dev channel on my Cr-48 and crosh opened in a new tab instead of a chromeless window.

Edit: I take back my comments about the keyboard shortcuts: http://git.chromium.org/gitweb/?p=chromiumos/platform/assets...

Why? Can't you just make it full-screen, that's what I do.

As killer as it is, it says it's a beta and it has known bugs on the page. Use with caution.

Neat, but it's be very nice if it automatically used the configured HTTPS proxy.

If you just want a terminal emulator in a web browser, Paddy Mullen ported urxvt to JavaScript a few years ago: https://github.com/paddymul/rxvt-js

Works really well, nice and quick. Call me stupid, but I'm not actually sure how to launch it (clicking on "Launch App" from within the webstore works but that's surely not the only way).

Open a new tab and click the arrow on the right or click "Apps" at the bottom of the screen.

I believe there's also omnibox completion on app names (though maybe you have to use it a few times first)

Would be nice if they installed an ssh:// URI handler

oh, good idea. I wonder if navigator.registerProtocolHandler works in apps?

I tried adding it manually in settings->Content Settings...->Handlers, but it only allows you to select handlers on sites that have already requested permission, not add new ones (as far as I can tell).

I did actually try that in the hopes it would work. Onmibox completion is doing the trick for me now.

Tmux seems to work wonderfully. I bet Chrome Book users are stoked.

Yup, I am. Because I changed my prefix to Ctrl-a, none of my combos clash.

Works pretty well considering its status, though it doesn't like to play along with the hard status bar on my screen sessions.

This is an amazing killer app. Never before could I SSH into a remote machine from a desktop computer. </sarcasm>

Very cool and so close to being useful. Until you can use certs and use them safely it isn't very useful though.

Really interesting, would be even better if it parsed my SSH config file. Interested to see how this progresses.

I like this because it allows me to ssh into a machine and then run lynx to browse the web. Meta-browser, baby!

I used to spend 99% of my time in Terminal and Chrome. Now I can start spending 99% of my time in Chrome.

Honestly, I don't like the browser for everything. Neat, but not something that would shake my world.

I think this is the same shell as the one included with the latest release of Chrome OS (Aura UI).

Can someone explain how this is possible within the web's standard security model?

Does not work with local area network. I've tried to ssh on my VM.

FYI, seems to work me. I was able to connect to my server in VMware.

Indeed. I've missed the "username@" part.

Tabbing and zoom support did it for me. Very. Awesomee.

GREAT! Now Google can mine my shell for AdWords. I look forward to seeing what Ads I get on android after a good fsck

I thought NaCl couldn't open raw (tcp) sockets? I thought it was limited to WebSockets.

This app is part of a small whitelist of apps that can make this type of connection. It's a temporary solution though. The Chrome team is working on ways to make the functionality more widely available.

Just got through scouring the pepper 19 docs for any mention for how this was done. Exciting to see this kind of functionality enabled, but apprehensive about chrome apps developing into an android style permission nightmare. Perhaps if the user always had the ability to arbitrarily revoke permissions and block them by default.

damn it was an inside job! :)

I'd been checking every few months for the last several years to see if sockets were available in NaCL, for this exact killer app (along with a vnc/rdesktop client)

Sad that it had to be done with an internal whitelist, but I'm mostly just happy that it exists for me to use even if I didn't get to write it!

This is incredibly exciting, if not also a bit scary. Thanks for the info.

Apps may have fewer security restrictions than pages.

NaCl apps are only usable right now via the Chrome Web Store, unless you've manually enabled them to be allowed elsewhere.

Is there a way to install this plugin without signing in to Google?

Does it work in the latest (hexxeh) ChromeOS release?

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact