Onion Terminal is a Web Browser Unix Terminal (coralbits.com)
47 points by X4 on Dec 20, 2013 | 26 comments

Pretty much immediately I found a bug in his session generation:


The fact that in amongst the doc comment is "not really safe" should probably be a big red flag.

Then this happens:


Not to mention that here:


It'll just let you in if you can guess someone else's session.

Seriously. Systems ship with crypto APIs. And uuid libraries.
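Added example, not part of the thread or of oterm's own code: one way to produce an unguessable session id from the operating system's CSPRNG, as the comment above recommends. The function names, the 128-bit size and the use of `/dev/urandom` are assumptions made for this sketch.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>

#define SESSION_ID_BYTES 16                      /* 128 bits of entropy (assumed size) */
#define SESSION_ID_HEX   (SESSION_ID_BYTES * 2)  /* hex characters, excluding NUL */

/* Fill buf with len bytes from the kernel CSPRNG. Returns 0 on success, -1 on failure. */
static int csprng_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;          /* interrupted by a signal: retry */
        if (n <= 0) {          /* hard error or unexpected EOF: fail closed */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Write a NUL-terminated hex session id into out (SESSION_ID_HEX + 1 bytes). */
int new_session_id(char out[SESSION_ID_HEX + 1])
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[SESSION_ID_BYTES];
    if (csprng_bytes(raw, sizeof raw) != 0)
        return -1;             /* no fallback to a predictable source */
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[SESSION_ID_HEX] = '\0';
    return 0;
}

/* Constant-time compare of two ids, each at least SESSION_ID_HEX characters long. */
int session_id_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < SESSION_ID_HEX; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}
```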


Good eye. Patches are welcome. I will add right now these errors to the issue tracker, although caching if you are logged in (last link) is the standard behaviour: I don't think that if you change the password on the console you are immediately logged out.

I just fixed at master the most important one, the first.

Your patch.. fixes.. one of the issues. Kinda.

I commented with a link to the CPRNG you should be using.

Can somebody help me understand why you would ever want this? SSH is included by default in almost every mac or windows machine I've ever used, and putty is a pretty tried-and-true executable to run.

Who on earth is thinking "man, I wish I could run a terminal in my browser!"


Cool project, and I love the "because we can, and because it's cool" aspect of it, I'm just curious if I'm missing a use case for "why".

This is more than a terminal in your browser. It is an HTTP server that serves a Javascript-powered terminal connected to the box. You effectively have a secure shell connection encapsulated in HTTP(S). Perfect for restrictive environments.

Restrictive networks where you can't SSH out.

Restrictive computers where you can't run Putty or SSH (though you shouldn't connect from those anyway, but well).

I can't think of any other reasons.

If you can't SSH out, how does this program get around that fact?

It needs to proxy via either straight HTTP or websockets (I haven't checked which) to be able to serve things up to the browser.

I thought that this would have something to do with TOR or anonymity in general. Not the best name to select for your framework if you ask me.

The product itself seems very useful.

I was thinking the same thing, and was really struggling to figure out how this, in any way, was secure enough to work with Tor over a standard browser.

Chrome/Chromium have had something similar... https://chrome.google.com/webstore/detail/secure-shell/pnhec...

The Secure Shell Chrome Extension is actually quite different than what is being offered here. The Chrome extension is effectively an SSH client, like PuTTY, in a browser. You still need a network path to the host.

Onion Terminal is an HTTP server that serves a Javascript-powered terminal connected to the box through HTTP in your browser.

The benefit of the latter is you can get a shell on your box behind a restrictive firewall where only HTTP(S) traffic is allowed.

There is a big difference (which I don't know if it's good for oterm): Oterm does not use ssh at all. It is like xterm, but does not use X as protocol, but https.

Best one by far and it's from Google employees.

Oh nice!

Similar Web-based SSH[0] projects include:

• shellinabox

• GateOne

• AnyTerm

• AjaxTerm

• tty.js

I currently use GateOne. It's a little bloated and buggy though. I may give tty.js a shot. I've heard good things.

[0]: http://en.wikipedia.org/wiki/Web-based_SSH

This is David, the author of oterm.

Thanks for all the positive comments. I'm glad people like it.

Actually oterm was designed as an advanced example of a use of the onion http library (agreed, not the best name, accepting suggestions).

Maybe I should make it a separate project.

Cool project. I originally thought this was a joke by "The Onion" due to the title, but I think I get what you were aiming for: layers of an onion :: layers of the OSI?

What kind of projects do you intend to use the HTTP library for? That sounds almost more interesting than the terminal use case.

Initially it started when I was working on the AISoy1 Robot (www.aisoy.com) which was using a very limited ARM processor. We decided to give upgrade and management capabilities via a web application to the robot; we tried first with a Python based one, but it was consuming too much memory, so I started this project. We continued using it, although now we use Raspberry Pi which is quite more powerful.

Nice projects are right now rasppi-style projects where you are interested in doing an application that almost does not consume resources: 2MB RAM for example for oterm, not including shared libraries, as fast as the fastest.

Also I use it as a platform to easily develop C/C++ web services where performance is paramount, on real big servers.

Looks great. But how does one secure that insecure connection between you and the box you're hosting the terminal on? Anyterm offers SSL at least.

According to the Github page, Oterm supports SSL: https://github.com/davidmoreno/onion/wiki/Oterm

SSH tunneling, of course!

But seriously, the github wiki says that it uses SSL also.

Happy to see the terminal-in-browser space get more attention!

Check out https://github.com/chjj/tty.js

Very nice, looks great!
