Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature: System Administration
Install Anyterm for remote terminal access without SSH
Share
Print
CommentsAnyterm allows you to have secure terminal access to a server without needing any special software on a client machine beyond a Web browser. For example, with Anyterm you can open a terminal into your server from an Internet cafe. Because Anyterm uses a pseudo-terminal for communication with the shell, you can run most command-line tools from an Anyterm terminal running inside a Web browser.
On the server side you can either install the Anyterm software yourself or use a server provided by my.anyterm.org for about a $20 per year subscription fee. Two main drawbacks of installing Anyterm on your own server are that it is an Apache module, so you have to have access to install those, and you have to handle security lockdown yourself.
The stable branch of Anyterm was released in June 2005. For the article I'll use the development branch, version 1.2.21, which was released last month. To build Anyterm you need to have Apache and Boost installed and the development packages for both of these. Once the source tarball for Anyterm is extracted, change directory into the apachemod subdirectory and type make to build the module. If you're building on a Fedora machine you will have to change the makefile to link against boost_thread instead of boost_thread-mt by editing line 139, which describes the LINK_FLAGS for building and removing the (-mt) postfix. Install Anyterm by running the normal make install command as root.
You will need to add a LoadModule directive to your /etc/httpd/conf/httpd.conf listing anyterm.so and copy the Anyterm Web files into a location in your DocumentRoot so that Apache can serve them. The default .htaccess forces the use of SSL and requires a valid HTTP username and password before Anyterm will start processing input. The documentation recommends keeping this two-phase authentication so that Anyterm is protected against attacks with the already well-tested Apache HTTP auth verification code.
The below shell session shows the changes to httpd.conf, followed by the installation of the Web files into localhost/anyterm on the Apache server. It sets up a user "ben" with an HTTP auth password for the .htaccess file to use to verify the user before handing the session off to Anyterm.
# vi /etc/httpd/conf/httpd.conf ... LoadModule anyterm modules/anyterm.so ... <Directory "/var/www/html/anyterm"> AllowOverride All </Directory> ... # cd /tmp/anyterm-1.1.21/browser/ # mkdir /var/www/html/anyterm # cp * /var/www/html/anyterm # chown -R root.apache /var/www/html/anyterm # chmod 640 /var/www/html/anyterm/* # cp .htaccess /var/www/html/anyterm/ # chmod 640 /var/www/html/anyterm/.htaccess # htpasswd -c /etc/httpd/anyterm-password ben # chown root.apache /etc/httpd/anyterm-password # chmod 640 /etc/httpd/anyterm-password # # vi .htaccess ... AuthUserFile /etc/httpd/anyterm-password ... # service httpd restart
The anyterm_command directive in the .htaccess file tells Anyterm how it should start a terminal session. The two default options are to either use SSH or anygetty. I'll stick to using SSH authentication for the article. If you disabled password authentication for your SSH daemon then you will have to setup a .ssh directory inside /var/www. The below code fragment sets up a new SSH public key pair to allow Anyterm to log in as ben on localhost using a passphrase-protected Identity file. Since both keys are on the same machine there is no real security gain to using Identity-based authentication, apart from not having to enable the option of password authentication for the SSH daemon.
# mkdir /var/www/.ssh # chown apache.apache /var/www/.ssh # chmod 750 /var/www/.ssh # # su -l ben $ cd ~/.ssh $ ssh-keygen -f anyterm ... $ cat anyterm.pub >>authorized_keys2 $ exit # cd ~ben/.ssh/ # cp anyterm /var/www/.ssh # cd /var/www/.ssh # vi config ... Host localhost IdentityFile ~/.ssh/anyterm ... # chown apache.apache * # chmod 640 config
At this point you should be able to connect to localhost via SSH using Anyterm. When you do you will be challenged using HTTP auth, then asked for the passphrase for the SSH Identity file, and finally logged in as shown in the figure.
Note that since the SSH Identity files are placed in /var/www and are readable by Apache, these Identity files potentially can be leaked by any Web application running under the same Apache process -- so choose your passphrases wisely! A more sophisticated attack against Anyterm from a PHP Web application would be to attach to shared memory used by Anyterm. To mitigate these attacks and close off access to the SSH Identity files you might like to run Anyterm under suPHP.
To begin testing Anyterm I ran both vi and Emacs. I didn't run into any issues with basic vi usage but did hit some issues using Emacs. It seems that Anyterm fails to send the Control-Space key combination to Emacs, so starting a text highlight in Emacs does not work with Anyterm. Typing C-x, C-s works only if you leave time between pressing the x and s keys. If you are in the habit of holding Control with one finger and hitting x then s quickly with two other fingers, you will be frustrated with Emacs under Anyterm. Also, the Alt key does not work as the meta key by default in Anyterm. The Alt key is also an issue if you are used to using Emacs keybindings for bash. Typing Alt-f and Atl-b to move forward and backward a word in the bash command line does not work in Anyterm.
Running alsamixer under Anyterm produced a display with the volume bars messed up. Changing the $TERM variable from linux to xterm and rerunning alsamixer produced the expected display.
None of the programs I ran inside Anyterm supported mouse interaction.
Having Anyterm set up and tested on a server could be a lifesaver if you need secure access to a machine but do not have your laptop at hand. Anyterm might be just the right tool if you need to give somebody access to a server without requiring any special setup at the client side; as long as they have a Web browser, Internet connection, and username/password, they can log in.
Installation of Anyterm is a little involved, but the terminal Anyterm provides should allow you to perform most tasks from an Internet café or other limited client-side environment.
Ben Martin has been working on filesystems for more than 10 years. He completed his Ph.D. and now offers consulting services focused on libferris, filesystems, and search solutions.
Comments
on Install Anyterm for remote terminal access without SSHNote: Comments are owned by the poster. We are not responsible for their content.
Re: Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 86.59.50.58] on March 24, 2008 08:36 PMsecond: yes, of course there are security issues, it is all a question of trust and neccessity :-)
Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 144.32.81.139] on March 19, 2008 01:37 PMI'd feel happier about the security if all the SSH encryption was done on the client side in Javascript, though, since then my password/private key/passphrase would not be sent over the wire. Any possibility of a Javascript SSH client?
Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 146.83.196.20] on March 19, 2008 01:56 PM"For example, with Anyterm you can open a terminal into your server from an Internet cafe."
Posted by: Anonymous [ip: 70.68.165.188] on March 19, 2008 03:14 PMsome things are better done outside the browser
Posted by: Anonymous [ip: 204.50.208.4] on March 19, 2008 03:39 PMDon't get that all wrong, more choices are great and the developer should be commended for offering a new aproach. I'll keep it in my list of tricks encase it should become needed later.
Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 86.6.12.162] on March 19, 2008 05:16 PMHi Ben,
Thanks for the publicity. Quite a few people have followed the links to anyterm.org and are playing the "bastard tetris" demo right now. The server seems to be surviving under the load, for now....
To answer some of your observations:
- The standalone anyterm daemon, combined with Apache's mod_proxy, may provide better security in some scenarios. At least, it provides "different" security from the Apache module that you used.
- Re emacs and bash keybindings : it looks as if the Linux console sends ASCII 0 when you press ctrl-space, the same as ctrl-@. Presumably emacs is relying on this. I can add that easily enough. As for ALT, it looks as if this sends ESC followed by the normal keycode; again it's probably easy to add.
- I'm unsure why you see odd behaviour with ctrl-x-s. Is it because ctrl-S is XOFF? Debugging is needed.
- Re alsamixer: did you set up Anyterm with a charset to match your locale? Setting TERM to anything other than linux is generally the wrong thing to do.
And now to answer the entirely-predictable first anonymous comment:
"you think I should PAY money for using what's in effect a keylogger that gives you (or rather, anyterm.org) my root password?"
Not if you don't want to, no. But some people find it useful. The impression that I have is that many subscribers use it for things like IRC, where the value of the password is rather less than the root password on your credit card processing system.
Anon #2 writes:
> I prefer Ajaxterm as it is easy to install and much more flexible
Ajaxterm - which is like Anyterm but written in Python - is certainly easier to install. I do hope that Anyterm can be made easier to install in the future, but it's not easy when distributions (for example) can't agree what to call their libraries. I'd also like to see Anyterm packages available in some distributions - any volunteers out there? I am surprised by the "much more flexible" comment and would be interested to hear what you mean by that. Anyterm has a number of features that Ajaxterm doesn't have, including a scrollback buffer, support for different character sets, and slightly faster performance. I have side-by-side demos at anyterm.org.
Please visit the forums at anyterm.org if you have any questions.
--Phil
Solution looking for a problem...
Posted by: Anonymous [ip: 96.227.214.46] on March 19, 2008 07:34 PMGo ahead and use this tool if you are willing to tinker around with Apache modules and .htaccess files. Else, be like the other 99% of us and just use SSH.
Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 86.6.12.162] on March 19, 2008 08:40 PMSSH won't work through an HTTP proxy, or a filewall that blocks whatever port your SSH daemon is listening on. I wrote Anyterm to "scratch an itch", i.e. to solve a problem that I had: I was working at a company from where the only connections to the outside were HTTP[S] and SMTP, and trying to keep my part-time business' web server alive. Other people clearly have the same problem, as seen by Anyterm's popularity.
Another use for it that hasn't been touched on yet is that it can be used to "web-enable" console applications, and I have had quite a lot of interest from people with old curses forms programs that they want to deploy on their intranets.
How to address the real problem, a compromised client
Posted by: Anonymous [ip: 69.17.73.250] on March 19, 2008 08:47 PMThe real problem is what to do about client machines that have been compromised and are logging every keystroke and every character before encryption for transmission and after decryption for display. The answer is one time passwords, aka one-time pad (OTP) -- opie in LInux, skey in OpenBSD, etc. Of course, all information transmitted must be considered public, but this simply means that care must be taken to avoid revealing secrets. OTPs allow much useful work to be done from potentially compromised machines, without worrying about compromising access to the remotely administered machines.
Karl O. Pinc <kop@meme.com>
Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 195.212.29.67] on April 02, 2008 08:04 AMPort multiplexing , tunneling , forwarding ssh proxying ALL sounds better than this.
Yes , i have a ssh client on my mobile phone!
Re: Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 24.208.191.127] on April 12, 2008 02:54 PMOh, and good luck using your fancy smartphone in the sub-basement or in the cube-farm-cum-Faraday-cage deep in the bowels of your corporate oppressor, I mean employer.
Maybe when you leave high school & get a real job you'll have some appreciation for any addition to your bag of tools that might help you get that job done.
Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 195.212.29.83] on April 02, 2008 08:17 AMPopularity doesnt mean its good. JavaSSH the hell out of your site if you want to "web enable it" , which Btw is a
vomit introducing BUZZword. SSH is web enabled from the day it was born tEh intaaaWeb 3.0extreme edition isnt
synonymous with http or html.
And PHIL I feel with you ,I perfectly understand that users want this product with this kind of security policy. Btw , the idea of earning money on providing this kind of service is just fine , even though the webenabling mantra and talk about lame firewall rules make me sick.
One should choose the hosting package that will be responsible for the growth of the business. No doubt that right now in the market there are so many companies that are offering such a range of web hosting packages that meet out all the requirements of the user. Generally there are several unaware people who use to under estimate the process of choosing a web-hosting package and make the decision without any proper contemplation. Actually if one is in business and he/she relies on his/her website to engender revenue, then he/she should choose the host with proper consideration as his/her web host can make or break his/her business.
This is true that at the initial period the requirements of the business are limited, but the user should also look for the future approach. Definitely the demands one place on his/her web host will increase as the time passes. If one adds more features to his/her website and endeavor to mechanize, by this way he/she surely can save the time and as well as the money. As the requirements of one's internet based business will modify, in that case the best web hosting company is option that has the capability of intensifying the services they provide to him/her as his/her company grows and his/her website develops.
Following are some of the most crucial factors one should consider while searching for a web host:
1. Reliability
2. Space
3. Expandability
4. Security
5. Speed
6. Control
7. Reports
8. Unrestricted email services
9. Offsite backups
10. Superb technical support
All these factors, which are mentioned above, are very crucial. For any of the web site reliability is very vital, as for a website operator downtime means the lost of income. If anyone has a website facing maximum down time, then very soon his/her web site will be closed. If one wants to increase his/her business as well as the profit margin, then he/she should go for the best web-hosting provider. A reliable web hosting provider guarantees for the maximum amount of uptime says 99.9% to 100% uptime. The next contemplation in terms of reliability is the number of years that the web hosting company has been in business and their working record.
The web hosts who want to start their business require a server and an Internet connection. At present there are thousands of people launching web-hosting businesses who are not aware with the services of reliable web hosting. If one's web host is inexperienced, that web host does not have a long life and will went off very soon along with his/her web site.
One should choose the web-hosting package that allows him/her the adequate space for the content he/she have. The services provided by the web host should be expandable as the business grows with the capability of providing unrestricted CGI access, SSH and FTP access as well as added features such as databases, scripts and software that supports things like shopping carts, Ecommerce solutions, merchant accounts, and real-time processing. If any user will use FrontPage extensions, Real Audio, Real Video, Shockwave, Java or similar tools, then he/she should make it sure that his/her web host supports that all.
It will be the best option if one's web hosting company has secure server capabilities and also can offer dedicated servers with speed that is not less than to a T3 connection to ensure his/her pages load quickly and the transactions of the customers are secure. It is very crucial for one's web hosting package to provide the total control of his/her website in his/her hands through an online administrative control panel. One should have unhindered email services with the capability of setting up aliases and auto-responders along with easy access to reports and statistics concerning to his/her website as well as its visitors.
One more advantage of best web hosting companies is that they also sustain offsite back-ups of their users data and information that is stored on their servers to ensure that nothing is lost if they experience a catastrophe or a natural disaster. Finally one's web host should also provide superb technical support that is knowledgeable, reliable, and perhaps most important, their presence whenever they are required.
Install Anyterm for remote terminal access without SSH
Posted by: Anonymous [ip: 212.247.10.231] on March 19, 2008 10:26 AMLemme get this straight: you think I should PAY money for using what's in effect a keylogger that gives you (or rather, anyterm.org) my root password?
Am I the only one thinking, this MIGHT be a security issue?
#