March 19, 2008

Install Anyterm for remote terminal access without SSH

Author: Ben Martin

Anyterm allows you to have secure terminal access to a server without needing any special software on a client machine beyond a Web browser. For example, with Anyterm you can open a terminal into your server from an Internet cafe. Because Anyterm uses a pseudo-terminal for communication with the shell, you can run most command-line tools from an Anyterm terminal running inside a Web browser.

On the server side you can either install the Anyterm software yourself or use a server provided by my.anyterm.org for about a $20 per year subscription fee. Two main drawbacks of installing Anyterm on your own server are that it is an Apache module, so you have to have access to install those, and you have to handle security lockdown yourself.

The stable branch of Anyterm was released in June 2005. For the article I'll use the development branch, version 1.2.21, which was released last month. To build Anyterm you need to have Apache and Boost installed and the development packages for both of these. Once the source tarball for Anyterm is extracted, change directory into the apachemod subdirectory and type make to build the module. If you're building on a Fedora machine you will have to change the makefile to link against boost_thread instead of boost_thread-mt by editing line 139, which describes the LINK_FLAGS for building and removing the (-mt) postfix. Install Anyterm by running the normal make install command as root.

You will need to add a LoadModule directive to your /etc/httpd/conf/httpd.conf listing anyterm.so and copy the Anyterm Web files into a location in your DocumentRoot so that Apache can serve them. The default .htaccess forces the use of SSL and requires a valid HTTP username and password before Anyterm will start processing input. The documentation recommends keeping this two-phase authentication so that Anyterm is protected against attacks with the already well-tested Apache HTTP auth verification code.

The below shell session shows the changes to httpd.conf, followed by the installation of the Web files into localhost/anyterm on the Apache server. It sets up a user "ben" with an HTTP auth password for the .htaccess file to use to verify the user before handing the session off to Anyterm.

# vi /etc/httpd/conf/httpd.conf
...
LoadModule anyterm modules/anyterm.so
...
<Directory "/var/www/html/anyterm">
AllowOverride All
</Directory>
...
# cd /tmp/anyterm-1.1.21/browser/
# mkdir /var/www/html/anyterm
# cp * /var/www/html/anyterm
# chown -R root.apache /var/www/html/anyterm
# chmod 640 /var/www/html/anyterm/*
# cp .htaccess /var/www/html/anyterm/
# chmod 640 /var/www/html/anyterm/.htaccess

# htpasswd -c /etc/httpd/anyterm-password ben
# chown root.apache /etc/httpd/anyterm-password
# chmod 640 /etc/httpd/anyterm-password
#
# vi .htaccess
...
AuthUserFile /etc/httpd/anyterm-password
...

# service httpd restart

The anyterm_command directive in the .htaccess file tells Anyterm how it should start a terminal session. The two default options are to either use SSH or anygetty. I'll stick to using SSH authentication for the article. If you disabled password authentication for your SSH daemon then you will have to setup a .ssh directory inside /var/www. The below code fragment sets up a new SSH public key pair to allow Anyterm to log in as ben on localhost using a passphrase-protected Identity file. Since both keys are on the same machine there is no real security gain to using Identity-based authentication, apart from not having to enable the option of password authentication for the SSH daemon.

# mkdir /var/www/.ssh
# chown apache.apache /var/www/.ssh
# chmod 750 /var/www/.ssh
#
# su -l ben
$ cd ~/.ssh
$ ssh-keygen -f anyterm
...
$ cat anyterm.pub >>authorized_keys2
$ exit
# cd ~ben/.ssh/
# cp anyterm /var/www/.ssh
# cd /var/www/.ssh
# vi config
...
Host localhost
IdentityFile ~/.ssh/anyterm
...
# chown apache.apache *
# chmod 640 config

At this point you should be able to connect to localhost via SSH using Anyterm. When you do you will be challenged using HTTP auth, then asked for the passphrase for the SSH Identity file, and finally logged in as shown in the figure.

Note that since the SSH Identity files are placed in /var/www and are readable by Apache, these Identity files potentially can be leaked by any Web application running under the same Apache process -- so choose your passphrases wisely! A more sophisticated attack against Anyterm from a PHP Web application would be to attach to shared memory used by Anyterm. To mitigate these attacks and close off access to the SSH Identity files you might like to run Anyterm under suPHP.

To begin testing Anyterm I ran both vi and Emacs. I didn't run into any issues with basic vi usage but did hit some issues using Emacs. It seems that Anyterm fails to send the Control-Space key combination to Emacs, so starting a text highlight in Emacs does not work with Anyterm. Typing C-x, C-s works only if you leave time between pressing the x and s keys. If you are in the habit of holding Control with one finger and hitting x then s quickly with two other fingers, you will be frustrated with Emacs under Anyterm. Also, the Alt key does not work as the meta key by default in Anyterm. The Alt key is also an issue if you are used to using Emacs keybindings for bash. Typing Alt-f and Atl-b to move forward and backward a word in the bash command line does not work in Anyterm.

Running alsamixer under Anyterm produced a display with the volume bars messed up. Changing the $TERM variable from linux to xterm and rerunning alsamixer produced the expected display.

None of the programs I ran inside Anyterm supported mouse interaction.

Having Anyterm set up and tested on a server could be a lifesaver if you need secure access to a machine but do not have your laptop at hand. Anyterm might be just the right tool if you need to give somebody access to a server without requiring any special setup at the client side; as long as they have a Web browser, Internet connection, and username/password, they can log in.

Installation of Anyterm is a little involved, but the terminal Anyterm provides should allow you to perform most tasks from an Internet café or other limited client-side environment.

Categories:

  • System Administration
  • Internet & WWW
Click Here!