
Web-Based Terminal/SSH from Restricted Computer


Stupifier


Does something like this exist? I need a solution for this.

 

Desire: Access UnRAID or VM terminal/shell remotely

 

Issue: Restricted Client Computer (Win10 at work). Cannot install software or change any settings....but I can browse internet just fine. So, I can't open a CLI and OpenSSH isn't installed. I can't VPN since that requires software to be installed. So on and so forth.

 

What I hope exists to solve my problem: I browse to https://webssh.my.domain.com, then am presented with a simple terminal. This terminal would ONLY be capable of SSH, nothing else. Maybe it is just a Docker with SSH. From there, I can SSH into a host (UnRAID, VM, whatever).

 

As far as the whole SSL and domain thing......I could do that with LetsEncrypt docker and Reverse Proxy......So really, whatever tool is out there could just point to an internal port and I could figure out the HTTPS/SSL domain stuff myself.

Link to comment
51 minutes ago, jonathanm said:

 

 

 

Right, I already have this and use it all the time.....AT HOME.

 

But Command Line Tools (Shellinabox) seems to open immediately into an UnRAID shell login/password........which isn't very secure to expose as an external facing service, right? I mean, it doesn't even do SSH Key-Pair to authenticate.

 

Am I missing something about this?

Link to comment
1 minute ago, jonathanm said:

Shell in a box does exactly that.

 

No, it's not particularly secure, but that's what you asked for.

 

But that Terminal.....has Username/Password directly into UnRAID shell. I was hoping for the simple terminal to ONLY HAVE SSH so that authentication could be made over a more secure path (key-pair).

 

In other words, is there any way for me to SSH Key-Pair Shell into a Host computer from a Restricted Client Computer which only has a Web-Browser?

Link to comment
2 minutes ago, Stupifier said:

In other words, is there any way for me to SSH Key-Pair Shell into a Host computer from a Restricted Client Computer which only has a Web-Browser?

Unless I'm totally misunderstanding you, no, you can't load your private key into the web browser only machine securely.

 

1 hour ago, Stupifier said:

As far as the whole SSL and domain thing......I could do that with LetsEncrypt docker and Reverse Proxy......So really, whatever tool is out there could just point to an internal port and I could figure out the HTTPS/SSL domain stuff myself.

I assumed you were going to set up reverse proxy with authentication (htpassword) and use that.

Link to comment
8 minutes ago, jonathanm said:

Unless I'm totally misunderstanding you, no, you can't load your private key into the web browser only machine securely.

 

I assumed you were going to set up reverse proxy with authentication (htpassword) and use that.

 

Good point....I definitely could not load private key securely!

 

AHHH! and another Good point.....Reverse Proxy authentication....yes!

 

Ok, I think I'm sorted out now. Thank you for the patience with me :)

Link to comment

If you are allowed to run programs from a USB, then there are multiple solutions with ssh clients that don't require installation - you just run them from the USB drive. So the USB drive contains both the SSH client and the required SSH key.

Link to comment
3 minutes ago, pwm said:

If you are allowed to run programs from a USB, then there are multiple solutions with ssh clients that don't require installation - you just run them from the USB drive. So the USB drive contains both the SSH client and the required SSH key.

 

Good idea but I forgot to say.....no USB ports on the computers (security purposes).

 

The Command Line Tools (shellinabox) is working great though. I set up a reverse proxy to it with Single-Sign-On authorization to only allow access through my Organizr V2 landing page. Yes, it forces me to first touch my UnRAID terminal shell.....but I can SSH to elsewhere after that. Good enough for me.

Link to comment

It doesn't hurt if your web forwarding starts with some service that requires 2FA where your mobile phone receives an SMS or you use Google Authenticator to produce a time-limited code. Just to make sure anything key-logging what you are doing will not receive carte blanche access to your unRAID server.

Link to comment
1 minute ago, pwm said:

It doesn't hurt if your web forwarding starts with some service that requires 2FA where your mobile phone receives an SMS or you use Google Authenticator to produce a time-limited code. Just to make sure anything key-logging what you are doing will not receive carte blanche access to your unRAID server.

 

Good point. Thanks!

Link to comment

Archived

This topic is now archived and is closed to further replies.
