Sunday 25 September 2016

Exploring oterm (onion terminal)


Onion terminal (oterm) is a UNIX terminal in a web browser. It is designed to be used securely over SSL; the user can skip the SSL part, although running with weaker security is never recommended.

Its main features are:

  1. Standalone: Just the executable contains everything you need to serve the terminal.
  2. Secure: It uses SSL to ensure you use a secure channel.
  3. Authenticated: It uses PAM to check user authentication.
  4. Session management: It exports as many sessions as wanted, per user. So it's also a screen replacement.

Here are the implementation details:

This example uses opack to embed jQuery and the custom JavaScript and HTML. The handler itself creates the pty (forkpty, set permissions...) and stores all of that in the user session. Input is sent to oterm/PID/in as a POST, with the data in the parameter data. Output travels on another channel, oterm/PID/out, which blocks until some data is available, then reads as much as possible and sends it. When the AJAX client receives that data, it processes it and asks for new data. With this simple in/out trick we can have the same functionality as WebSockets, but asynchronously.
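The in/out mechanism described above, modelled as an added Python example (this is not oterm's own code, which is a C program). The names PtySession, post_in, get_out and poll_until are hypothetical, and the HTTP layer, PAM authentication and SSL are left out so that only the pty handling and the blocking read remain.

```python
import os
import pty
import select
import signal


class PtySession:
    """One terminal session: a shell on its own pty, identified by child PID."""

    def __init__(self, argv=("/bin/sh",)):
        # pty.fork() wraps forkpty(): the child gets the pty as its terminal.
        self.pid, self.fd = pty.fork()
        if self.pid == 0:
            os.execv(argv[0], list(argv))

    def post_in(self, data: bytes) -> int:
        """Body of a POST to <PID>/in: write the 'data' parameter to the pty."""
        return os.write(self.fd, data)

    def get_out(self, timeout: float = 2.0) -> bytes:
        """Body of a request to <PID>/out: block until output, then drain it."""
        out = b""
        wait = timeout  # block only while waiting for the first chunk
        while select.select([self.fd], [], [], wait)[0]:
            try:
                chunk = os.read(self.fd, 4096)
            except OSError:  # EIO on Linux once the shell has exited
                break
            if not chunk:
                break
            out += chunk
            wait = 0  # afterwards, take only what is already buffered
        return out

    def close(self):
        os.close(self.fd)
        os.kill(self.pid, signal.SIGKILL)
        os.waitpid(self.pid, 0)


def poll_until(session, marker: bytes, tries: int = 10) -> bytes:
    """Client side: process each /out response, then immediately ask again."""
    seen = b""
    for _ in range(tries):
        seen += session.get_out()
        if marker in seen:
            break
    return seen
```

Everything handed to post_in, including a password typed at an su prompt, is the body of an ordinary HTTP POST in the real service, so with --no-ssl it crosses the network unencrypted.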

Installation:

Oterm can be downloaded as a statically linked binary from the project's GitHub page here. The GitHub page mentions that the binary was compiled on an Ubuntu 11.04 machine, but it worked on my CentOS test machine flawlessly.

Usage:

The statically linked binary, once downloaded, runs 'right out of the box'. Executing it without any options prints the usage details, similar to a man page.

[root@centops ~]# ./oterm
[EB9E] [2016-09-24 11:22:59] [ERROR onion.c:710] Error setting the certificate (Error while reading file.)
Cant set certificate and key files (/etc/pki/tls/certs/pound.pem, /etc/pki/tls/certs/pound.key)
 oterm - Linux terminal over HTTP

It uses HTTP(S)+HTML+CSS+JavaScript to show a remote terminal inside a browser.

Options:
   -p|--port <port_number>      -- Set the port number to use. Default 8080
   -i|--ip   <server_ip>        -- Set the ip to attach to. Default ::
   -c|--cert <certificate file> -- Set the SSL certificate file. Default: /etc/pki/tls/certs/pound.pem
   -k|--key  <key file>         -- Set the SSL key file. Default: /etc/pki/tls/certs/pound.key
   --no-ssl                     -- Do not uses SSL. WARNING! Very unsecure

[root@centops ~]#

Since I did not have SSL keys set up, I tested the usage without them. To start it up I typed:

[root@centops ~]# ./oterm  --no-ssl --ip 192.168.44.138 --port 6789
Disabling SSL!
Using ip 192.168.44.138
Using port 6789
Listening at 6789

After this, go to a web browser & type http://<IP address>:<port>. It will give you a password prompt.
I tried to log in directly as root when presented with the prompt for credentials & was not allowed to do so. I logged in as a normal user & was able to switch to root.

Here's the page that immediately appeared after I logged in:


I clicked on create a new remote session & it created a session & returned a session id.


I clicked on the session id & this launched a terminal session for my logged in user in a new tab. After that I was able to run normal commands in the terminal window as the user & after I switched to the root user.




Conclusion:

I found oterm to be a fast, light & definitely cool web based terminal emulator.
