Ajax-Driven SSH Access for Webserver Administration
I have always wanted secure and reliable "emergency SSH access" to my webserver.
When it comes to security, there is certainly nothing better than a standard SSH client application (like PuTTY on Windows or the command-line ssh clients on Unix-based systems).
But when it comes to reliability, this is definitely not the best option. Many networks filter most ports or, even worse, force you to use a proxy for all internet access.
Luckily there is a really nice solution out there which is, when configured the right way, as secure as a standard SSH client and, best of all, available wherever you have HTTP access to your server.
The software is called "Ajaxterm" and is basically a Python-based server application with an easy-to-use AJAX-driven web frontend.
As the Ajaxterm server application itself only supports unencrypted access, the following steps are needed to get a secure browser-driven SSH client.
- Install Ajaxterm (on Debian-based systems (>=etch) run: "aptitude install ajaxterm")
- Configure Ajaxterm (/etc/default/ajaxterm on Debian-based Linux systems) to connect to the SSH port you have configured for your SSH server
- Configure your firewall to block direct access to the Ajaxterm port (you do not want anyone to open an SSH session via unencrypted HTTP)
- Configure your webserver to proxy requests arriving over an HTTPS connection to the Ajaxterm server (which by default listens on port 8022)
For lighttpd, the configuration for proxying the requests would look something like this:
    $HTTP["url"] =~ "^/terminal/" {
        proxy.server = ( "" =>
            ( "example" =>
                ( "host" => "127.0.0.1",
                  "port" => 8022
                )
            )
        )
    }
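To force HTTPS, just add something like

    $HTTP["scheme"] == "http" { url.redirect = ( "^/terminal" => "https://www.example.com/terminal/" ) }

to your lighttpd.conf. The scheme condition limits the redirect to plain-HTTP requests; without it, requests that already arrive over HTTPS would match the same pattern and be redirected again in a loop.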
That's all.
Now reload lighttpd so it picks up the changed lighttpd.conf and try calling Ajaxterm (e.g. https://www.example.com/terminal/).
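
As an added example (not part of the original post and not Ajaxterm's own code), here is a shell check that complements the firewall step above: it reads `ss -ltn` output and reports any listener on the Ajaxterm port that is bound to a non-loopback address, since a loopback-only listener stays unreachable from outside even if a firewall rule is missing. The function names and the two sample listings are constructed for illustration; port 8022 is the default named above.

```shell
#!/bin/sh
# Added example: audit `ss -ltn` output for an Ajaxterm listener reachable off-host.
# Assumption: Ajaxterm listens on TCP 8022 (the default mentioned in the article).

# exposed_listeners PORT: reads `ss -ltn` output on stdin and prints every local
# address bound to PORT that is not loopback (127.0.0.0/8, ::1, or mapped IPv4).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            n = match(la, /:[0-9]+$/)            # port follows the last colon
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            if (substr(la, n + 1) != port) next  # exact match, so 18022 != 8022
            gsub(/^\[|\]$/, "", addr)            # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
        }'
}

# audit_port PORT: reads `ss -ltn` output on stdin; returns 0 when PORT has no
# non-loopback listener (including when nothing listens on it at all), else 1.
audit_port() {
    exposed=$(exposed_listeners "$1")
    if [ -n "$exposed" ]; then
        # $exposed is left unquoted on purpose to join the lines with spaces
        echo "port $1 bound to non-loopback address(es):" $exposed >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (not captured from a real host).
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:8022     0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    0.0.0.0:18022      0.0.0.0:*'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:8022       0.0.0.0:*
LISTEN 0      5      [::]:8022          [::]:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*'

printf '%s\n' "$SAMPLE_SAFE"    | audit_port 8022 && echo "safe sample: loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | audit_port 8022 || echo "exposed sample: flagged"
```

On a live host, run `ss -ltn | audit_port 8022` after configuring Ajaxterm; a non-zero exit status means the listener is bound to a non-loopback address and only the firewall rule stands between it and the network.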