Web-Based SSH with Anyterm


Anyterm settings page under pfSense 2.1.3.

Sometimes you may want to access a Secure Shell (SSH) server, but the access point you are using blocks port 22 or whatever port your SSH server uses. Fortunately, there is a solution: web-based SSH makes it possible to access SSH servers through a standard web browser. Web-based SSH clients are based on JavaScript/Ajax or JavaScript/WebSockets and can be used to access SSH servers from behind a firewall or proxy.

Anyterm is one such web-based SSH program. It is written in C++ for the server side and JavaScript for the client side, and uses server-side terminal emulation. It also utilizes long polling for client/server communication. The server-side implementation is a stand-alone daemon which is typically used with a reverse proxy, such as Apache’s mod_proxy. Anyterm is licensed under the terms of the GPL.

Anyterm consists of some JavaScript on a web page, an XMLHttpRequest channel on standard ports back to the server, an HTTP proxy, and the Anyterm daemon. The daemon uses a pseudo-terminal to communicate with a shell or other application, and includes terminal emulation. Key presses are picked up by the JavaScript, which sends them to the daemon. Changes to the emulated screen are sent from the daemon to the JavaScript, which updates its display. SSL can be used to secure the connection, and is recommended.

Web-Based SSH with Anyterm: Installation and Configuration

To install Anyterm in pfSense, navigate to System -> Packages; Anyterm should be at the top or near the top of the list. Press the “plus” button to the right of the listing for Anyterm; on the next screen, click the “Confirm” button to confirm installation. It will take a few minutes for installation to complete, after which there will be a new menu item on the Diagnostics menu (Anyterm).

When you navigate to Diagnostics -> Anyterm, there are two tabs. The first tab, “Settings”, has four options. The first two fields are “Username” and “Password”, in which you can specify the username and password for accessing Anyterm. The third field is “Port”, where you can enter the port that Anyterm will use (default is 8080). The last field is “STunnel Port”, where you can enter the STunnel port if you have an STunnel forward. Press the “Save” button at the bottom of the page to save the settings.

You probably want to set up port forwarding for the Anyterm port so you can use Anyterm from other networks. Navigate to Firewall -> NAT, and press the “plus” button on the bottom right to add a new entry. For “Destination port range”, enter the Anyterm port, and for “Redirect target IP”, type the IP of your pfSense system. For “Redirect target port”, enter the Anyterm port again. At “Description”, add a brief description, and leave “Filter rule association” at the default of “Add associated filter rule”. Press the “Save” button to save the entry. Press “Apply changes” on the next page to apply the changes.


Anyterm in action, used to access the pfSense shell.

You should now be able to use Anyterm to gain shell access to pfSense and thus take full advantage of its web-based SSH capabilities, but you probably want to install STunnel as well so that you have an SSL-encrypted tunnel between you and pfSense. STunnel can be installed from System -> Packages, and installation should only take a minute. Once you install STunnel, it will be an option on the “Services” menu.

Under “STunnel”, there are two tabs: “Tunnels” and “Certificates”. “Listen on IP” and “Listen on port” specify the IP address and port of the listening socket. “Certificate” specifies the certificate to use for the listening socket. “Redirects to IP” and “Redirects to Port” specify the target IP address and port. The “Outgoing source IP” is the IP address to bind to when connecting to the target.

Certificates are managed by requiring the user to provide an RSA key and certificates/chains in PEM format. The Certificates tab lists the configured certificates along with status information, indicating whether each certificate is valid, will expire soon, or has already expired. A check is also performed to make sure the key and certificate match. Once you finish setting up STunnel, remember to go back to the Anyterm “Settings” tab to enter the STunnel forward port.
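The same three conditions the Certificates tab reports (key/certificate match, expired, expiring soon) can be checked with the openssl command line before the PEM files are pasted in. This is an added example, not part of the original article and not how the pfSense package implements its check; the file names, the sample CN and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check of a PEM
# key/certificate pair. File names and the sample CN are hypothetical.

# Exit status of check_pair: 0 = usable, 1 = key/cert mismatch or unreadable,
# 2 = expired, 3 = expires within the warning window (days, default 30).
check_pair() {
    key=$1; cert=$2; days=${3:-30}

    # Both commands emit the public key as PEM SubjectPublicKeyInfo, so the
    # text is identical only when the private key belongs to the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ -z "$cert_pub" ]; then
        echo "ERROR: cannot parse $key or $cert as PEM"; return 1
    fi
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "MISMATCH: $key is not the private key for $cert"; return 1
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED: $(openssl x509 -in "$cert" -noout -enddate)"; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "EXPIRING SOON: $(openssl x509 -in "$cert" -noout -enddate)"; return 3
    fi
    echo "OK: key matches, $(openssl x509 -in "$cert" -noout -enddate)"
}

# Constructed sample input: a throwaway self-signed pair in a private temp dir.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=pfsense.example" \
    -keyout "$tmp/a.key" -out "$tmp/a.crt" 2>/dev/null
check_pair "$tmp/a.key" "$tmp/a.crt" 30
```

Comparing the public keys rather than only the RSA modulus also works for non-RSA keys, and the empty-output guard prevents two unreadable files from being reported as a match.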

By now, you should be able to use web-based SSH to access the shell of your pfSense system from outside your local network by entering your WAN IP address and the Anyterm port. If you installed STunnel, you will have an SSL encryption tunnel, so your web-based SSH session should be relatively secure.

External Links:

The official Anyterm web site

© 2013 David Zientara. All rights reserved.