http-console - a vt102 terminal emulator that displays to a browser

Once installed, this program makes it possible to run a shell on a remote webserver using only a webbrowser for the terminal client. It does not require any browser plugins to work, only JavaScript on the webbrowser.

Screenshot of a vim session

• This has been tested/used in firefox and Konqueror. (Debian Sarge requires a recent version of konqueror with the fix for bug Bug#292765.)
• I have not tried this in Netscape.
• I do not expect this will work in I.E. As I do not have access to Windows I will not be able to make it work in I.E. The only file that should need changing to support I.E. is console.html

To Install

• Get the source:
  $ cvs -d :pserver:anonymous@cvs.sourceforge.net:/cvsroot/http-console co src
• Build it:
  $ make
• Install it:
  console.html and update.php must be available to a browser. start.sh and http_console must also be available.
  The easiest way to install this is just to copy all four files into your webroot or a subdirectory
  You will need to modify the -u tim option to http_console in start.sh to be a valid user on your system (or remove it completely in which case you will get a shell as the webserver user)
• Run it:
  Just browse to console.html

How it all works

console.html makes a POST XMLHttpRequest to update.php. It supplies the console number and any outstanding keypresses as POST vars.
update.php first checks to see if /tmp/input${consolenumber}.fifo and /tmp/output${consolenumber}.fifo exist. If they both don't exist then it runs start.sh to start up http_console for these fifos.
update.php then sends any keypresses to the http_console task via /tmp/input${consolenumber}.fifo and finally reads an html "screen" from /tmp/output${consolenumber}.fifo which it returns to the browser.
console.html then replaces the <div> Screen section with the HTML.

Options to http_console

• to set the screen size: -g 100x30 (default 80x25 - min 80 cols, 25 rows)
• to set the input fifo name: -i fifo_name (default input.fifo)
• to set the output fifo name: -o fifo_name (default output.fifo)
• to set the path to the fifos: -r path (default /tmp)
• to set the user to authenticate as (su): -u user (default is to run bash immediately)

In addition start.sh should be available in the same directory if you want html_console to be started automatically with the correct input and output fifos when console.html is run.

If you want to change the path to the fifos you will have to update update.php and start.sh.

IMPORTANT - SECURITY ISSUES

To have even modest security you must put these files in a web directory that requires authentication and trust everybody you give the username/password to.

There is currently no way to isolate sessions. Anybody with access to the console.html/update.php pages will be able to access any fifos in /tmp and can read/monitor any other session being run.

Some isolation can be achieved by having separate directories and separate -r <path> options to http_console.

I have not found a suitable method to enable a secure system. The best I can think of is to have http_console start an ssh session to another machine rather than an su/bash session on the webserver. (This would require a small code change to http_console.c) Provided nobody has access to the webserver then it should then be possible to use a unique, non-guessable, console id. But if anyone can do even an ls /tmp then this will not work.

$Id: index.html,v 1.10 2005/04/24 21:01:21 locofungus Exp $