Success Story: Web based terminal on sheevaplug

[iambvk]

Today I managed to setup web based terminal on my sheevaplug.  It was
an interesting experience, being able to access sheevaplug from
behind firewall from office.  Below is the procedure that worked for
me.

- Install apache webserver and enable proxy_http apache module

Code:

   aptitude install apache2
   a2enmod proxy_http

- Build anytermd on sheevaplug

   Unfortunately anytermd package is not available in debian, so
   you need to build it manually.  It needs build-essential, libboost-dev
   and zlib1g-dev packages.  You need subversion also to checkout
   the sources.

Code:

   aptitude install subversion build-essential
   aptitude install libboost-dev zlib1g-dev

   svn co http://svn.anyterm.org/anyterm/tags/releases/1.1/1.1.29 anyterm

   cd anyterm && make
   mkdir ~/bin && cp ./anytermd ~/bin

- Update rc.local to auto start anytermd

   You need to start anytermd daemon just built on sheevaplug. It doesn't
   come with any init.d scripts. So i decided to start it automatically using
   plain old /etc/rc.local mechanism.  For this, add

Code:

   /root/bin/anytermd -c 'ssh %u@localhost' -p 7777 --auth null --user nobody

   to /etc/rc.local file before any 'exit 0' statement and run it for current boot session.

Code:

    sh /etc/rc.local

- Configure and enable virtual-host in apache

   If your webserver DNS address is 'plug.homelinux.org', create a new
   file with same name in /etc/apache2/sites-available directory.
   Update its contents as shown below:

Code:

   cat /etc/apache2/sites-availabe/plug.homelinux.org
<VirtualHost *:80>
  DocumentRoot /srv/www/plug.homelinux.org/htdocs
  ServerAdmin iambvk@gmail.com
  ServerName plug.homelinux.org

  <Proxy *>
    Order deny,allow
    allow from all
  </Proxy>

  ProxyRequests Off
  SetEnv proxy-chain-auth yes         

  <Location "/term">
    #
    # anytermd is executed as:
    #
    # anytermd -c "/usr/bin/ssh %u@localhost" -p 7777 -u nobody -a null
    #
    ProxyPass http://localhost:7777 ttl=60
    ProxyPassReverse http://localhost:7777

    AuthType Basic
    AuthName "Web Terminal"
    AuthUserFile "/srv/www/plug.homelinux.org/htpasswd"
    require valid-user
  </Location>
  # Logfiles
  LogLevel warn
  ErrorLog  /srv/www/plug.homelinux.org/logs/error.log
  CustomLog /srv/www/plug.homelinux.org/logs/access.log combined
</VirtualHost>

   Note above that website files would be located in
   /srv/www/plug.homelinux.org/htdocs directory and logs go into
   /srv/www/plug.homelinux.org/logs directory.  So create those
   directories and enable the virtual-host:

Code:

   mkdir -p /srv/www/plug.homelinux.org/htdocs
   mkdir -p /srv/www/plug.homelinux.org/logs
   a2ensite plug.homelinux.org

   Also, notice the Location statement in the above configuration,
   which configures apache to redirect all requests to /term
   directory (as http://plug.homelinux.org/term) to
   anytermd executing on port 7777 (started from rc.local).

- Create username and passwords to access the web terminal

   In the above apache virtual-host configuration, notice the
   'AuthUserFile' statement.  It configures apache to ask for username
   and password when accessing the anytermd location ('/term'). These
   username passwords are stored in file,
   /srv/www/plug.homelinux.org/htpasswd.  You need to create this file
   using htpasswd utility:

Code:

   touch /srv/www/plug.homelinux.org/htpasswd
   htpasswd /srv/www/plug.homelinux.org/htpasswd user1
   password

   Note that this password can be different from the login password
   for that user on sheevaplug, but username must match.
   Unfortunately user needs to enter two passwords to get access to
   the terminal, first one for authenticating with apache (as in
   htpasswd) and another for his Linux account login (because
   anytermd is configured to execute 'ssh' command automatically when
   connected).

- Check apache configuration and reload

Code:

   apache2ctl configtest
   invoke-rc.d apache2 restart

- Open your browser and visit http://plug.homelinux.org/term to get
  the web terminal in action.


I just jope everything works out for you, enjoy :-)

[iambvk]

Attached is the screenshot of how it looks:

Unfortunately terminal text is not visible in the screenshot -

[mgillespie]

I use Ajaxterm, it's just as good but a million times easier to setup and configure..

apt-get install ajaxterm

you can then log on remotely.  You need to tweak either apache or lighttpd if you want remote access but the Ajaxterm documentation tells you how to do that.

[CqCn]

This sounds good.  However, before I spend any time or disk space on this,  may I ask what is the advantages of this over ssh with a good graphical ftp/shell web client? (I was think of ssh.com client or even a simple ssh shell such as putty).  You can access the box thru internet without any servers like apache...

[iambvk]

This sounds good.  However, before I spend any time or disk space on this,  may I ask what is the advantages of this over ssh with a good graphical ftp/shell web client? (I was think of ssh.com client or even a simple ssh shell such as putty).  You can access the box thru internet without any servers like apache...

But you cannot access it behind a firewall, right?  This setup i did is to access remote machine when all outgoing ports are blocked except 80

[iambvk]

I use Ajaxterm, it's just as good but a million times easier to setup and configure..

apt-get install ajaxterm

you can then log on remotely.  You need to tweak either apache or lighttpd if you want remote access but the Ajaxterm documentation tells you how to do that.

I didn't know about ajaxterm, i will try it now

[CqCn]

iambvk,

I have accessed it from within firewalls with tunneling.  But I think this was what I call the more common form of firewall, where incoming ports are very restricted, but many outgoing ports are allowed, especially the higher non assigned ones.  Not clear if ssh with tunneling would work if all outgoing ports were blocked.  I wonder if any practical communication to the outside can at all be done if all outgoing ports are blocked; perhaps those types of extreme high temperature fire walls exist ??

[iambvk]

I wonder if any practical communication to the outside can at all be done if all outgoing ports are blocked; perhaps those types of extreme high temperature fire walls exist ??

IMO they are more common than you think.  In the last three work places i stayed (college, first company, and now 2nd company) has IT blocked all outgoing connections (except http and https) for regular users.  I cannot even checkout an outside svn repository from work

This doesn't mean mail server, web server, etc. don't work; as they are maintained by IT department people, they do open open outgoing ports, but only selectively.

[joosty]

Interesting. Wouldn't this have the same result, completely without Apache:

Code:

/root/bin/anytermd -c 'ssh %u@localhost' -p 80 --auth null --user nobody

You'd miss out on the access control of Apache though. Maybe some setup with xinetd is also possible.

[CqCn]

joost,

This sounds intriguing! So what does your setting provide?  What do you use at the remote? Can this be made for secure access?  Most importantly how does one get back to the original setting before your command is executed  --- I have a policy never to do anything unless I know how to undo

It might be useful for many of if you would kindly provide a couple of paragraphs about the how to and the usage of this.

[iambvk]

Interesting. Wouldn't this have the same result, completely without Apache:

Code:

/root/bin/anytermd -c 'ssh %u@localhost' -p 80 --auth null --user nobody

You'd miss out on the access control of Apache though. Maybe some setup with xinetd is also possible.

Yes, anyterm on port 80 would remove complex apache configuration steps. 

I suspect the ssh command (with %u) might not work; as i understood it, anytermd doesn't have in built support for user authentication, so %u would not be resolved to any user name (i tried just now).   Anytermd documentation recommends using apache authentication

Without ssh command, anytermd would give shell access (under nobody user) to anybody who connects to the web server.

[iambvk]

I suspect the ssh command (with %u) might not work; as i understood it, anytermd doesn't have in built support for user authentication, so %u would not be resolved to any user name (i tried just now).

Okay, I just tried this to get the above user name problem solved:

Code:

/root/bin/anytermd -p 80 -c 'echo -n "username: " && read USER && ssh "$USER@localhost"' --user nobody

It worked

Though this works, password is still sent as plain text; we need https support for it, would stunnel help?

[CqCn]

iambvk, Yes, I think stunnel should prevent the clear text problem in this case.  I have not your method yet.

[birdman]

Some other links of interest for the concept of external access into a Plug (albeit not web-based)

• http://www.mtu.net/~engstrom/ssh-proxy.php
• http://catholicpenguin.net/gobe/wiki/index.php/Strict_NTLM_Firewall_Piercing
• http://ntlmaps.sourceforge.net/

Mix and stir as needed.