Monday, July 2, 2012

Ajaxterm - Howto: SSH access to your host through an SSL secured Web page

Ajaxterm - Howto: SSH access to your host through an SSL secured Web page


Author's official page:

The Goal:

Ajaxterm will you provide you a way to access with SSH to your server through a Web server page secured with SSL. (recommended)

In a few words, you will be able to access to your SSH session without the need of an SSH client and as if it was any simple web Page :)

What you need:

- An SSH running server
- Opened and / or redirected ports to allow connection from outside to your Web SSH page
- Apache Web server and Openssl
- Optionally a third party server you may use as an SSH gateway to access to your final SSH server (improves security by avoiding direct connection to your real system, see my previous post: http://youresuchageek.blogspot.fr/2012/06/apache-2-reverse-proxy-howoto-protect.html)

Step 1: Install Ajaxterm


Nothing more simple, on Debian based system:
sudo apt-get install install ajaxterm


Step 2: Base configuration

Configuration is really easy, you will find 2 configurations files.

"/etc/default/ajaxterm":

  • Change Web server listening port if needed, by default it will listen to 8022 : 
# Allow to change the default port used by Ajaxterm                                                                                         
#PORT="8022"                                              


  • Change SSH server listening port if needed, if you your SSH server isn't listening to standard port, you have to change it :
# Allow to use a different port than 22 to connect to the ssh server                                                                        
#SERVERPORT="22"                    



"/etc/ajaxterm.conf":

Adapt your Width and Height preferences:


// Sets the terminal width (default: 80)                                                                                                    
width=140;                                                                                                                                  
                                                                                                                                            
// Sets the terminal height (default: 25)                                                                                                   
height=50;   


After installation, Ajaxterm will immediately be available accessing your localhost : http://localhost:8022


Step 3: Apache configuration


You may have or not a third party server running Apache and acting as a reverse proxy.

In both cases (third party or not), configure an apache instance secured by SSL:

If not yet installed and configured, in the example we will use 443 as the standard SSL port but you can change it to whatever you want:

Install Apache 2 on Debian and derived systems:
sudo apt-get install apache2 openssl
Activate required Apache modules:
sudo a2enmod proxy proxy_http proxy_connect ssl
Deactivate defaults http and https sites (we don't need it and don't want it):
sudo a2dissite default
Configure Apache to listen to required ports:
edit "/etc/apache2/ports.conf" as follows:


NameVirtualHost *:443
Listen 443



Create your auto signed certificate to encrypt and secure Web traffic with SSL (use whatever you want when asked by openssl) :

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -out /etc/apache2/server.crt -keyout /etc/apache2/server.key

Configure an "htpassword" file for simple authentication (at least recommended)

generate an .htpasswd file to protect your site by authentication (adapt your username) :
NB:

  • "-c" option will create a new file
  • "-m" option will use MD5 to secure password, by default htpasswd uses DES which will only consider first 8 characters 
sudo htpasswd -c -m /etc/apache2/.htpasswd username



Create your ajaxterm reverse proxy site:
create a new file "/etc/apache2/sites-available/ajaxterm:


NB: 

  • If your are using a third party server, adapt HOSTNAME to match SSH running host or IP
  • If not, change HOSTNAME to localhost
<VirtualHost *:443>                                                                                                                         
  ServerName XXXXXXXXXXXXXX                                                                                                              
  ProxyRequests Off                                                                                                                         
  ProxyVia Off                                                                                                                              
    <Proxy *>                                                                                                                               
     Order deny,allow                                                                                                                       
     Allow from all                                                                                                                         
    </Proxy>                                                                                                                                
  ProxyPass / http://HOSTNAME:8022/                                                                                                        
  ProxyPassReverse / http://HOSTNAME:8022/                                                                                                  
  <Location />                                                                                                                              
    Order allow,deny                                                                                                                        
    Allow from all                                                                                                                          
    AuthName "Access Restricted"                                                                                                            
    AuthType Basic                                                                                                                          
    AuthUserFile "/etc/apache2/.htpasswd"                                                                                                   
    Require valid-user                                                                                                                      
  </Location>                                                                                                                               
  LogLevel info                                                                                                                             
  CustomLog /var/log/apache2/access_ajaxterm.log combined                                                                                   
  ErrorLog /var/log/apache2/error_ajaxterm.log                                                                                              
  SSLEngine on                                                                                                                              
  SSLCertificateFile /etc/apache2/server.crt                                                                                                
  SSLCertificateKeyFile /etc/apache2/server.key                                                                                             
</VirtualHost>                                        




Enable the site:
sudo a2ensite ajaxterm

Restart Apache:
sudo service apache2 restart (or "sudo apachectl restart" if you prefer)

Test your ajaxterm by accessing https://<reverse_proxy_ip>


You're done and should have now access to your with SSH through an SSL secured Web page :)