In association with heise online

By default, Ajaxterm listens for incoming connections on port 8022, but only on localhost. To allow external access, a local web server must act as a (reverse) proxy that forwards requests to Ajaxterm's local port. Communication between the web browser in the cyber café and the server should also be encrypted with SSL to protect the data transferred over the network. Conveniently, the Apache web server provides both SSL and proxy functions.

If Apache2 is not installed yet, the following command will perform the installation:

apt-get install apache2-common apache2

To run as an SSL server, Apache requires a certificate, which can be generated very easily for initial testing with the command apache2-ssl-certificate. However, the lifetime of a certificate generated this way is rather short, so users should later generate a certificate with a longer lifetime. On a new installation, the SSL and proxy modules must then be activated in Apache:

a2enmod ssl
a2enmod proxy


An additional line Listen 443 in the file ports.conf defines the HTTPS port. As a final step, Apache needs a configuration file for the virtual server listening on port 443. The easiest way is to copy the file for the server listening on port 80 and modify it accordingly:

cd /etc/apache2/sites-available/
cp default ssl

Then, port number 443 is added to the file ssl to configure the new virtual server:

NameVirtualHost *:443
<VirtualHost *:443>

Basically, any other port can be used for HTTPS, but the port selected here must be the same as the one entered in ports.conf.

Then, the following lines must be added in ssl:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
ProxyRequests Off
<Proxy *>
Order Deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8022/
ProxyPassReverse / http://localhost:8022/

The command a2ensite ssl now enables the SSL configuration. The Ajaxterm web site also provides practical configuration guidance. If the SSL server is already used to deliver existing pages, the proxy should be mapped to the path /ajaxterm/ instead of the web server's root directory:

ProxyPass /ajaxterm/ http://localhost:8022/
ProxyPassReverse /ajaxterm/ http://localhost:8022/

Existing pages can then still be served via SSL as before, while ajaxterm/ must be appended to the URL to reach the SSH terminal: https://www.example.com/ajaxterm/ (the closing slash must not be forgotten).

The server must be restarted to pick up the new configuration: /etc/init.d/apache2 restart. When the server is opened in the browser via HTTPS, Ajaxterm appears in the window, and the user name and either the static password or the one-time password can be entered. For practical reasons, it may make sense to allow static passwords to be entered from trusted computers. In that case, the password should be hard to guess and long enough to hamper brute-force attacks. Password security is especially important if additional user accounts exist on the system. Users who prefer to enter the OTP simply press Enter when a password is requested.
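As an added check (this script is not from the article or from the Ajaxterm project), the following POSIX shell function lints a vhost file of the kind built above before a2ensite and the restart. It tests the three points the text stresses: the VirtualHost port must also appear as a Listen line in ports.conf, SSLEngine must be On, and every ProxyPass/ProxyPassReverse path and URL must end in a slash. The ports.conf and the two vhost files are constructed inline in a temporary directory; the real locations (/etc/apache2/ports.conf and /etc/apache2/sites-available/ssl) are assumed from the text.

```shell
#!/bin/sh
# Added example, not from the article: lint an Apache SSL reverse-proxy vhost
# for Ajaxterm before enabling it. Exit status 0 means all checks passed.
# Sample files are constructed in a temp dir; the real paths are assumptions
# (/etc/apache2/ports.conf and /etc/apache2/sites-available/ssl).

lint_vhost() {
    vhost="$1"
    ports="$2"
    errors=0

    # Port of the first <VirtualHost *:NNN> block in the vhost file.
    port=$(sed -n 's/^[[:space:]]*<VirtualHost \*:\([0-9][0-9]*\)>.*/\1/p' "$vhost" | head -n 1)
    if [ -z "$port" ]; then
        echo "ERROR: no <VirtualHost *:PORT> block in $vhost"
        errors=$((errors + 1))
    elif ! grep -iqE "^[[:space:]]*Listen[[:space:]]+$port([[:space:]]|$)" "$ports"; then
        # Apache only binds the port if ports.conf has a matching Listen line.
        echo "ERROR: port $port is not listed as 'Listen $port' in $ports"
        errors=$((errors + 1))
    fi

    # Without SSLEngine On the proxy would hand the terminal session over in plain HTTP.
    if ! grep -iqE "^[[:space:]]*SSLEngine[[:space:]]+on([[:space:]]|$)" "$vhost"; then
        echo "ERROR: SSLEngine is not switched on in $vhost"
        errors=$((errors + 1))
    fi

    # ProxyPass / ProxyPassReverse need the closing slash on both path and URL;
    # otherwise the relative links Ajaxterm emits resolve to the wrong place.
    bad_proxy=$(awk 'tolower($1) ~ /^proxypass(reverse)?$/ && ($2 !~ /\/$/ || $3 !~ /\/$/) { print "  " $0 }' "$vhost")
    if [ -n "$bad_proxy" ]; then
        echo "ERROR: ProxyPass lines without closing slash in $vhost:"
        echo "$bad_proxy"
        errors=$((errors + 1))
    fi

    [ "$errors" -eq 0 ]
}

# Constructed sample files for the demo; removed again when the shell exits.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/ports.conf" <<'EOF'
Listen 80
Listen 443
EOF

# A vhost as described in the text: SSL on, proxy mapped to /ajaxterm/.
cat > "$demo/ssl-good" <<'EOF'
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    ProxyRequests Off
    <Proxy *>
        Order Deny,allow
        Allow from all
    </Proxy>
    ProxyPass /ajaxterm/ http://localhost:8022/
    ProxyPassReverse /ajaxterm/ http://localhost:8022/
</VirtualHost>
EOF

# Same setup with the three typical mistakes: unlisted port, no SSLEngine, missing slashes.
cat > "$demo/ssl-bad" <<'EOF'
<VirtualHost *:8443>
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    ProxyPass /ajaxterm http://localhost:8022
    ProxyPassReverse /ajaxterm http://localhost:8022
</VirtualHost>
EOF

lint_vhost "$demo/ssl-good" "$demo/ports.conf" && echo "ssl-good: OK"
lint_vhost "$demo/ssl-bad" "$demo/ports.conf" || echo "ssl-bad: rejected"
```

On a real system, call lint_vhost /etc/apache2/sites-available/ssl /etc/apache2/ports.conf before a2ensite ssl; the checks are deliberately simple line matches, so they complement rather than replace apache2ctl configtest, which only verifies syntax and does not notice a missing closing slash.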

[Figure: SSH shell. An SSH shell in the browser offers access to your home server without an SSH client.]

Pitfalls

While working in the shell on the home server, users must be careful not to execute any commands that request root rights. In our sample configuration, this would require entering the password of the first user set up under Ubuntu. If a static password is allowed in addition to OTP log-in, a keylogger would capture this password and could then log in, even though an OTP was used. One solution is to allow normal log-ins only locally; the log-in password would then not work if a log-in is attempted over the network.

A simpler way is to comment out the line auth sufficient pam_unix.so in /etc/pam.d/ssh so that only log-in with one-time passwords is allowed. Alternatively, sudo could be reconfigured to authenticate via one-time passwords.

When connected to the server, users are advised not to simply click away the warning about the self-signed SSL certificate. At the very least, the certificate's fingerprint (checksum) should be checked to detect a man-in-the-middle attack in progress. However, Trojans exist that read data traffic before it is encrypted by the network stack or after it has been decrypted. Each user must individually assess the severity of these risks.

We also want to mention a rather bad habit of Ajaxterm: as soon as it is opened in the browser, it floods the Apache access.log file and fills up the hard disk accordingly. One remedy is to switch off logging; this might, however, prevent users from detecting attacks on the server. (dab)
