
Shellinabox/man: Difference between revisions

From Foxwiki
== EXAMPLES ==
shellinaboxd
Attaches a web-enabled login shell to https://localhost:4200/. If the user connected without SSL, the session will automatically be promoted. Unless SSL certificates can be found in the current directory, the daemon will automatically generate suitable self-signed certificates. If the command was invoked by a non-root user, the daemon uses ssh instead of /bin/login for the session.
shellinaboxd -t
Attaches a web-enabled login shell to http://localhost:4200/ with SSL/TLS support disabled.
shellinaboxd -t -f beep.wav:/dev/null
Runs all services with the audible bell permanently disabled.
shellinaboxd -s /:SSH:example.org
The terminal connects to an ssh session on example.org.
shellinaboxd -t -s /:AUTH:HOME:/bin/bash
Interactively request the user's name and password prior to launching a Bourne shell. This command can be run by unprivileged users, but in that case it only allows this particular user to log in.
shellinaboxd -c certificates -u shellinabox -g shellinabox
If the certificates directory exists and is writable by the shellinabox user and group, self-signed SSL certificates will be generated in this directory. This might require creating an appropriately named user first. Running this command as root allows any user on the system to log in at http://localhost:4200/. Sessions will automatically be promoted to SSL/TLS.
shellinaboxd -t -s /:LOGIN -s /who:nobody:nogroup:/:w
In addition to the login shell at http://localhost:4200, show a list of currently logged in users when accessing http://localhost:4200/who. This command must be run as root in order to be able to change to nobody:nogroup as requested by the service description.
shellinaboxd -t -s '/:root:root:/:wy60 -c /bin/login'
Instead of the standard ANSI/VT100 terminal, publish a Wyse 60™ terminal. Again, this command should be run as root.
shellinaboxd --css white-on-black.css
Loads the white-on-black.css style sheet from the current directory and appends it to the built-in styles.css sheet. This causes the terminal to always render white text on a black background.
shellinaboxd --user-css Normal:+black-on-white.css,Reverse:-white-on-black.css
Allow the user to select whether they want text to be rendered normally or in reverse video. This command line option adds a new entry to the right-click context menu.

Revision as of 21 November 2024, 13:51

NAME

shellinaboxd - publish command line shell through AJAX interface

SYNOPSIS

shellinaboxd [ -b | --background[=pidfile] ] [ -c | --cert=certdir ] [ --cert-fd=fd ] [ --css=filename ] [ --cgi[=portrange] ] [ -d | --debug ] [ -f | --static-file=url:file ] [ -g | --group=gid ] [ -h | --help ] [ --linkify=[none|normal|aggressive] ] [ --localhost-only ] [ --no-beep ] [ -n | --numeric ] [ --pidfile=pidfile ] [ -p | --port=port ] [ -s | --service=service ] [ -t | --disable-ssl ] [ --disable-ssl-menu ] [ -q | --quiet ] [ -u | --user=uid ] [ --user-css=styles ] [ -v | --verbose ] [ --version ]

DESCRIPTION

The shellinaboxd daemon implements a webserver that listens on the specified port. The web server publishes one or more services that will be displayed in a VT100 emulator implemented as an AJAX web application. By default, the port is 4200 and the default service URL is http://localhost:4200/.

If no particular service was requested, the server launches /bin/login querying the user for their username and password. It then starts the user's default login shell.

Any modern JavaScript and CSS enabled browser will be able to access the published service without requiring additional plugins.

CONFIGURATION

There are no configuration files or permanent settings for shellinaboxd.

A small number of run-time configuration options are available from a context menu that becomes available when clicking the right mouse button. These options get persisted in a browser cookie.

Many sites already have a web server running and would like to integrate shellinaboxd into their existing site. This is most commonly done by means of a reverse-proxy entry for the main web server. For Apache this would require adding an option such as:

    <Location /shell>
      ProxyPass http://localhost:4200/
      Order allow,deny
      Allow from all
    </Location>

If you are using a different web server, refer to that server's documentation on how to configure reverse proxy operations.

When using a reverse proxy, the --localhost-only option would normally be enabled as well. In addition, the --disable-ssl might also be considered depending on the exact configuration details of the reverse proxy.

DIAGNOSTICS

The daemon returns a non-zero exit code in case of failure. With the exception of a small number of common error cases that are handled explicitly, most errors result in printing a "Check failed" message. This does not typically indicate a bug in the program but is instead its normal way of reporting errors.

Common failure conditions are reusing a port that is already in use, lack of sufficient privileges to run a service, failure to find SSL/TLS certificates, and failure to write newly generated certificates to the certification directory.

SECURITY

The daemon uses privilege separation techniques to allow it to drop privileges early. It is aware of setuid flags and restricts some operations when launched as a setuid application.

Despite these safety features, a bug could conceivably lead to a determined attacker gaining elevated privileges. It is therefore strongly discouraged to set the setuid flag on the binary.

The expected deployment would be from a system rc script launched by /sbin/init. For extra security, the --group and --user options should be used to change to a dedicated user.
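As an added example (not part of shellinabox), the following POSIX sh function checks a shellinaboxd command line against the advice in the CONFIGURATION and SECURITY sections and the root-service EXAMPLES: --disable-ssl should be paired with --localhost-only, a root-started daemon should carry --user and --group, and a service description whose user field is root publishes a root shell. The --as-root switch belongs to this linter, not to shellinaboxd, and the URL:user:group:cwd:command field order is inferred from the /who:nobody:nogroup:/:w example.

```shell
#!/bin/sh
# Added example (not part of shellinabox): lint a shellinaboxd command line
# against the advice in this man page. Findings go to stdout, one per line;
# the return value is the number of findings (0 = clean).
# Usage: lint_shellinaboxd_args [--as-root] -- <shellinaboxd arguments...>
# --as-root is a switch of this linter (an assumption): it tells the check
# that the daemon will be started by root, as in the rc-script deployment.
lint_shellinaboxd_args() {
    as_root=0
    if [ "$1" = "--as-root" ]; then as_root=1; shift; fi
    [ "$1" = "--" ] && shift

    ssl_disabled=0 localhost_only=0 have_user=0 have_group=0 findings=0 svc=
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|--disable-ssl)   ssl_disabled=1 ;;
            --localhost-only)   localhost_only=1 ;;
            -u|--user)          have_user=1; shift ;;     # value is the next argument
            -u*|--user=*)       have_user=1 ;;
            -g|--group)         have_group=1; shift ;;
            -g*|--group=*)      have_group=1 ;;
            -s|--service)       svc=$2; shift ;;
            -s*)                svc=${1#-s} ;;
            --service=*)        svc=${1#--service=} ;;
            -c|-f|-p)           shift ;;                  # other options that take a value
        esac
        # A service description reads URL:user:group:cwd:command, as in the
        # /who:nobody:nogroup:/:w example; "root" in the user field means the
        # published command itself runs with root privileges.
        if [ -n "$svc" ]; then
            rest=${svc#*:}; svc_user=${rest%%:*}
            if [ "$svc_user" = "root" ]; then
                echo "service '$svc' runs its command as root"
                findings=$((findings + 1))
            fi
            svc=
        fi
        shift
    done
    if [ "$ssl_disabled" -eq 1 ] && [ "$localhost_only" -eq 0 ]; then
        echo "--disable-ssl without --localhost-only: cleartext listener not limited to the local host"
        findings=$((findings + 1))
    fi
    if [ "$as_root" -eq 1 ] && { [ "$have_user" -eq 0 ] || [ "$have_group" -eq 0 ]; }; then
        echo "started as root without both --user and --group: no dedicated account to drop to"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run it on the argument list of an rc script before deploying; a non-zero return means at least one of the man page's recommendations is not met.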

BUGS

Due to browser limitations, some features might not be available to users of all browsers.

Konqueror does not allow for reliable interception of CTRL keys. If you press a key together with the CTRL modifier, it continues performing the browser's predefined behavior for this particular key combination. In most cases, it also fails to report the correct key to the terminal emulator. As a work-around, pressing both the CTRL and the WINDOWS key sometimes works.

Some browsers, most notably IE on Windows, disallow interception of ALT keys and always interpret these keys as menu accelerators. As a work-around, many UNIX applications allow pressing ESC, instead of ALT.

When using non-US keyboard layouts, some browsers do not allow for reliably determining shifted ALT keys. Please report these cases if they turn out to be a problem, as work-arounds might be possible.

Access to the native clipboard is typically not possible. Instead, an internal clipboard accessible from the right-button context menu is used for all but IE.

Some browsers restrict the number of concurrent connections to a server. This restricts how many AJAX terminals can be opened simultaneously. If this becomes a problem, users can typically reconfigure their browsers to raise the limit.

There have been reports of the VLC plugin on Linux/x86_64 crashing Firefox when the browser page gets reloaded. Setting the --no-beep option eliminates all references to VLC and thus appears to work around this crash.