Show HN: Sshx, a web-based collaborative terminal

I suspect the encryption here is broken due to CTR mode AES with IV reuse. Try printing out the IV in the segment function. It&#x27;s the same value across sessions.<p>Another thing I see is that AES-CTR is being used alone, so there is no integrity guarantee for the messages.<p>I didn&#x27;t have time to look into it any more deeply. The user interface and concept look really nice, but I would strongly recommend a cryptographic audit. In general, you shouldn&#x27;t have to reach for the subtle constructs in a cryptographic library to build product features.

Really fun!<p>I have been experimenting with similar idea myself. I was curious on how you handle instantiating the terminal state for new clients. Seems like you&#x27;re storing a buffer [0] of past output, and replaying that?<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;ekzhang&#x2F;sshx&#x2F;blob&#x2F;91c82d46cde4d1ffa0ae34e2a9a49911e2e53baa&#x2F;crates&#x2F;sshx-server&#x2F;src&#x2F;session.rs#L26">https:&#x2F;&#x2F;github.com&#x2F;ekzhang&#x2F;sshx&#x2F;blob&#x2F;91c82d46cde4d1ffa0ae34e...</a>

Super cool. Our students are using ttdy[0] and tmux for providing shared access to a configured environment, but your solution seems much more flexible :) I&#x27;m going to start experimenting with it for our next courses, thanks!<p>[0] <a href="https:&#x2F;&#x2F;github.com&#x2F;tsl0922&#x2F;ttyd">https:&#x2F;&#x2F;github.com&#x2F;tsl0922&#x2F;ttyd</a>

I’ve been using GoTTY (<a href="https:&#x2F;&#x2F;github.com&#x2F;yudai&#x2F;gotty">https:&#x2F;&#x2F;github.com&#x2F;yudai&#x2F;gotty</a>) to do the same thing, combined with ngrok or Cloudflare tunnels to get a publically accessible URL. To enable multiplayer mode, just need screen&#x2F;tmux.

Web developers live in the web, but we still need to interface with VMs over SSH. Bridging that gap in favor of the developer is genius. The multiplayer aspect, the shell one-liner to bootstrap the whole process, everything about this is great.

Very cool! Would love to see the ability to restrict remote parties, both for read-only viewing and from opening additional terminals.

Extremely cool. Do the terminal emulators support sixel?

Tried it out. This is a fantastic user experience. Great job!

This is one of the coolest things I&#x27;ve seen in a while. I&#x27;m gonna find a way to try this out TODAY.

why don’t those risky “curl | sh” commands at least do some checksum or sig verification?

This is super useful. Thanks for sharing!

Thanks for writing and sharing this!

Why does the sshx.io&#x2F;get URL detect a browser using the Accept-Encoding header and return 404?<p>Generally I don’t have much to say about curl | bash, but going out of your way to hide the script is a bit suspicious.

You can share the same terminal session to multiple ssh connections with gnu screen btw.