Skip to content

v0.6.4-remote-ssh-access

Latest
Latest

Choose a tag to compare

View all tags
@Bajusz15 Bajusz15 released this 27 Apr 20:24
· 2 commits to main since this release
v0.6.4-remote-ssh-access
53aae25
This commit was signed with the committer’s verified signature.
Bajusz15 MΓ‘tΓ© Bajusz
SSH Key Fingerprint: Ji/8WAqmm7Hdf4gA0+uzGoCkcBt0qoU8jSiCDmhSvic
Verified
Learn about vigilant mode.

πŸš€ Beacon Release β€” Remote Terminal & Command Rename

This release adds remote terminal to Beacon β€” open a shell on any device from your browser, through BeaconInfra. No SSH port, no VPN, no port forwarding. Also renames beacon master to beacon start.

✨ Highlights

πŸ–₯️ Remote Terminal

Open a PTY shell session on your device directly from the BeaconInfra dashboard. Traffic relays through BeaconInfra's WebSocket hub β€” no SSH daemon, no port 22, no inbound connections needed.

How it works:

  1. Click "Open Terminal" on a device in the dashboard (Remote Access tab or the Remote Access page)
  2. BeaconInfra creates a session and sends a terminal_open piggyback command to the device
  3. The Beacon agent picks it up on the next heartbeat, dials back to the cloud via WebSocket, and spawns a local shell
  4. Browser ↔ Cloud Hub ↔ Agent PTY β€” bidirectional relay, binary-safe

Security:

  • One-time btt_ tokens per session β€” SHA-256 hashed, only the hash stored server-side
  • Sessions auto-expire after 15 minutes (max duration) or 5 minutes idle
  • Shell restricted to an allow-list (/bin/bash, /bin/zsh, /bin/sh, /bin/ash, /bin/dash, /usr/bin/bash, /usr/bin/zsh, /usr/bin/fish)
  • The agent runs the shell as its own OS user β€” no privilege escalation
  • A stale session reaper runs every 60s to clean up abandoned sessions

⌨️ beacon start (was beacon master)

The command to start the agent is now beacon start. More intuitive, less jargon. beacon master still works as an alias for backward compatibility β€” existing scripts and systemd units are unaffected.

πŸš€ Deploy from beaconinfra dashboard

The device detail page now has a prominent "Deploy" button that opens a dialog where you can enter a project name. Triggers the same deploy flow as a new tag detection.

πŸ› οΈ What's included

  • Remote terminal: terminal_open piggyback command, agent-side PTY spawner, cloud WebSocket relay hub
  • Browser terminal UI (xterm.js) with resize support and session status feedback
  • Terminal session API: POST /api/terminal/sessions, GET .../sessions/:id, POST .../sessions/:id/terminate
  • Browser and agent WebSocket endpoints with JWT and btt_ token auth
  • Shell allow-list (gosec G702 fix) β€” rejects arbitrary $SHELL values
  • Stale session reaper with ExpireStale storage method
  • Structured logging (zerolog) for all terminal events: session create, browser connect, agent connect, relay start, close
  • beacon master β†’ beacon start rename across both repos (agent + cloud), master kept as Cobra alias
  • Deploy dialog on device detail page with project name input
  • Terminal accessible from Remote Access page (device dropdown) and device detail Remote Access tab

πŸ“‹ What's next

  • Agent binary rebuild required β€” devices must run this version for terminal to work. Older agents silently ignore the terminal_open command.
  • Terminal sessions are single-user, single-device for now. Multi-tab and session sharing are future work.
  • The deploy dialog currently triggers a device-level deploy. Project-targeted deploy via piggyback commands is planned.

Full Changelog: v0.6.3-remote-ssh...v0.6.4-remote-ssh-access

Assets 8
Loading