WarnHack Terminal
Secure browser-based SSH access with zero-trust architecture
Access your Linux servers from any browser — no SSH client needed. Three connection modes, mTLS agent authentication, HMAC command signing, and real-time session management.
user@prod-server-01:~$ uptime
14:32:07 up 47 days, 3:21, 1 user, load average: 0.12, 0.08, 0.05
user@prod-server-01:~$ df -h /
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 80G 32G 45G 42% /
user@prod-server-01:~$ ▌
Three Ways to Connect
Choose the connection mode that fits your use case. Automatic fallback ensures you're always connected.
- Cloud mode. Path: Browser → Backend Gateway → Server Agent → PTY. Best for: remote access from anywhere, no local setup.
- Local mode. Path: Browser → Local Agent → SSH → Target Server. Best for: low-latency access from your own machine.
- Direct mode. Path: Local Agent → TLS → Server Agent → PTY. Best for: lowest latency, peer-to-peer with cloud fallback.
Everything for Server Access
- Real-time keystroke streaming over WebSocket (binary, low latency)
- Terminal resize support (dynamic cols/rows)
- Works on Chrome, Firefox, Safari, Edge
- SSH private key and password authentication
- Agent-managed servers (no SSH credentials needed)
- SSH host key verification using TOFU
- Host key reset for legitimate server re-keys
- Organization-scoped server & agent management
- RBAC — admin, member, viewer roles
- Invite team members by email with role assignment
- Granular permission levels per shared server
- Time-limited access with optional expiry
- Revoke access instantly
- Session history with duration tracking
- Remote session revocation (within 30 seconds)
- Orphaned session cleanup after 4 hours
- Filterable by action type and date range
- Activity summary dashboard
- Paginated log viewer
Deploy Anywhere
Server agents, local agents, and a native desktop app — every way to connect is covered.
- One-click installation via install token
- Status monitoring (online/offline, last heartbeat)
- Real-time metrics: CPU, memory, disk, load, processes
- Agent revocation & token rotation
- Cross-platform (macOS, Linux, Windows)
- One-click enrollment via token
- Direct mode for lowest-latency connections
- Background session revocation polling (30s)
- Automatic version compatibility checks
- Tauri-based (Rust shell + web frontend)
- Native performance with web UI
- Same feature set as browser version
- Cross-platform support
Built for Everyone on Your Team
For Developers
- Access From Anywhere: No SSH client needed — just a browser
- Three Connection Modes: Cloud, Local, or Direct — auto-fallback
- Share Access Securely: Time-limited, granular, instantly revocable
- Full Audit Trail: Know who accessed what and when
- Real-Time Monitoring: CPU, memory, disk, processes — live
- Desktop App: Native performance with Tauri
For Security Teams
- Zero-Trust Architecture: Every connection authenticated at every step
- mTLS Agent Auth: Cryptographic identity binding
- HMAC Command Signing: Integrity verification for all commands
- One-Time Tokens: No replay attacks — ever
- 30s Heartbeat Checks: Continuous access validation
- AES-256-GCM + TLS: Encrypted at rest and in transit
Six Layers of Security
Zero-trust from end to end. Every connection, every command, every session — authenticated and verified.
- JWT access tokens (15 min) + refresh tokens (7 days)
- HTTP-only, secure, sameSite=lax refresh cookies (XSS-proof)
- Token version invalidation on password change
- Refresh token rotation on every use
- MFA support (TOTP) — Google Authenticator, Authy
- Rate limiting: 5 attempts per 15 min per IP
- One-time session tokens (Redis-backed, replay-proof)
- Tokens via Authorization header (never URL params)
- Heartbeat access checks every 30 seconds
- Orphaned session cleanup after 4 hours
- Real-time session revocation via Redis pub/sub
- Mutual TLS for all agent-to-backend communication
- Cryptographic binding: agentId ↔ orgId ↔ certFingerprint
- Configurable agent token expiry (default 8h)
- Agent revocation with immediate effect
- Bearer token auth via Authorization header only
- TLS-only connections (no plaintext)
- Mutual auth: cert fingerprint + one-time JWT verification
- Pre-authorization required via backend DIRECT_OFFER
- One-time token (30s expiry, replay-rejected)
- Max 5 pending handshakes (DoS protection)
- 5s handshake timeout, 5-min idle timeout
- HMAC-SHA256 command signing on all agent-bound frames
- Per-agent signing keys via PBKDF2 (50k iterations)
- Derived keys cached in bounded LRU (max 1000)
- AES-256-GCM for keys at rest
- mTLS for agent communications
- HTTPS/WSS for all browser-to-backend traffic
- CORS restricted to explicit origin allowlist
- No secrets in URLs, no stack traces in production
SSH Host Key Verification
Trust On First Use (TOFU) model — SHA-256 fingerprint stored on first connection. Mismatch on subsequent connects triggers a “possible MITM” warning and rejects the connection.
- SHA-256 fingerprint on first connect
- Mismatch = rejected + MITM warning
- Admin can reset after legitimate re-key
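The TOFU check described here, as an added Go example rather than the product's own code: the store pins the SHA-256 fingerprint on first connect, rejects a later mismatch with the "possible MITM" error, and lets an admin reset the pin after a legitimate re-key. The store type, server ids and host-key bytes are constructed stand-ins for the product's database and real key blobs.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"sync"
)

// ErrHostKeyMismatch is the "possible MITM" outcome: a known server presented a
// different key, so the connection is rejected rather than silently re-pinned.
var ErrHostKeyMismatch = errors.New("host key mismatch: possible MITM, connection rejected")

// Fingerprint renders a host key in the SHA256:<unpadded base64> form SSH clients show.
// hostKey should be the server's public key blob; the test passes constructed bytes.
func Fingerprint(hostKey []byte) string {
	sum := sha256.Sum256(hostKey)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// TOFUStore keeps the first-seen fingerprint per server; the map is a constructed stand-in for the product's database.
type TOFUStore struct {
	mu    sync.Mutex
	known map[string]string // serverID -> pinned fingerprint
}

func NewTOFUStore() *TOFUStore { return &TOFUStore{known: map[string]string{}} }

// Verify applies trust-on-first-use: an unknown server is pinned (firstUse=true), a
// known server with the same key is accepted, and a different key is rejected.
func (s *TOFUStore) Verify(serverID string, hostKey []byte) (firstUse bool, err error) {
	fp := Fingerprint(hostKey)
	s.mu.Lock()
	defer s.mu.Unlock()
	pinned, ok := s.known[serverID]
	if !ok {
		s.known[serverID] = fp
		return true, nil
	}
	if pinned != fp {
		return false, ErrHostKeyMismatch
	}
	return false, nil
}

// Reset drops the pin after an admin confirms a legitimate re-key; the next connection to that server pins the new key.
func (s *TOFUStore) Reset(serverID string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.known, serverID)
}
```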
Complete Audit Trail
Every action is logged. Direct mode sessions report metrics every 60 seconds. Sessions marked audit-incomplete if no report within 5 minutes.
- All session creation logged server-side
- Bytes, duration, status reported every 60s
- IP, action type, timestamps, metadata captured
- Audit-incomplete flagging for missing reports
What's Coming Next
- Full TOTP MFA (QR setup, backup codes): backend toggle exists, full flow pending
- Mandatory MFA enforcement for sessions: requires full TOTP implementation
- Host key reset UI button: backend endpoint exists, frontend wiring needed
- Local agent version compatibility check: backend should reject outdated agents
- Automated protocol doc sync: ensure docs/code/Go constants stay in sync
Access Your Servers Securely
No SSH client. No VPN. Just open your browser and connect — with enterprise-grade zero-trust security built in.