I don't know that this really rises to the level of a "killer" app. Serious ssh users are, of course, already quite happy with their terminal emulators and use platforms that support them natively. I find it very hard to believe (though I'm willing to be surprised) a chrome extension is going to present me with the performance, platform integration, or keyboard navigability I get and demand from gnome-terminal. I'd probably be happy using it from friends machines, etc...
What this will do, however, is hopefully end for good the mess of "How do I expose a command line application to my windows-using friends such that they aren't confused and won't hate me.". And there's a whole lot of value to that.
Why are we happy? We are not. Terminal emulation needs to die, but as you point out, there is no reasonable substitute yet. I have enjoyed toying with interesting experiments like the MPW shell, and I support every attempt to replace or kill the ridiculous anachronism that is termcap. It's like we're the SCA and unix is our ren fest.
I'm not sure that I disagree: the terminal implementation in modern unix is a terrible mess. But the terminal metaphor (a command line being fed by a keyboard and displaying to a scrolling window of text) is nearly perfect, and won't by dying any time soon. And ssh is fundamentally just a data pipe for that metaphor anyway.
The terminal metaphor isn't so great either; in fact I think it's miserable, compared to the workbook-type approach provided by something like Mathematica from 15 years ago (last time I worked somewhere that could afford it) I find it depressing that all command line interfaces aren't like that.
Also, in-band signalling, escape characters, magic select() timing loops to distinguish from "real" input, hackarounds for the fact that the original terminal was a separate computer and had local and remote modes and some keys never sent anything... is that metaphor REALLY still relevant?
Your second paragraph is confusing what I was trying to distinguish as "implementation" from "metaphor". Yes, I agree all that is a mess (though good luck trying to fix it -- won't ever happen). But it's a tolerable mess, because it enables the command line.
And your first point is just verifiably wrong. If there were truly better workflow metaphors for software development, you'd think at least some of the best hackers would have discovered it and moved to it at some point in the last four (!) decades. Instead, all of the most productive developers in our subculture (almost quite literally every single one of them) work at a command line. They haven't moved elsewhere, because it won't happen, because your thesis is simply incorrect: no better metaphors have been discovered.
I've never used Mathematica and can't find any good comprehensive explanations of the workbook paradigm. From the little I have found, it's basically a text editor interface where you can execute previously typed commands by hitting a shortcut and the output is appended below the command, while still retaining the ability to move all over the page, right?
So those controls in the last link can be displayed in the workbook as views on command output? I've been toying with a similar idea for a while now - wasn't aware that there were already implementations of it. I think we're going to witness/participate in a paradigm change in the near future.
I was talking to someone recently who likened it to a shifting pendulum. For a while, he told me, terminal control languages were sufficiently complex that you could send a program to run _on the terminal_, and then things shifted back to running things where you store them on the server.
Now there's HTML5 and javascript, the world's most complicated terminal control language.
> Why are we happy? We are not. Terminal emulation needs to die
Yes, but the proposed replacement for UNIX consoles is a Google web browser that requires you log into Google in order to use it?? I don't think so....
this is insanely awesome. as it stands right now, yes its "just ssh". But open up the developer toolbar and you'll notice this thing is rendering HTML inside of webkit. It doesn't take a genius to see this is a few baby steps from making it possible to render arbitrary graphics in the shell. edit: I might go out on a limb here and say this project is something that is going to be looked at as a real inflection point a few years from now.
Uh, kinda. "Browser applications" is a bit misleading though. Imagine starting a Clojure REPL and having it graph things right there as you hack. Or having iconography or image previews when you run ls. Or being able to see mathematical notation while you're inside of BC. Or having a commandline interface to Wolfram|Alpha output.
The TermKit reply in this thread should be sufficient to see why this will be very cool.
People already write these kinds of applications today [0], they just don't run in a terminal. I could ask what benefit there is to expanding a terminal's capabilities so they can run there, but then we would just end up rehashing the arguments from http://news.ycombinator.com/item?id=2559734
Ah yes, I was trying to remember what the name of that project was. Seriously, with a few tweaks this will allow you to write console apps that can check termcaps to decide if they should be writing out HTML. From there, you can imagine building a "websh" that does the right thing to enable all of those TermKit ideas.
Shameless self plug: https://github.com/hoeck/schirm. It does exactly that, rendering arbitary html (inside iframes) between lines of a vt100 compatible terminal emulator, using escape-sequences to denote document data and images. Works quite well as a proof of concept. What annoys me so far is that its relatively slow (running find on a large dir may take ~20 times longer than on gnome-terminal) and the headaches around (automatically) resizing iframes.
The app opts-in to a strict Content Security Policy <http://www.w3.org/TR/CSP/>, which disallows 'eval' entirely. It also severely restricts where and how JS can be loaded with the script tag, setTimeout/setInterval, and event attrbites. It's essentially intended to make sure that only the JS that shipped with the extension can be executed.
There may be undiscovered exploits, of course, but CSP severely reduces the chances.
Any input receivable by OpenSSH, regardless of whether it is valid user input or malicious input being delivered by a cross-domain attacker, mustn't result in exploit. If so, it's a bug in OpenSSH, not the fault of the developer who integrating the existing OpenSSH code into a new environment.
Unless, of course, the developer integrating the existing OpenSSH code did so in a way that's not the formal OpenSSH interface. Like if he had to do some kind of dirty hack. But he shouldn't have to for this project.
I don't see how the OpenSSH code is expected to automagically insure that keystrokes sent from Google Chrome came from intentional user generated actions.
Any XSS type vulnerabilities in this are likely the result of issues with the extension itself rather than OpenSSH, IMO.
I opened chrome to check this out, but it wants me to "sign in" to install the extension. For me this is a bridge too far: I don't care to tell google about every single extension/application (extensplication?) I'm using.
Like many people, I'm trying to step back from google/facebook snooping, and this would be a solid step toward such big brothering. I suppose next they'll see what email providers I use and whom I correspond with with mutt or whom I chat with on other services with finch etc.. Why expand google's data-gathering "attack surface"? And all this for... (?) what does this offer that sets it above my current terminal client?
Someone please tell me if there is any technical reason I should need to sign in to add an extension (in particular this, or some game).
>For me this is a bridge too far: I don't care to tell google about every single extension/application (extensplication?) I'm using.
Oh for pete's sake...
Is there anything to this " I suppose next they'll see what email providers I use and whom I correspond with with mutt or whom I chat with on other services with finch etc.. Why expand google's data-gathering "attack surface"?
Or is it further chicken-little, slippery slope conjecture with no basis in reality? Keep in mind that you're connecting to their web store to download this, even sans login. That means they have your IP, and a metric ton of identifying information about you via your browser fingerprint (ala Panopticlick). Complaining about signing in just seems rather silly. Oh noes! They know that you downloaded an extension!
You'll have to forgive me for being blunt. This particular absurd line of thought is starting to seriously become an annoyance - even the chans have latched onto it. Correcting people who have the wrong idea is getting old.
Well frankly I think my "they might read my chat in finch" is a stretch, but no, I don't think that assuming google's goal is to stretch their tentacular roots as deeply as possible into the fertile, loamy soil of my private information is "slippery slope conjecture with no basis in reality." To the contrary, as you probably know, gathering personal information on users is the primary purpose of all of google's unpaid products and the heart of their business model. Would you dispute this fact?
So they are a targeted-ad company whose value is to a great extent commensurate with the amount of information they have on users (another uncontroversial statement, I hope). More info = more value, and you think it's "conjecture" to speculate that they might push further and further into your experience on their platform?
This is the crux of it for me: I've been installing desktop applications and browser extensions for years, and I've never needed to tell an advertiser and the biggest tracker / data snooper on the 'net what my email address. Now all the sudden I do, and there's no (clear) method to opt out, and I'm OK with this because why? I'm willing to trade my data for services when the services are valuable (I use gmail & facebook), but this looks like "give us more info, just cuz" with no value prop. Sure you can sync but I don't want to and there's no reason you should be forced to sign in; that is 100% about data gathering (otherwise there'd be a "forgo sync" option).
IP address and browser fingerprint is not the same as "link everything explicitly to my google account," by the way.
Have you noticed that this keeps happening on different forums? It seems to be an effect of a population threshold being reached and (possibly) the time the forum has existed (separate from the population size - how comfortable the members are and, therefore, how loose they are with their words).
You need to be signed in so that the extensions/apps/games can be properly synced to your other Chrome installations. The philosophy of ChromeOS seems to be for absolutely everything to get synced from the cloud. The login can't be optional since it'd be an incredibly shitty UX to have apps installed from the store sometimes sync to your new machine and sometimes not.
> The login can't be optional since it'd be an incredibly shitty UX
The login can be optional if Google chooses to make it so. If I don't want to log in and therefore endure a shitty UX, let me have that shitty UX, thank you very much! It's not like I need all the same apps in all my devices anyway. For example, I might not need this SSH app in a device that can run a proper OpenSSH client.
And that's exactly the problem that some of us have with the /Chrome(OS)?/ philosophy. It's either their way or highway, with no options in between. (That's not necessarily bad for everyone, though. There are alternatives like Firefox for those who don't like Chrome.)
You misunderstand. I am pointing out that if you are consciously giving Google potential access to your bank account, it's odd to be concerned about Google having other information that is far less sensitive. It's like worrying about your white carpet because the robber holding a gun to your head has muddy boots.
Using recovery links emailed to users to access their bank accounts and gather information would open up Google to all sorts of legal trouble even if they do nothing but look. As class-action lawsuits are generally not very good for business, I consider this much less of a concern than legal methods of gathering information, even when the potential information gained from the legal methods is less sensitive.
this doesn't answer your question, but you can always download the crx file and sideload it without signing in (you can also clone it from the chromium repo, but then you'd also have to build the nacl part).
Kind of a pain, but if someone does want to try it out badly enough...
> Like many people, I'm trying to step back from google/facebook snooping, and this would be a solid step toward such big brothering.
Google seems to be working on this. If you've ever seen someone without a Google account try to use Android for the first time you can see how much effort they are putting into stopping people from using their products.
I've never used an iPhone. At the time, I was comparing the experience with setting up my DSi. It lets you download things without making an account or having a credit card.* In fact, before downloading Angry Birds for Chrome I had never needed to sign up to download anything. (You also need to be online and signed in to play the game.)
*The DSi Shop is a big pile of fail, but that is unrelated.
Cool, and I see what you're saying, but there's a specific reason that these things are set up the way that they are.
It's about ensuring that the same experience exists whether you're spending money or not. The reasoning goes, if it's painful to spend money the first time, many people will never set things up if they can get away with free stuff. But if you're required to have an account with a credit card already set up to even get a free thing, then you're more likely to spend money when the time comes. This is also why installing a free app on your iPhone requires you to enter your password and confirm your purchase.
Google's implementation of this is worse than Apple's, because they don't demand your credit card information until the first time you try to purchase something. But ultimately, they're both driving at the same thing, and it's hard to argue with the fact that they're pretty successful at it.
As for your DSi, I hope you never lose or damage it. The lack of accounts for the store means that your purchases are bound to the device and are non-transferrable.
>Google seems to be working on this. If you've ever seen someone without a Google account try to use Android for the first time you can see how much effort they are putting into stopping people from using their products.
You press the "skip" button and then don't try to launch Gmail or Google Play or anything else that understandably needs a Google account.
What is so... appalling about that. There is no effort to "stop people" from using an Android phone without Google. Further it's a pretty silly attack on Google given their competitors and the fact that you bought... a Google Android phone...
(edit: speaking about the Nexus line of phones which I would tend to argue best reflects Google's "effort".)
To those saying "who cares" consider that you may wish to use this extension on a computer where you don't feel comfortable issuing your Google login credentials.
I don't think you need to issue your Google login credentials to _use_ the extension, only to install it. Further, if you're on a computer where you don't feel comfortable using your Google login, why would you feel comfortable using ssh (via this extension) on the same said computer?
Can someone please explain to me why I would possibly want to run a terminal emulator inside of my web browser, instead of just using the terminal emulator app that my system ships with?
the complete list of software i use day-to-day consists of a web browser and a terminal emulator. if i switched over to this, that list goes down to just a browser.
maybe some people don't care, but i think it's pretty cool.
I don't like the idea of using a single app for everything. I have tons and tons of (personal) reasons, but the most obvious and un-solvable reason is: I can switch between terminal emulator and web browser with Command+Tab. If they were both the same thing, I couldn't do it and I would be very disturbed and confused. The same reason I don't use GMail web app and use Mail.app instead, or Reeder.app or iCal.app or iTunes.app.
On Windows and *nix--well Ubuntu at least--you can drag a browser tab into a new window and then Alt-Tab between them. Is there no equivalent on a Mac?
Yes. It's Cmd-` (~ without holding down shift. and it works in all apps, not just browsers). But there are more benefits to a native app than a browser tab (for me at least): http://news.ycombinator.com/item?id=3912689
Of course. But I usually have a few open browser windows (each containing 5-10 related tabs). If Gmail was also a window, I would have to press Cmd-` (Mac's shortcut for switching between different windows of a single app) multiple times.
But to be honest that's not how I actually do my stuff. I use QuickSilver[1] and when I want to go to Mail.app, I just press Cmd-Space, then 'M' or 'Ma' (because Mail.app begins with M) and press return. It takes less than 0.4 seconds (QS is wicked fast) and is much more convenient than a tab in my browser. Not to mention that a native app is usually way faster and more responsive (I have a ridiculously slow internet connection).
If the complete list of software you use is a web browser and a terminal emulator, what do you do in the terminal emulator? Run a text-based web browser and/or other terminal emulators?
sorry, i mean software installed on my computers. i use many different software packages installed on remote servers, but i don't need or want any of that stuff running on my computers.
THANK YOU. I seriously do not get this app. Yes, they may have done a great job, but i don't get why i would want to use it. I can't use it on someone else's desktop because i'd have to install crap in their Chrome. I wouldn't use it on my desktop because I've already got a good terminal app that I've tweaked to be just the way I like it.
Nevermind "killer" app... why is there ANY need for this?
Nope, it runs fine on my Cr-48. In fact, as of Chrome OS 20, the native xterm seems to have been replaced with the version from this extension, running in its own tab.
As a followup, my terminal windows are rarely the same size as my browser windows. I don't like resizing my browser windows in general because the browser will remember the new size, even though it was meant as a once-off window. So having a browser-sized terminal doesn't seem like a very good experience.
Additionally, it doesn't even work right. In a screen-controlling app like vim it seems fine, but in the normal shell, once I enter enough text to use more than a screen, the bottom-most line is actually off the window (even if I scroll down).
The missing lines at the bottom is a bug that got fixed just after this release. The next Secure Shell release won't have the issue.
And your browser size issue goes away if you open the terminal in its own window. Chrome even has an "Open as Window" option (right click on the Secure Shell icon) to open in a window with no browser UI.
So I used to think the same thing, and then I saw something funny: it was a spinning 3D cube with a scrolling document on all 6 faces. It was made with pdf.js and WebGL.
Now this isn't the same because it's NaCl and therefore not pure-web, but a pure-web terminal emulator would be awesome! It would mean you could embed it within normal web content and mash it up with other stuff. Want to edit your dropbox contents/Gmail in Vim? Maybe pipe the contents of a file into a text box? Maybe just live refresh the output of your web site when you save?
Actually, I'm running out of cool things you could do. Nobody needs a spinning 3D cube with a PDF on it, but the fact that you CAN do it means that people will invent something useful for it, and I have no doubt they would invent something awesome with an in-browser terminal emulator.
Unfortunately, this being NaCl, it may not be it. Shame.
The only part about this written in NaCl is the "ssh" command. The terminal emulator portion of it is entirely JS.
The only reason it isn't currently cross-browser is because I don't have enough time in the day to make it work everywhere. I tried not to make it too Webkit specific though. If some brave JS hacker/Firefox user wants to make this cross browser, I'd be happy to help.
I can understand that having an open-source library that provides the ability to embed a terminal emulator might be useful somewhere, to someone. But as a full-screen plugin for Chrome?
Windows doesn't have good terminal emulator. This extension is almost like having gnome-terminal on Windows. SSH into a remote machine and you have the usual keyboard navigation that the Windows "terminal" doesn't offer.
Sure, but I can download and run PuTTY directly from its download page faster than I can log in to my Google account on any machine where the credentials aren't already saved.
The Chrome extension could be nice for preconfigured "many-to-many" single-sign on from/to a number of hosts with a (hopefully encrypted) RSA key, however.
And they support keys -- Although it seems the primary way to use them is by putting your keys into your 'Downloads' folder, which isn't exactly ideal.
Looks like this will eventually replace the inbuilt ssh supplied with crosh (Chromium OS shell)
Windows! I spend most of my time coding in PuTTy + Vim when I'm on windows. In my limited testing this works as I expect with xterm-256, tmux, and Vim on my Ubuntu 12.04 Server without having to configure anything. PuTTy is a pain to configure on a new box.
tmux didn't work as expected for me. i.e. I could attach to my tmux sessions, as well as switch between the "panes" - but I couldn't see the status bar.
I also started a new tmux instance (rather than attach to existing one) still no status bar. Any suggestions ?
Edit : Problem solved. I went into Full screen mode (F11) after clicking in addressbar (When focus was on the terminal, F11 printed ~) Anyway, when I started tmux in full screen mode, I could see tmux status bar. I continued to see it even after I left full screen.
Setting unicode, changing backspace, setting xterm-256 as the TERM variable, etc ... PuTTy configuration is unintuitive when you first try to configure it. There's a well known page dedicated to configuring PuTTy properly on Windows.
No. from the page "It uses Native-Client to connect directly to ssh servers without the need for external proxies." it IS a ssh client. no http proxies.
To all those who question the value of this, it's that we now have a new ssh client that runs everywhere Chrome runs. Additionally and non-trivially, the innards of the terminal UI is now exquisitely accessible to the legions of developers who know HTML and CSS. Presumably it's a small step to embedding cross-domain SSH into a webapp.
That said, there are minuses. The big minus is that Chrome, like literally every piece of software that handles the download and installation of other software, provides an entirely new way to discover, download, and install software. The instructions for downloading putty for windows is simple and stable over time. The instructions for installing this plugin are Chrome specific and unstable over time.
Overall, I'd say this plugin has marginal positive value.
I think Nacl is portable. But it wouldn't run on Android right now anyway since the Chrome browser on Android doesn't have access to the Chrome webstore and extensions.
NaCL is not portable, unless you happen to be running the same architecture that the software was compiled for. You might be thinking of PNaCL which is still very experimental: http://www.chromium.org/nativeclient/pnacl
Well that's just dumb. They should've made ARM a first citizen for ChromeOS from day one. I saw a rumor about a future Samsung Chromebook that will use a dual core 2 Ghz Cortex A15 chip, so maybe it's coming soon.
As someone who occasionally ends up on Windows having to do Terminal work, thank you. A proper terminal emulator on every platform (well, every platform I care about) is a huge win.
I might even move to this entirely if it adds support for key auth; having a consistent environment across all devices on which you work is a big win, even if the native terminal emulator might be integrated better with the OS.
On a related note, I used to cringe whenever I had to do anything on Windows; such a foreign environment. Nowadays so much has moved to the browser that I hardly notice, modulo some text editing shortcuts. The browser is really about to become the operating system.
I'm not very impressed... although it's partly implemented in HTML (only partly - even though modern JavaScript engines should be more than capable of handling SSH, the implementation is just OpenSSH in Native Client), this is no citizen of the web, and never can be, as trusting an app to connect directly to arbitrary ports and handle all your SSH connections fundamentally subverts the web's security model. Benefits over a native app:
- It's sandboxed - big deal, if sandboxing SSH were a real concern then it's a call to sandbox-exec(1) away.
- It could theoretically be extended to support HTML-based console interfaces - but sticking a web view in a regular terminal would solve this just as well with less overhead.
(Note the lack of benefits that usually apply to webapps: multiple browser implementations; written in a high-level language, which increases hackability [you might be able to get some of that]; don't need to trust the app; page-based paradigm allows deep linking.)
Drawbacks:
- Slow. The FAQ says it's intended to compete performance-wise, and it's reasonably fast, but comparing the behavior of 'ls' or, more dramatically, 'cat /usr/share/dict/words' or 'yes' (try interrupting it) demonstrates that it doesn't quite hold up. *
- You have to trust a silently updating, non-downgradeable app with your data. I guess people already do this with Chrome, but terminal emulators don't exactly benefit from constant updates in the way browsers do.
- Non-native - if you're on Chrome OS, this is a benefit, because Web is native, but on other operating systems, you lose the look and feel of the OS (from Terminal.app: useful cmd-tab, transparent window backgrounds, Lion fullscreen mode, Lion auto reopen, other applications can launch the terminal, native keyboard shortcuts, ctrl-w...) for no reason.
- The current version requires an account(!!)
- The current version is buggy - when I try it, just typing "ls" messes up the terminal so that it's not fully scrolled down. I guess this will be ironed out soon, but existing terminal emulators are highly stable.
*edit: or 'bb', heh - Terminal doesn't exactly handle it well (it's a good demonstration of the superior performance of xterm), but at least it doesn't hang like this terminal
The difficulty interrupting something like 'yes' is a known issue. We need to add some flow control to deal with cases where the network overwhelms the UI. This also makes hterm appear slow when cat'ing /usr/share/dict/words, and running aafire. A fix is in the works.
Yes, as you mention, automatic updates are something you already accept with Chrome. It also seems to be the way Firefox is heading. And Android and iOS apps. Anyone is free to build a version locally if they really want to stick with a particular version.
The webstore may require an account, but the source is open. You're welcome to build it yourself. Or, create a throw-away account and download the CRX, then install it in your "real" account.
Of course the current version is buggy, it says that right in the web store description! I've been working on it for a few months now, but it's difficult to get everything right in a terminal without a lot of users. I fixed an issue after the 0.7.9 release that may be what you're describing, but I can't know for sure without more details.
FWIW, as the FAQ says, the terminal emulator and the NaCl SSH client are essentially two codebases. Maybe you could impress people by creating a good-web-citizen version of the SSH command and combine it with hterm.
That would most definitely require an HTML-to-SSH relay in the middle (which hterm supports). Then you'd have to trust that though, at which point you have to decide where you really want your potentially untrustworthy code to live.
I'm not sure what problem you're having with ls, but emacsclient -t and list-colors-display works perfectly for me. If it does Emacs, my needs are met :)
I can't believe how great it looks and how responsive it is. I've been running an emacs client in it for a while and other than C-n opening a new window it's practically perfect. Huge props to the team who wrote this.
Can you post the syntax of how you included the identity file. The parsing keeps grabbing my user@host in with the -i id.pem
Connecting to -i id.pem user@host, port 22...
Loading NaCl plugin... done.
Warning: Identity file id.pem user@host not accessible: No such file or directory.
because having a web browser just be a web browser is apparently an outdated concept. Or something.
I mean sure, opening up an ssh client is 4 keystrokes for me (on windows) but we need to have it integrated into the browser so firefox (or chrome in this case) can find a way to be even more of a bloated memory pig.
On Ubuntu 12.04, I get this, and then it seems to hang. Anyone have this working on Linux?
Welcome to Secure Shell version 0.7.9.
The list of Frequently Asked Questions is available here: http://goo.gl/m6Nj8
Connecting to wellsj@greensboro.timco.aero, port 22...
Loading NaCl plugin...
I believe this is the same terminal that replaces urxvt as the non-VT terminal in the newest version of ChromeOS (IE the one you access with Ctrl-Alt-T). I was worried when I switched to the dev channel on my Cr-48 and crosh opened in a new tab instead of a chromeless window.
Works really well, nice and quick. Call me stupid, but I'm not actually sure how to launch it (clicking on "Launch App" from within the webstore works but that's surely not the only way).
oh, good idea. I wonder if navigator.registerProtocolHandler works in apps?
I tried adding it manually in settings->Content Settings...->Handlers, but it only allows you to select handlers on sites that have already requested permission, not add new ones (as far as I can tell).
This app is part of a small whitelist of apps that can make this type of connection. It's a temporary solution though. The Chrome team is working on ways to make the functionality more widely available.
Just got through scouring the pepper 19 docs for any mention for how this was done. Exciting to see this kind of functionality enabled, but apprehensive about chrome apps developing into an android style permission nightmare. Perhaps if the user always had the ability to arbitrarily revoke permissions and block them by default.
I'd been checking every few months for the last several years to see if sockets were available in NaCL, for this exact killer app (along with a vnc/rdesktop client)
Sad that it had to be done with an internal whitelist, but I'm mostly just happy that it exists for me to use even if I didn't get to write it!
What this will do, however, is hopefully end for good the mess of "How do I expose a command line application to my windows-using friends such that they aren't confused and won't hate me.". And there's a whole lot of value to that.