hterm and Secure Shell
Frequently Asked Questions
Version 0.8.2
August 27, 2012
Hello World. This is the hterm/Secure Shell FAQ. If you have a question that
is not answered here, please ask it on the chromium-hterm mailing list located
at <>.
> What is "Secure Shell"?
Secure Shell is a Chrome Application that combines the "ssh" command (see for details) ported to NativeClient with the "hterm"
terminal emulator to provide a secure shell client for the Chrome browser.
Secure Shell provides similar functionality to PuTTY on Microsoft Windows(c)
systems, and the ssh command-line application on Mac OS X and Linux systems.
> What is "hterm"?
"HTML Terminal", or hterm, is an xterm-compatible terminal emulator written
entirely in JavaScript.
It is intended to be fast enough and correct enough to compete with native
terminals such as xterm, gnome-terminal, konsole and
hterm is only a terminal emulator. It does not provide SSH access (or any
other text-based command) on its own.
> How do Secure Shell and hterm relate to the "crosh" (Ctrl-Alt-T) command in
Chrome OS?
See chromeos-crosh.txt in this directory for the details.
TL;DR - Don't use crosh for ssh any more, use the Secure Shell app instead.
The crosh shell will use the newer terminal emulator from Secure Shell when
> How do hterm and Secure Shell differ from existing web terminals?
hterm stands out from many existing web terminals in that it was built from
the start to match the performance and correctness of "native" terminals such
as xterm and
It can handle large bursts of text quickly, support very large scrollback
buffers, and it closely matches xterm's behavior. The keyboard even mostly
works. (ha! See the note about how to get Ctrl-W below.)
The Secure Shell app is different because it does not require a proxy or
relay server to function. Secure Shell can make a direct connection to
a standard sshd server on any port of the destination machine. Other
web terminals require a proxy server in the middle. In some cases you
are even required to hand the proxy your credentials in plain text.
> Is my connection proxied in any way?
No. By default all connections are made directly to the sshd server on the
destination machine.
> But, what if I *want* to ssh over HTTP?
Secure Shell also knows how to connect to an HTTP-to-ssh relay that was
built inside Google. Unfortunately that relay isn't open source, and Google
doesn't maintain a public pool of relays.
However, you're free to build one that works the same way. There should be
enough documentation in nassh_google_relay.js to reverse engineer a
compatible relay.
If you're interested in writing an alternative relay library, please mention
it on the mailing list.
> Is my connection really secure?
The Secure Shell app uses ssh to manage the encrypted communication channels.
This makes it about as secure as any other connection based on the ssh
It does have the added advantage of running ssh as a sandboxed
Native Client plugin, which in theory makes it more secure than an
unsandboxed ssh connection.
Additionally, the Secure Shell application follows a strict Content Security
Policy that does not allow access to the JavaScript 'eval' function. This
helps lower the risk that a terminal exploit could run arbitrary JavaScript.
> What should I do if I notice a bug?
First, please continue reading this FAQ to make sure your issue isn't
mentioned. Then check the bug list at <>.
If you don't see the issue there, you can search the archives of the
chromium-hterm mailing list here: <>.
If all else fails then join the chromium-hterm mailing list and post
about what you've found.
If your bug involves some mis-interpreted escape sequence and you want
to file a really useful bug report, then add in a recording of the
session. For bonus points, track down the troublesome sequence and
include the offset into the log file. For more information about how to
do this, see the "Debugging escape sequences" section in the hack.txt file
in this directory.
> Is there a mailing list to discuss hterm or Secure Shell?
Yes, the public chromium-hterm mailing list is here: <>.
> Can I connect using a public key pair or certificate?
You can import identity files from the connection dialog. Select the
"Import..." link to bring up a file picker.
You must import two files for each identity. One should be the private key
and should not have a file extension. The other should be the public key,
and must end in ".pub". For example, "id_rsa" and "".
If you have a key stored in a single ".pem" file, you must split it into two
files before importing.
This will import your public/private key files into the HTML5 filesystem
associated with Secure Shell. There should be no way for another extension,
app, or web page to access this sandboxed filesystem.
| Keep in mind that HTML5 filesystems are relatively new. As always, |
| it's possible that there are still exploits to be found or disclosed. |
| |
| Additionally, Chrome stores HTML5 filesystems as normal files (with mode |
| 600, "-rw-------") under your profile directory. Non-Chrome |
| applications on your system may be able to access these files. |
| |
| For your own good, protect your important private keys with a strong |
| passphrase. |
You can also import a traditional ssh 'config' file using this dialog.
Nearly anything that ssh might care about from your ~/.ssh directory can go
See <> for more
information about the ssh configuration syntax. Keep in mind that any
directives that would require access outside of the NaCl sandbox will not
function properly. This includes (but is not limited to) X11 forwarding,
syslog functionality, and anything that requires a domain socket.
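A pre-import check for the identity-file rules and passphrase advice above, added here as an example and not part of Secure Shell. Function names and sample file names are hypothetical; beyond traditional PEM keys it also recognises PKCS#8 and the openssh-key-v1 container, which this FAQ does not mention.

```javascript
'use strict';
// Added example, not Secure Shell code: check identity files before import.

const OSSH_MAGIC = 'openssh-key-v1\0';

// Classify a private key file by how its container declares encryption.
function keyProtection(text) {
  const m = /-----BEGIN ([A-Z0-9 ]*)PRIVATE KEY-----\r?\n([\s\S]*?)-----END \1PRIVATE KEY-----/
    .exec(text);
  if (!m) return 'not-a-private-key';
  const [, kind, body] = m;
  if (kind === 'ENCRYPTED ') return 'encrypted'; // PKCS#8, always encrypted
  if (kind === 'OPENSSH ') {
    // Layout: magic, then a length-prefixed cipher name ("none" = no passphrase).
    const raw = Buffer.from(body.replace(/\s+/g, ''), 'base64');
    const off = OSSH_MAGIC.length;
    if (raw.length < off + 4 || raw.toString('latin1', 0, off) !== OSSH_MAGIC) {
      return 'unknown';
    }
    const len = raw.readUInt32BE(off);
    const cipher = raw.toString('latin1', off + 4, off + 4 + len);
    return cipher === 'none' ? 'unencrypted' : 'encrypted';
  }
  // Traditional PEM ("RSA ", "DSA ", "EC ") and plain PKCS#8 (""): an
  // encrypted key carries a Proc-Type header before the base64 body.
  return /^Proc-Type: 4,ENCRYPTED\r?$/m.test(body) ? 'encrypted' : 'unencrypted';
}

// files maps file name -> contents. Assumption: a pair shares a base name.
function checkIdentity(files) {
  const problems = [];
  for (const name of Object.keys(files)) {
    if (name.endsWith('.pub')) continue;
    if (name.includes('.')) {
      problems.push(`${name}: split into an extensionless private key and a .pub file`);
      continue;
    }
    if (!(name + '.pub' in files)) problems.push(`${name}: missing ${name}.pub`);
    const state = keyProtection(files[name]);
    if (state !== 'encrypted') problems.push(`${name}: private key is ${state}`);
  }
  return problems;
}

// Constructed samples: container headers only, no real key material.
const pem = (kind, body) =>
  `-----BEGIN ${kind}PRIVATE KEY-----\n${body}\n-----END ${kind}PRIVATE KEY-----\n`;
const ossh = (cipher) => {
  const len = Buffer.alloc(4);
  len.writeUInt32BE(cipher.length);
  return Buffer.concat([Buffer.from(OSSH_MAGIC, 'latin1'), len, Buffer.from(cipher, 'latin1')])
    .toString('base64');
};
const SAMPLES = {
  protectedRsa: pem('RSA ', 'Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nQ09OU1RSVUNURUQ='),
  plainRsa: pem('RSA ', 'Q09OU1RSVUNURUQ='),
  plainOpenssh: pem('OPENSSH ', ossh('none')),
  protectedOpenssh: pem('OPENSSH ', ossh('aes256-ctr')),
};

console.log(checkIdentity({ id_rsa: SAMPLES.plainRsa, 'backup.pem': SAMPLES.protectedRsa }));
```

An empty result means the pair is named as the import dialog expects and the private key declares encryption; it says nothing about how strong the passphrase is.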
> Can Secure Shell use my ~/.ssh/config file?
Probably. It depends on what it does. See the answer to the previous
question for more details.
> How do I remove a key?
From the connection dialog, select an identity from the dropdown and press
the DELETE key. This will remove both the private and public key files from
the HTML5 filesystem.
> How do I remove ALL keys?
Open the JavaScript console and type...
This will remove any non-key files you may have uploaded as well. It will
*not* affect your preferences.
> Does Secure Shell support a keychain of some sort?
Sorry, not yet. This is a bit of a technical challenge given the nature
of the NaCl sandbox. We have a few options that we're exploring. Feel
free to post your ideas to the mailing list.
(And yes, we're already considering integrating with the Chrome NSS
certificate store.)
> Can I use Secure Shell for port forwarding?
Yes. Enter your port forwarding options in the "SSH Arguments" field of
the connect dialog. The port forward will be active for the duration of
the Secure Shell session.
> What is the "Terminal Profile" field for?
This is the last field in the connect dialog. It allows you to select
which set of terminal preferences to use for the connection.
If you name a terminal profile that doesn't yet exist, it will be created
and all preferences will be set to their default value. Any preference
changes will affect the active terminal profile only.
For example, enter "light" as the name of a terminal profile for a new
connection. Once you've connected, change the color scheme to
black-on-white (as described in the FAQ entries below). That change will
be associated with the "light" profile, and you'll be able to re-use it for
other saved connections.
> How do I set terminal preferences?
The Secure Shell application does not currently have a preferences page.
It's in the works, and will be available before Secure Shell leaves
"beta" status. For now, you need to open the JavaScript console to
change the user preferences. Sorry about that.
In general, you open the JavaScript console and type something like...
term_.prefs_.set('pref-name', 'pref-value')
Preferences are saved in your local storage, so they're remembered the
next time you launch Secure Shell.
If you want to check the current value of a preference, type this...
To reset a single preference to its default state, type this...
To reset all preferences to their default state, type this...
Most preference changes take effect immediately, in all open instances of
Secure Shell. The exception is the 'environment' setting, which won't
take effect until the next time you reconnect.
Some common preferences are listed in questions that follow. For the full
list, you'll have to read through the "setProfile" function in terminal.js.
It's here: <>, around line 130.
> How do I change the audible bell sound?
Open the JavaScript console and type...
term_.prefs_.set('audible-bell-sound', '')
Change the example url to point to the sound file you want to use.
Unfortunately, local file: urls are not supported at this time. If you
want to get fancy you could construct a data: url, but the details of
that are beyond the scope of this FAQ.
> How do I disable the audible bell?
Open the JavaScript console and type...
term_.prefs_.set('audible-bell-sound', '')
> How do I change the color scheme?
You can change the foreground, background or cursor color preferences from
the JavaScript console like this...
term_.prefs_.set('background-color', 'wheat')
term_.prefs_.set('foreground-color', '#533300')
term_.prefs_.set('cursor-color', 'rgba(100, 100, 10, 0.5)')
You can use any valid CSS color value for any of these colors. You need
to use a semi-transparent color (the fourth parameter in the rgba value)
for the cursor if you want to be able to see the character behind it.
> How do I change the font face?
Open the JavaScript console and type...
term_.prefs_.set('font-family', 'Lucida Console')
Replace 'Lucida Console' with your favorite monospace font.
Keep in mind that some fonts, especially on Mac OS X systems, have bold
characters that are larger than the non-bold version. hterm will print a
warning to the JS console if it detects that you've selected a font like
this. It will also disable "real" bold characters, using only bright
colors to indicate bold.
> How do I change the default font size?
Open the JavaScript console and type...
term_.prefs_.set('font-size', 15)
Replace 15 with your desired font size in pixels. 15 is the default, so
you'll have to pick a different number to have any effect at all.
> Can I quickly make temporary changes to the font size?
Yes. The Ctrl-Plus, Ctrl-Minus and Ctrl-Zero keys can increase, decrease,
or reset the current font size. This zoomed size is not remembered the
next time you start hterm. See the previous question if you want something
that will stick.
It's useful to know that hterm has to handle font zooming on its own,
without interference from the browser's built-in zoom function.
The browser zoom introduces rounding errors in pixel measurements that
make it difficult (maybe impossible) for hterm to accurately position the
cursor on the screen. (It could do a little better than it does but
probably not enough to be worth the effort.)
To mitigate this, hterm will display a warning message when your browser
zoom is not 100%. In this mode the Ctrl-Plus, Ctrl-Minus and Ctrl-Zero
keys are passed directly to the browser. Just press Ctrl-Zero to reset your
zoom and dismiss the warning.
hterm should start handling Ctrl-Plus, Ctrl-Minus and Ctrl-Zero on its
own once your zoom setting is fixed.
> Why do I get a warning about my browser zoom?
Because hterm requires you to set your browser to 100%, or 1:1 zoom.
Try Ctrl-Zero or the Wrench->Zoom menu to reset your browser zoom. The
warning should go away after you correct the zoom level.
See the previous question for more information.
> How do I disable anti-aliasing?
Open the JavaScript console and type...
term_.prefs_.set('font-smoothing', 'none')
This directly modifies the '-webkit-font-smoothing' CSS property for the
terminal. As such, 'none', 'antialiased', and 'subpixel-antialiased' are
all valid values.
The default setting is 'antialiased'.
> How do I make the cursor blink?
Open the JavaScript console and type...
term_.prefs_.set('cursor-blink', true)
Notice that true is NOT in quotes. This is especially important if you try
to turn blinking back off, with...
term_.prefs_.set('cursor-blink', false)
or you could just revert to the default value of false with...
> How do I change the TERM environment variable?
Open the JavaScript console and type...
term_.prefs_.set('environment', {TERM: 'hterm'})
Notice that only 'hterm' is quoted, not the entire value. You can replace
'hterm' with whichever value you prefer.
The default TERM value is 'xterm-256color'. If you prefer to simulate a
16 color xterm, try setting TERM to 'xterm'.
You will have to reconnect for this setting to take effect.
> How do I enter accented characters?
That depends on your platform and which accented characters you want to
In xterm, you could use Alt-plus-a-letter-or-number to select from the
upper 128 characters. The palette of 128 characters was "hardcoded" and
not dependent on your keyboard locale. You can set hterm to do the same
thing by opening the JavaScript console and typing...
term_.prefs_.set('alt-sends-what', '8-bit')
However, if you are on Mac OS X and you prefer that Alt sends a character
based on your keyboard locale, try this instead...
term_.prefs_.set('alt-sends-what', 'browser-key')
Note that composed characters (those that require multiple keystrokes) are
not currently supported by this mode.
If you are running Chrome OS on a Chromebook you can select your keyboard
locale from the system settings and just use the Right-Alt (the small one,
on the right) to enter accented characters. No need to change the
'alt-sends-what' preference at all.
The default value for 'alt-sends-what' is 'escape'. This makes Alt work
mostly like a traditional Meta key.
If you really, really want Alt to be an alias for the Meta key in every
sense, use...
term_.prefs_.set('alt-is-meta', true)
> How do I make backspace send ^H?
By default, hterm sends a delete (DEL, '\x7f') character for the
backspace key. Sounds crazy, but it tends to be the right thing for
most people. If you'd prefer it send the backspace (BS, '\x08', aka ^H)
character, then open the JavaScript console and type...
term_.prefs_.set('backspace-sends-backspace', true)
> How do I remove a known host fingerprint (aka known_hosts) entry?
If you know the index of the offending host entry (it's usually reported
by ssh if the connection fails) you can open the JavaScript console and
Replace index with the numeric, one-based host index.
If you don't know the index, or you'd like to clear all known hosts,
> How do I send Ctrl-W, Ctrl-N or Ctrl-T to the terminal?
Chrome blocks tab contents from getting access to these (and a few other)
keys. You can open Secure Shell in a dedicated window to get around
this limitation. Just right-click on the Secure Shell icon and enable
"Open as Window".
After that, any time you launch Secure Shell it will open in a new window
and respond properly to these accelerator keys.
Note that the "Open as Window" option is not available on the Mac. However,
Mac keyboards typically have distinct Control, Alt, and Command keys, so it's
less of an issue on that platform. Secure Shell cannot treat Command as
Control or Meta, but there are some third party keyboard utilities that may
provide a solution.
> How do I copy text from the terminal?
By default, Secure Shell automatically copies your active selection to the
You can disable this by setting the 'copy-on-select' preference to false.
If you disable it you'll need to use one of the following key sequences
to copy to the clipboard...
* Under Mac OS X the normal Command-C sequence works.
* On other platforms Ctrl-C will perform a Copy only when text is selected.
When there is no current selection Ctrl-C will send a "^C" to the host.
Note that after copying text to the clipboard the active selection will be
cleared. If you happen to have text selected but want to send "^C",
just hit Ctrl-C twice.
* Under all platforms you can also use the "Copy" command from the Wrench
menu, when running Secure Shell in a browser tab.
> How do I paste text to the terminal?
By default, Shift-Insert pastes the clipboard on all platforms. If you'd
prefer to be able to send Shift-Insert to the host, set the
'shift-insert-paste' preference to false.
* Under Mac OS X the normal Command-V sequence can be used to paste from
the clipboard.
* On other platforms use Ctrl-Shift-V to paste from the clipboard.
* Under X11, you can use middle-mouse-click to paste from the X clipboard.
* Under all platforms you can also use the "Paste" command from the Wrench
> Why does the cursor blink in emacs?
Do you normally use or xterm? Those terminals (and probably
a few others) ignore the "ESC [ ? 12 h" and "ESC [ ? 12 l" sequences.
Emacs uses these sequences (on purpose) to enable and disable cursor blink.
If you prefer a steady cursor in emacs, set visible-cursor to nil as
described in <>.
> Why does the color scheme look funny in emacs/vi/vim?
hterm's default value for the TERM environment variable is
'xterm-256color'. This causes emacs, vi, and some other programs to
use a different color palette than when TERM='xterm'.
You may notice these programs use a font color that is difficult to read
over a dark background (such as dark blue).
You can fix vi with ':set bg=dark'. Emacs can be started in "reverse
video" mode with 'emacs -rv'.
If you just want your old 16 color palette back, open the JavaScript
console and type...
term_.prefs_.set('environment', {TERM: 'xterm'})
Then restart Secure Shell.
> Can I use my mouse with Secure Shell?
Sort of. Both emacs and vi have mouse modes that are compatible with Secure
In emacs, use `M-x xterm-mouse-mode` and `M-x mouse-wheel-mode`. This will
allow you to position the cursor with a mouse click, and use the wheel
(or two-finger scroll) to scroll the buffer.
In vi, use ":set mouse=a" to enable mouse mode. Vi's mouse mode is slightly
different from emacs in that it manages your text selection. Some people
prefer this, others may go crazy.
A quick way to get your native selection back is to set the
'mouse-cell-motion-trick' to true. This will make vi's mouse support
essentially the same as emacs.
With the cell motion trick enabled, you lose the ability to select more
than one screenful of text with the mouse. Instead of using this trick,
you may want to script vi so that it sends the current selection to
Secure Shell to be copied to the system clipboard. See the next question
for some more information on this.
> Does hterm support the "OSC 52", aka "clipboard operations" sequence?
Clipboard writing is allowed by default, but you can disable it if you're
paranoid. Set the 'enable-clipboard-write' preference to false to disable
the control sequence.
Clipboard read is not implemented. Reading is a security hole you probably
didn't want anyway.
Clipboard writes are triggered by an escape sequence from the host. Here's
an example...
$ echo -e "\x1b]52;c;Y29weXBhc3RhIQ==\x07"
The sequence "\x1b]52;" identifies this as a clipboard operation. The "c;"
option selects the system clipboard. "Y29weXBhc3RhIQ==" is the base64 encoded
value to place on the clipboard, in this case it's the string "copypasta!".
Finally, "\x07" terminates the sequence.
If you execute this command when 'enable-clipboard-write' is on, you should see
the "Selection Copied" message appear in the terminal, and your system
clipboard should contain the text, "copypasta!".
Note that the specification for OSC 52 mentions destinations other than
the "c;" system clipboard. Hterm treats them all as the system clipboard.
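The sequence layout described above, as an added example that is not part of hterm: a small Node.js scanner that finds OSC 52 operations in host output and reports what each one would put on the clipboard. The function names and the prefs object are hypothetical; ESC \ as a terminator and the "?" read request come from the xterm control-sequence documentation rather than this FAQ.

```javascript
'use strict';
// Added example, not hterm source: find OSC 52 clipboard operations in a
// chunk of host output and report what each one asks the terminal to do.

const ESC = '\x1b';
const BEL = '\x07';
const INTRO = ESC + ']52;';
const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// prefs.enableClipboardWrite is a hypothetical stand-in for the
// 'enable-clipboard-write' preference described in the FAQ.
function scanOsc52(data, prefs = { enableClipboardWrite: true }) {
  const found = [];
  let pos = 0;
  while ((pos = data.indexOf(INTRO, pos)) !== -1) {
    const start = pos + INTRO.length;
    // The FAQ's example ends with BEL; ESC \ (ST) also terminates an OSC.
    const ends = [data.indexOf(BEL, start), data.indexOf(ESC + '\\', start)]
      .filter((i) => i !== -1);
    if (ends.length === 0) break; // unterminated: nothing more to report
    const end = Math.min(...ends);
    const body = data.slice(start, end);
    pos = end + 1;

    const sep = body.indexOf(';');
    if (sep === -1) {
      found.push({ dest: body, action: 'invalid', text: null });
      continue;
    }
    // dest is reported as sent; per the FAQ, hterm treats every
    // destination as the system clipboard.
    found.push(classify(body.slice(0, sep), body.slice(sep + 1), prefs));
  }
  return found;
}

function classify(dest, payload, prefs) {
  // "?" asks the terminal to send the clipboard back; the FAQ says reads
  // are not implemented, so this is reported and never answered.
  if (payload === '?') return { dest, action: 'read-ignored', text: null };
  if (!BASE64.test(payload)) return { dest, action: 'invalid', text: null };
  const text = Buffer.from(payload, 'base64').toString('utf8');
  const action = prefs.enableClipboardWrite ? 'write' : 'blocked';
  // Control characters (a newline, for instance) in host-chosen clipboard
  // text deserve a second look before the text is pasted anywhere.
  const hasControlChars = /[\x00-\x1f\x7f]/.test(text);
  return { dest, action, text, hasControlChars };
}

// Constructed sample stream: the FAQ's own sequence, a write to the "p"
// destination ending in a newline (ST-terminated), and a read request.
const SAMPLE =
  'login ok\r\n' +
  ESC + ']52;c;Y29weXBhc3RhIQ==' + BEL +
  ESC + ']52;p;aGkK' + ESC + '\\' +
  ESC + ']52;c;?' + BEL;

console.log(JSON.stringify(scanOsc52(SAMPLE), null, 2));
```

Run over a recorded session log, this shows every clipboard write a host attempted, which helps when deciding whether to leave 'enable-clipboard-write' on.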
> Can I synchronize my emacs selection with the system clipboard?
Yes, as long as you're not using tmux. See ../etc/osc52.el (also,
<>) for the details.
> Is there a way to try early releases of Secure Shell?
Yes. First, you need to subscribe to the mailing list mentioned above.
Subscribers have access to the "Dev" version in the Chrome Web Store, which
is located here: <>.
Please keep in mind that the Dev version has gone through significantly less
testing than the Beta. Fortunately, you can install both and switch back
to Beta if you have trouble with Dev.
> Where is the source code?
The hterm source is here: <>. This includes the
front-end code for Secure Shell.
The Native Client wrapper around ssh is here: <>.
> Is there a change log?
Yes. Look under the doc/ directory of the hterm source.
There are two change logs. One shows changes to the development version
of Secure Shell. The other shows stable releases.
In general, the dev series of the form 0.X.Y.Z becomes the stable
version 0.X.Y. So SecureShell-dev-, and all lead up
to SecureShell-0.7.2.
> What if I want to make changes to the source?
Read the hack.txt file in this directory.