Shell Access

How to open a shell using Etcha.

Etcha can open an interactive shell like Bash on remote Etcha instances for debugging and terminal access. This can replace SSH access to instances with Etcha-based authentication.

Architecture

Etcha shell access uses Server-Sent Events (SSE) and API calls to create an interactive experience. An SSE session is created when the shell starts, and stderr/stdout is sent over it. All user commands are sent as HTTP POST calls to the shell endpoint and passed as stdin to the shell.

Security

Shell access uses signed JWTs similar to Patterns, where the JWTs are verified by the remote Etcha instance using verifyKeys or verifyCommands. Once a shell session is started, a random ID is generated and exchanged with the client for sending commands–these requests are still sent using JWTs and verified as well. All JWTs are sent with low expirations (5 seconds) to limit replability, and the server will periodically (at least every 10 seconds) send a random keepalive string to the client to provide keystroke timing obfuscation.

Setup

Etcha must be already running on the remote instance in Listen Mode with appropriate verifyKeys or verifyCommands. The remote instance will additionally need Sources configured to allow Shell access by specifying a shell:

{
  "sources": {
    "debug": {
      "exec": {
        "group": "operator",
        "user": "operator",
      },
      "shell": "/bin/bash",
    },
  }
}

In this example, the source debug is allowed shell access and will execute the shell /bin/bash. Shell obeys exec values in the Source (and the global exec), so the shell will be executed under the operator user and group.

Access

We can now start a shell from a different Etcha instance with a matching key. The remote instance can use Targets or specifying a host directly:

$ etcha shell debug myhost
operator@myhost~$