WebSSH2 - Web SSH Client

WebSSH2 is an HTML5 web-based terminal emulator and SSH client. It uses SSH2 as a client on a host to proxy a Websocket / Socket.io connection to an SSH2 server.

Quick Start

Requirements

• Node.js 22 LTS (Jod) or later

Installation

# Clone repository
git clone https://github.com/billchurch/webssh2.git
cd webssh2

# Install dependencies
npm install --production

# Start server
npm start

Access WebSSH2 at: http://localhost:2222/ssh

Official Containers

• Preferred registry: ghcr.io/billchurch/webssh2
• Docker Hub mirror: docker.io/billchurch/webssh2
• Architectures: linux/amd64, linux/arm64

Pull the latest build from GitHub Container Registry:

docker pull ghcr.io/billchurch/webssh2:latest

Run the container exposing the default port:

docker run --rm -p 2222:2222 ghcr.io/billchurch/webssh2:latest

To pin to a specific release (example: webssh2-server-v2.3.2):

docker run --rm -p 2222:2222 \
  ghcr.io/billchurch/webssh2:2.3.2

The same tags are available on Docker Hub if you prefer the legacy namespace:

docker run --rm -p 2222:2222 docker.io/billchurch/webssh2:2.3.2

Configuration

WebSSH2 prefers environment variables for configuration (following 12-factor app principles):

# Basic configuration
export WEBSSH2_LISTEN_PORT=2222
export WEBSSH2_SSH_HOST=ssh.example.com
export WEBSSH2_HEADER_TEXT="My WebSSH2"
# Allow only password and keyboard-interactive authentication methods (default allows all)
export WEBSSH2_AUTH_ALLOWED=password,keyboard-interactive

npm start

For detailed configuration options, see Configuration Documentation.

Common Examples

Connect to a specific host using HTTP Basic Auth

http://localhost:2222/ssh/host/192.168.1.100

Custom port and terminal using interactive modal auth

http://localhost:2222/ssh?port=2244&sshterm=xterm-256color

Docker with environment variables

docker run --rm -it \
  -p 2222:2222 \
  -e WEBSSH2_SSH_HOST=ssh.example.com \
  -e WEBSSH2_SSH_ALGORITHMS_PRESET=modern \
  -e WEBSSH2_AUTH_ALLOWED=password,publickey \
  ghcr.io/billchurch/webssh2:latest

Need the Docker Hub mirror instead? Use docker.io/billchurch/webssh2:latest.

Documentation

Getting Started

• Quick Start Guide - Get up and running in 5 minutes
• Installation Guide - Detailed installation instructions
• Docker Setup - Docker and Kubernetes deployment
• Migration Guide - Upgrading from older versions

Configuration Documentation

• Configuration Overview - Configuration methods and priority
• Environment Variables - Complete environment variable reference
• URL Parameters - Query string parameters

Feature Documentation

• Authentication Methods - Password, key-based, and SSO
• Private Key Authentication - SSH key setup and usage
• Exec Channel - Non-interactive command execution
• Environment Forwarding - Pass environment variables

Development

• Contributing Guide - How to contribute
• Development Setup - Setting up development environment
• API Documentation - WebSocket and REST APIs

Release Artifacts

• Build & Packaging Guide - Reproducible release flow and manifest format
• Container Integration - Using the packaged bundle in images and CI

Reference

• Troubleshooting - Common issues and solutions
• Breaking Changes - Version migration notes

Features

• 🌐 Web-based SSH - No client software required
• 🔐 Multiple Auth Methods - Password, private key, keyboard-interactive
• 📱 Responsive Design - Works on desktop and mobile
• 🎨 Customizable - Themes, fonts, and terminal settings
• 🔌 WebSocket - Real-time bidirectional communication
• 🐳 Docker Ready - Official Docker images available
• 🔧 Exec Channel - Run commands without opening a shell
• 🌍 Environment Variables - Pass custom environment to SSH sessions
• 🛡️ Subnet Restrictions - IPv4/IPv6 CIDR subnet validation for access control
• 📁 SFTP Support - File transfer capabilities (v2.6.0+)

Release Workflow Overview

• Development: Run npm install (or npm ci) and continue using scripts such as npm run dev and npm run build. The TypeScript sources remain the source of truth.
• Release pipeline: Use npm ci --omit=dev, npm run build, then node dist/scripts/create-release-artifact.js to produce webssh2-<version>.tar.gz, manifest.json, and a .sha256 checksum. GNU tar is required to guarantee deterministic archives.
• Packaged consumers (containers, downstream services): Download and verify the tarball, extract it, run npm ci --omit=dev from the extracted root (alongside package.json), and start with NODE_ENV=production npm start. The prestart script detects the precompiled bundle and skips rebuilding.

Support

If you like what I do and want to support me, you can buy me a coffee!

License

MIT License

Changelog

3.1.0 (2026-01-13)

Features

• debug: add ssh2 protocol-level debug logging (#469) (e4ba8fa)

3.0.0 (2025-12-30)

⚠ BREAKING CHANGES

• sftp: SFTP protocol updated - clients must not send transferId in start requests; use server-provided ID from response.

Features

• add server-side generic prompt interface (#465) (e96f979)

Bug Fixes

• sftp: server-side transfer ID generation and ownership verification (#467) (e3ebea2)

2.6.1 (2025-12-09)

Bug Fixes

• SSH algorithm env var precedence and debug output improvements (#460) (bceb5b8), closes #459

2.6.0 (2025-12-04)

Features

• add SFTP support, fixes #322 (cc5d932)

2.5.0 (2025-12-01)

Features

• docker: append Docker image info to GitHub releases [skip ci] (2911905)
• docs: add keyboard capture documentation and quick reference (7b08ca5)
• update webssh2_client to version 2.2.0 (ffdb9b7)

Bug Fixes

• docker: optimize builder stage and add timeout (d07df7b)

2.4.0 (2025-11-27)

Features

• Implemented rate limiting and output truncation features in the SSH service to prevent memory overflow during high-volume output. fixes #451 (b575bba)

Bug Fixes

• package.json & package-lock.json to reduce vulnerabilities (#453) (9a9719b)
• Refactor constants import paths and enhance SSH output handling (b575bba)

2.3.5 (2025-11-06)

Bug Fixes

• package.json & package-lock.json to reduce vulnerabilities (#440) (6e3261b)
• private key authentication not working with config credentials (#443) (e43c811)

2.3.4 (2025-10-14)

Bug Fixes

• csp headers upgrade-insecure-requests cause browser to attempt https, removed. fixes #434 (#435) (ac87aaf)

2.3.3 (2025-10-06)

Bug Fixes

• respect config ssh port (#432) (dcaf257)

2.3.2 (2025-10-02)

Chores

• release: 2.3.2 (d5e5c22)

2.3.1 (2025-10-02)

Bug Fixes

• install rollup binary for musl-based builds (ae03d07)

2.3.0 (2025-10-02)

Features

• enhance local logging (7fb516f)

2.2.0 (2025-09-30)

⚠ BREAKING CHANGES

• Error messages from credential validation have changed

Features

• migrate from Ajv to Zod for config validation (#415) (4230595)

Bug Fixes

• rename AuthMethod to SSHAuthMethod to avoid type naming conflict (#418) (0b82619)

Chores

• release 2.2.0 (e50427c)

Code Refactoring

• unify credential extraction with SRP and pure functions (#417) (e568ea1)

2.1.0 (2025-09-26)

Features

• implement pure functions and SRP architecture refactor (06245c1)

Bug Fixes

• consolidate changelog to CHANGELOG.md (f62b5e5)
• replace custom basic-auth types with official package (ab5a22f), closes #405
• update misleading config.json missing message (#407) (fae7d8a)
• fix: add missing allowedSubnets field to SSH config, closes #409
• fix: handle keyboard-interactive auth to prevent timeout, closes #409

2.0.0 (2025-09-15)

⚠ BREAKING CHANGES

• validate referer to /reauth is valid
• consistent logging messages see #286
• config system changes #284 (#285)
• bump express to 5.1.0
• bump socket.io to 4.8.1
• bump ssh2 to 1.17
• bump webssh2_client to 2.0.0
• bump xterm to 5.5.0

Features

• add additional params for POST requests #290 (46c1560)
• add additional vars to POST requests #290 (0a4e419)
• add fontFamily, letterSpacing, lineHeight (97f3088)
• add fontSize option #292 (5e78812)
• add NPM supply chain security policy (#394) (fe2f875), closes #393
• add SIGTERM to safe shutdown feature (675b4f5)
• auth: ssh private key auth implemented via config.json (#161) (342df8e)
• config system changes #284 (#285) (9c99b09)
• config: specify local source address and port for client connections fixes #152 (#158) (65d6ec6)
• consistent logging messages see #286 (50cfcb9)
• CORS support (b324f33)
• credentials over http post for #290 (5b8f88c)
• reorder viewport setup at ssh handshake #292 (140e1e2)
• test change for release (476b566)
• validate referer to /reauth is valid (0dcaa6e)

Bug Fixes

• cols and rows were not properly assigned for terminal (#337) (3246df7)
• deprecated term.setOption (d903da8)
• docker multiplatform build on push fixes #293 (f041c77)
• dockerignore (#272) (8a68cca)
• exclude chore commits from changelog (caa0288)
• Fix the parameter passing problem of setDefaultCredentials to make it perform data initialization normally (#288) (40cbb35)
• fixes default for allowreauth (#239) (dcfd81b), closes #238
• invalid css in style.css (ffab534)
• lost comma in config.json.sample (a75f6d7)
• lost comma in config.json.sample (a75f6d7)
• missing ENTRYPOINT for Dockerfile (6a3a47a)
• obey host ssh.host in config fixes #190 (7b7e8e7)
• package: update ssh2 to version 0.6.1 (42523fc)
• package: update ssh2 to version 0.6.1 (bf15b3e), closes #55
• package: update validator to version 10.1.0 (23ae7d5)
• package: update validator to version 10.1.0 (1a15fa5), closes #62
• subnet unauthorized now emits "ssherror" which persists across websocket termination (e796f9f)
• update config.json.sample (#177) (42f973b)
• update read-config-ng to 3.0.5, fixes #277 (3e82c0d)
• update xterm.js fixes #261 (c801ef9)