Are there any decent SSH Session managers for Linux?
Posted by Widowan@reddit | linuxadmin | View on Reddit | 93 comments
I've been using work issued windows laptop for administrating servers via ssh managers (XShell, MobaXTerm, SecureCRT, etc) and windows has been driving me nuts recently. I want to install linux on it, but then realized it's hard to find actually decent SSH manager. Can you suggest any? So far it seems like securecrt is the only option, but it's far from cheap. I just need SSH & FTP support basically, with the ability to organize servers in folders or tags or however else.
Please do not suggest using openssh config, there are some servers which must have password only authentication (which openssh does not support) and in general not having any hierarchy or way to search them efficiently is a huge pain when working with almost a hundred machines.
Onshoremanover@reddit
I like termius, it is nice looking and free to a point. In my opinion it is better than MobaXTerm in many ways.
I feel like some of the comments here do not understand the usage of ssh managers. Being in consulting with different clients all having huge linux clusters, it is convenient and faster to have your sessions all sorted and grouped for quick access and debugging
claqueure@reddit
terminus charges 10$ per month for the decent version with functionality. are you all rich?
Widowan@reddit (OP)
You described my use case of it perfectly! Thanks for a suggestion.
psadi_@reddit
Would also suggest to take a look at tabby, it’s a terminal plus ssh session manager and from the creators of terminus.
The only downside is that it’s built in electron, so is terminus.
Onshoremanover@reddit
you are welcome, glad to help, I usually don't comment, it is just that I felt that really a lot of people could not (or maybe not want to?) understand your problem and therefore did not give you solid advice. I think you should not need to defend yourself for your usecase
ogMasterPloKoon@reddit
Termius should be on top.
KlaasKaakschaats@reddit
Thanks for the list in your post, found Tabby.sh this way and it works really well
Widowan@reddit (OP)
I didn't like tabby myself very much, but I'm glad this disaster of a post was able to help someone!
xkcd__386@reddit
I'm almost sure you won't do this, but this may help someone else who comes across this and wants a more keyboard-friendly solution.
I'll start by saying I never actually used the tools you finally found; the most I ever had to deal with were about 30 servers, and it was much easier to grep the config file and present a menu using
fzf. Each server I selected would run (if I recall) in a new tmux window (probablytmux neww ssh server-Aor such) -- fzf let me select multiple, and had excellent keybindings to quickly zero in on the exact set I wanted and fire off connections.But since the tools you mentioned in your edit were new to me, I played with asbru and remmina for a bit. Very nice and very slick, and far more pretty than a tmux + fzf driven setup.
Of course if you need clusters or similar, it's more than just "pretty", but I'm going by:
Oh and passwords... yeah that's almost trivial. I can't find the program I used to use, but it's basically sshpass with an anonymous pipe -- 5 lines of shell in a wrapper. Take a look at https://serverfault.com/a/946191 -- except that the
echo 'my_password'becomessecret-tool lookup Path "$1", and thesshpass -d3 ssh user@hostbecomessshpass -d3 "$@". You put your passwords in kwallet or gnome-keyring or (like me) in keepassxc, with names identical to the hostnames in ssh config.Widowan@reddit (OP)
Thanks for input, I didn't even think about using fzf for that, but that would make for sick (and janky) setup! And keeping passwords in
passor any other keyring/password manager is a good idea too. That's a lot of work tho, but could be fun side project:)Lacks a bit in organization sadly, unless one were to use comments somehow to tag servers 🤔
xkcd__386@reddit
about the keeping passwords in pass or other keyring, note that at least of the tools you picked do precisely that -- I hope you knew that :-)
And while it does take about a minute to set it up with asbru-cm, with remmina it's seamless -- you just add/update the password in the app, and the app takes care of updating your secret store.
Any other form of storing passwords is asking for trouble.
UsedToLikeThisStuff@reddit
In what way does OpenSSH not support password authentication? I think someone is pulling your leg about what it supports.
No one cares about SSH session managers on Linux because we have the real OpenSSH to use.
Widowan@reddit (OP)
I meant saving the password in a config file for automatic authentication.
louis-lau@reddit
I took a single look on the internet, which gave me "sshpass". It seems to do exactly that.
Only use it if you're not in control of the server and can't use keys (perhaps an incompetent sysadmin, or some kind of embedded device). If you are in control of the server, please use ssh keys.
Widowan@reddit (OP)
Yea, sshpass is useful for scripts, however I don't think it has any kind of config file or other way to use it as wrapper for normal ssh
Seref15@reddit
Why does it need one? Everywhere you would normally invoke ssh alone, invoke
sshpass -f /path/to/pw/file sshinsteadThis is a security nightmare but you could even alias
sshtosshpass -f /path/to/file sshWidowan@reddit (OP)
I guess I can make it work considering different servers have different passwords using bash scripts
Seref15@reddit
This sucks too but a shell function to support multiple pw files for multiple hosts
Then
ssh some_host.comwould source a password file namedsome_host.com.passfrom the predefined pw files directory.I hope none of these systems handle any people's money, this is truly awful security lol
xkcd__386@reddit
better way: https://serverfault.com/a/946191, replacing the
echo 'my_password'withsecret-tool lookup Path $1(or something like that, and keep all your passwords in kwallet or gnome-keyring or whatever (in my case I used to use keepassxc). All of these tools are designed to hold secrets.Widowan@reddit (OP)
Thanks! It's is somewhat related to money, but at least it's air gapped :)
PudgyPatch@reddit
Uh, what about you ssh term host? Is that air gapped?
Widowan@reddit (OP)
I am not going to pretend it is, but how is ~/.ssh/id_rsa more safe than, say, ~/.ssh/password?
(I am not using passwords because I want to, I really tried to make keys applicable in those scenarios, to no avail, sadly)
Coffee_Ops@reddit
Because the password gets transmitted over the wire to the remote server. If it's an evil server, now they have your password.
Public key auth doesn't transmit a key, it relies on a pre shared pubkey that it validates with a private key sig. That can't be relayed, it can't be faked, it can't be stolen.
Ssh password auth is terribly, terribly insecure. Doing it in an automated fashion with the password on disk is about the worst possible thing: it's unsafe at rest and unsafe in transit.
If you're airgap you should know you're probably wildly out of compliance.
Widowan@reddit (OP)
It's easy to attack a strawman when you cannot read, isn't it?:)
I literally specified that in case your local files are in danger, ~/.ssh/id_rsa is not more or less secure than any other file in the system, unless, of course, your key is encrypted (which I doubt, but you can do the same with gpg on any other file).
Coffee_Ops@reddit
Except this is one of the more common workflows and is literally built into ssh-agent and ssh.exe.
It doesn't. You have the login for
foo-user, right? Drop a pubkey in there.I don't know the details of your contract but the job of a consultant is not just to blindly do things. It's to be a trusted advisor, and this is an area you could advise your clients. Whatever their workflow, a yubikey (pubkey) or PAW with pubkey would be dramatically better in every aspect-- security, usability, administration.
PudgyPatch@reddit
keys if popped at least allow for some logging (unless you have as root keys, yuk) also ssh conf (fuck me I don't remember which) can make it so a given account can do a thing or two instead of all of the things ( my bad if my assumption that you aren't already doing that is wrong)...also maybe if your password is like 100 characters long maybe no diff. I want to say I hope you're company doesn't handle my transactions but I also know that bank transfers exist and some of how that security works(there isn't)
louis-lau@reddit
You could use a simple script and alias the ssh command to that script. I had GPT4 write an example for you here (haven't tested it):
https://chatgpt.com/share/d9c94148-b57b-4153-9b13-b07a685bb73b
dezent@reddit
Use keys instead of passwords.
Widowan@reddit (OP)
Thanks, that's very helpful of you, how could I not have thought of that!
dezent@reddit
I do understand that you are being ironic but your question is equal to going on a motorcycle Reddit asking how to best drive your new Honda backwards and upside down.
Widowan@reddit (OP)
Oh yeah, of course, r/linuxadmin apparently is the same as r/devops where everyone uses clouds & terraform and never SSHs on their servers
dezent@reddit
What? I been a Unix/Linux admin since 1998, read very carefully. If you need passwords when using ssh you are doing it wrong.
dezent@reddit
I have no idea. I have not used passwords since early 2000
redfukker@reddit
Ssh-copy-id + .ssh/config. Works for me.
ult_avatar@reddit
You can invoke (local) scripts with openssh - so you could store the passwords somewhere secure and openssh would just retrieve it for you via an API call or something
deacon91@reddit
Yikes
xkcd__386@reddit
it does but keeping the passwords secure, especially if you have hundreds of them, requires some thinking, and definitely not out-of-the-box.
I used to use sshpass with an anon pipe, and the password would come from
libsecret(kwallet, gnome-keyring, etc).serverhorror@reddit
OpenSSH on Windows is a thing now, been using it ever since I learned it is available and never looked at anything else again.
ChrisTX4@reddit
FYI, OpenSSH on Windows can be installed either as a Windows feature, which is quite old, or from the project directly. The latter gives you a much newer version, and can also easily be installed with WinGet of course.
serverhorror@reddit
TIL, thank you
linuxunix@reddit
Id_rsa.pub
misterfast@reddit
id_ed25519.pub much smaller and more secure!
micdawg12@reddit
Hey now, I don't have ED!
soopastar@reddit
I think Vandyke makes a Linux version of SecureCRT.
forwardslashroot@reddit
This is only true for .deb, but I couldn't the .rpm version.
soopastar@reddit
That’s cause RPMs are for redhat based distros. Did you check Vandyke.com?
forwardslashroot@reddit
I'm sorry, I meant to say I couldn't find the .rpm.
We are using RHEL at work but couldn't use SecureCRT due to vandyke only providing deb packages.
ForeheadMeetScope@reddit
Extract and install manually
soopastar@reddit
thought about suggesting that as well. There are options like this too:
https://linuxconfig.org/how-to-install-deb-file-in-redhat-linux-8
Magic_Ren@reddit
If you haven't looked at it I think mremoteng does what you want easily
TuxRuffian@reddit
Since I have to use Windoz at work, I like using a combination of the New Windows Terminal + Arch WSL +
tmux+ Wishlist.I’m not a fan of GUIs so Wishlist’s TUI is perfect for me and
tmuxallows me to automate workflows.devilsadvocate@reddit
Modern windows has OpenSSH baked in. Supports password and key based auth fine.
You can also use Windows subsystem for Linux if you feel so inclined. Though I don’t for admin.
Personally I just use the new windows terminal that has tabs. Use ssh keys for everything and then sudo is just as auth. Servers will do AD password auth for ssh but I only use that for the initial login. Keys make things like moving files much easier.
serverhorror@reddit
I have an SSH config and tmux, I'm not sure what else you'd need.
Widowan@reddit (OP)
On prem do be like that, can't make Ansible for everything.
Coffee_Ops@reddit
Ansible works just fine onprem. Why would you think it doesn't?
You literally just need a box with Ansible installed.
Your next step is to deploy a pubkey.
Widowan@reddit (OP)
Thanks for replying whopping two times in this thread, I was afraid there are even more people who cannot read more than 5 words into the post, but thank god no.
Coffee_Ops@reddit
I never said you said it didn't work. I asked why you thought it didn't work onprem, because you implied that "on prem be like that" was why Ansible was not suitable here.
It's a strange comment because most of the value I've seen with ansible was onprem, even in disconnected environments.
What's even stranger is asking you to clarify, and you responding with an accusation of strawmanning.
Yes, I know how consulting works, I suspect most of us here are familiar with it. You're getting flack though because you're insisting that password auth is your only path forward, and-- spoiler-- you're not the only one who's run into management / clients zealously dedicated to legacy config / technical debt / the way peppridge farm remembers doing IT. The fact that you're defending it as a necessity is indicative of a problem, and very likely an X-Y problem. SSH intentionally makes it a pain to do the thing you're suggesting because password auth is so terrible.
Widowan@reddit (OP)
I am not defending it as a necessity. I did what I could where I could, and I am only asking for password solution for easing my own pain.
It takes time to change all of it, and in meantime, I just need a tool to make my life easier.
serverhorror@reddit
I didn't say you should do that.
I'm fighting Ansible here because someone knows Ansible they now think it should be used for everything.
Learn a few tools. Never stop learning a new tool and use the right tool for the right job.
I'm dealing with production floors, that could go boom, mainframes, Windows, Linux, containers, OpenShift, windows, network devices, SCADA and everything you never wanted to know about.
No, don't use Ansible for everything, but for the sake of everything that's fun and forbidden, start managing the infrastructure with something better than a session manager.
DemosthenesAxiom@reddit
Cries in 100 machines I manually manage currently.😭
chronic414de@reddit
Remmina
GurgleBlaster68@reddit
Ásbrú Connection Manager (https://www.asbru-cm.net/). It manages not only SSH connections, but also RDP and VNC. I've used Remmina before, but I find Ásbrú more usable.
tuxsmouf@reddit
remmina could do the trick. I only use it for rdp but the option for ssh is there.
aaronryder773@reddit
TIL! I did not know that Remmina can do this. I have only used it for RDP
ThreeChonkyCats@reddit
Came to say this. It has a really nice and simple SSH manager.
It also doubles up with RDP and VNC.
This will make life a tad easier when there are multiple methods of remote admin.
(I'm a 100% Linux user)
daishan_swe@reddit
I really like Tabby which I run on both macos and windows. It's available for both .deb and .rpm based distros, even though I have not tried it on Linux myself. Check it out here: https://tabby.sh/
Widowan@reddit (OP)
Seems to be cool! How is memory consumption though? Since it's essentially a browser in a trenchcoat and it even says in readme that it's not lightweight.
daishan_swe@reddit
I'm looking at memory usage in the real world right now. Three tabs open - one local PowerShell, one local zsh and one remote ssh (which has a built-in SFTP browser!): 465 MB of RAM on my 32GB RAM M1 pro mac. It's not exactly efficient, but if you have the RAM to spare it's not a problem.
crazedizzled@reddit
I fuckin love mobaxterm on windows. I wish there was something like it for Linux. It's great having all of my sessions/hosts in a categorized list. And it has built in SFTP which is super handy.
I do use sshconfig with host names setup and all that jazz, but it just feels so oldschool.
exedore6@reddit
ssh.conf is my session manager, it let's me setup custom settings on a host basis (old systems with limited key algorithms), assign specific keys to a host. I try to get away from passwords, but configuring my client is enough.
mysterytoy2@reddit
On windows I use Solar-Putty. It's nice. I use filezilla for FTP. Between the two I have it covered pretty well and fast.
neovb@reddit
Smartty?
Runnergeek@reddit
SecureCRT and MobaXTerm support what you are looking for. I'm confused what the issue is
scorp123_CH@reddit
After reading through all your posts here, I think I understand your use-case... As was suggested by others, please take a look at "Asbru Connection Manager". It might be the kind of software you are looking for ...
https://www.asbru-cm.net/
Widowan@reddit (OP)
Thanks, it looks like a solid choice, also supports SFTP!
Kill4meat@reddit
I've been using moba with wine. Runs just fine.
Widowan@reddit (OP)
I should give it a go again, last time I tried it was very glitchy with disappearing text and really unresponsive ui
ThreeChonkyCats@reddit
I feel I must say that we all feel sorry that you are forced to use windows for technical administration.
Perhaps it's time to turn it into a sneaky dual boot 🙉🙊🙈
AdrianTeri@reddit
To stop piling on you could you explain this? Is it harder to switch to keyfiles on this machines than is to stop using passwds?
Last part is confusing. What support do you need as you asked for assistance with both SSH & FTP? Are some of these machines cheapo web hosts you can only access via ftp & sftp clients? If they are tools like WinSCP, Filezilla etc exist
Widowan@reddit (OP)
Most of the times where I cannot use keys are servers which I am not owner of, there is one organization that is hellbent on using passwords with ridiculous requirements and short lifespan (it's also completely air gapped, too).
As for FTP, I meant basically a session manager with in-built FTP so I don't have to manage server list in ssh client AND filezilla as well.
Thanks for being just about the only person who read the post completely.
AdrianTeri@reddit
Confusion continues.... How do you work on these machines if you do not enter where they are with only a paper notebook with passwds written down?
You can organize these into folders/dirs WinSCP, FileZilla
Widowan@reddit (OP)
I am not sure what you mean. I just go there with my laptop, do stuff and leave. Come back next time - oops, the password is expired; so I change it and update it in session manager, rinse and repeat.
arkham1010@reddit
Putty Manager https://sourceforge.net/projects/puttymanager/files/
clinch09@reddit
Checkout Devolutions. There's a free and enterprise version
DurianBurp@reddit
Konsole has a SSH session manager built-in.
ForeheadMeetScope@reddit
Asbru-CM for open source, SecureCRT for paid option
FragOfZeWood@reddit
+1 for Asbru. I use mobaXterm under Windows and Asbru is the closest software I found running under Linux.
noslab@reddit
Tmux..
waterkip@reddit
Putty has a linux/unix port?
kestrel808@reddit
Install wsl
me1337@reddit
sshw
MrExoduso@reddit
I'm not entirely sure if it fully fits your needs, but check tabby.sh
AntranigV@reddit
The ssh command has a manager in it via config files. Just look up the Manual page of ssh_config.