Just cloned the repo and set it up so I thought I'd write down the process I took in a CONTRIBUTING.md so that it can be used by other people as well. :-)

Describe the bug I follow the instruction to run the programe , but at the last step , it says : secret encryption key is not valid ... could you give me some advise?

Thanks for TermPair, it's an amazing project!

Describe the bug

$ termpair --version
usage: termpair [-h] [--version] {share,serve} ...
termpair: error: the following arguments are required: command

termpair doesn't parse correctly --version expecting other arguments and options

I've installed the latest version with pip, with python 3.9

Termpair looks awesome and personally I am excited to start using it! I came to it via a thread on HN ... https://news.ycombinator.com/item?id=27338479 . That thread also includes some dissection of the cryptography in TermPair, some of the thoughts there are good, and some are off base. This issue is a summary of my own observations/suggestions in case they are interesting and useful:

1. Termpair could use a key agreement protocol. Termpair is designed to avoid revealing keys to the server by encoding the key in the anchor fragment of the URL, which a server never sees. This is clever, but a server could still MITM by serving its own malicious HTML. It's actually very possible for two endpoints to share a key in a MITM proof way ... use a key agreement protocol such as ECDH. It's somewhat magical, but they can exchange material and agree a key without anyone in the middle ever being able to figure out what it is. There's some details to get right, like it's useful to have the ECDH be signed and verified by the parties involved, but it's all pretty straightforward.

2. Keystroke timing is a practical attack. One of the perils of interactive terminal type applications is that human keystrokes can be timed and this timing can reveal what keys are being pressed. It's important to make sure that when a terminal is line-buffered, that the keys aren't sent one by one, but that the whole buffered line is encrypted and sent in one pass. Password inputs (like ssh and sudo) are expected to use line-buffering to mitigate keystroke timing issues. Additionally, it's a good idea to pad a line-buffered input up to a fixed size - this avoid leaking the length of the password entered.

3. AES-GCM can safely use counters as nonces. This came from the HN thread, but they have a point; it's ok, and actually better to use the message count as the nonce for AES-GCM and it avoids the small odds of collisions occurring.

4. It's good to use different keys in different directions. It's also a good idea to use a different encryption key in the direction of A to B than from B to A. These keys can be derived from a shared secret using HKDF.

Some of these may be bewildering, but I'm happy to answer questions. Again, Termpair looks awesome and I don't mean these suggestions as some kind of ding!

Traceback (most recent call last): File "/Users/david/.local/bin/termpair", line 8, in sys.exit(main()) File "/Users/david/.local/pipx/venvs/termpair/lib/python3.9/site-packages/termpair/main.py", line 109, in main asyncio.get_event_loop().run_until_complete( File "/usr/local/Cellar/[email protected]/3.9.5/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete return future.result() File "/Users/david/.local/pipx/venvs/termpair/lib/python3.9/site-packages/termpair/share.py", line 231, in broadcast_terminal async with websockets.connect(ws_endpoint, ssl=ssl_context) as ws: File "/Users/david/.local/pipx/venvs/termpair/lib/python3.9/site-packages/websockets/client.py", line 517, in aenter return await self File "/Users/david/.local/pipx/venvs/termpair/lib/python3.9/site-packages/websockets/client.py", line 535, in await_impl transport, protocol = await self._create_connection() File "/usr/local/Cellar/[email protected]/3.9.5/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 1064, in create_connection raise OSError('Multiple exceptions: {}'.format( OSError: Multiple exceptions: [Errno 61] Connect call failed ('::1', 8000, 0, 0), [Errno 61] Connect call failed ('127.0.0.1', 8000)

This implements a static frontend as suggested in #36.

background

Currently, the browser contains decrypted data and the encryption key. If the browser's JavaScript were modified to be malicious and a malicious server were created, it would be hard to detect.

this pr

This PR allows the backend to accept cross origin requests, and the frontend to be served statically on GitHub pages, Vercel, or a local static server, which can be manually built. The static page still routes the terminal traffic through a (potentially) untrusted server, but that is okay since the traffic is encrypted before going over the wire.

Changes

• Accept cross origin requests on backend
• Create script to publish built frontend to https://cs01.github.io/termpair/connect/
• Make UI to define url of TermPair server where encrypted terminal data should be sent via websocket
• Also added UI to let regular server specify Terminal ID on the landing page instead of requiring it in the URL
• Update docs

Hi,

if I start the server with termpair serve --host 192.168.x.x --port 8000 it successfully binds to the correct interface.

The shared session is successful initiated with termpair share --host "http://192.168.x.x/" --port 8000

Browser opens session and server sends HTTP 200 ok (304 for png & js) for every request but the session is always in "connection-pending" state.

If served/shared using localhost instead, it works without issue.

Do I miss something here? Any help appreciated.

termpair share --host https://10.60.100.192 --port 8000 then it is ok to be used ,

but when I close the terminal , the link like this: https://10.60.100.192:8000/?terminal_id=02453c7728c8cf7a49dc2cbc8df6c109#ATM+7fg7q2hxT3GRtNdeyQ== will lose the effect .

Describe the bug Trying to launch termpair on on LAN (192.168.31.234 on my domestic network), not localhost (127.0.0.1) finishes with message on browser, that i can not use non-secure connection:

termpair serve -p 8000 --host 192.168.31.234

and on sharing window:

termpair share -p 8000 --host 192.168.31.234

When opening browser with link (which is HTTP) I get from sharing terminal I see next message:

I decided to run it on LAN, with --keyfile and --certificate options to make secure connection (it is going to set up "HTTPS", right?). So I created SSL certificate with openssl library. The key, certificate are located in /etc/httpd/httpscertificate/ folder . But when I try command:

termpair serve -p 8000 --host 192.168.31.234 --certfile /etc/httpd/httpscertificate/192.168.31.234.crt --keyfile /etc/httpd/httpscertificate/192.168.31.234.key

I receive an error:

TermPair encountered an error. If you think this is a bug, it can be reported at https://github.com/cs01/termpair/issues

Traceback (most recent call last): File "/home/ooolledj/.local/lib/python3.8/site-packages/termpair/main.py", line 140, in main run_command(args) File "/home/ooolledj/.local/lib/python3.8/site-packages/termpair/main.py", line 124, in run_command uvicorn.run( File "/home/ooolledj/.local/lib/python3.8/site-packages/uvicorn/main.py", line 393, in run server.run() File "/home/ooolledj/.local/lib/python3.8/site-packages/uvicorn/server.py", line 50, in run loop.run_until_complete(self.serve(sockets=sockets)) File "uvloop/loop.pyx", line 1494, in uvloop.loop.Loop.run_until_complete File "/home/ooolledj/.local/lib/python3.8/site-packages/uvicorn/server.py", line 57, in serve config.load() File "/home/ooolledj/.local/lib/python3.8/site-packages/uvicorn/config.py", line 284, in load self.ssl = create_ssl_context( File "/home/ooolledj/.local/lib/python3.8/site-packages/uvicorn/config.py", line 115, in create_ssl_context ctx.load_cert_chain(certfile, keyfile, get_password) PermissionError: [Errno 13] Permission denied

Sudo command does not help with it

sudo: termpair: command not found

I created RSA key and SSL certificate with this guide: https://www.rosehosting.com/blog/how-to-generate-a-self-signed-ssl-certificate-on-linux/ Then I just set path to files them with --keyfile and --certfile options in termpair serve.

Expected behavior It should accept my .key and .crt files and run termpair on LAN ip-address, which with I can use termpair share for example on my mobile phone and see and type commands

I FOUND THE SOLUTION. UPDATE: I thought it happens because i can not input certificate password and it does not let me use It. Truly, while writing report I tried to change access to .key file:

sudo chmod a+r /etc/httpd/httpscertificate/192.168.31.234.key

After that all my termpair commands with serve, share and --keyfile, --certfile options run perfectly (you can see HTTPS connection is established):

Now the question: how can I protect my .key file from unauthorized access and still be available to run termpair on HTTPS without using chmod a+r on .key file?

The web interface has a green light indicating that you can type, which implies there's an alternative, but I can't find a way to control that. Is there an option along the lines of termpair share --readonly that I just haven't found?

Perhaps a useful related feature could start the session in read only mode, but a viewer could enter a password to enable typing? termpair share --readonly --password=$foo?

Bumps eventsource from 1.1.0 to 1.1.1.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

When I'm using this project in windows ,I found that it cannot work because of there is no module "termios" supported in Windows and I have no idea on how to fix the problem. Is there anyone can make a fix on Windows? It's really helpful on changing it to useful on Windows.Thanks!!!