Shellvault - SSH in the Cloud (looking for feedback on launch)
Hi Indie Hackers,
I've just launched Shellvault (www.shellvault.io) and I'd like to hear your feedback! Shellvault is a cloud-based SSH console designed to let you skip setting up SSH from every computer you use. If you use SSH regularly, please consider giving it a try (you can sign up for free for a week, and I'll extend your trial to a month if you email me with good feedback).
I'm hoping to have the opportunity to make a full writeup later, but here's some of the details about the service:
-
The entire application is hosted on AWS, with www.convox.com as a PaaS
-
It's powered by www.laravel.com (PHP)
-
I use GitLab for private hosting and continuous integration / deployment
-
Stripe handles all of my payment processing
-
I send emails through Amazon SES and www.sendy.co, rendered with Foundation Inky (foundation.zurb.com/emails/docs/inky.html)
Please check it out -- thanks!
Austin
Cool idea but how do you handle security?
before I sign-up could you explain how it works because I use asymmetric encryption (pub/priv keypair). How does your tool ensures my priv key stays private.
I can already imagine how much it would suck to have my priv key stolen or sniffed on the "cloud".
Good question! Our FAQ does into some detail on this: www.shellvault.io/documentation/frequently-asked-questions (check out the security docs, too).
We store keys in an AWS RDS MySQL database accessible only to internal IPs (so only our server can get to them), they're stored encrypted, and the private keys are hidden from view (you can't read them once they're stored). Our servers (on AWS again) run an SSH process that's streamed to your browser via websocket. Each process is sandboxed, so a malicious user that escapes the SSH process somehow still wouldn't be able to get to other live users' keys.
We suggest lots of ways to stay secure in prompts throughout the application, such as using unique keys per-server and generating your own passworded keys. The FAQ also links to some documentation on how to set up server-side 2FA (which you can use on top of Shellvault 2FA).
Did you use websocketd ?
We use a python process with Tornado that juggles connections and keep-alive.
I think you should implement ssh client in js and therefore do the private key decryption on client side. This way you can be more trustful.
This would be nice, but unfortunately it's not doable. There are no existing SSH JS clients, and as far as I know they can't exist because browserside JS can't do some of the necessary work for handling SSH (it needs a local process, like how Chrome Secure Shell works off of NaCl [https://developer.chrome.com/native-client]).
Congrats on handling such a security sensitive product. Looks interesting.
Thanks! As a security nut myself, doing the right thing for safety with my audience (people who want something easier to use than just CLI) takes a lot of work, but it's not something worth compromising on.