Chemistry Lab University of Washington Computer Science & Engineering
 MindTerm: Secure Login from a Web Browser


Executive Summary

Logging into a CSE Unix host requires a secure connection protocol; these days telnet just doesn't cut it. But sometimes you might find yourself working from a machine that simply doesn't provide a secure client. MindTerm, which we serve from this page, is a Java applet that implements SSH®, the secure shell protocol. It's a secure alternative to telnet that will run in any Java-enabled web browser.

Cut to the chase.

Introduction

The Computer Science Laboratory is moving briskly away from providing services that use cleartext passwords-- that is, services for which your password is passed over network channels in a form that could allow it to be observed by a malevolent third party. An example of such a deprecated service is telnet, which is used for remote logins.

One popular alternative to telnet is SSH®-- "secure shell"-- which uses cryptographic techniques to prevent your password (and all session data) from being transmitted in a "sniffable" form. A wide variety of implementations of SSH are available for a wide variety of platforms. The Lab actively encourages the use of SSH, and supports it on the server side of virtually every machine to which CSE users might wish a remote login.

In most circumstances, you will have access to some implementation of SSH on hosts you use to connect to CSE hosts. But sometimes no implementation of SSH (nor practical alternative, such as Kerberos telnet configured to access CSE hosts) will be available, and it will be impractical to install one.

MindTerm is a Java language implementation of an SSH client, an applet that will run in a web browser. Since a Java-enabled web browser is virtually always available, and since we make MindTerm easily available from our site, there is virtually always a way to perform a remote login-- even from such generic sites as libraries and terminal rooms at technical conferences. The need to offer telnet services to our hosts is gone.

N.B.: users report that MindTerm (both versions) does not work with Netscape on Macintosh, but that-- at least with late versions of MacOS-- it does work with IE, though it may become "wedged" after opening and closing a number of sessions. We solicit user reports-- if you use MacOS, please send us a report of your experiences using MindTerm, including the version numbers of MindTerm, your OS, and your browser.

Using MindTerm

You could just point your browser at http://abstract.cs.washington.edu/MindTerm and then deal with whatever happens, or you could use one of the well thought out approaches below.

Internet Explorer and Netscape 4.x

Login to abstract.cs.washington.edu, then hop to the machine you really wanted.

This applet hasn't been signed. Users of any Java-enabled browser can use this applet to connect securely to abstract.cs.washington.edu.

  1. Click here to create a new browser window that acts as a simple container for the unsigned applet. After a download of a few hundred kilobytes, a terminal window will pop up.
  2. You will be prompted for your Kerberos credentials. Enter them.

At this point, you should have a login on abstract.cs.washington.edu. That's a special host that doesn't receive exports from other hosts, so the useful work you can do there is severely limited. The intention is that you will promptly connect to another host, using either SSH or Kerberos rlogin.

Netscape 6.x and Mozilla

Login to anywhere.cs.washington.edu.

This applet has been "signed for Netscape." If you are running Netscape 6 or Mozilla, you can use this applet to connect directly to any host you wish.

  1. Click here to create a new browser window that acts as a simple container for the signed applet. After a download of a few hundred kilobytes, a terminal window will pop up.
  2. A dialog box will appear asking if you wish to grant permissions to the applet. Click "grant this session" or "grant always" to proceed.
  3. Enter the name of the host to which you wish to connect. (Because the applet is signed, and because you have granted permission, connecting to a host other than abstract.cs.washington.edu is possible.)
  4. You will be prompted for your Kerberos credentials. Enter them.

You will encounter a few other dialog boxes along the way, asking if you wish to cache the server key and so forth. It's safe and wise to say "yes" to each of these. The basic idea behind caching server keys is that it offers a means of detecting certain nefarious actions, such as a host attempting to masquerade as your destination host.

MindTerm 2.0

We currently support MindTerm 1.2.1, and are testing version 2.0. To try out a vendor-signed version of that applet, click here and follow the instructions for using MindTerm 1.2.1 with Mozilla.

More Information

This document just scratches the surface of what MindTerm can do for you. Hungry for more?

MindTerm 1.2.1 README
Almost 1,000 lines of detailed information on MindTerm installation, configuration, and usage. Enjoy!
MindTerm 1.2.1 FAQ
Answers to thirty-four commonly-asked questions about MindTerm 1.2.1.
MindTerm 2.0 User Guide
A PDF user's guide for version 2.0 of the MindTerm applet.

Appendix

About MindTerm

MindTerm comes to us from a Swedish company called MindBright Technologies. Version 1.2.1, which is the version we currently support, is offered under the Gnu Public License, version 2. More information about MindTerm and its sibling products is available from the source here.

(Note: These links are just for the overly curious. There is nothing to install (that's exactly the point), unless you want to offer MindTerm connectivity to remote clients from a personal, home machine on which you run a web server.)

About Applet Security

Java applets (such as MindTerm) run in a security "sandbox" that controls the types of behaviours that an applet will be allowed to take on your behalf. For this type of application, which requires opening network connections, there are some rules that limit the functionality:

  • If an applet has not been cryptographically signed for the specific web browser family it is running in, you may only open network connections to the host from which the applet was downloaded. That means you need an account on that host.
  • If an applet has been cryptographically signed for your browser, you will be asked to grant permission for actions such as opening network connections to other hosts.

There are other relevant limitations on what an unsigned applet can do: using the system clipboard will not work, and the applet cannot write to the file system, such as is needed to cache host key fingerprints.
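
The server-key caching described under "Netscape 6.x and Mozilla" and the file-system restriction above interact. The following added example (not MindTerm code and not part of the original page) shows how: a cache that persists flags a changed host key in a later session, while a client that cannot save its cache treats every connection as a first contact. The class name, the fingerprint format, the host name and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import json
import os
import tempfile


def fingerprint(host_key_blob: bytes) -> str:
    """Assumed format: 'SHA256:' + unpadded base64 of the key's SHA-256 digest."""
    digest = hashlib.sha256(host_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyCache:
    """Trust-on-first-use cache of host key fingerprints (hypothetical class).

    path=None models a client that cannot write to the file system:
    the cache lives only for the current session.
    """

    def __init__(self, path=None):
        self.path = path
        self.known = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.known = json.load(f)

    def check(self, host, host_key_blob, accept_new=True):
        """Return 'new', 'match' or 'MISMATCH' for the key a host presents."""
        fp = fingerprint(host_key_blob)
        cached = self.known.get(host)
        if cached is None:
            if accept_new:  # the user answered "yes" to caching the key
                self.known[host] = fp
                if self.path:
                    with open(self.path, "w") as f:
                        json.dump(self.known, f)
            return "new"
        return "match" if cached == fp else "MISMATCH"


def demo():
    """Two sessions to one host; the second sees a different (constructed) key."""
    host, key_a, key_b = "host.example.edu", b"constructed-key-A", b"constructed-key-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hostkeys.json")
        HostKeyCache(path).check(host, key_a)               # session 1 caches the key
        persistent = HostKeyCache(path).check(host, key_b)  # session 2 compares
    HostKeyCache().check(host, key_a)                       # session 1, nothing saved
    ephemeral = HostKeyCache().check(host, key_b)           # session 2 starts empty
    return {"persistent": persistent, "ephemeral": ephemeral}
```

A "MISMATCH" result is the signal to stop and verify the host's key out of band before entering credentials; a "new" result on a host you have used before means the earlier key was never saved.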

We are working on creating a cryptographically-signed version of MindTerm for each browser family in widespread use, but that work is not complete. Instead, we offer a version that hasn't been signed, and have created accounts for most active CSE users on the host from which we serve it-- abstract.cs.washington.edu. Use MindTerm to connect to your account on abstract, then use rlogin (or ssh) to connect from abstract to the host where you wish to work.

If you use Mozilla or Netscape 6, we offer a locally signed version of the applet already.

We are currently testing MindTerm 2.0, a newer version of the applet. You can try a copy signed by the vendor by clicking here.

SSH Alternatives to MindTerm

When you have the ability to install software on a host that doesn't already have software supporting SSH, you may prefer doing so over using MindTerm-- getting a connection to the remote host you wish to work on will require fewer steps once you are set up. Below we list a few options.

Macintosh

MindTerm seems not to work with Netscape on Macintosh, and we haven't tried it from the command line. There have been reports that it works with Internet Explorer, though. There are installable alternatives in the UWICK distro: BetterTelnet+MITK5 and MacSSH (which supports version 2 of the SSH protocols).

Windows

Tera Term Pro w/ttssh Extension

Tera Term Pro is a freely-available terminal emulation program for Win32 (Windows 9x, ME, NT, 2K, XP) platforms. Combined with Robert O'Callahan's ttssh extension, it offers an excellent and secure remote login tool. It is distributed as part of the University of Washington Internet Connectivity Kit (UWICK). Read about and download from here (UWNetID credentials required). Or, copy from \\rfilesrv1\dist-area\miscellaneous\Tera Term Pro\. Or, get it from the primary sources: here or here (Tera Term Pro) and here (ttssh). A limitation: ttssh only supports version 1 of the SSH protocol; version 2 is newer and somewhat more secure. According to the author, ttssh will probably never support SSH2.

N.B.: the 1.5.1 version of ttssh, which is the version distributed with UWICK, has been superseded by version 1.5.4. There have been security-related fixes in each release between 1.5.1 and 1.5.4, so it is recommended that users run 1.5.4. That's available from the primary distribution site and is cached locally in \\rfilesrv1\dist-area\miscellaneous\Tera Term Pro\Teraterm2.3\ttssh154.

Putty

Putty is an open-source SSH client for Win32, written by Simon Tatham. It supports both versions 1 and 2 of the SSH protocol. Copy Putty from \\rfilesrv1\dist-area\miscellaneous\putty, or download it from the primary site. Limitations: it does not include an installer, and is less intuitive to configure. Version 0.51-- the current release version-- has a bug that causes it to drop connections to CSE servers after one hour. This is fixed in development snapshots.

SSH Communication Security, Inc. is a commercial provider of SSH. Binary versions are available for Windows platforms and are free for university use.

OpenSSH

OpenSSH will run in the Cygwin environment, and you can get a working version directly from the Cygwin site. The "Cygwin environment" consists of a DLL that provides a Unix-like API, and a set of applications and utilities that come from the Unix world. That includes most GNU programs, including shells, editors, and development tools such as gcc. Apache, perl, python, PostgreSQL, and X11 are also available. Cygwin is a heavyweight way to get an SSH client for Win32, but it works.

Unix

Generally, installing software on a Unix machine requires building from sources and/or having a privileged account. Here is a brief list of options:

  1. OpenSSH is an open-source implementation of versions 1 and 2 of the SSH protocols for both clients and servers. It is limited to Unix-like operating systems, though it will also run in the Win32 Cygwin environment.
  2. SSH Communication Security, Inc. is a commercial provider of SSH. Source code and binary versions are available for many platforms, some of which are free for university use.
