Secure Web Based ssh Terminal

This may sound like an oxymoron, but this tutorial shows you how to secure access to an Ubuntu server using 2FA to protect both login and sudo. Once we accomplish that, we show how “wetty”, a web-browser-based terminal, can be used to host our ssh access via a web browser.

Read about wetty on the Github page:

If that’s not enough, I show how to use NginX Proxy Manager (NPM) to offer our ssh terminal instance over the web with SSL encryption. Wetty has internal functionality for SSL certificates, but since I frequently feature the use of NPM as a central point of management for reverse proxy and SSL certificate management, this seemed like a good solution.

At the beginning of the video I created a LXD instance for Ubuntu 22.04 Server. Watch my other videos that describe how to expose your LXD instances to your LAN or a VLAN using either bridging or macvlan as I do below:

lxc launch ubuntu:22.04 wetty --profile default --profile vlan80 -c boot.autostart=true

Connect to the console of the new LXD instance:

lxc exec wetty bash

Execute updates on the new instance, install net-tools:

sudo apt update && sudo apt upgrade
sudo apt install net-tools

Add a user account for testing and grant it sudo privilege:

sudo adduser scott
sudo usermod -aG sudo scott

Install the Google pluggable authentication module for 2FA:

sudo apt install libpam-google-authenticator

Move over to your user account since that is where we want to add 2FA and invoke the 2FA key generator:

su - scott

Edit the common authentication file to use 2FA:

sudo nano /etc/pam.d/common-auth

Insert the following two lines at the end and then save the file:

auth required nullok
auth required

Edit the ssh server configuration file and search for “challenge”:

sudo nano /etc/ssh/sshd_config

If you are running Ubuntu 22.04 the key you will want to change to “yes” is:

KbdInteractiveAuthentication yes

If you are running Ubuntu 20.04 the key you will want to change to “yes” is:

ChallengeResponseAuthentication yes

Restart the ssh service for changes to take effect:

sudo systemctl restart sshd.service

2FA authentication relies heavily on an accurate system clock. Use the following commands to set your system to get time from the Internet and also set your time zone:

sudo timedatectl set-ntp yes
sudo timedatectl list-timezones
sudo timedatectl set-timezone America/Chicago

At this point, you should be able to ssh to your server and be prompted for username, password, and 2FA key. The sudo command will also prompt for a 2FA key.
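A way to check the result of the steps above, as an added example that is not part of the original tutorial. It assumes the package's default module file name, pam_google_authenticator.so, and its default secret file, ~/.google_authenticator; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the 2FA settings configured above.

# First uncommented value of an sshd_config keyword (sshd uses the first match).
sshd_value() {  # <keyword> <sshd_config>
  awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# True if keyboard-interactive auth is on under the 22.04 or the 20.04 keyword.
kbd_interactive_enabled() {  # <sshd_config>
  [ "$(sshd_value KbdInteractiveAuthentication "$1")" = yes ] ||
    [ "$(sshd_value ChallengeResponseAuthentication "$1")" = yes ]
}

# How the PAM file calls pam_google_authenticator.so: missing, nullok or enforced.
pam_2fa_state() (  # <pam file>
  line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" | head -n 1)
  if [ -z "$line" ]; then echo missing
  elif printf '%s\n' "$line" | grep -Eq '[[:space:]]nullok([[:space:]]|$)'; then echo nullok
  else echo enforced; fi
)

# True if the home directory holds a non-empty secret file written at enrolment.
enrolled() { [ -s "$1/.google_authenticator" ]; }

# One-line verdict for one account.
audit_2fa() (  # <sshd_config> <pam file> <home dir>
  pam=$(pam_2fa_state "$2")
  if ! kbd_interactive_enabled "$1"; then echo "FAIL: sshd will not ask for a code"
  elif [ "$pam" = missing ]; then echo "FAIL: PAM never calls pam_google_authenticator.so"
  elif enrolled "$3"; then echo "OK: code required"
  elif [ "$pam" = nullok ]; then echo "WARN: not enrolled, nullok lets the password alone log in"
  else echo "FAIL: not enrolled and no nullok, account is locked out"; fi
)

# Constructed sample files (not taken from a real host) for a stand-alone run.
make_sample() {  # <dir>
  mkdir -p "$1/scott" "$1/newuser"
  printf '#KbdInteractiveAuthentication yes\nKbdInteractiveAuthentication yes\n' > "$1/sshd_config"
  printf 'auth required pam_google_authenticator.so nullok\n' > "$1/common-auth"
  printf 'CONSTRUCTEDSECRET\n' > "$1/scott/.google_authenticator"
}

d=$(mktemp -d) && make_sample "$d"
for u in scott newuser; do
  echo "$u: $(audit_2fa "$d/sshd_config" "$d/common-auth" "$d/$u")"
done
rm -rf "$d"
```

On a live host, pass /etc/ssh/sshd_config, /etc/pam.d/common-auth and each user's home directory to `audit_2fa`. The file check does not follow `Include` lines; `sudo sshd -T` prints the effective sshd settings.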

This next section shows how to install the wetty web-based ssh terminal application.

Install “git”:

sudo apt install git

Install the dependencies:

sudo apt install curl build-essential python3
sudo apt install libncurses-dev flex libssl-dev libelf-dev bc bison

Update the repository to allow for NodeJS 14+ to be installed and install node:

curl -sL | sudo bash -
sudo apt -y install nodejs

Check to see that node 14+ is installed:

node -v

Install gnupg2 for the privacy components:

sudo apt install gnupg2

Add a repository for the Yarn package manager:

curl -sL | sudo apt-key add -
echo "deb stable main" | sudo tee /etc/apt/sources.list.d/yarn.list

Install yarn:

sudo apt update && sudo apt install yarn

Install wetty with yarn:

sudo yarn global add wetty

Export profile path name used by wetty:

echo 'export PATH=$PATH:/usr/local/bin' | sudo tee -a /etc/profile
source /etc/profile

Confirm that wetty is installed:

wetty --help

Invoke wetty from the command line to test (you can change the port number):

wetty --host -p 80

Go to your web browser at the address of your instance:

Come back to the terminal and CTRL-C to abort wetty. Now create a system service for wetty by editing the file:

sudo nano /etc/systemd/system/wetty.service

Insert the following contents into the file and save it:


ExecStart=/bin/bash -c "wetty --host -p 80 --base /"


Enable and start the new service:

sudo systemctl enable wetty
sudo systemctl start wetty

Reboot your server to see if the service starts:

sudo reboot

Log in and check to see the service is running:

sudo systemctl status wetty

You should now be able to access your wetty instance from a web browser at the address of your server:

The trailing “/wetty” is no longer needed in the URL because of the “--base /” switch in the service. Look at the other command switches with “wetty --help” to see other options.

In the video, I showed how to use NginX Proxy Manager to offer this service via reverse proxy and secure it with SSL for access over the public internet, if desired. Refer to the video for that detail.

To upgrade wetty to a newer version:

yarn global upgrade wetty --prefix ~/