HN

Need help?
<- Back
A native graphical shell for SSH

A native graphical shell for SSH

mrcslws

Comments (85)

  • hatradiowigwam
    This appears to me like a solution in search of a problem, like many others before it...the quote below seems relevant to this effort."Those who do not understand Unix are condemned to reinvent it, poorly." ~Henry Spencer
  • smusamashah
    Feedback: Home pages of each of Outer Loop, Outer Frame and Outer Shell contain basic intro of each instead of a link redirecting to them. By the time I click the link and on the new Outer X I have already what Outer X I came from and what it meant.
  • trashb
    I like the idea of separating the frontend and backend of a graphical app. But I feel like this is hardly a novel idea, maybe I'm missing something.I take it you don't know about "X11Forwarding yes" or "html5 web app" For browsers, capabilities like connecting to Unix sockets have been dismissed as extremely niche That is a security concern, that's why it isn't implemented. At least raw unix socks. You can have WebSockets and other ports only limited to http.
  • guhcampos
    Author apparently has never heard about Cockpit.Everything they mention as "missing", or "novel" has been part of Cockpit for over a decade, from socket-based web server connection, backend-frontend separation for server apps and the whole idea of a server console with shell access itself.To answer them: "Isn’t it weird that this doesn’t already exist?" - No, it's not, because it has existed for ages.
  • purplehat_
    i'm trying to understand how outer shell works here. on the website you give the following as your motivation:> Apps like Jupyter and Tensorboard are not typically visible to standard web browsers if they’re running on remote servers, because it would be terribly unsafe to let the whole internet touch this app. Instead, they run on a local port on the server, which your computer can’t access directly.> Classically, to get access to these, you had to open a new terminal and run:> ssh -L 24601:localhost:8889 mrcslws@lambda4.mycompany.com &> ssh -L 24602:localhost:6006 mrcslws@lambda4.mycompany.com &is this true? isn't the normal thing just to do this ssh forwarding for prototyping, then for deployment, you set up a website like myjupyternotebook.com, and then set up auth so that others can't access it. HTTP basic auth is not too much work.if you want SSH, not HTTP, to be what's publicly exposed, there's other options too, like putting it behind a VPN or tunnel.all this to say, outer loop is super cool, but I don't get it. I must be missing something about why you built it, so could you help me understand?
  • calmbonsai
    Do not do this. There are many, many excellent long-standing security and "web control plane isolation" reasons browsers are not permitted generic socket permissions.The closest mechanical analog that comes to mind is why 3-wheeled ATVs are a bad idea.
  • abnercoimbre
    Lovely writeup! I'll bookmark this for my own research.My terminal's "clickity clackity" features [0] are local to the machine so I lose graphical-ness as soon as we remote in somewhere.That's starting to change a bit with offline replay [1] where the native GUI and TUI work in tandem to unlock some rewind. But there's quite a road ahead and I love seeing others experiment properly. (Terminals are massively underserved.)[0] https://terminal.click[1] https://terminal.click/posts/2026/06/tui-stability/#:~:text=...
  • cloudfudge
    This reminds me of an idea that I build a PoC of many years ago (maybe 2013 if I recall) that I always felt was the nugget of a useful idea. You would SSH into a server and processes on the other end would emit data which was then displayed in a webapp that was served from a localhost port, with a local backend that consumed the data. So for example a short-lived web-based remote 'top'. I did it as part of a company-internal hackathon and thought it was really cool, but nobody else was impressed with it. It was a very half-baked idea, and this looks like a fully-baked version of it. I'll check it out.
  • flying_sheep
    That's interesting idea. If we put into CLI with some ANSI escape code, that may become something real. Imagine a normal terminal app just render part of the UI in web and communicating in UNIX socket. While doing the fancy UI, everything is still controllable with keyboard, and optionally with mouse. The UI will fallback to text UI for older terminal
  • toenail
    Interesting, kind of like a more fancy web shell. Haven't really ever seen the need for those, mostly because terminals work better than browsers.
  • saltamimi
    One of the more interesting pieces of Microsoft software is the Windows Admin Center where it's a web app to configure a Windows Server. Ideally, it was made for core installs where there's no GUI but it's there as a viable web management panel.The tool from OP and WAC are pretty similar in terms of functionality and usecase. Why would you want this? Well, imagine your team needing to be able to do server functions but you have less technical team members to do it for you, which is very often the case in big places, most people are familiar with the web browser and having a website to do these sorts of actions makes it easier to have things done in one place without a lot of tools like Remote Desktop, SSH, WinRM, etc. configured.
  • dwb
    Just had a quick look but I like the look so far. I’ve been thinking along similar lines for ages but never quite got around to making something. I very much support any effort to make remoting less dependent on the archaic character grid.
  • tom1337890
    Lovely video and ingenious implementation. Kudos!As someone managing various servers, both at home and at work, I see how this can be really useful. I see it not in the production space yet but rather in the experimenting, using a Linux machine as a second compute device!So regarding your last point, I'm convinced. I think it is useful! The one fact that is bugging me is that now it requires a client specific app, with GUI, on my PC and I wonder if using ssh port forwarding could reduce the surface. I mean I wonder if either having a rich client that executes commands via ssh or a rich server (including Web Server) with ssh port wouldn't suffice, so that I can avoid installing stuff on the server AND on my computer.
  • tjohnell
    I’m good with just tailscale and self-hosted web-apps. Seems the main selling point is either native UX or reduced barriers to entry security-wise. I like barriers to entry.
  • Tepix
    It's a cool video and I like the idea in general. The author mentions that the code runs in a sandbox. I'm surprised that WASM hasn't come up. You want the code to be platform agnostic anyway (it should run whether you start Outshell on Linux, macOS or whatever on different CPU architectures).
  • xuhu
    Being able to initiate a shell app from a regular remote ssh CLI prompt (like "ApacheConfig myhost.com" or "Editor ~/myrepo") might improve integration with people's existing CLI workflows.It does need an agent that starts with every X or Wayland session and waits for requests from remote SSH sessions to start an app.
  • bobajeff
    I don't really know what outerframe frame is. I tried to understand from the video and the blog but I'm still not sure what it is. Is it like a web browser but instead of DOM, HTML and JS you have Swift and SwiftUI running in a sandbox?If so how would that work on non Apple devices? Also how much will that sandbox protect you?
  • torm
    I can’t make up my mind if I love it or hate it. On one hand this is like SSHapi on the other there’s no structure, no contract… i had similar doubts with Cockpit.
  • akshayKMR
    This is cool. Though I don't see why someone would want to do more work/design for the custom GUI rendering for a custom/renderer (your viewer app) ?
  • nativeit
    I thought this looks interesting, but was a little confused with what appears to be MacOS-only support at https://outerloop.sh/? I'm running Ubuntu 24.04, I kind of assumed from context that it'd be something I could spin up in a few minutes just to give it a go?
  • abtinf
    I wrote an early version of the Cylance AV desktop client. The UI side was a web app that talked to its windows service backend using HTTP over windows pipes. This was surprisingly easy to do using WCF.
  • myaccountonhn
    I am not sure I'd use this over exposing websites with wireguard as those will automatically work across platforms. But it looks like you could create some really cool experiences with it, and I'm happy people are exploring this space.
  • setheron
    I'm confused -- does this compile it live when the server ships code? How do we resolve dependencies, toolset etc.. Is the idea to just pick an old enough platform toolchain you expect to be present?
  • fnordpiglet
    I prefer hytelnet and MUDs but I don’t count, I’m just too old.
  • wolvoleo
    So a bit like X-forwarding used to do? Cool.
  • IshKebab
    I'm actually way more interested in option 2 - the VNC-like experience.TUI apps are convenient over SSH because they're right there in your terminal. But they suck because they're restricted to shitty monospaced character grids. Why can't we have something more like VNC over SSH? Like, `top` and `micro` but with good graphics?I did try doing something like that with the Kitty graphics protocol and you can get kind of close..ish, but it's really restricted by having to send everything as PNGs.Anyway upvote for not being blinkered and thinking terminals are just for CLI stuff and must be forever.
  • Panzerschrek
    > every app is a small HTTP serverThis adds unnecessary overhead for communication. using web and web-like approaches on desktop system is a terrible idea.
  • Asooka
    In general I would like to see a web browser escape sequence for console applications. Just send a command to the terminal to connect a web browser to your stdin/out and present any UI you want over html. The terminal can then open a regular socket listening on localhost and act as a CGI server. For security the terminal should pick a random IP in the localhost range and a random URL. Technically that is security by obscurity, but guessing a cryptographically secure URL should be hard enough for attackers. The reasons to do it as an escape sequence and not just have the application open a socket and start the browser are: To enable remote GUI; To avoid the complexity of each application implementing networking; To enable better desktop integration, since the terminal itself is part of the Desktop Environment, so it can start a DE-specific browser, preferably in single-application mode. Also, it should be possible to automatically put the application in the background so you basically just run GUI applications like normal.
  • arnefm
    Heresy!
  • whalesalad
    this exists as https://xpipe.io/
  • PunchyHamster
    > Isn’t it weird that this doesn’t already exist?It does. MobaXterm have a bunch of it already, file manager on the side and ability to pass X11
  • CamperBob2
    Edit: withdrawing this objection, had no idea that right-clicking allowed the speed to be adjusted.
  • mad182
    Cool, I hate it.
  • supertroop
    Defeats the purpose of the shell. The shell is for CLI interaction.