SSH Bastion

The Reemo SSH Bastion is a hardened environment, securely exposed through a Reemo session directly in the browser.

This guide first covers deployment (administrator side), then daily usage (end-user side).

Configuration and Deployment

The bastion is deployed via a Reemo template (reemo-template.json) imported into the portal. The generated form exposes the fields below, which are injected as environment variables into the container at startup and read by the reemo-ssh Rust binary.

Image Information

  • Image: registry.reemo.io/reemosbterm:latest
  • Internal Service: SSH Bastion (Rust)

Defining the SSH Target

  • Target Host IP: Address of the remote machine (FQDN accepted). Required.
  • Target Port: Target SSH port. Defaults to 22.

Choosing the Authentication Method

The Auth Method selector controls the mechanism used by the bastion to authenticate against the remote target.

  • Vault (default): The bastion resolves the secret at startup via mTLS against the portal. The Vault natively manages all types of secrets (password, SSH key, key + passphrase). Nothing is written to disk. Preferred method.

  • SSH Private Key (additional fields: SSH Username + SSH Private Key (PEM)): Authentication by private key. Paste the complete PEM, including BEGIN/END headers. The key remains in memory within the process. To be avoided.

  • Password (additional fields: SSH Username + SSH Password): Authentication by password. The password remains as a process environment variable. To be avoided.

Tip

Interactive Prompt (JIT): If the chosen authentication method is Password and the password field (or username/password pair) is left blank in the form, the bastion will request them dynamically and silently from the end user within the terminal.

Selecting the Operation Mode

The Operation Mode selector determines whether the bastion applies restrictions or acts as a transparent relay.

  • Secure Mode (Filtering active) (default): Every command passes through the parsing engine, which provides local line editing, history, and security policy enforcement.
  • Bypass Mode (No filtering): The bastion relays end-to-end (PTY passthrough). No filtering is active.

Managing the Filtering Logic

The Filtering Logic selector is only visible in Secure Mode.

  • Denylist: Everything is allowed except for the commands listed in Blocked Commands.
  • Allowlist: Everything is forbidden except for the commands listed in Allowed Commands.

Both fields accept a comma-separated list of commands (e.g., ls,pwd,cat). The * suffix at the end of a command allows covering all its variants: mkfs* covers mkfs.ext4, mkfs.btrfs, etc.

Warning

Always Blocked Commands (No Exceptions): Interpreters (bash, python, perl…), debuggers (gdb, strace, ltrace), interactive editors (vim, nano, emacs, vi), dangerous arguments (--no-preserve-root, /dev/sd*, /etc/shadow…), and critical redirections (>/etc/shadow, >/proc/*…) are systematically blocked by the security engine, regardless of your configuration.

Customizing User Feedback

The Denial Feedback selector (visible only in filtered mode) controls what the end user sees when a command is rejected.

  • Silent (Drop silently): No message. The command is silently dropped.
  • Normal (Blocked message) (default): [reemo] command blocked by policy
  • Verbose (Show rule match): [reemo] blocked - <rule> : <detail> (e.g., denylist: ‘rm’ matches deny pattern).

User Guide

Within a Reemo session, interaction with the bastion takes place directly from your browser’s terminal interface.

Connecting

Two scenarios arise when the session opens:

  1. Complete Configuration: The remote target machine prompt appears immediately.

  2. Dynamic Authentication: The bastion prompts you for your credentials on the fly:

    [reemo] Remote username: _
    [reemo] Remote password: _

    Enter the information and press Enter. Password input is completely hidden (no characters are displayed).

Interpreting the [reemo] Visual Cue

All communications originating from the bastion (and not from the target machine) are prefixed with the `[reemo]` tag. The color of this tag indicates the nature of the information:

  • 🟣 Purple: Prompt, general information message, transfer progress.

  • 🟢 Green: Success of an operation (e.g., transfer completed).

  • 🔴 Red: System error, command blocked by security policy, disconnection.

Managing the Terminal and History

  • Left / Right arrow: Move the cursor within the command line.
  • Home / End: Place the cursor at the beginning or end of the line.
  • Backspace / Delete: Delete the character to the left of or under the cursor.
  • Up / Down arrow: Navigate the history (last 100 commands of the session).
  • Enter: Validate and submit the command to the security filter.
  • Ctrl+C: Interrupt the current command entry.
  • Shift+Ctrl+C: Copy selected text to the clipboard.
  • Shift+Ctrl+V: Paste clipboard content.
  • Left click (selection): Automatically copies highlighted text.
  • Middle-click: Pastes the automatic selection.

Screen Scrolling

  • Mouse wheel: Normal scrolling (3 lines per notch).
  • Shift + Mouse wheel: Precision scrolling (1 line per notch).
  • Ctrl + Mouse wheel: Fast scrolling (page by page).

Transferring Files

The bastion exposes a local directory named ~/Transfer, accessible from the Files menu of the Reemo browser. This directory acts as a buffer zone between your workstation and the remote target machine.

Three dedicated commands are available in the terminal (they are natively intercepted by the bastion; no component is required on the target machine):

  • reemo-list: Lists the contents of the ~/Transfer directory.
  • reemo-put <file> [target-path]: Sends a file from ~/Transfer to the target machine.
  • reemo-get <target-path>: Retrieves a file from the target machine to ~/Transfer.

1. Inventorying the Directory with `reemo-list`

Displays the buffer zone contents with file sizes and dates:

[reemo] transfer directory contents:
  FILE      1.2 MB   05-05-2026 14:22   rapport.pdf
  FILE      4.8 KB   05-05-2026 14:25   notes.txt
  ───────────────────────────────────────────────────────
  Total: 2 files ( 1.2 MB )

2. Sending to the Target with `reemo-put`

Uploads a file from ~/Transfer to the remote machine. If no path is specified, the file is dropped into the remote user’s $HOME directory.

$ reemo-put rapport.pdf
[reemo] uploading rapport.pdf ■■■■■■■■■■■■□□□□□□□□ 60% | 8.2 MB/s | ETA: 1s
[reemo] ✔ upload OK: rapport.pdf (1.2 MB) in 2.0s (6.0 MB/s)

To specify another destination:

$ reemo-put rapport.pdf /tmp/rapport.pdf

Note

The destination path must include the final filename. Targeting a raw folder (e.g., /tmp/) will trigger a system error.

3. Retrieving from the Target with `reemo-get`

Downloads a file from the target to ~/Transfer, allowing you to then download it to your local machine via the Reemo browser menu.

$ reemo-get /var/log/audit.log
[reemo] downloading audit.log ■■■■■■■■■■■■■■■■■■■■ 100% | 3.4 MB/s | ETA: 0s
[reemo] ✔ download OK: audit.log (820.4 KB) in 0.2s (3.3 MB/s)

The file inherits its original name (audit.log). If a file with the same name already exists in ~/Transfer, it is overwritten without warning.

Warning

The ~/Transfer space is strictly private and ephemeral. Remember to transfer your files back to your local machine before closing your Reemo session, as data does not survive a container stop.

Security Constraints

  • No interactive editors: In Secure Mode, access to vim, vi, nano, emacs, or pico is blocked to prevent the opening of escape sub-shells (e.g., :!sh). To modify a document, use non-interactive commands (sed, tee, cat) or perform the modification locally before using reemo-put.

  • No complex sub-shells: Syntaxes like echo $(date) or `whoami` are rejected by the parsing engine. Break down your actions by executing commands sequentially. Simple pipelines (cmd1 | cmd2) remain allowed.

  • No automatic Tab completion: In secure mode, the command is only analyzed when the Enter key is pressed. Therefore, the Tab key is not interpreted. Completion remains operational only in Bypass Mode.

  • No transfer commands in Bypass Mode: In bypass mode, the bastion acts as a raw PTY relay to allow interactive editors. Consequently, the reemo-put, reemo-get, and reemo-list commands are unavailable in this mode.
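The rules described under Managing the Filtering Logic, Customizing User Feedback and the Security Constraints above (Denylist versus Allowlist, the `*` suffix, the built-in always-blocked set, stage-by-stage checking of pipelines, rejection of command substitution, and the three Denial Feedback displays) can be modelled as a small policy engine. The Rust below is an added illustration written for this guide, not code from the reemo-ssh binary: the always-blocked tables, the rule names (`denylist`, `allowlist`, `always-blocked`, `subshell`, `syntax`), the type names and the decision to judge `/bin/bash` as `bash` are all assumptions about how such an engine could be built, and the sample command lines are constructed.

```rust
/// Filtering Logic selector (only meaningful in Secure Mode).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Logic { Denylist, Allowlist }

/// Denial Feedback selector.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Feedback { Silent, Normal, Verbose }

/// The parsed template fields; `patterns` holds Blocked Commands or Allowed
/// Commands depending on `logic`.
pub struct Policy {
    pub logic: Logic,
    pub patterns: Vec<String>,
    pub feedback: Feedback,
}

/// Outcome for one submitted line.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Deny { rule: String, detail: String },
}

// Built-in blocks that no list configuration can lift. Both tables are
// assumptions modelled on the categories the documentation names.
const ALWAYS_BLOCKED_CMDS: &[&str] = &[
    "bash", "sh", "python", "python3", "perl", // interpreters
    "gdb", "strace", "ltrace",                 // debuggers
    "vim", "vi", "nano", "emacs", "pico",      // interactive editors
];
const ALWAYS_BLOCKED_ARGS: &[&str] = &["--no-preserve-root", "/dev/sd", "/etc/shadow", "/proc/"];

/// Parse a comma-separated field such as "ls,pwd,mkfs*" into patterns.
pub fn parse_list(field: &str) -> Vec<String> {
    field.split(',').map(|p| p.trim().to_string()).filter(|p| !p.is_empty()).collect()
}

/// A trailing `*` is a prefix wildcard (`mkfs*` covers `mkfs.ext4`);
/// any other pattern must equal the command name exactly.
pub fn pattern_matches(pattern: &str, cmd: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => cmd.starts_with(prefix),
        None => pattern == cmd,
    }
}

fn deny(rule: &str, detail: String) -> Verdict {
    Verdict::Deny { rule: rule.to_string(), detail }
}

/// Judge one line the way the engine would when Enter is pressed.
pub fn evaluate(policy: &Policy, line: &str) -> Verdict {
    // Command substitution is rejected before anything else is looked at.
    if line.contains("$(") || line.contains('`') {
        return deny("subshell", "command substitution is not allowed".to_string());
    }
    // A pipeline is checked stage by stage; every stage must pass.
    for stage in line.split('|') {
        let mut tokens = stage.split_whitespace();
        let raw = match tokens.next() {
            Some(t) => t,
            None => return deny("syntax", "empty pipeline stage".to_string()),
        };
        // Strip any directory so "/bin/bash" is judged as "bash".
        let cmd = raw.rsplit('/').next().unwrap_or(raw);
        if ALWAYS_BLOCKED_CMDS.contains(&cmd) {
            return deny("always-blocked", format!("'{cmd}' is never allowed"));
        }
        // Dangerous arguments and redirection targets such as ">/etc/shadow".
        if let Some(bad) = tokens.find(|t| ALWAYS_BLOCKED_ARGS.iter().any(|a| t.contains(*a))) {
            return deny("always-blocked", format!("argument '{bad}' is never allowed"));
        }
        let hit = policy.patterns.iter().find(|p| pattern_matches(p, cmd));
        match (policy.logic, hit) {
            (Logic::Denylist, Some(p)) => return deny("denylist", format!("'{cmd}' matches deny pattern '{p}'")),
            (Logic::Allowlist, None) => return deny("allowlist", format!("'{cmd}' is not an allowed command")),
            _ => {}
        }
    }
    Verdict::Allow
}

/// What the end user sees for a denied line, per the Denial Feedback setting.
pub fn feedback_line(policy: &Policy, verdict: &Verdict) -> Option<String> {
    match (verdict, policy.feedback) {
        (Verdict::Allow, _) | (_, Feedback::Silent) => None,
        (Verdict::Deny { .. }, Feedback::Normal) => Some("[reemo] command blocked by policy".to_string()),
        (Verdict::Deny { rule, detail }, Feedback::Verbose) => Some(format!("[reemo] blocked - {rule} : {detail}")),
    }
}

fn main() {
    let policy = Policy { logic: Logic::Denylist, patterns: parse_list("rm, mkfs*, dd"), feedback: Feedback::Verbose };
    for line in ["ls -l /var/log", "mkfs.ext4 /tmp/disk.img", "cat /etc/passwd | grep root", "echo $(date)"] {
        let verdict = evaluate(&policy, line);
        let shown = feedback_line(&policy, &verdict).unwrap_or_else(|| "allowed".to_string());
        println!("{line:<32} => {shown}");
    }
}
```

Two design points carry over to any real deployment of the lists: the always-blocked checks run before the configured list is consulted, so an Allowlist containing `bash` still does not admit it, and a pipeline is only as permitted as its most restricted stage, so `ls | /bin/bash` is denied even though `ls` alone passes.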