SSH in the Browser: Web-Based Terminal Access Without a Client
Most teams still reach servers the old-fashioned way: install an SSH client, distribute keys, maybe route through a bastion, and hope the person connecting has the right config on their laptop. That works fine for engineers who live in a terminal. It is less ideal for occasional access, contractors on locked-down machines, or anyone who just needs to run a few commands without setting up tooling first.
Browser-based SSH sidesteps that friction. Instead of opening PuTTY or a local terminal, the user visits a URL, completes authentication, and gets a full interactive shell rendered in the tab. Everything happens in the browser, so there is nothing to install on the user's side.
What You Get
With Pangolin, you publish SSH as a public resource: a URL that renders a real terminal in the browser. Users visit that address, sign in, and land in a session on a host in your network. Depending on configuration, they may enter a second set of credentials (password, key, or platform identity) or proceed directly into the shell.
Why Tunneling Matters
Private servers are not usually reachable from the public internet. Opening SSH to the world creates an attack surface most teams want to avoid.
Pangolin uses outbound tunneling instead. You install a lightweight site connector on a machine inside your network (an office LAN, cloud VPC, data center, or home lab). The connector initiates an outbound tunnel to Pangolin and stays connected. When a user opens the SSH URL in their browser, Pangolin routes the session through that tunnel to the target host.
The target machine stays private. You do not need to open inbound firewall ports or assign it a public IP. The site connector only needs outbound internet access, which makes this work from behind NAT and typical corporate firewalls.
The connector does not need to run on every server you want to reach. As long as it sits on the same network and can route to your SSH hosts, one connector can serve many machines. For high availability, install a second connector on the same network as a redundant path. Learn more about how sites and connectors work.
How a Session Works
- You assign a URL to the SSH resource in the Pangolin dashboard.
- The user opens that URL and completes public resource authentication.
- Pangolin renders the terminal and sends traffic through the site connector tunnel to the backend host.
You point the resource at the SSH server you want to reach (host and port).
Authentication and Identity Providers
Before the terminal loads, Pangolin checks who is connecting. You can require a platform login, connect an identity provider such as Google Workspace or Microsoft Entra ID for SSO, and apply access rules based on user, role, or context (geo-blocking, time windows, and more). These checks happen at the URL layer, before any SSH session begins.
If you already use an IdP for workforce access, the same identity store can gate your SSH URLs. See public resource authentication for the full set of options.
Setup in Brief
Install a site connector on a host that can reach your network, create the SSH public resource, and assign it a URL. Pangolin can run sessions directly on the connector host or route to another SSH server on the network. Configuration options for both paths are covered in the how to SSH with Pangolin guide and the SSH access docs.
Practical Notes
Browser-based SSH uses the same identity and policy framework as other public resources, so you manage access consistently across web apps, terminals, and remote desktops.
It also works on phones and tablets. A web-based terminal in mobile Safari or Chrome is enough to check logs, restart a service, or run htop from the couch. A dedicated SSH app is not required.
If you have been evaluating standalone web gateways for terminal access, Pangolin covers similar ground as an Apache Guacamole alternative: in-browser SSH with outbound tunneling and identity-aware access rules, rather than a separate gateway to deploy and maintain.
FAQ
What is browser-based SSH?
Browser-based SSH renders a full interactive terminal in a web browser. Instead of installing an SSH client, users visit a URL, authenticate, and get a shell session on a remote host. The session is proxied through an outbound tunnel from a site connector on your network.
Do I need an SSH client like PuTTY or OpenSSH to connect through the browser?
Users only need a modern web browser. Pangolin renders a full interactive terminal at a public URL after authentication. The SSH session is proxied through a site connector to the backend host.
Do I need to open SSH ports on my firewall for browser-based access?
The SSH host stays on your private network. A site connector inside that network maintains an outbound tunnel to Pangolin, so you do not need to expose port 22 to the internet or assign the server a public IP.
How does authentication work for browser-based SSH?
Access is checked in two stages depending on configuration. First, the user passes Pangolin authentication at the URL: platform login, SSO through an identity provider, or other access rules. Second, they may enter SSH credentials (password, key, or platform identity) before the terminal loads.
Can one site connector reach multiple SSH servers?
Yes. The site connector only needs to sit on the same network as the servers you want to reach. One connector can serve many hosts. Install a second connector on the same network for a redundant path.
Can I use browser-based SSH on a phone or tablet?
Yes. Any modern mobile browser can render the terminal. This is useful for quick checks like reading logs, restarting a service, or running monitoring tools from a phone.
Is Pangolin open source?
Yes. Pangolin is open source and self-hostable. You can run the full platform yourself, use Pangolin Cloud, or combine a hosted control plane with self-hosted components. Browser-based SSH is available in Pangolin Cloud and Enterprise Edition.
What is a good Apache Guacamole alternative for browser-based SSH?
Apache Guacamole provides in-browser access to SSH, RDP, and VNC through a standalone gateway. Pangolin offers similar clientless terminal access as part of a broader remote access platform, with outbound tunneling through site connectors, identity provider integration, and unified management alongside web apps and other protocols.
See Also
- How to SSH with Pangolin: browser and private CLI access, PAM provisioning, and getting started
- RDP in the Browser: remote desktop without installing a client
- VNC in the Browser: remote display access without a viewer
- How Pangolin Works: architecture overview for sites, resources, and policy
- Pangolin 1.19 release: where browser-based SSH, RDP, and VNC shipped
- SSH public resource documentation
Pangolin is an open-source infrastructure company that provides secure, zero trust remote access for teams of all sizes. Built to simplify user workflows and protect critical systems, Pangolin helps companies and individuals connect to their networks, applications, and devices safely without relying on traditional VPNs. With a focus on device security, usability, and transparency, Pangolin empowers organizations to manage access efficiently while keeping their infrastructure secure.
Keep reading
- IoT Provisioning at Scale with Golden Edge Images
IoT Provisioning at Scale with Golden Edge ImagesProvision IoT edge fleets with golden images, first-boot assignment, Pangolin sites, and declarative blueprints.
Guides - 5 Remote Access Policy Examples for Secure Teams
5 Remote Access Policy Examples for Secure TeamsUse these remote access policy examples to scope access for admins, contractors, OT systems, internal web apps, and emergency workflows.
Guides - How to Geo-block with Pangolin
How to Geo-block with PangolinLearn how to use Pangolin rules to geo-block resources and limit access by country or region.
Guides
