DEV Community

Viktor

Share a shell over your LAN in one command — no SSH setup

I kept hitting the same wall: I'm on my laptop, I need a shell on my desktop across the room for one quick thing, and standing between me and that shell is the whole SSH ritual — enable sshd, generate a key, copy it into authorized_keys, remember the IP, get the firewall out of the way. Five minutes of yak-shaving for thirty seconds of work.

So I made cmux-ssh-here. One command:

npx cmux-ssh-here

It spins up a throwaway, token-authenticated SSH server on the machine you run it on, and prints a link plus a QR code. Open the link on another Mac and cmux drops you straight into a shell. Hit Ctrl-C and the server, the token, and the host key all vanish — nothing is left running, nothing is left on disk.

What it actually does

The dashboard it prints gives you a few ways in:

  • A cmux deep link (https://cmux.com/deeplink/ssh?...) — one click, straight into a shell inside cmux.
  • A plain ssh user@host -p port command — for any client on any OS.
  • An ssh:// deep link — for mobile SSH apps that support it (Termius, Blink, WebSSH).
  • Two QR codes so you can scan from a phone.
  • A countdown bar for the link's lifetime and a list of who's connected.

How it works

  • It runs its own SSH server (via ssh2) with an ephemeral host key — generated at startup, gone at exit.
  • Auth is a token that rides in the link's user= field. The server accepts only that token and rotates it every 3 minutes, so a link someone copied earlier goes stale on its own.
  • With tmux present, the interactive shell runs inside it, so sessions survive disconnects and are shared across connections.
  • It ships a real PTY shell plus an exec channel and SFTP, which is what lets cmux bootstrap its remote helper — a shell-only server isn't enough.

The security model, honestly

The token in the link is a bearer secret that grants a shell as your user. That means:

  • Use it on a trusted local network only. The server binds to 0.0.0.0 (all network interfaces), so anyone on your LAN who has the token can connect while it's live.
  • Don't paste the link into untrusted channels.
  • Use --once to lock the link to the first device that connects and reject everyone else.
  • The 3-minute rotation limits the blast radius of a leaked link; live sessions stay connected.

It's deliberately a "quick trusted-LAN access" tool, not an expose-your-box-to-the-internet tool.
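
The token model described above (a bearer token in the link's user= field, rotation after the TTL, and the --once lock), as an added example that is not code from cmux-ssh-here. The class name LinkTokenGate, identifying a device by its remote address, and the hashed constant-time comparison are assumptions made for illustration.

```javascript
// Added example, not cmux-ssh-here's source. LinkTokenGate is a hypothetical name.
const { randomBytes, timingSafeEqual, createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(String(s)).digest();

class LinkTokenGate {
  // ttlMs mirrors CMUX_SSH_TTL (default 180 s); once mirrors --once.
  constructor({ ttlMs = 180_000, once = false, now = Date.now } = {}) {
    Object.assign(this, { ttlMs, once, now, lockedTo: null });
    this.rotate();
  }

  rotate() {
    this.token = randomBytes(24).toString('hex'); // fresh bearer secret
    this.expiresAt = this.now() + this.ttlMs;
  }

  // Run on each new auth attempt; `username` is the link's user= value.
  // Sessions that already authenticated are never re-checked, so they survive rotation.
  check(username, remoteAddr) {
    if (this.now() >= this.expiresAt) this.rotate(); // earlier links go stale here
    // Hash both sides so timingSafeEqual always compares equal-length buffers.
    if (!timingSafeEqual(sha256(username), sha256(this.token))) return false;
    if (!this.once) return true;
    // Assumption: "device" is approximated by the peer address.
    if (this.lockedTo === null) this.lockedTo = remoteAddr;
    return this.lockedTo === remoteAddr;
  }
}

// Constructed scenario with a fake clock (milliseconds) and made-up LAN addresses.
function demo() {
  let t = 0;
  const gate = new LinkTokenGate({ once: true, now: () => t });
  const link = gate.token; // the value the printed link would carry
  const results = [
    gate.check(link, '192.168.1.20'),    // first device: accepted, link locks to it
    gate.check(link, '192.168.1.31'),    // same token, other device: rejected
    gate.check('guess', '192.168.1.20'), // wrong token: rejected
  ];
  t = 180_000; // default TTL has elapsed
  results.push(gate.check(link, '192.168.1.20')); // old link no longer matches
  return results;
}

console.log(demo()); // [ true, false, false, false ]
```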

Options

npx cmux-ssh-here --once            # single-use: locks to the first device
PORT=2222 npx cmux-ssh-here         # fixed port (random by default)
CMUX_SSH_TTL=600 npx cmux-ssh-here  # token lifetime in seconds (default 180)

When I reach for it

  • Grab a shell on my desk machine from the couch, from another Mac on the same Wi-Fi.
  • Hand a teammate a shell for quick pairing — --once so only they get in.
  • Debug a box I don't want to permanently open sshd on. Close the terminal, the door is gone.

macOS and Linux hosts are supported (it needs a POSIX shell). Node 18+.

Repo, source, and issues: https://github.com/viktor-silakov/cmux-ssh-here — MIT. Feedback on the token model especially welcome; if it saves you the SSH dance, a star helps others find it.
