I kept hitting the same wall: I'm on my laptop, I need a shell on my desktop across the room for one quick thing, and standing between me and that shell is the whole SSH ritual — enable sshd, generate a key, copy it into authorized_keys, remember the IP, get the firewall out of the way. Five minutes of yak-shaving for thirty seconds of work.
So I made cmux-ssh-here. One command:
npx cmux-ssh-here
It spins up a throwaway, token-authenticated SSH server on the machine you run it on, and prints a link plus a QR code. Open the link on another Mac and cmux drops you straight into a shell. Hit Ctrl-C and the server, the token, and the host key all vanish — nothing is left running, nothing is left on disk.
What it actually does
The dashboard it prints gives you a few ways in:
- A cmux deep link (https://cmux.com/deeplink/ssh?...) — one click, straight into a shell inside cmux.
- A plain ssh user@host -p port command — for any client on any OS.
- An ssh:// deep link — for mobile SSH apps that support it (Termius, Blink, WebSSH).
- Two QR codes so you can scan from a phone.
- A countdown bar for the link's lifetime and a list of who's connected.
How it works
- It runs its own SSH server (via ssh2) with an ephemeral host key — generated at startup, gone at exit.
- Auth is a token that rides in the link's user= field. The server accepts only that token and rotates it every 3 minutes, so a link someone copied earlier goes stale on its own.
- With tmux present, the interactive shell runs inside it, so sessions survive disconnects and are shared across connections.
- It ships a real PTY shell plus an exec channel and SFTP, which is what lets cmux bootstrap its remote helper — a shell-only server isn't enough.
The security model, honestly
The token in the link is a bearer secret that grants a shell as your user. That means:
- Use it on a trusted local network only. The server binds to 0.0.0.0, so anyone on your LAN who has the token can connect while it's live.
- Don't paste the link into untrusted channels.
- Use --once to lock the link to the first device that connects and reject everyone else.
- The 3-minute rotation limits the blast radius of a leaked link; live sessions stay connected.
It's deliberately a "quick trusted-LAN access" tool, not an expose-your-box-to-the-internet tool.
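The token model above (a bearer token in the username, rotated on a TTL, with an optional first-device lock) can be sketched as follows; this is an added example, not code from cmux-ssh-here. The TokenGate class, its method names, and the use of the client's remote address as the "device" identity are assumptions made for illustration.

```javascript
const { randomBytes, timingSafeEqual, createHash } = require('node:crypto');

// Hypothetical helper (not the project's code): gates SSH auth on a rotating
// bearer token carried in the username, with an optional first-device lock.
class TokenGate {
  constructor({ ttlMs = 180_000, once = false, now = Date.now } = {}) {
    this.ttlMs = ttlMs;
    this.once = once;
    this.now = now;
    this.lockedTo = null; // assumption: "device" means remote address
    this.rotate();
  }

  rotate() {
    this.token = randomBytes(24).toString('base64url'); // 192 random bits
    this.expiresAt = this.now() + this.ttlMs;
  }

  // Rotate lazily so a token past its TTL is never accepted.
  current() {
    if (this.now() >= this.expiresAt) this.rotate();
    return this.token;
  }

  // Intended to be called from the SSH server's authentication handler.
  check(username, remoteAddr) {
    // Hash both sides so the constant-time compare sees equal lengths.
    const h = (s) => createHash('sha256').update(String(s)).digest();
    if (!timingSafeEqual(h(this.current()), h(username))) return false;
    if (!this.once) return true;
    if (this.lockedTo === null) this.lockedTo = remoteAddr;
    return this.lockedTo === remoteAddr;
  }
}

// Constructed scenario driven by a fake clock (addresses are sample values).
function demo() {
  let t = 0;
  const gate = new TokenGate({ ttlMs: 180_000, once: true, now: () => t });
  const link = gate.current();
  const first = gate.check(link, '192.168.1.20');  // first device gets the lock
  const second = gate.check(link, '192.168.1.31'); // same token, other device
  t += 180_000;                                    // TTL elapses, token rotates
  const stale = gate.check(link, '192.168.1.20');  // copied link is now stale
  return { first, second, stale };
}
```

A remote address is a weak device identity behind NAT, so a lock keyed on it narrows who can reuse a leaked link rather than proving which machine connected.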
Options
npx cmux-ssh-here --once # single-use: locks to the first device
PORT=2222 npx cmux-ssh-here # fixed port (random by default)
CMUX_SSH_TTL=600 npx cmux-ssh-here # token lifetime in seconds (default 180)
When I reach for it
- Grab a shell on my desk machine from the couch, from another Mac on the same Wi-Fi.
- Hand a teammate a shell for quick pairing — --once so only they get in.
- Debug a box I don't want to permanently open sshd on. Close the terminal, the door is gone.
macOS and Linux hosts are supported (it needs a POSIX shell). Node 18+.
Repo, source, and issues: https://github.com/viktor-silakov/cmux-ssh-here — MIT. Feedback on the token model especially welcome; if it saves you the SSH dance, a star helps others find it.