DEV Community

Share a shell over your LAN in one command - no SSH setup

I kept hitting the same wall: I'm on my laptop, I need a shell on my desktop across the room for one quick thing, and standing between me and that shell is the whole SSH ritual - enable sshd, generate a key, copy it into authorized_keys, remember the IP, get the firewall out of the way. Five minutes of yak-shaving for thirty seconds of work.

So I made cmux-ssh-here. One command:

npx cmux-ssh-here

It spins up a throwaway, token-authenticated SSH server on the machine you run it on, and prints a link plus a QR code. Open the link on another Mac and cmux drops you straight into a shell. Hit Ctrl-C and the server, the token, and the host key all vanish - nothing is left running, nothing is left on disk.

What it actually does

The dashboard it prints gives you a few ways in:

  • A cmux deep link (https://cmux.com/deeplink/ssh?...) - one click, straight into a shell inside cmux.
  • A plain ssh user@host -p port command - for any client on any OS.
  • An ssh:// deep link - for mobile SSH apps that support it (Termius, Blink, WebSSH).
  • Two QR codes so you can scan from a phone.
  • A countdown bar for the link's lifetime and a list of who's connected.

How it works

  • It runs its own SSH server (via ssh2) with an ephemeral host key - generated at startup, gone at exit.
  • Auth is a token that rides in the link's user= field. The server accepts only that token and rotates it every 3 minutes, so a link someone copied earlier goes stale on its own.
  • With tmux present, the interactive shell runs inside it, so sessions survive disconnects and are shared across connections.
  • It ships a real PTY shell plus an exec channel and SFTP, which is what lets cmux bootstrap its remote helper - a shell-only server isn't enough.

The security model, honestly

The token in the link is a bearer secret that grants a shell as your user. That means:

  • Use it on a trusted local network only. The server binds to 0.0.0.0, so anyone on your LAN who has the token can connect while it's live.
  • Don't paste the link into untrusted channels.
  • Use --once to lock the link to the first device that connects and reject everyone else.
  • The 3-minute rotation limits the blast radius of a leaked link; live sessions stay connected.

It's deliberately a "quick trusted-LAN access" tool, not an expose-your-box-to-the-internet tool.

Options

npx cmux-ssh-here --once          # single-use: locks to the first device
PORT=2222 npx cmux-ssh-here       # fixed port (random by default)
CMUX_SSH_TTL=600 npx cmux-ssh-here # token lifetime in seconds (default 180)

When I reach for it

  • Grab a shell on my desk machine from the couch, from another Mac on the same Wi-Fi.
  • Hand a teammate a shell for quick pairing - --once so only they get in.
  • Debug a box I don't want to permanently open sshd on. Close the terminal, the door is gone.

macOS and Linux hosts are supported (it needs a POSIX shell). Node 18+.

Repo, source, and issues: https://github.com/viktor-silakov/cmux-ssh-here - MIT.

Feedback on the token model especially welcome; if it saves you the SSH dance, a star helps others find it.

Comments

No comments yet. Start the discussion.