web-shell
1.7.7Trust posture
VERIFIABLE TRUST ARTIFACTS
Provenance
- Build commit
ed67d41- Build digest
-
sha256:493ed5018cf0fc0796d5a560250b486e1b25739af88cce11c33536ffbf0f1bd9 - Index digest
-
sha256:358d22b5449f8cb6983c7e1ecff56acc42c8214f4b60e54f67b5c7c34df024b4 - Manifest digest (amd64)
-
sha256:b1fe90795c1200d300e9333908bc0e95377b4b0a6cc52156045c29a1b7d81454 - Manifest digest (arm64)
-
sha256:385fb42e9092768be194b2635931df6936c7e963dd158c0b06bbf6d385da8924 - SBOM attestation
-
34817681β¦ - Trivy last scan
- 2026-07-10 20:42 UTC
- Base image
- Verify
gh attestation verify oci://ghcr.io/oorabona/web-shell:1.7.7 --owner oorabonaguide β
Security scan results
Trivy Β· last scan 2026-07-10
Top advisories (upstream, advisory)
- CVE-2026-58470 (NOTE) β web-shell β GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer ...
- CVE-2026-58469 (NOTE) β web-shell β GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buff ...
- CVE-2026-58472 (ERROR) β web-shell β GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buff ...
- CVE-2026-58471 (ERROR) β web-shell β wget: GNU Wget: Heap buffer overflow via server-supplied filename leads to memory corruption
- CVE-2026-7017 (NOTE) β web-shell β HTTP::Tiny versions before 0.095 for Perl forward credential headers t ...
β Full report via gh api β see Verify Images.
Explore
Available variants
| Tag | Size (amd64) | Build status |
|---|---|---|
1.7.7 default | 134.3MB | OK |
1.7.7-alpine | 27.6MB | OK |
1.7.7-ubuntu | 78.9MB | OK |
1.7.7-rocky | 116.6MB | OK |
Available variants 4 variants
1.7.7
Build lineagesha256:
Package summary n/a β runtime parsed
Recent changes n/a β runtime parsed
Build history n/a β runtime fetched
Dependency health all up to date
Dependency Health
all up to dateUp-to-date dependencies
Documentation
README
Web Shell
Secure browser-based terminal built on our Debian base image with ttyd for web terminal access. Includes common DevOps and hosting tools, optional SSH server, and flexible authentication options.
Verify this image
Every build ships a Sigstore-signed SBOM and a full Trivy scan β verify them yourself, no login required:
gh attestation verify oci://ghcr.io/oorabona/web-shell:latest --owner oorabona
Full walkthrough (SBOM payload, Trivy findings, multi-arch manifest inspection, upstream dependency tracking) β https://oorabona.github.io/docker-containers/verify-images/
Quick Start
# Pull the image
docker pull ghcr.io/oorabona/web-shell:latest
# Run with default settings (web terminal on port 7681)
docker run -d --name web-shell -p 7681:7681 ghcr.io/oorabona/web-shell:latest
# Open in browser
# http://localhost:7681
# Run with password and SSH enabled
docker run -d --name web-shell \
-p 7681:7681 -p 2222:2222 \
-e SHELL_PASSWORD=mysecretpass \
-e ENABLE_SSH=true \
ghcr.io/oorabona/web-shell:latest
Build
# Build with latest upstream ttyd version
./make build web-shell
# Build with specific ttyd version
./make build web-shell 1.7.7
Build Args
| Arg | Default | Description |
|---|---|---|
VERSION |
latest |
Full version tag (set by build system) |
TTYD_VERSION |
1.7.7 |
ttyd release version |
DEBIAN_TAG |
trixie |
Debian base image tag |
SHELL_USER |
debian |
Default shell user (build-time) |
Environment Variables
| Variable | Default | Description |
|---|---|---|
SHELL_USER |
debian |
User for terminal sessions |
SHELL_PASSWORD |
(locked) | Set user password at runtime (required for SSH/sudo) |
TTYD_PORT |
7681 |
Web terminal listen port |
ENABLE_SSH |
false |
Start SSH daemon on port 2222 |
SSH_PUBLIC_KEY |
(none) | Import SSH authorized key |
TTYD_CREDENTIAL |
(none) | Basic auth in user:password format |
TTYD_SSL_CERT |
(none) | Path to TLS certificate (enables HTTPS) |
TTYD_SSL_KEY |
(none) | Path to TLS private key |
TTYD_AUTH_HEADER |
(none) | Auth header for reverse proxy integration |
Ports
| Port | Service |
|---|---|
| 7681 | ttyd web terminal (WebSocket-based) |
| 2222 | SSH server (when ENABLE_SSH=true) |
Included Tools
| Category | Tools |
|---|---|
| Editors | vim-tiny, nano |
| File management | tree, file, less, findutils |
| Network | curl, wget, dnsutils, iputils-ping, net-tools |
| Process management | htop, procps |
| Data tools | jq |
| Version control | git |
| Archives | bzip2, xz-utils, unzip, zip |
| Remote access | openssh-server |
Authentication
No Authentication (default)
Anyone with network access can use the terminal. Suitable for local development or behind a trusted reverse proxy.
Basic Auth (ttyd built-in)
docker run -d -p 7681:7681 \
-e TTYD_CREDENTIAL="admin:secretpass" \
ghcr.io/oorabona/web-shell:latest
TLS Encryption
docker run -d -p 7681:7681 \
-v /path/to/cert.pem:/certs/cert.pem:ro \
-v /path/to/key.pem:/certs/key.pem:ro \
-e TTYD_SSL_CERT=/certs/cert.pem \
-e TTYD_SSL_KEY=/certs/key.pem \
ghcr.io/oorabona/web-shell:latest
Reverse Proxy Auth Header
For integration with authentication proxies (OAuth2 Proxy, Authelia, etc.):
docker run -d -p 7681:7681 \
-e TTYD_AUTH_HEADER="X-Forwarded-User" \
ghcr.io/oorabona/web-shell:latest
SSH Access
docker run -d -p 7681:7681 -p 2222:2222 \
-e ENABLE_SSH=true \
-e SSH_PUBLIC_KEY="ssh-ed25519 AAAA... user@host" \
ghcr.io/oorabona/web-shell:latest
# Connect via SSH
ssh -p 2222 debian@localhost
Health Check
Built-in health check via ttyd token endpoint:
GET http://localhost:7681/token β {"token": "..."}
Hosting Use Case
Web Shell is designed as a building block for web hosting platforms, providing browser-based terminal access to container environments. Combined with other containers from this project:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Client Browser β
β βββββββββββββ ββββββββββββββ ββββββββββββββββββββ β
β β Web App β β phpMyAdmin β β Web Terminal β β
β β :80/:443 β β :8080 β β :7681 (ttyd) β β
β βββββββ¬ββββββ βββββββ¬βββββββ ββββββββ¬ββββββββββββ β
ββββββββββΌββββββββββββββββΌβββββββββββββββββΌβββββββββββββββββ
β β β
ββββββββββΌββββββββββββββββΌβββββββββββββββββΌβββββββββββββββββ
β βββββββΌββββββ ββββββββΌββββββ ββββββββΌββββββββββββ β
β β OpenResty β β PHP-FPM β β Web Shell β β
β β (proxy) β β WordPress β β (tools + shell) β β
β βββββββββββββ ββββββββββββββ ββββββββββββββββββββ β
β βββββββββββββ ββββββββββββββ β
β β PostgreSQLβ β Vector β β
β β (database)β β (logs) β β
β βββββββββββββ ββββββββββββββ β
β Docker Host β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Considerations
- Runs as root for
chpasswdandsshd, but ttyd spawns shells as the configuredSHELL_USER - No default password β set
SHELL_PASSWORDat runtime (account is locked without it) - SSH listens on port 2222 (non-standard) with root login disabled
- For production: use
TTYD_CREDENTIALor place behind an auth reverse proxy - Mount TLS certificates for encrypted connections
- The
--writableflag enables terminal input β remove for read-only sessions
Dependencies
| Component | Version | Source | Monitoring |
|---|---|---|---|
| ttyd | 1.7.7 | GitHub | upstream-monitor |
| Debian (base) | trixie | ghcr.io/oorabona/debian | upstream |