SSH · 3 min read

Browser SSH vs traditional SSH: what actually changes

Browser-based SSH sounds like a novelty until you ship it. Here's what changes day-to-day, what stays the same, and where teams stumble moving away from the terminal.

When we first put our operators in front of browser SSH, the reaction was either “this is magic” or “wait, how does this work without my dotfiles?” Both are fair. Browser SSH isn’t just a reskin — it changes the threat model, the deployment story, and the daily UX. Here’s what actually shifts.

What stays the same

The wire protocol, mostly. Under the hood, LynxTrac still speaks SSH to the target host — the difference is that the client terminates inside a long-lived outbound tunnel from the agent, not directly from your laptop. Your shell is still PID 1 inside a pty. Jobs, signals, nohup, screen — all normal.

Keyboard shortcuts feel familiar: Ctrl+C, Ctrl+D, Ctrl+A, arrow-key history. Scrollback works, copy/paste works, tmux works. We ship a first-party xterm.js configuration that matches xterm-256color so TUI apps render correctly.

What changes

Key management. Private keys no longer live on operator laptops. Authentication happens at the agent, not the client — the browser gets a short-lived session from our control plane. No keys to rotate, no keys to steal.

Inbound ports. None. The target never listens on 22 from the internet. The agent makes an outbound TLS connection; the browser connects through our relay. This means your firewall rules are simpler, and compromising a shared jumphost no longer means compromising your shell access.

Audit. Every session is keystroke-logged and screen-recorded at the relay, not on the endpoint. Auditors love this because you can produce the exact commands run by an operator two weeks ago.

Latency. There’s a round-trip through the relay that a direct SSH session doesn’t pay. In practice we see 20-40ms on good paths — noticeable for line editors, invisible for everything else.

Where teams stumble

Three patterns come up:

  1. Missing dotfiles. The shell isn’t your laptop. Teams solve this by baking ~/.bashrc into gold images, or by running tmux attach to pre-configured sessions.
  2. File transfer reflex. scp doesn’t exist in the browser. LynxTrac ships a drag-and-drop file panel that maps to the agent’s file system; it takes a day to get used to.
  3. Long-running jobs. Closing the browser tab doesn’t kill the session — the pty runs on the agent — but operators still reach for screen. Letting them keep the habit works fine.

The honest take

Browser SSH isn’t strictly better than terminal SSH. For single-operator workflows on a laptop you control, a ~/.ssh/config with a hardware key is excellent. For teams, contractors, and compliance-heavy environments, the ability to grant and revoke access without touching keys is a category-level improvement.

Try it yourself

LynxTrac is free forever for 2 servers — no credit card, no sales call. Start in under 2 minutes →

Related posts