Beacon

v0.6.7-remote-access-passphrase Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 4d Server & OS Management

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

home-lab home-lab-dashboard home-security hosting-deployment iot iot-application

+3 more

monitoring monitoring-automation self-hosted

Affected surfaces

auth rce_ssrf

ReleasePort's take

Light signal

editorial:auto 4d

Version v0.6.7‑remote‑access‑passphrase adds a browser‑based remote terminal to Beacon and introduces an allow‑list for shell execution, while renaming the `beacon master` CLI command.

Why it matters: The new remote terminal requires rebuilding agent binaries; older agents will ignore the `terminal_open` command. The added shell allow‑list (fixing Gosec G702) restricts executable shells to approved entries.

Summary

AI summary

Updates ✨ Highlights, 🛠️ What's included, and 📋 What's next across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Feature
Feature	Medium	Adds remote terminal capability to Beacon via browser UI. Adds remote terminal capability to Beacon via browser UI. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Low	Adds Deploy button on device detail page for project‑name triggered deployment. Adds Deploy button on device detail page for project‑name triggered deployment. Source: llm_adapter@2026-05-30 Confidence: high	—
Feature	Low	Renames command `beacon master` to `beacon start`; keeps alias for backward compatibility. Renames command `beacon master` to `beacon start`; keeps alias for backward compatibility. Source: llm_adapter@2026-05-30 Confidence: low	—
Bugfix	Low	Implements shell allow‑list (Gosec G702 fix) to restrict executable shells. Implements shell allow‑list (Gosec G702 fix) to restrict executable shells. Source: llm_adapter@2026-05-30 Confidence: low	—
Bugfix	Low	Requires agent binary rebuild for remote terminal functionality; older agents ignore `terminal_open` command. Requires agent binary rebuild for remote terminal functionality; older agents ignore `terminal_open` command. Source: llm_adapter@2026-05-30 Confidence: low	—

Full changelog

🚀 Beacon Release — Remote Terminal & Command Rename

This release adds remote terminal to Beacon — open a shell on any device from your browser, through BeaconInfra. No SSH port, no VPN, no port forwarding. Also renames beacon master to beacon start.

✨ Highlights

🚇 Tunneling on HA OS

With the beacon home-assistant OS addon you can now enable tunneling (remote access).

🖥️ Remote Terminal and Tunneling

The cloud relays a shell session (PTY) between your browser and the Beacon agent — no SSH port, no VPN needed. Sessions auto-expire after 15 minutes. Set a remote-access passphrase to require a device-verified second factor before any session opens.

How it works:

Click "Open Terminal" on a device in the dashboard (Remote Access tab or the Remote Access page)
BeaconInfra creates a session and sends a terminal_open piggyback command to the device
The Beacon agent picks it up on the next heartbeat, dials back to the cloud via WebSocket, and spawns a local shell
Browser ↔ Cloud Hub ↔ Agent PTY — bidirectional relay, binary-safe

How it stays secure — the cloud never sees your passphrase:

The passphrase is never stored. Setup writes only an Argon2id-derived key, its salt, and the cost parameters to ~/.beacon/remote-access.json (mode 0600).
At session time the agent issues a single-use, short-lived nonce. The browser derives the key from your passphrase and returns a proof = HMAC-SHA256(key, nonce ‖ action ‖ session_id). The agent recomputes and compares it in constant time. BeaconInfra only relays this challenge — it never sees the passphrase or any reusable proof, so a fully compromised cloud still cannot open a session.
A successful unlock is in-memory, session-bound, and TTL-limited, and is cleared on restart (fail-closed).
Repeated wrong attempts trigger rate-limiting / backoff to slow brute force.

Security:

One-time btt_ tokens per session — SHA-256 hashed, only the hash stored server-side
Sessions auto-expire after 15 minutes (max duration) or 5 minutes idle
Shell restricted to an allow-list (/bin/bash, /bin/zsh, /bin/sh, /bin/ash, /bin/dash, /usr/bin/bash, /usr/bin/zsh, /usr/bin/fish)
The agent runs the shell as its own OS user — no privilege escalation
A stale session reaper runs every 60s to clean up abandoned sessions

⌨️ `beacon start` (was `beacon master`)

The command to start the agent is now beacon start. More intuitive, less jargon. beacon master still works as an alias for backward compatibility — existing scripts and systemd units are unaffected.

🚀 Deploy from beaconinfra dashboard

The device detail page now has a prominent "Deploy" button that opens a dialog where you can enter a project name. Triggers the same deploy flow as a new tag detection.

🛠️ What's included

Remote terminal: terminal_open piggyback command, agent-side PTY spawner, cloud WebSocket relay hub
Browser terminal UI (xterm.js) with resize support and session status feedback
Terminal session API: POST /api/terminal/sessions, GET .../sessions/:id, POST .../sessions/:id/terminate
Browser and agent WebSocket endpoints with JWT and btt_ token auth
Shell allow-list (gosec G702 fix) — rejects arbitrary $SHELL values
Stale session reaper with ExpireStale storage method
Structured logging (zerolog) for all terminal events: session create, browser connect, agent connect, relay start, close
beacon master → beacon start rename across both repos (agent + cloud), master kept as Cobra alias
Deploy dialog on device detail page with project name input
Terminal accessible from Remote Access page (device dropdown) and device detail Remote Access tab

📋 What's next

Agent binary rebuild required — devices must run this version for terminal to work. Older agents silently ignore the terminal_open command.
Terminal sessions are single-user, single-device for now. Multi-tab and session sharing are future work.
The deploy dialog currently triggers a device-level deploy. Project-targeted deploy via piggyback commands is planned.

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.6.3-remote-ssh...v0.6.4-remote-ssh-access

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.6.3-remote-ssh...v0.6.5-remote-tty

What's Changed

Feature: Local Secrets Manager by @Bajusz15 in https://github.com/Bajusz15/beacon/pull/159

Full Changelog: https://github.com/Bajusz15/beacon/compare/0.6.6-remote-tty-ha-os-tunnel...v0.6.7-remote-access-passphrase

Breaking Changes

Renames `beacon master` to `beacon start`; the old alias remains for backward compatibility.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Beacon

Get notified when new releases ship.

About Beacon

All releases →

Related context

Related tools

Earlier breaking changes

v0.6.8-remote-access-pass Renames command `beacon master` to `beacon start`; alias retained for compatibility.
v0.6.6-remote-tty-ha-os-tunnel Renames command `beacon master` to `beacon start`; alias retained for compatibility.