Beacon

v0.6.8-remote-access-pass Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

✓ No known CVEs patched in this version

Topics

home-lab home-lab-dashboard home-security hosting-deployment iot iot-application monitoring monitoring-automation self-hosted

Affected surfaces

auth

ReleasePort's take

Moderate signal
editorial:auto 4d

Version v0.6.8‑remote‑access‑pass introduces a remote‑terminal passphrase using Argon2id key derivation and HMAC challenge, enhancing session authentication security.

Why it matters: Security engineers must update configurations to enable the new Argon2id‑based passphrase; severity 80 indicates high impact on remote terminal sessions.

Summary

AI summary

Updates ✨ Highlights, 🛠️ What's included, and 📋 What's next across a mixed release.

Changes in this release

Security High

Introduces remote-access passphrase with Argon2id key derivation and HMAC challenge for session authentication.

Source: llm_adapter@2026-05-30

Confidence: high

Breaking High

Renames command `beacon master` to `beacon start`; alias retained for compatibility.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Medium

Adds remote terminal capability to Beacon.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Low

Adds Deploy button on device detail page for project deployment.

Source: llm_adapter@2026-05-30

Confidence: high

Feature Low

Adds structured logging (zerolog) for all terminal events.

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Restricts shell execution to allow‑listed binaries (bash, zsh, sh, ash, dash, fish).

Source: llm_adapter@2026-05-30

Confidence: high

Full changelog

🚀 Beacon Release — Remote Terminal & Command Rename

This release adds remote terminal to Beacon — open a shell on any device from your browser, through BeaconInfra. No SSH port, no VPN, no port forwarding. It also renames beacon master to beacon start.


✨ Highlights

🚇 Tunneling on HA OS

With the Beacon Home Assistant OS add-on, you can now enable tunneling (remote access).

🖥️ Remote Terminal and Tunneling

The cloud relays a shell session (PTY) between your browser and the Beacon agent — no SSH port, no VPN needed. Sessions auto-expire after 15 minutes. Set a remote-access passphrase to require a device-verified second factor before any session opens.

How it works:

  1. Click "Open Terminal" on a device in the dashboard (Remote Access tab or the Remote Access page)
  2. BeaconInfra creates a session and sends a terminal_open piggyback command to the device
  3. The Beacon agent picks it up on the next heartbeat, dials back to the cloud via WebSocket, and spawns a local shell
  4. Browser ↔ Cloud Hub ↔ Agent PTY — bidirectional relay, binary-safe

How it stays secure — the cloud never sees your passphrase:

  • The passphrase is never stored. Setup writes only an Argon2id-derived key, its salt, and the cost parameters to ~/.beacon/remote-access.json (mode 0600).
  • At session time the agent issues a single-use, short-lived nonce. The browser derives the key from your passphrase and returns a proof = HMAC-SHA256(key, nonce ‖ action ‖ session_id). The agent recomputes and compares it in constant time. BeaconInfra only relays this challenge — it never sees the passphrase or any reusable proof, so a fully compromised cloud still cannot open a session.
  • A successful unlock is in-memory, session-bound, and TTL-limited, and is cleared on restart (fail-closed).
  • Repeated wrong attempts trigger rate-limiting / backoff to slow brute force.
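
The agent-side half of this challenge, as an added Go example rather than Beacon's own code: the key is a constructed stand-in for the stored Argon2id-derived key, and the Verifier type, the length-prefixed field encoding and the sample action and session_id values are assumptions, since the release notes do not specify them.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Verifier is a hypothetical agent-side challenge store (not goroutine-safe).
type Verifier struct {
	key    []byte               // stands in for the stored Argon2id-derived key
	ttl    time.Duration        // how long an issued nonce stays valid
	nonces map[string]time.Time // outstanding nonce -> expiry
}

// Proof = HMAC-SHA256(key, nonce ‖ action ‖ session_id); length prefixes are an assumption.
func Proof(key, nonce []byte, action, sessionID string) []byte {
	mac := hmac.New(sha256.New, key)
	for _, f := range [][]byte{nonce, []byte(action), []byte(sessionID)} {
		mac.Write(binary.BigEndian.AppendUint32(nil, uint32(len(f))))
		mac.Write(f)
	}
	return mac.Sum(nil)
}

// Challenge issues a fresh random nonce and records when it expires.
func (v *Verifier) Challenge(now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.nonces[string(nonce)] = now.Add(v.ttl)
	return nonce, nil
}

// Verify consumes the nonce first (single use), then compares in constant time.
func (v *Verifier) Verify(now time.Time, nonce, proof []byte, action, sessionID string) bool {
	exp, ok := v.nonces[string(nonce)]
	delete(v.nonces, string(nonce))
	return ok && !now.After(exp) && hmac.Equal(proof, Proof(v.key, nonce, action, sessionID))
}

func main() {
	v := &Verifier{[]byte("constructed-sample-key"), time.Minute, map[string]time.Time{}}
	n, _ := v.Challenge(time.Now())
	fmt.Println(v.Verify(time.Now(), n, Proof(v.key, n, "terminal_open", "sess-1"), "terminal_open", "sess-1"))
}
```

Because the nonce is deleted before the proof is checked, a wrong guess burns the challenge, so each attempt costs a fresh round trip that the rate limiter can count.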

Security:

  • One-time btt_ tokens per session — SHA-256 hashed, only the hash stored server-side
  • Sessions auto-expire after 15 minutes (max duration) or 5 minutes idle
  • Shell restricted to an allow-list (/bin/bash, /bin/zsh, /bin/sh, /bin/ash, /bin/dash, /usr/bin/bash, /usr/bin/zsh, /usr/bin/fish)
  • The agent runs the shell as its own OS user — no privilege escalation
  • A stale session reaper runs every 60s to clean up abandoned sessions

⌨️ beacon start (was beacon master)

The command to start the agent is now beacon start. More intuitive, less jargon. beacon master still works as an alias for backward compatibility — existing scripts and systemd units are unaffected.

🚀 Deploy from BeaconInfra dashboard

The device detail page now has a prominent "Deploy" button that opens a dialog where you can enter a project name. It triggers the same deploy flow as a new tag detection.


πŸ› οΈ What's included

  • Remote terminal: terminal_open piggyback command, agent-side PTY spawner, cloud WebSocket relay hub
  • Browser terminal UI (xterm.js) with resize support and session status feedback
  • Terminal session API: POST /api/terminal/sessions, GET .../sessions/:id, POST .../sessions/:id/terminate
  • Browser and agent WebSocket endpoints with JWT and btt_ token auth
  • Shell allow-list (gosec G702 fix) — rejects arbitrary $SHELL values
  • Stale session reaper with ExpireStale storage method
  • Structured logging (zerolog) for all terminal events: session create, browser connect, agent connect, relay start, close
  • beacon master → beacon start rename across both repos (agent + cloud), master kept as Cobra alias
  • Deploy dialog on device detail page with project name input
  • Terminal accessible from Remote Access page (device dropdown) and device detail Remote Access tab

📋 What's next

  • Agent binary rebuild required — devices must run this version for terminal to work. Older agents silently ignore the terminal_open command.
  • Terminal sessions are single-user, single-device for now. Multi-tab and session sharing are future work.
  • The deploy dialog currently triggers a device-level deploy. Project-targeted deploy via piggyback commands is planned.

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.6.3-remote-ssh...v0.6.4-remote-ssh-access

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.6.3-remote-ssh...v0.6.5-remote-tty

What's Changed

  • Feature: Local Secrets Manager by @Bajusz15 in https://github.com/Bajusz15/beacon/pull/159

Full Changelog: https://github.com/Bajusz15/beacon/compare/0.6.6-remote-tty-ha-os-tunnel...v0.6.7-remote-access-passphrase

Full Changelog: https://github.com/Bajusz15/beacon/compare/v0.6.7-remote-access-passphrase...v0.6.8-remote-access-pass

Breaking Changes

  • Renames command `beacon master` to `beacon start`; `master` remains as an alias for backward compatibility.
