tmate - Efficient remote maintenance and data sovereignty

Editor’s note, as of 2025-08-27: tmate.io and the tmate project have not been updated since fall 2019, so security vulnerabilities that may have arisen since then may not have been addressed. The tool is no longer recommended.

Especially in the current situation surrounding COVID-19, a functioning remote maintenance/remote control solution is extremely important.

It has been clear for some time, and not just since the discovery of massive security problems affecting several well-known providers, that there is a broad attack vector here.

In light of the current situation, it is also becoming clear that resources (e.g., bandwidth) should be used sparingly when in doubt and that it can be worthwhile to operate critical infrastructure yourself.

That’s why we at credativ operate a tmate relay for ourselves, our customers, and the users of elephant-shed, the free database software appliance we developed. We’ll explain what that is in this article.

What is tmate?

tmate is a fork of the well-known terminal multiplexer tmux, supplemented with additional remote control functions.

The software allows you to share the current shell with others from a Linux system, both for reading and writing. This enables simple remote maintenance in accordance with the dual control principle. As soon as the host terminates the local tmate, access ends for all participants.

Benefits

• Low bandwidth requirement, only the characters of the terminal are transmitted (compression)
• Low latency, enabling features such as collaborative typing
• High security through encryption and dual control principle
• Participation possible via SSH or browser
• Outgoing connection to a relay, therefore also usable behind NAT/firewall

Disadvantages

• No transfer of images/GUIs
• The relay operator can terminate or hijack connections.

In order to use the software reliably for critical applications, it makes sense to operate your own relay. This means you are not dependent on external service providers or their infrastructure for remote maintenance.

Installation

tmate is packaged on all common Linux distributions. SSH clients and browsers should be available on all other platforms.

Debian / Ubuntu:

apt install tmate

CentOS:

yum install tmate

credativ-Relay

Are you a credativ GmbH customer, or would you like to use credativ Relay for other reasons? Simply use the configuration we provide. All you need to do is download tmate.conf and save it under ~/.tmate.conf.

For Debian, Ubuntu, CentOS, and RHEL, we also offer ready-made packages to keep both the software and the configuration up to date. The packages can be found in the elephant-shed repositories.

# Use credativ repo, packages.credativ.com
echo "deb https://packages.credativ.com/public/postgresql/ stretch-stable main" | sudo tee -a /etc/apt/sources.list.d/elephant-shed.list  
curl https://packages.credativ.com/public/postgresql/aptly.key | sudo apt-key add -

# Update
apt update

# Install tmate with credativ config 
apt install elephant-shed-tmate

Usage

start tmate

$ tmate

Show connection information

$ tmate show-messages                                                                                                               Di 21 Apr 2020 13:44:28 CEST
Tue Apr 21 13:43:27 2020 [tmate] Connecting to tmate.credativ.com...
Tue Apr 21 13:43:28 2020 [tmate] Note: clear your terminal before sharing readonly access
Tue Apr 21 13:43:28 2020 [tmate] ssh session read only: ssh -p10022 ro-klCtlf7VeNfdoiDa5T6DfdsYB@tmate.credativ.com
Tue Apr 21 13:43:28 2020 [tmate] ssh session: ssh -p10022 jqAFSZpJU1558uKHACKe2S2i8@tmate.credativ.com

If you give someone the ssh session read only command, the current shell is shared with that person in read-only mode.
The recipient can see all input and output in real time, but cannot send any commands.
With the command behind ssh session, each user can also type and send commands independently.

If desired, the relay can also provide a web client that allows access via the browser.
Here, the command tmate show-messages also displays the two URLs for read-only and read-write access.

$ tmate show-messages
Tue Apr 21 14:49:33 2020 [tmate] Connecting to ssh.tmate.io...
Tue Apr 21 14:49:33 2020 [tmate] Note: clear your terminal before sharing readonly access
Tue Apr 21 14:49:33 2020 [tmate] web session read only: https://tmate.io/t/ro-S7kR7yGGzmn8fnyWJJ3gvek6z
Tue Apr 21 14:49:33 2020 [tmate] ssh session read only: ssh ro-S7kR7yGGzmn8fnyWJJ3gvek6z@lon1.tmate.io
Tue Apr 21 14:49:33 2020 [tmate] web session: https://tmate.io/t/quZcDHJNtjbYnCrJtuS7XhnZp
Tue Apr 21 14:49:33 2020 [tmate] ssh session: ssh quZcDHJNtjbYnCrJtuS7XhnZp@lon1.tmate.io

Could it be any easier?

tmate is specifically designed to grant temporary access to third parties while also tunneling NAT and firewalls.

If all users already have access to a shared system, the tmate extensions are not necessary; tmux can simply be used here.
Communication then takes place via a local socket without encryption or access controls.

Host

tmux new-session -s my_cool_pairprogramming_session

Each additional participant

tmux attach-session -t my_cool_pairprogramming_session

Support

If you need assistance using tmate or would like to operate your own relay, our Open Source Support Center is happy to help—24 hours a day, 365 days a year, if desired.

This article was originally written by Alexander Sosna.