Kiosk Access

Kiosk AccessUse kiosk mode to grant SSH users controlled, token-based access to bmux sessions without exposing a general remote shell.
What Kiosk Mode DoesEnforces a forced-command entrypoint (bmux kiosk attach ...) for SSH entry.
Supports multiple named profiles with independent defaults for session, target, SSH user, and token policy.
Uses short-lived tokens (one-shot by default) that can be revoked at any time.
Re-applies attach policy after reconnects, including remote targets.
Quick StartConfigure kiosk defaults + one profile in bmux.toml.
Generate SSH include/wrapper assets.
Include generated SSH config in your sshd_config.
Issue a kiosk token for the profile.
Add the printed authorized_keys forced-command entry.
[kiosk.defaults]
enabled = true
ssh_user = "bmux-kiosk"
role = "observer"
allow_detach = false
token_ttl_secs = 900
one_shot = true

[kiosk.profiles.demo]
session = "demo"
target = "prod"
bmux kiosk status
bmux kiosk init --all-profiles --dry-run
bmux kiosk init --all-profiles
bmux kiosk issue-token demo
bmux kiosk ssh-print-config --all-profiles
Profile ModelKiosk config lives under [kiosk]:
[kiosk.defaults] applies shared defaults for all profiles.
[kiosk.profiles.<name>] applies per-profile overrides.
[kiosk.files] customizes output locations used by bmux kiosk init.
Use one default SSH user via kiosk.defaults.ssh_user unless you need per-profile Unix users:
[kiosk.defaults]
ssh_user = "bmux-kiosk"

[kiosk.profiles.demo]
ssh_user = "demo-kiosk"

[kiosk.profiles.readonly]
ssh_user = "bmux-kiosk"
role = "observer"
Bootstrap Files (kiosk init)bmux kiosk init generates two artifact types:
sshd include content (Match User blocks + ForceCommand)
shell wrappers (one script per selected profile)
Useful commands:
bmux kiosk ssh-print-config --all-profiles
bmux kiosk init --all-profiles --dry-run
bmux kiosk init --all-profiles
bmux kiosk init --profile demo --yes
Notes:
Interactive mode prompts before writing unless --yes is provided.
Non-interactive execution requires --yes.
Wrapper scripts require BMUX_KIOSK_TOKEN and run bmux kiosk attach <profile> --token ....
Token LifecycleIssue, use, and revoke tokens with kiosk commands:
bmux kiosk issue-token demo
bmux kiosk issue-token demo --session hotfix --ttl-secs 600 --multi-use
bmux kiosk revoke-token <token-id>
Token behavior:
Format is k1.<token_id>.<secret>.
Secret is hashed at rest in local token store.
Expired, revoked, or consumed one-shot tokens are rejected.
SSH Integrationbmux kiosk issue-token prints an authorized_keys example you can use directly:
restrict,command="bmux kiosk attach demo --token <token>" <public-key>
Pair this with the generated sshd include file from bmux kiosk init.
Attach Behavior and Security Semanticsallow_detach = false blocks detach for that kiosk connection.
Kiosk attach sets policy before attach and re-applies it after reconnect.
If a profile pins target, conflicting --target overrides are rejected.
Remote-target kiosk attaches reconnect with bounded retry/backoff behavior.
Security Hardening ChecklistUse these defaults for production-style kiosk access.
Keep allow_detach = false unless users explicitly need detach.
Keep one_shot = true and use short token_ttl_secs values.
Pin target (and optionally session) in each production profile.
Use dedicated SSH users for sensitive environments.
Prefer generated sshd settings that disable forwarding/tunneling features.
Revoke tokens immediately after support or demo windows close.
Troubleshootingunknown kiosk profile — check bmux kiosk status and profile names.
unknown kiosk token id — token not issued on this machine/state.
kiosk token is expired — issue a new token or increase TTL.
kiosk token already used — issue another token or use --multi-use.
kiosk init requires --yes in non-interactive mode — rerun with --yes.
Operator ChecklistKeep kiosk enabled only where needed.
Use one-shot tokens by default.
Keep TTL short for interactive support access.
Revoke tokens after support windows end.
Prefer pinned profile targets for production environments.