reminal — SSH without the gymnastics
A zero-config way to reach your own machine. One command, scan a QR code, you're in.
SSH was designed in 1995. It quietly assumes you own a static IP, a router you can reconfigure, and the patience to keep keys rotated. None of that describes a laptop on hotel Wi-Fi, a locked-down corporate network, or the phone in your pocket.
So I built reminal — short for remote terminal. The whole tutorial is one word:
reminal
It prints everything you need to connect and then waits:
reminal — remote terminal
Session: K7M2NP4Q
PIN: 482916
Open: https://reminal-relay.reminal.workers.dev/?s=K7M2NP4Q
Connect: reminal --connect K7M2NP4Q --pin 482916
Scan to join from your phone:
██▀▀▀▀▀▀▀██▀▀██▀▀█▀▀▀▀▀▀▀██
█ █████ █ █ █ ██ █████ █
█ █ █ █▀ ▀▄█▀█ █ █ █
█ █████ █ ▄██ ▀█ █████ █
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
Waiting for connection... (Ctrl+C to stop)
Scan the QR from your phone, open the URL and type the PIN in a browser, or run the --connect line from any other shell. You're on your machine. No env vars, no relay setup, no ports.
What's actually messy about SSH
Every "just SSH in" tutorial hides a tail of setup:
- Port 22 open to the internet — a permanent thing to scan, brute-force, and zero-day.
- Long-lived keys on disk — if the laptop is stolen, those keys still grant access.
- NAT and firewalls — behind hotel or corporate Wi-Fi you need a VPN or a jump host before SSH even starts.
- No phone story — there's no native client in your pocket.
reminal inverts all four. Your machine only ever makes outbound HTTPS connections, so there's nothing on the network to attack. Credentials are ephemeral — they exist only while the command is running, and Ctrl+C deletes them forever. Outbound HTTPS is the one thing hostile networks always allow. And the QR code is the phone client.
How it works
  Your laptop             Cloudflare relay              Any device
┌─────────────┐           ┌─────────────┐             ┌─────────────┐
│   reminal   │◄──WSS────►│  Workers +  │◄────WSS────►│  browser or │
│  (PTY/shell)│           │  Durable Obj│             │  reminal -c │
└─────────────┘           └─────────────┘             └─────────────┘
        end-to-end encrypted — the relay sees ciphertext only
Both ends dial out to a Cloudflare Workers relay over WSS. The relay's only job is to shuttle bytes between two sockets — and those bytes are AES-256-GCM ciphertext. The key is derived from the PIN and session ID via HKDF on each end and is never sent over the wire, so the relay routes traffic it cannot read. You trust Cloudflare to deliver packets the same way you trust your ISP with SSH traffic. The difference is that reminal never opens your machine to the internet.
Security is dual-factor by construction: an attacker needs both the session ID (~1 trillion combinations) and the 6-digit PIN. Five wrong PINs trigger a lockout. Knowing one without the other is useless.
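The derivation and relay path described above, as an added Node.js sketch that is not reminal's own code. How the PIN and session ID feed HKDF, the INFO label, the frame layout and the AAD binding are all assumptions, since the page names only HKDF and AES-256-GCM.

```javascript
const { hkdfSync, createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Added sketch, not reminal's code. ASSUMPTIONS: PIN as HKDF input key material,
// session ID as salt, and this INFO label are hypothetical choices.
const INFO = 'example-reminal-e2e';

function deriveKey(sessionId, pin) {
  return Buffer.from(hkdfSync('sha256', pin, sessionId, INFO, 32));
}

// Assumed frame layout: 12-byte nonce || ciphertext || 16-byte GCM tag.
function seal(key, plaintext, sessionId) {
  const nonce = randomBytes(12); // must never repeat under the same key
  const c = createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(sessionId)); // bind each frame to its session
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// Returns the plaintext, or null when the GCM tag does not verify.
function unseal(key, frame, sessionId) {
  if (frame.length < 28) return null; // too short to hold nonce + tag
  const d = createDecipheriv('aes-256-gcm', key, frame.subarray(0, 12));
  d.setAAD(Buffer.from(sessionId));
  d.setAuthTag(frame.subarray(frame.length - 16));
  try {
    return Buffer.concat([d.update(frame.subarray(12, frame.length - 16)), d.final()]);
  } catch {
    return null;
  }
}

// The relay's whole role: copy bytes between sockets. It never holds a key.
const relayForward = (frame) => Buffer.from(frame);

function demo() {
  const sid = 'K7M2NP4Q', pin = '482916'; // sample values from the output above
  const frame = relayForward(seal(deriveKey(sid, pin), Buffer.from('ls -la\n'), sid));
  const tampered = Buffer.from(frame);
  tampered[12] ^= 0x01; // one flipped ciphertext bit in transit
  return {
    relaySawPlaintext: frame.includes('ls -la'),
    clientReads: unseal(deriveKey(sid, pin), frame, sid).toString(),
    wrongPin: unseal(deriveKey(sid, '000000'), frame, sid),
    tampered: unseal(deriveKey(sid, pin), tampered, sid),
  };
}

console.log(demo());
```

By the page's numbers the session ID contributes about 40 bits and the PIN about 20, so a key derived only from those two values is as secret as they are kept. The five-attempt lockout limits guesses made through the relay.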
When I reach for it
- Forgot something at home. Laptop asleep on the desk, phone on the train. Scan, run the command, lock it back up.
- Hostile networks. Conference NAT, guest Wi-Fi, corporate firewall — all block inbound, all allow outbound HTTPS.
- Pairing. Send a teammate a session ID and PIN over two different channels. They join a live shared terminal. Hang up when done — no keys to revoke.
The relay runs on Cloudflare's free tier and you can self-host it in about five commands, so there's no service to depend on but your own.
It's MIT-licensed and on GitHub. Install it with Homebrew and try it:
brew tap harshalgajjar/reminal
brew install reminal