<div dir="ltr">On 1 December 2015 at 14:26, Giles Orr <span dir="ltr"><<a href="mailto:gilesorr@gmail.com" target="_blank">gilesorr@gmail.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><a href="https://mosh.mit.edu/" rel="noreferrer" target="_blank">https://mosh.mit.edu/</a><br>
<br>
If you scroll down, there's an introductory video that's pretty<br>
interesting. Sounds like a great idea, with a couple caveats: I<br>
wonder about the security and there's a wicked hook in a question<br>
right at the end that suggests it's very NOT firewall friendly.<br>
<br>
Packages are available for Debian, and apparently other distros too.<br>
<br>
Anyone tried it, or using it on a regular basis?</blockquote><div><br></div><div>I use it quite a lot on my "wandery laptop." It's very nice to be able to<br></div><div>just not worry about session survival most of the time.<br><br></div><div>(I'm *well* aware of Screen/tmux as a different model on that...)<br><br></div>The thing I find mighty likable is that unlike the other mechanisms. it<br>is consciously lossy about traffic. That is, it tracks the state of the<br>screen, and happily throws away past updates that took place while <br>you've been gone.<br><br>That's a nice feature when running "top" in a window; if you<br>ssh'ed in, and have a network glitch for a few seconds, the ssh<br>session is then busy for seconds (or more...) drawing all of the<br>screen updates that happened while you weren't properly<br>connected.<br><br>With Mosh, it ignores those interim changes, and updates to the<br>latest state of the terminal session.<br><br></div><div class="gmail_quote">That also means that if you are running a more/less session<br></div><div class="gmail_quote">(on, say, logs), and hit "space" a few times, you will find it<br></div><div class="gmail_quote">scrolls MUCH more quickly than an ssh session would, as<br></div><div class="gmail_quote">the page-forward requests get across and invalidate some<br></div><div class="gmail_quote">interim screens of data. Running that across ssh, you'd <br></div><div class="gmail_quote">find that the session plays *all* the data.<br></div><div class="gmail_quote"><br>Security shouldn't be *too* bad; it uses the usual (ssh-based<br>and doubtless TCP) mechanisms to negotiate the initial<br>connection, then uses UDP to update state after that.<br><br>They do describe security somewhat:<br><br>-------------------------------------------------<br>Q: How does Mosh's security compare with SSH's?<br><br>We think that Mosh's conservative design means that its attack surface compares favorably with more-complicated systems like OpenSSL and OpenSSH. Mosh's track record has so far borne this out. Ultimately, however, only time will tell when the first serious security vulnerability is discovered in Mosh—either because it was there all along or because it was added inadvertently in development. OpenSSH and OpenSSL have had more vulnerabilities, but they have also been released longer and are more prevalent.<br><br>In one concrete respect, the Mosh protocol is more secure than SSH's: SSH relies on unauthenticated TCP to carry the contents of the secure stream. That means that an attacker can end an SSH connection with a single phony "RST" segment. By contrast, Mosh applies its security at a different layer (authenticating every datagram), so an attacker cannot end a Mosh session unless the attacker can continuously prevent packets from reaching the other side. A transient attacker can cause only a transient user-visible outage; once the attacker goes away, Mosh will resume the session.<br><br>However, in typical usage, Mosh relies on SSH to exchange keys at the beginning of a session, so Mosh will inherit the weaknesses of SSH—at least insofar as they affect the brief SSH session that is used to set up a long-running Mosh session.<br>-------------------------------------------------</div></div><div class="gmail_extra"><br>-- <br><div class="gmail_signature">When confronted by a difficult problem, solve it by reducing it to the<br>question, "How would the Lone Ranger handle this?"<br></div>
</div></div>