

Do you use Mosh? (SSH replacement) - macarthy12

I'm looking at Mosh, http://mosh.mit.edu/, and wondering if it is secure / worth it etc. Do many of you use it on production machines?
======
andrewcooke
have not used it and am no crypto expert, but:

\- it's based on ssh (your initial login is with ssh) so login is secure (as
secure as ssh, probably)

\- because ssh does much of the hard work, the smarts needed by mosh are
reduced

\- it's not a replacement for ssh so much as an improved interactive shell (so
of course it doesn't do port forwarding etc)

\- the crypto it does use sounds right, in their paper

\- it only runs on the server when you are using it, and it runs as you (not
root or some daemon), so if you're not connected then there's nothing for
anyone to attack (but "connected" includes an open, "hanging" session)

\- mit lends some cred.

in short, now that i have heard of it i will likely try it myself. the design
makes a lot of sense to me - just feels like smart people were involved.

------
overand
I do recall hearing that there were possible security issues a few months ago,
but damned if I can remember the source. I _do_ remember more concretely that
it hadn't had much review.

------
dClauzel
Not really, because « Mosh does not support X forwarding or the non-
interactive uses of SSH, including port forwarding ». (cf README)

------
Goranek
I use it on android tablet.. It's nice

