
Mosh: SSH for 2012 - pc
http://mosh.mit.edu/?
======
jimmyjim
Pretty cool, but some of its aims can be achieved in other safer ways:

* Use tmux, a multiplexer, so you never lose the state of a program

* Use KiTTY as an SSH client (<http://kitty.9bis.com/>) and enable the 'Reconnect' options

* Configure http tunnelling if you want, it's trivially easy to set up with either Chrome or Firefox

The end result: an SSH connection that's always alive when I need it to be.
When I open up my laptop's lid, it reconnects automatically, and because I've
set up keys (without a passphrase) I do not have to do _anything_ and I'm all
good to go. You can have a tmux attach command coded and you really do not
have to do a thing.

Some other notes: KiTTY is a PuTTY fork, with many new extremely delicious
features (hyper links, better clipboard support, etc.)

To tunnel your http traffic (for when you're in a public spot and would opt
for basic security):

Connection > SSH > Tunnels. Add a dynamic port... and concordantly configure
proxy settings on your browser's end. For Firefox you don't need any
extensions... for Chrome this extension, in my experiences, is fairly decent:
<http://switchy.samabox.com/> -- these directions will work for both PuTTY
and KiTTY.

>> SSH waits for the server's reply before showing you your own typing. That
can make for a lousy user interface. Mosh is different: it gives an instant
response to typing, deleting, and line editing. It does this adaptively and
works even in full-screen programs like emacs and vim.

If real-time text rendering is a must for you, consider TRAMP:
<http://www.gnu.org/software/tramp/>

Also consider using EmacsClient: <http://www.emacswiki.org/emacs/EmacsClient>

And for vim, apparently there's netrw:
<http://www.vim.org/scripts/script.php?script_id=1075>

~~~
aaronblohowiak
keys without passphrase? i hope they do not connect to a publicly available
server with other people's data on it.

~~~
jimmyjim
I knew someone would raise an issue there.

If you're that concerned about security, there are a handful of additional
things you can do:

* Use a non-standard ssh port

* Disable root ssh login

* Configure 'Single Packet Authorization and Port Knocking' -- <http://www.cipherdyne.org/fwknop/>

* Have decent iptables rules. Use either fail2ban or denyhosts with stringent rules, if you must, that ban on 3+ failed logins.

* Have a whitelist of acceptable IPs for ssh access

* Use any system of 2-factor authentication. I'm partial to Google's Authenticator. Here're some directions to get that set up, if anyone is interested: <http://guides.webbynode.com/articles/security/ubuntu-google-authenticator.html>

But seriously, if you have keys set up and someone manages to steal them...
you've really got bigger things you should be focusing on.

~~~
zobzu
No. Just No.

* Use a non-standard ssh port <= not security. Plus I bet you're on 2222.

* Fail2ban: useless for key auth, you don't remote brute keys like that

* 2 factor: that is ok

If your comp can log in directly without any authentication, that is terrible
practice. Your comp will eventually get compromised, stolen, etc. and then it's
game over. The passphrase is no silver bullet but it helps a lot.

2 factor or tiny cryptokeys are best.

~~~
jimmyjim
I definitely agree with much of what you've pointed out.

> * Use a non-standard ssh port <= not security. Plus I bet you're on 2222.

Right, marginally better than using port 22, but it's still something (better
than non-action, if you will). I do hope one takes the vigilance to set a port
number sufficiently high up, and sufficiently random looking. I recall
something about nmap, that it scans only up to 1023 by default or something.

> * Fail2ban: useless for key auth, you don't remote brute keys like that

Still set it up -- for http and other services.

> If your comp can log in directly without any authentication, that is terrible
> practice. Your comp will eventually get compromised, stolen, etc. and then
> it's game over. The passphrase is no silver bullet but it helps a lot.

I agree... I emphasized seamless logging in because that seems to be a big
point that Mosh is apparently selling itself on. I do have stronger
authentication methods set up for the production machine. :)

~~~
cd34
> I do hope one takes the vigilance to set a port number sufficiently high up,
> and sufficiently random looking

Hopefully not over port 1023. If a user gets on the system and crashes your
ssh daemon through OOM killer or one of many other methods, that non-root user
can then restart its own daemon and listen to that port that you put >1023
'for security reasons'.

Accidentally answering yes when it says a new key was detected is all it takes
to get keylogged.

~~~
Dylan16807
I don't see how you could answer yes to that prompt without realizing it was
the 'key has changed' prompt. Especially when half the ssh clients I've seen
abort entirely when the key changes.

------
forgotusername
> Mosh is a replacement for SSH. It's more robust and responsive,

> Mosh doesn't listen on network ports or authenticate users. The mosh client
> logs in to the server via SSH

Umm..

> Unlike SSH, mosh's UDP-based protocol handles packet loss gracefully

So it's not a replacement for SSH, but instead sits on top. Not only that, but
it has some separate self-designed protocol that it uses to implement its juju,
presumably _heavily_ peer reviewed for security design defects considering
the claims of being an SSH replacement that are being made. :)

~~~
ajross
It uses ssh as the authentication and authorization channel to set up the
socket on the remote machine. I don't want to make too many pronouncements as
I haven't used it, but surely that's an example of being _conservative_ with
security behavior, not cavalier.

That said, I think the single biggest annoyance for me with ssh is the
connection setup latencies (something like ... 9 round trips and a by-default-
rdns-lookup I think?). This thing can only be worse in that respect.

~~~
illumin8
Any time you are moving from one IP address to another, it better have some
damn good security or else anyone will be able to hijack your session.

~~~
ajross
For some definition of "damn good" I guess. All security protocols can have
holes. But a trivial session key is hardly rocket surgery. And spoofing
attacks (which I assume is what you're talking about) don't require moving
between one IP and another anyway.

------
stcredzero
_Mosh works differently and at a different layer. With Mosh, the server and
client both maintain a snapshot of the current screen state. The problem
becomes one of state-synchronization: getting the client to the most recent
server-side screen as efficiently as possible._

This is brilliant!

Combine that with the ability to rejoin your session and it's even more so --
only figures since the major use of screen was to enable this functionality
over ssh.

~~~
chimeracoder
> only figures since the major use of screen was to enable this functionality
> over ssh.

Exactly - I don't understand what Mosh provides that GNU Screen doesn't...
what problem is it actually solving?

~~~
stcredzero
Packaging this functionality of screen with fewer manual steps with a protocol
that provides a better experience over high latency connections.

~~~
wdaher
Well, that, and this and screen are not mutually exclusive. I run a screen
session inside my mosh all the time!

------
moonboots
This reminds me of Google Wave's operation transformation protocol except
without the collaboration component [1]. Client edits are reflected instantly
and client state is synchronized and reconciled with the server's.

[1] <http://www.waveprotocol.org/whitepapers/operational-transform>

------
ezy
Ok, I'll be "that guy". Why not just use tmux or screen? Is character delay a
real issue in 2012? Seems like it's more of a proof of concept of their
syncing algorithm rather than something super useful.

EDIT: Fair enough, I stand corrected. :-)

~~~
joblessjunkie
I find character delay to be an ongoing frustration while using ssh with
remote servers all day long. When I've mis-typed and need to backspace, I'm
usually a couple of keystrokes ahead by the time I see it. I have to pause,
wait, count, and carefully press backspace a precise number of times, and
frequently get it wrong.

For nearby connections, it's no big deal, but cross-continent or overseas it's
a right pain.

~~~
Florin_Andrei
> _a right pain_

British English?

~~~
nollidge
Not sure why you got downvoted. Yes, that's definitely a more British
construction.

~~~
TazeTSchnitzel
I think he was downvoted for needlessly pointing out somebody's preferred
flavour of English. Whilst it might not be your favourite, there's no need to
make a bloody show of it ;)

~~~
Florin_Andrei
I was merely curious. English is not my first language, I learned it at a
pretty ripe age, so sometimes I miss some subtle nuances.

I'm actually reading the Harry Potter books (yeah, I know, but my kids are
reading them too, and I figured I need to become an "insider" to that universe
before they start making references that just go whoosh! over my head) and I
remember seeing the expression "a right pain" somewhere in there.

Finally, I tend to be fascinated by odd and obscure language issues and
details. I guess that's just the way I am.

Anyway, I'll be more careful to explain _why_ I'm asking, in the future.

------
secure
I've been using this for a bit and it works pretty well most of the time (I
especially like the prediction). On bad connections, I haven't had much luck
with it (it timed out just like other TCP connections), but I only had a
sample size of 1 ;).

Also note that it doesn’t support IPv6 (there is a quick & dirty working patch
in the github issue for that).

------
st3fan
Note to self: "brew install mosh" installs a scheme implementation. Install
mobile-shell instead.

------
DarkShikari
Is there any reason why Windows or at least Cygwin isn't supported? Much of
the time, the whole point of SSH for me is to connect _to a Unix machine_ from
a non-Unix machine.

~~~
keithwinstein
The code compiles under Cygwin with not too much effort -- the current master
may compile. The big problem there is you don't really have a good UTF-8
terminal, but you're welcome to use it. If you know how we can best package
the software for Windows or Cygwin users, we're happy to take a patch.
(github.com/keithw/mosh.git)

~~~
nooop
Cygwin has a built-in UTF-8 terminal that I find quite decent. (Only for some
months; it did not have it before.)

~~~
keithwinstein
Just posted some more terminal geekery on <http://mosh.mit.edu> -- I'd be
interested how the Cygwin terminal does on the test cases shown there.

~~~
J_Darnley
Mintty, badly. The first test gives no hat (or I just can't see it). The
second causes it to get stuck in hieroglyphs. The third doesn't work correctly
either. It looks like it prints xyz correctly, then jumps to the second line
on screen and then continues from there.

The "cygwin bash shell" which uses cmd.exe does the first test correctly but
similarly fails on the others.

------
ComputerGuru
Note (for keithwinstein?):

mosh doesn't handle iftop output properly. It _may_ be that iftop abuses UTF8
or takes advantage of a bug to print certain characters, but it's not working
right with mosh.

~~~
keithwinstein
Thanks.

The quick fix is to run "LANG=C luit iftop" instead.

More detail: The problem is that we've made a design decision not to honor ISO
2022 locking escape sequences (which can be used as line-drawing characters),
because they can end up sticking the terminal in permanent hieroglyphs and
UTF-8 is supposed to be a stateless, self-synchronizing encoding. (See
<http://www.cl.cam.ac.uk/~mgk25/unicode.html#term> for more detail than you
probably want, or the examples I just added to mosh.mit.edu.)

We use the NCURSES_NO_UTF8_ACS=1 environment variable to request UTF-8 from
ncurses instead of ISO 2022, and 99% of programs honor that -- but iftop is
not one of them. It's within its rights, but I think these programs are rare
enough that if you want to use the old-style line-drawing characters in mosh,
it would be better to run just that program in luit (which is a translator),
so that at least when luit exits, you'll be out of hieroglyphs for sure.
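
A toy model of the two behaviours described above, added here as an illustration (not Mosh's or ncurses' code): a terminal that honours the ISO 2022 designation ESC ( 0 stays in the DEC line-drawing set until ESC ( B arrives, so one lost escape leaves every later "q" rendering as a horizontal bar, whereas a damaged UTF-8 byte costs one replacement character and decoding resumes at the next lead byte. The six-entry line-drawing table and the sample box are constructed for the example.

```python
ESC = "\x1b"

# Constructed subset of the DEC Special Graphics set, the line-drawing
# characters curses programs fall back to when not using UTF-8 box drawing.
DEC_LINE_DRAWING = {"q": "─", "x": "│", "l": "┌", "k": "┐", "m": "└", "j": "┘"}


def render_iso2022(stream):
    """Render text as a terminal honouring ISO 2022 locking shifts would.

    ESC ( 0 designates the DEC line-drawing set into G0 and ESC ( B switches
    back to ASCII. The designation is *state*: it persists until undone.
    """
    out, i, drawing = [], 0, False
    while i < len(stream):
        if stream.startswith(ESC + "(0", i):
            drawing, i = True, i + 3
        elif stream.startswith(ESC + "(B", i):
            drawing, i = False, i + 3
        else:
            ch = stream[i]
            out.append(DEC_LINE_DRAWING.get(ch, ch) if drawing else ch)
            i += 1
    return "".join(out)


def render_utf8(data):
    """Decode UTF-8 with U+FFFD substituted for damaged sequences.

    UTF-8 is stateless and self-synchronising: a lead byte (0xC2-0xF4) can
    never be mistaken for a continuation byte (0x80-0xBF), so after a
    damaged sequence the decoder re-aligns on the very next character.
    """
    return data.decode("utf-8", errors="replace")


def demo():
    """Return (intact, stuck_in_line_drawing, utf8_after_damage)."""
    # Constructed sample: a box top drawn with ISO 2022, then ASCII text.
    box = ESC + "(0" + "lqqk" + ESC + "(B" + " quit"
    intact = render_iso2022(box)
    # Same stream with the ESC ( B lost in transit: the terminal never
    # leaves the line-drawing set, and the 'q' in "quit" becomes a bar.
    stuck = render_iso2022(box.replace(ESC + "(B", ""))
    # The UTF-8 rendering of the intact screen, with one byte of the first
    # three-byte sequence dropped; only that character is affected.
    good = intact.encode("utf-8")
    damaged = good[:1] + good[2:]
    return intact, stuck, render_utf8(damaged)


if __name__ == "__main__":
    for label, text in zip(("intact", "lost ESC ( B", "damaged UTF-8"), demo()):
        print(f"{label:14}: {text}")
```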

~~~
ComputerGuru
No go. "LANG=C luit iftop" in mosh or a normal shell is the same result as
running iftop in mosh.

<http://cl.ly/423P2B0u212B0k3j0g0X> vs <http://cl.ly/0M3f0o2c0O243v3z1N0W>

------
invalidOrTaken
What I find especially interesting is how they explicitly decided to design
the site like a startup's. I always think it's cool when philanthropy learns
from commercial enterprises.

~~~
drivebyacct2
It's just bootstrap [1], it's a laziness/cheapness/time constraint thing, not
really mimicking.

[1]: <http://twitter.github.com/bootstrap>

~~~
elliottcarlson
Note that the screenshot has a listing of "ideas" for the site - including a
note that says "Make it look like a fake startup company."

------
denisu
Am I blind or is there no way to connect to a custom ssh-port (other than 22)
for the initial connection yet?

edit: github-issue: <https://github.com/keithw/mosh/issues/103>

~~~
glesica
I've browsed through the site and installed to look at the man page to find
this out. I can't see a way to do this. Makes it useless for me :-(

Not that I'm complaining. It's not like I'm being asked to pay for it, just a
feature that I imagine would be helpful to many people...

~~~
keithwinstein
Thanks, we're working on it and it will be in a future release.

We're tracking this issue at <https://github.com/keithw/mosh/issues/53>

------
wdaher
I'll confess that I always run mosh with -a because it looks cooler when you
see it predictively echoing text that you wouldn't otherwise get.

------
ramidarigaz
This looks really cool!

One question. I have a firewall (ufw) that is blocking most ports (I have a
small whitelist). It looks like Mosh uses a UDP port between 60000 and 61000.
Is there a way to pick a port for Mosh to use, or do I have to open that range
of ports? It's not a huge deal either way, but it would be cool if I could
tell it to use a specific port.

Oops. Never mind. It looks like -p is what I want.

------
mock
I wonder how easy it would be to hook this up to dns tunneling software such
as <http://code.kryo.se/iodine/> in such a way that after the initial ssh
auth step, you would have a useful terminal that would be accessible even
behind captive portals and the like?

~~~
achernya
I've used mosh over iodine, by simply having the iodine-server forward all of
my packets via IPv4 NAT. I then set my client gateway to use dns0 instead of
eth0. Works great!

------
mmahemoff
I'd like to see SSH optimised for touch-based user interfaces.

On mobile, we're stuck with crappy touch keyboards for at least the next few
years (until serious haptic feedback or to some extent voice recognition
becomes feasible).

I'm not even sure what it would look like. I just know that SSH right now is
not a very pleasant experience.

~~~
fusiongyro
I'm having trouble imagining what role SSH or its replacement has in
reinventing the text terminal for touch-based user interfaces. Seems like the
whole idea would have to go out the window. VNC would work if the destination
were also touch-based, but it's probably mouse-based, and I don't know at what
level that's integrated into the protocol (probably too low).

~~~
ryangee
<http://acko.net/blog/on-termkit/>

~~~
fusiongyro
I've actually seen this before, and it is awesome, but it doesn't answer the
question of how to re-imagine a text console for touch.

------
joejohnson
When I try to run mosh on my Mac (after installing from the .pkg provided) I
get this error:

    Can't locate IO/Pty.pm in @INC (@INC contains:
    /opt/local/lib/perl5/site_perl/5.12.3/darwin-multi-2level
    /opt/local/lib/perl5/site_perl/5.12.3
    /opt/local/lib/perl5/vendor_perl/5.12.3/darwin-multi-2level
    /opt/local/lib/perl5/vendor_perl/5.12.3
    /opt/local/lib/perl5/5.12.3/darwin-multi-2level
    /opt/local/lib/perl5/5.12.3 /opt/local/lib/perl5/site_perl
    /opt/local/lib/perl5/vendor_perl .) at /usr/bin/mosh line 24.
    BEGIN failed--compilation aborted at /usr/bin/mosh line 24.

Is anyone else getting this error?

~~~
peterwwillis
I found this annoying too. It's not a core Perl module so it should be listed
on requirements page. And really, do we need this complicated of a perl
wrapper when they already wrote a C++ client?

------
jjcm
How well does this work for something like vim? Line editing and mass transfer
of commands is great if you're sending a long string, but if each keystroke is
a command it seems like things would get stickier.

~~~
a1k0n
It seems to work just fine. The local prediction looks kind of ugly with
colorcolumn enabled, though, since it assumes characters are being inserted
when doing local prediction, which shifts the colored column right for each
keystroke until the update comes in from the server to fix it.

------
redbad
    Datagrams are encrypted and authenticated using
    AES-128 in OCB mode.

I'm curious to know more details. Does it leverage existing SSH auth
infrastructure (ie. keys) for that, somehow?

~~~
keithwinstein
Not exactly, no -- it's a new roaming secure datagram protocol. It uses SSH
for the initial key _exchange_: if you run "mosh-server" by itself, you'll see
it spit out a random 128-bit session key that protects the mosh session.

~~~
marshray
Is the protocol documented? I've looked at DTLS and I'm wondering how you
prevent replay attacks and such.

~~~
keithwinstein
It is documented in the research paper linked from the site, yeah. The big
contribution with this protocol is that every authenticated datagram
represents an idempotent operation on the recipient, so we don't have to worry
about replay attacks as such.
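
A toy model of the state-synchronisation argument made above, added here as an illustration and not Mosh's own code or protocol: each authenticated datagram means "take the recipient from screen version S to version T with this diff", so applying it a second time is a no-op and a replayed datagram cannot move the screen backwards. HMAC-SHA256 from the standard library stands in for the AES-128 OCB mentioned in the thread, the "row=text" diff format is constructed, and the MOSH CONNECT line parsed at the start follows the format mosh-server prints elsewhere in this thread.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct(">QQQ")  # nonce, source_version, target_version
TAG_LEN = 32                    # HMAC-SHA256 tag appended to each datagram


def parse_connect_line(line):
    """Parse the 'MOSH CONNECT <udp-port> <key>' line mosh-server prints over SSH."""
    fields = line.split()
    if len(fields) != 4 or fields[:2] != ["MOSH", "CONNECT"]:
        raise ValueError("not a MOSH CONNECT line")
    return int(fields[2]), fields[3].encode()


def seal(key, nonce, src_version, tgt_version, diff):
    """Build an authenticated datagram: header || diff || tag.

    Stand-in for an AEAD seal; only authenticity matters for the replay
    argument, so confidentiality is left out of this model.
    """
    body = HEADER.pack(nonce, src_version, tgt_version) + diff
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_datagram(key, blob):
    """Verify the tag and return (nonce, src_version, tgt_version, diff).

    Anything sealed under a different key, or modified in transit, fails here.
    """
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("Packet failed integrity check")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("Packet failed integrity check")
    nonce, src, tgt = HEADER.unpack_from(body)
    return nonce, src, tgt, body[HEADER.size:]


class Screen:
    """Recipient-side screen snapshot, numbered by state version."""

    def __init__(self, rows=3):
        self.version = 0
        self.rows = [""] * rows

    def apply(self, key, blob):
        """Apply one datagram and report the outcome.

        Constructed diff format: newline-separated '<row>=<text>' lines.
        """
        nonce, src, tgt, diff = open_datagram(key, blob)  # raises if forged
        if tgt <= self.version:
            return "duplicate"       # already at that state: replay is a no-op
        if src != self.version:
            return "unknown-source"  # diff starts from a state we are not in
        for assignment in diff.decode().splitlines():
            row, text = assignment.split("=", 1)
            self.rows[int(row)] = text
        self.version = tgt
        return "applied"


def demo():
    """Drive the model: two updates, one replay, one datagram under a wrong key."""
    port, key = parse_connect_line("MOSH CONNECT 60001 cPiSdaPVTjKA/JQjy5jExg")
    screen = Screen()
    d1 = seal(key, 1, 0, 1, b"0=$ ls\n1=mosh.txt")
    d2 = seal(key, 2, 1, 2, b"2=$ ")
    outcomes = [screen.apply(key, d1), screen.apply(key, d2),
                screen.apply(key, d1)]  # d1 replayed: cannot roll the screen back
    try:
        screen.apply(b"wrong-key", d2)  # recipient holding a different key
        outcomes.append("accepted")
    except ValueError as err:
        outcomes.append(str(err))
    return port, outcomes, screen.rows, screen.version
```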

~~~
marshray
I'm not sure how a terminal session can use only idempotent operations, but it
sounds cool. I'll have to read the paper!

------
joliss
I'm scared to trust Mosh with my connection security, but the local echo
sounds awesome.

What happens if I tunnel my Mosh connection through SSH? Will I still get all
the features (except for roaming, obviously)?

~~~
guan
Mosh sends its payload data through UDP, which you cannot tunnel through SSH.

------
skeletonjelly
No results for searching for "secur*" on that page. Are there any risks?

~~~
acqq
I also miss a discussion of how the protocol avoid denials of service once
it's assumed that the UDP comes from any address -- if every packet from any
address actually has to be decrypted.

~~~
burgerbrain
Denial of service concerns seem to be at least briefly discussed in the paper
(which I have not finished reading yet):

    2 We do not prevent against a denial-of-service attack where an
    active attacker intercepts packets and resends them under its own IP
    address to fool the server's roaming detection. Such an attack would
    not compromise the confidentiality of the connection but would disrupt it.

(Not the same scenario as you are describing, but still.)

------
lisnake
Does it have -R option like ssh, for port forwarding inside ssh session?
Otherwise, I won't be able to connect to my work machines behind very strict
firewall

------
peterwwillis
Well shit. My VPS's glibc version does not have 64 bit byte-swapping
functions, so I can't compile mosh for my platform. =( Can the authors update
their requirements to list glibc 2.9 and perl IO::Pty module if they're
compiling it themselves?

Edit: I hacked the swapping functions into mosh and built it, but my system
lacks a UTF-8 locale, according to mosh (even after I copied an en_US.utf8
locale to the system). Not sure how to proceed

------
rasengan
Mac OS X Lion:

    dyld: Library not loaded: /Users/keithwinstein/homebrew/lib/libprotobuf.7.dylib
      Referenced from: /usr/bin/mosh-client
      Reason: image not found

~~~
Kishin
same error on OSX Lion. Also tried building from source and got: "No package
'protobuf' found"

Very excited to try this though!

~~~
keithwinstein
Please try the new PKG (mosh-1.1.3-2.pkg) -- should be fixed. Thanks for your
patience!

~~~
rasengan
Thanks Keith

------
markus2012
I've used mosh for about 10 days. It's worked perfectly for me. I
disconnect/re-connect my laptop quite a bit between work/home/meeting
rooms/hotels. My mosh sessions have lived through it all. I haven't had to
restart or reconnect it once.

I'd send feedback directly to the mosh folks, but I have to subscribe to do
so. A general thought for any project: please make it easy for folks to
provide feedback.

------
Arubis
For specific use cases this is an absolute lifesaver. I live a bit away from
"normal" internet connections and will often go days without access to better
than a weak GPRS signal. Being able to reliably issue commands without
stabbing myself waiting for local echo/reinitiating the connection a dozen
times/thinking about my AWS credit slipping away makes this something I would
pay to use.

------
throwaway54-762
Note for Fedora users: this update was only pushed to stable yesterday[0] so
you may not yet see it in your local package mirror.

[0]: <https://admin.fedoraproject.org/updates/FEDORA-2012-5085/mosh-1.1.1-1.fc16>

~~~
Florin_Andrei
Is there a .src.rpm somewhere?

~~~
achernya
Assuming you are running the latest Fedora, you can get the SRPM from the main
Fedora Project servers:
<http://dl.fedoraproject.org/pub/fedora/linux/updates/16/SRPMS/mosh-1.1.1-1.fc16.src.rpm>

There are source and binary packages for Fedora 15, 16, the upcoming 17, and
rawhide. You can configure your yum to use dl.fedoraproject.org instead of
choosing a mirror to get the latest updates, if you want.

------
Maakuth
Man, this could be perfect companion for screen and irssi. I wish there will
be an Android client soon.

~~~
pooriaazimi
Not yet supported, but on the roadmap:

* X11 forwarding

* IPv6-only hosts or networks

* Android client

~~~
bound008
Once it has IPv6 you can use it with iCloud and Back To My Mac.

------
tlack
Brilliant! Wish list: file transfer.

~~~
drivebyacct2
Seeing as this already requires ssh, what's wrong with scp? (I guess I'm
assuming if you have ssh, you have scp, but I've never found that to not be
the case.)

~~~
param
Ability to resume. Actually, this would be awesome for file transfer because I
could fire and forget and not have to worry about interruptions when I get off
the train/my laptop goes to sleep or the battery runs out.

------
stevejb
This looks fantastic and seems like a very much needed part of the ssh
ecosystem. Most of my work is sshing from my home computer to servers in the
cloud, and this seems like it will be perfect for mitigating the feeling of
lag.

------
jongraehl
Nice homage in the terminal window (Mosh Web Site Ideas) to
<http://en.wikipedia.org/wiki/Important_Things_with_Demetri_Martin>
:)

------
sgt
When connecting (for the first time) to a mosh server I get the following
error message:

/usr/bin/mosh: Did not find mosh server startup message. <it then disconnects>

Server runs FreeBSD and the client is OS X. Any ideas?

~~~
wdaher
Is mosh installed on the server? If you just normally ssh to the server and
run "mosh-server", does it actually do something? (maybe it's not in your
PATH?)

~~~
sgt
It's in my PATH. If I do that, this happens:

freebsd$ mosh-server

MOSH CONNECT 60001 cPiSdaPVTjKA/JQjy5jExg

mosh-server (mosh 1.1.3) Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>. This
is free software: you are free to change and redistribute it. There is NO
WARRANTY, to the extent permitted by law.

[mosh-server detached, pid = 2751]

Warning: termios IUTF8 flag not defined. Character-erase of multibyte
character sequence probably does not work properly on this platform.

However back on the OS X desktop, if I do the following:

osx$ export MOSH_KEY=cPiSdaPVTjKA/JQjy5jExg

osx$ mosh-client 18.4.12.5 60001

<it now starts connecting, but server side complains "Crypto exception: Packet
failed integrity check.">

------
Scaevolus
I wish this used CurveCP.

------
zhuzhuor
ocb is patented... although the author claims it is "currently" free for gpl
code. What are you guys thinking? At least only supporting one protocol is not
that good.

~~~
djmdjm
I was very surprised at the use of OCB and not one of the other more widely-
used authenticated encryption modes like EAX or GCM.

------
philipithomas
Intriguing, but I feel that most of the efficiency problems it tries to
overcome can be mostly remedied by key-based SSH access. Can anyone comment on
this?

~~~
ef4
It's solving a completely different problem. In fact it doesn't change SSH's
authentication at all, so you'd still use your existing ssh key.

------
nwmcsween
Ok so is the authentication pluggable (authorization I'm presuming is handled
by pam and such)? Can I use Kerberos instead of SSH?

------
ggchappell
Do I understand correctly: to use mosh, I must have mosh-server available on
the remote machine (?).

~~~
mellifluousmind
The documentation doesn't say this, but apparently, after you start
mosh-server, it dies if there is no incoming request within 60 seconds. What is
the point of the server if it is just going to quit after 60 seconds?

~~~
charliesome
mosh-server is started up by mosh-client when it first SSHes in

------
aq11
Nice enough idea; but having protobuf and boost as deps is just silly for a
system utility.

------
excerionsforte
This actually sounds pretty sweet. I'm gonna try it on my vps! You get my
upvote.

~~~
chashaz
Ya... the features of Mosh sound quite interesting. There have been a lot of
times when I forgot to quit out of my shell & had everything messed up, so I had
to relogin, etc., so this will certainly help. But one thing that I'm still not
that sure about is the security... is mosh secure like ssh? It obviously acts
as a client on top of that protocol if I'm not wrong, so then it should be
pretty secure, right?

------
kirpekar
No X11 kills the deal for me.

~~~
lfaraone
You can run X11 in a separate terminal?

Anyway, doing network-resilient X11 is a harder problem than just ttys.

------
ricardobeat
Is it usable behind NAT/firewalls, as an alternative to a reverse tunnel?

------
za
related - Rocks: Reliable Sockets (unmaintained)
<http://pages.cs.wisc.edu/~zandy/rocks/>

------
tiernano
Wasn't Mosh the name of PowerShell before it became PowerShell? Monad was the
code name, MOSH (MOnad SHell) was a name for it too...

