
mosh is nice, but I don't feel like installing a not well established ssh server replacement on hosts at work.


Mosh is awesome and totally worth the 30 seconds it takes to install it. As far as security:

Q: What is Mosh's security track record so far? Mosh 1.0 was released in March 2012. As of the release of Mosh 1.2.5 in July 2015, as far as the developers are aware:

In the last three years, no security vulnerabilities of any kind (major or minor) have been reported in Mosh. No major security vulnerabilities have ever been reported in Mosh. We define major security vulnerabilities to include privilege escalation, remote code execution, denial-of-service by a third party, etc. Two denial-of-service issues were discovered and fixed in releases in 2012. One issue allowed a mosh-server to cause the mosh-client to spend excess CPU (CVE-2012-2385, fixed in Mosh 1.2.1, released May 2012). Another issue allowed the server host to cause the mosh-client to send UDP datagrams to an incorrect address, foiling its attempt to connect (fixed in Mosh 1.2.2, released July 2012).

Q: How does Mosh's security compare with SSH's?

We think that Mosh's conservative design means that its attack surface compares favorably with more-complicated systems like OpenSSL and OpenSSH. Mosh's track record has so far borne this out. Ultimately, however, only time will tell when the first serious security vulnerability is discovered in Mosh—either because it was there all along or because it was added inadvertently in development. OpenSSH and OpenSSL have had more vulnerabilities, but they have also been released longer and are more prevalent.

In one concrete respect, the Mosh protocol is more secure than SSH's: SSH relies on unauthenticated TCP to carry the contents of the secure stream. That means that an attacker can end an SSH connection with a single phony "RST" segment. By contrast, Mosh applies its security at a different layer (authenticating every datagram), so an attacker cannot end a Mosh session unless the attacker can continuously prevent packets from reaching the other side. A transient attacker can cause only a transient user-visible outage; once the attacker goes away, Mosh will resume the session.

However, in typical usage, Mosh relies on SSH to exchange keys at the beginning of a session, so Mosh will inherit the weaknesses of SSH—at least insofar as they affect the brief SSH session that is used to set up a long-running Mosh session.
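The datagram-authentication point above, as an added example that is not part of the original thread or of Mosh's own code: a toy model in which every datagram carries a sequence number and an HMAC under a session key (real Mosh uses AES-OCB with a key exchanged over the initial SSH login; HMAC-SHA256 stands in for it here), beside a TCP-style receiver that honours any RST. The endpoint class, the wire format, the "BYE" payload and the sequence numbers are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

SEQ_LEN, TAG_LEN = 8, 32  # toy wire format (constructed): seq || payload || HMAC tag
def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    body = seq.to_bytes(SEQ_LEN, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

@dataclass
class MoshLikeEndpoint:
    key: bytes              # session key; real Mosh gets it over the SSH login
    last_seq: int = -1
    alive: bool = True
    screen: bytes = b""

    def receive(self, datagram: bytes) -> str:
        """Return 'applied', 'bad-tag' or 'replay'; only 'applied' changes state."""
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.key, body, hashlib.sha256).digest()):
            return "bad-tag"   # forged or tampered: dropped, session untouched
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        if seq <= self.last_seq:
            return "replay"    # old or duplicated datagram: dropped
        self.last_seq, payload = seq, body[SEQ_LEN:]
        if payload == b"BYE":
            self.alive = False  # only a key holder can end the session
        else:
            self.screen = payload  # a later state supersedes any missed ones
        return "applied"

def tcp_receive(conn: dict, segment: dict) -> str:
    # TCP-style receiver: nothing authenticates the segment, so any RST is honoured.
    if segment.get("flag") == "RST":
        conn["alive"] = False
        return "reset"
    return "data"

def demo() -> dict:
    key, out, tcp = os.urandom(32), {}, {"alive": True}
    out["tcp_after_rst"] = (tcp_receive(tcp, {"flag": "RST"}), tcp["alive"])
    mosh = MoshLikeEndpoint(key)
    forged = seal(os.urandom(32), 99, b"BYE")  # attacker does not hold the key
    out["forged_bye"] = (mosh.receive(forged), mosh.alive)
    # Transient outage: datagrams 0 and 1 never arrive; 2 arrives and is enough.
    out["after_outage"] = (mosh.receive(seal(key, 2, b"screen-v2")), mosh.screen)
    out["replayed"] = mosh.receive(seal(key, 1, b"screen-v1"))
    out["genuine_bye"] = (mosh.receive(seal(key, 3, b"BYE")), mosh.alive)
    return out
```

Running `demo()` shows the forged datagram and the replay being dropped without touching the session, while the TCP-style connection dies on the first RST.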


Why?

Technically, it is not a replacement, since it requires an ssh server for authentication.


> Mosh is a replacement for SSH. (https://mosh.mit.edu) First sentence in second paragraph.


It's a matter of semantics. Parent is correct that mosh requires SSH to function. From the same page you linked:

> Mosh doesn't listen on network ports or authenticate users. The mosh client logs in to the server via SSH, and users present the same credentials (e.g., password, public key) as before. Then Mosh runs the mosh-server remotely and connects to it over UDP.


"Technically Speaking" = Political Double Talk

I know I will continue to be downvoted BUT you need to get into politics. Because you are arguing that the whole sentence "MOSH is a replacement for SSH." means it is NOT a replacement? The argument is that it has SSH as a requirement so "technically" it isn't replacing SSH, even though based on precise facts it actually does kill SSH and replace it when it is used? The authors of MOSH clearly make a one-sentence statement of purpose to "replace SSH." Your statement "It isn't a replacement for SSH." is more correct?

It does have SSH required, but it uses it for a limited authorization and then SSH on TCP is abandoned once the connection is established and the connection is handed over (replaced) to a MOSH UDP connection with encryption that is totally independent from SSH.

Makes me crazy that "technically" always means I will say the EXACT opposite of the statement and say that my opposite is more accurate than the stated statement.

This statement is technically true based on facts and the declaration of the authors. MOSH is a mobile shell that replaces SSH connections. It doesn't matter that SSH is there; the SSH connection is replaced with a UDP MOSH connection. It does it in a literal sense in its actions.


I made that "technically speaking" statement in the context of "I don't feel like installing a not well established ssh server replacement on hosts at work". I thought, maybe Galanwe has concerns about security and the fact that mosh builds on ssh instead of replacing it might be a counter argument.


But it does completely replace it EXCEPT for SSH connection.

1) SSH makes the TCP connection

2) MOSH starts a UDP Connection

3) MOSH kills the SSH TCP connection and there are no ssh processes running anymore.


Mosh is a replacement for ssh (the client), but not for sshd, as it relies on it to make a connection. OpenSSH also is not meant to be replaced, which also has not been claimed in your link.

Please pay attention to semantics while fencing with words.


My Statement: MOSH is a replacement for SSH

Joe - you changed the very words from SSH to sshd. sshd is just the server side of SSH; really, what does that matter at all? What part of "Mosh is a replacement for ssh (the client), but not for sshd, as it relies on it to make a connection" is any different from my whole previous post?

Read my statement on SSH being replaced. The sshd connection is actually totally and completely replaced with a UDP MOSH connection, and sshd no longer works after the connection is authorized. So in action the SSH connection is shut down and handed over to MOSH (AKA replaces the connection). Also, it is so you never use SSH for your work except to be authorized by your keys.

>OpenSSH also is not meant to be replaced, which also has not been claimed in your link

My Link - The official website for MOSH. The only statement is that they think MOSH is more secure than OpenSSL and OpenSSH. But yes it replaces OpenSSH and SSH. It replaces the very connection it makes and it replaces SSH or OpenSSH with MOSH to handle EVERYTHING except that initial handshake authorization.

Please Quote your source for "which also has not been claimed in your link"

I say look at the mirror. Joe the statement is 100% true MOSH is a replacement for SSH in purpose, programming and in practice. Where is it okay to say that MOSH is a replacement for SSH is wrong in any sense besides it is a requirement?



