mosh is amazaballs | Alt255 Blog

May 28, 2017

mosh is amazaballs

I finally got around to trying out mosh, a “replacement for SSH”. Mosh is pretty darned amazing as well as easy to set up. The immediate benefit I’m seeing is being able to establish a connection from my laptop to a server, close the laptop for minutes/hours, then be able to resume my previous connections right where I left off; no need to type ~. to close the hung SSH connection, no need to reauthenticate, no need to plug in my YubiKey to access the SSH private key.

Installation was as easy as the mosh website indicated:

  • OSX: brew install mobile-shell
  • Debian: apt install mosh

Note that both the client and server sides of the connection need to have mosh installed.

One of the first hiccups I encountered had to do with locale (LANG) settings. mosh requires a UTF-8 locale on both ends: the client forwards its LANG/LC_* settings to mosh-server over the SSH connection, and if the effective locale is not UTF-8 (or is unset) it refuses to start. I’ve temporarily addressed this by connecting like so:

LANG=en_US.UTF-8 mosh server.example.com

The second hiccup I ran into had to do with iptables not allowing UDP connections. After the initial SSH handshake, mosh-server picks one UDP port per session, by default from the range 60001-60999, so the firewall on the server has to accept inbound UDP on that range (the client’s -p/--port option can pin a specific port or a narrower range, but I haven’t looked into that yet). To fix iptables, a rule similar to this worked well; note that -A appends it, so it must end up ahead of any catch-all DROP or REJECT rule already in the INPUT chain:

iptables -A INPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT
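As an added example (not part of the original post, and not mosh’s own tooling), here is a small POSIX sh preflight script tying the two hiccups together: it checks that the effective locale is UTF-8 the way mosh will see it (LC_ALL overrides LC_CTYPE overrides LANG), validates a narrowed UDP port range, and prints the matching server-side iptables rule and the client-side mosh command pinned to that range with --port. The hostname server.example.com and the 60001:60010 range are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the host
# server.example.com and the illustrative port range 60001:60010.

# mosh refuses to run unless both ends use a UTF-8 locale. Returns 0 when the
# effective locale (LC_ALL, else LC_CTYPE, else LANG) names a UTF-8 charset.
is_utf8_locale() {
    lc_all=$1; lc_ctype=$2; lang=$3
    eff=${lc_all:-${lc_ctype:-$lang}}
    case "$eff" in
        *[Uu][Tt][Ff]-8|*[Uu][Tt][Ff]8) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate a UDP port range and print the iptables rule for it. Uses -I so the
# rule lands ahead of any existing catch-all DROP/REJECT in INPUT; -A would
# append after such a rule and never match.
mosh_fw_rule() {
    lo=$1; hi=$2
    case "$lo$hi" in
        *[!0-9]*|"") echo "ports must be numeric" >&2; return 1 ;;
    esac
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "invalid range $lo:$hi" >&2; return 1
    fi
    echo "iptables -I INPUT -p udp --dport ${lo}:${hi} -j ACCEPT"
}

# Print the client command pinned to the same range, so the firewall only has
# to expose those ports instead of mosh-server's default 60001:60999.
mosh_cmd() {
    lo=$1; hi=$2; host=$3
    echo "LANG=en_US.UTF-8 mosh --port=${lo}:${hi} ${host}"
}

main() {
    if is_utf8_locale "$LC_ALL" "$LC_CTYPE" "$LANG"; then
        echo "locale OK: ${LC_ALL:-${LC_CTYPE:-$LANG}}"
    else
        echo "locale is not UTF-8; export LANG=en_US.UTF-8 before running mosh" >&2
    fi
    echo "# run on the server (as root):"
    mosh_fw_rule 60001 60010
    echo "# run on the client:"
    mosh_cmd 60001 60010 server.example.com
}

main "$@"
```

The range check matters because iptables accepts any numeric range silently; a typo such as 6001:60010 would open far more than intended, and mosh_fw_rule rejects reversed or non-numeric input before anything is printed.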

Discussion

IIRC, when I first heard of mosh, I didn’t see much reason to try it out since I nearly always use screen to save state across SSH sessions. Back when mosh was released, I used SSH public keys (password-protected) to authenticate; reconnecting to a remote server was quick and easy since ssh-agent cached my decrypted private key. However, since then, I’ve migrated to using SSH keys protected by a hardware token (YubiKey); if I’ve removed the hardware token from my laptop or the laptop has gone into sleep mode, I need to retype my password before I use the hardware token again for authentication. I’ve noticed over time this re-auth process can become a bit tedious.

From a security perspective, mosh sits between an ssh-agent-cached private key and a hardware-protected key. With the former, new connections can be established without user interaction once the private key is loaded into ssh-agent. With the latter, each new connection can require re-entering the token’s password. With mosh, resumed connections behave as if I were using ssh-agent, while connections to new destinations keep the stronger protection of requiring the unlocked hardware token. The caveat is what a resumed connection rests on: mosh authenticates once over SSH, mosh-server hands the client a per-session symmetric key (the MOSH CONNECT line), and every datagram after that is encrypted under that key rather than re-checked against the token. The key lives in memory on both ends for as long as the session exists, so anyone who can use the laptop, or read the mosh client’s memory, can resume the session without the YubiKey, much as with a screen session left attached; and mosh-server waits for its client indefinitely unless MOSH_SERVER_NETWORK_TMOUT is set to bound how long an idle session is kept alive.