I finally got around to trying out mosh, a “replacement for SSH”. Mosh is pretty darned amazing as well as easy to set up. The immediate benefit I’m seeing is being able to establish a connection from my laptop to a server, close the laptop for minutes/hours, then be able to resume my previous connections right where I left off; no need to type `~.` to close the hung SSH connection, no need to reauthenticate, no need to plug in my YubiKey to access the SSH private key.
Installation was as easy as the mosh website indicated:

- OSX: `brew install mobile-shell`
- Debian: `apt install mosh`

Note that both the client and server sides of the connection need to have mosh installed.
One of the first hiccups I encountered had to do with locale (`LANG`) settings. I’ve temporarily addressed this by connecting like so:

```sh
LANG=en_US.UTF-8 mosh server.example.com
```
The second hiccup I ran into had to do with iptables not allowing UDP connections. By default, mosh needs access to UDP ports 60000-61000. There’s a way to specify specific ports to use, but I haven’t looked into that yet. To fix iptables, a rule similar to this worked well:

```sh
iptables -A INPUT -p udp -m multiport --dports 60000:61000 -j ACCEPT
```
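As an added example (not from the original post), the same firewall-plus-connect procedure written so it can be re-run safely: the rule is added only if `iptables -C` says it is missing, and the opened range is narrowed to a few ports that the client then requests with mosh’s `-p PORT:PORT2` option, so the server does not need the whole 60000-61000 range exposed. The range `60000:60010`, the host name and the `IPTABLES`/`MOSH` override variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the post's own code. IPTABLES and MOSH can be pointed at
# stand-ins so the functions can be exercised without root or a real firewall.
set -eu

IPTABLES="${IPTABLES:-iptables}"
MOSH="${MOSH:-mosh}"
# Constructed range: far narrower than mosh's default 60000:61000 window.
MOSH_PORTS="${MOSH_PORTS:-60000:60010}"

# Succeeds when an ACCEPT rule for the given UDP port range already exists.
mosh_rule_present() {
    "$IPTABLES" -C INPUT -p udp -m multiport --dports "$1" -j ACCEPT >/dev/null 2>&1
}

# Idempotent: appends the rule only when it is not already there, so running
# this from a provisioning script twice does not duplicate the rule.
ensure_mosh_rule() {
    if mosh_rule_present "$1"; then
        echo "rule for UDP $1 already present"
        return 0
    fi
    "$IPTABLES" -A INPUT -p udp -m multiport --dports "$1" -j ACCEPT
}

# Connect with the locale workaround from the post and ask the server side for
# a port inside the range that was actually opened (-p is mosh's port option).
mosh_connect() {
    LANG=en_US.UTF-8 "$MOSH" -p "$MOSH_PORTS" "$1"
}

# Typical use on the server, then from the laptop:
#   ensure_mosh_rule "$MOSH_PORTS"
#   mosh_connect server.example.com
```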
Discussion
IIRC, when I first heard of mosh, I didn’t see much reason to try it out since I nearly always use screen to save state across SSH sessions. Back when mosh was released, I used SSH public keys (password protected) to authenticate; reconnecting to a remote server was quick and easy since ssh-agent cached my decrypted private key. However, since then, I’ve migrated to using SSH keys protected by a hardware token (YubiKey); if I’ve removed the hardware token from my laptop or the laptop has gone into sleep mode, I need to retype my password before I use the hardware token again for authentication. I’ve noticed over time this re-auth process can become a bit tedious.
From a security perspective, mosh fits neatly in between using an ssh-agent-cached private key and a hardware-protected key. In the former, new connections can be established without user interaction once the private key is loaded into ssh-agent. In the latter, new connections can require password reentry. With mosh, resumed connections behave as if I were using ssh-agent, while connections to new destinations are more strongly protected by requiring the unlocked hardware token.