MOSH - A better alternative to ssh


SSH is the best method available for establishing a connection to remote servers in a secure manner. System administrators use ssh very often to carry out their administration tasks. SSH was truly a revolutionary protocol for obtaining a shell remotely and carrying out operations very securely.

However, there are some shortcomings in the protocol, due to its overhead as well as design limitations. Some of them are listed below.

  • Suppose you are working remotely on a critical machine and your connection is slow. Your ssh console session will then lag a lot.
  • You can never expect your ssh connection state to remain intact in case of a connection drop.
  • SSH works over TCP, so roaming between IP addresses is not supported.
  • Large network latency and round-trip time will affect ssh operation.

Keith Winstein, along with Anders Kaseorg, Quentin Smith, Richard Tibbetts and Keegan McAllister, came up with a good solution to these problems. It's called Mosh, or Mobile Shell.

What is MOSH (Mobile Shell)?

Mosh is a remote terminal application that can be used to obtain a remote shell, similar to ssh, but it addresses most of the limitations of SSH.

You will seldom experience issues like slow terminal response in MOSH.

MOSH achieves this by paying close attention to the data transmitted from the server to the client. In a normal ssh session the server never cares about the client's network connection speed; because of this mismatch between the server's and the client's connection speed, the client-side terminal experiences a slow response.

MOSH solves this by choosing a frame rate for its screen updates that depends on the connection speed.

How does MOSH (mobile shell) achieve this?

MOSH makes use of the State Synchronization Protocol. This protocol works over UDP and keeps the screen state on both sides almost the same.

The client also makes predictions about the screen state after each key is pressed on the client side, and corrections are made when a prediction turns out to be wrong.

How does a MOSH connection stay intact even after an IP change?

This is because of the initial sequence number. The initial sequence number lets each side determine how many packets have been sent and in what order. Whenever the server receives a datagram with an incremented ISN (initial sequence number), the server changes its target IP to the address that datagram came from.

How to install MOSH (Mobile Shell)?

Installing MOSH is quite easy. A mosh rpm is available from the EPEL repo, so you can easily install it through YUM; the transaction summary yum prints is shown below.

Note: You need to have the rpmforge and epel repos enabled to install this.


================================================================================
 Package             Arch         Version                Repository        Size
================================================================================
Installing:
 mosh                i386         1.2.3-1.el5            epel             385 k
Installing for dependencies:
 perl-IO-Tty         i386         1.08-2.el5.rf          rpmforge          64 k
 
Transaction Summary
================================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
 
Total download size: 449 k
Is this ok [y/N]: y

You can also download the tarball from http://cloud.github.com/downloads/keithw/mosh/mosh-1.2.3.tar.gz and install it using the commands shown below.

Step 1: Download the tar file from the above link.

Step 2: Extract it using tar -xvf mosh-1.2.3.tar.gz

Step 3: Change to the extracted directory and run the following commands to configure and install.

./configure

make

make install

How to connect using MOSH?

You can use mosh to connect to a remote machine just as you do with ssh: simply type mosh followed by the remote IP address or hostname.

[root@slashroot2 ~]# mosh 192.168.0.103
The authenticity of host '192.168.0.103 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is c7:14:f4:85:5f:52:cb:f9:53:56:9d:b3:0c:1e:a3:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.103' (RSA) to the list of known hosts.
root@192.168.0.103's password:
[root@slashroot1 ~]#

In the above example, I have used mosh to log in to the machine slashroot1 from slashroot2. You can see that it works exactly the same way as ssh.

After logging in to slashroot1, I can see a process named mosh-server running on UDP port 60001, as shown below.

[root@slashroot1 ~]# ps aux | grep mosh
root      2634  5.3  0.8  14960  4144 pts/0    S+   06:58   0:00 mosh-client 192.168.0.102 | 192.168.0.102 60001
root      2642  6.2  0.4  14876  2524 ?        S    06:58   0:00 mosh-server new -s -c 8 -l LANG=en_US.UTF-8
root      2675  0.0  0.1   3912   668 pts/3    R+   06:58   0:00 grep mosh
[root@slashroot1 ~]# lsof -i :60001
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
mosh-serv 2642 root    3u  IPv4   7330       UDP 192.168.0.102:60001

In the scenario above, mosh is not running on the remote server as a process all the time. Whenever you connect to the remote machine using mosh, the mosh command first connects to the server using ssh, then runs the mosh-server command on the remote server to open a high UDP port there (60001 by default), and finally makes the client talk on that UDP port.

Note: You need to have the mosh package installed on both machines for this to work. The default port range for mosh-server is 60001 to 61000.
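Because each session lives on its own high UDP port, an administrator will want a quick way to see which ports mosh-server processes actually hold and whether they fall inside the expected range. The script below is an added example, not code from the article or from the mosh project: it reads lsof output in the same layout the article shows (a constructed sample is embedded) and flags any mosh-server socket outside 60001 to 61000.

```shell
#!/bin/sh
# Added example, not code from the original article or the mosh project:
# audit which UDP ports mosh-server processes are bound to, reading lsof
# output in the same layout the article shows, and flag anything outside
# the 60001-61000 default range that the article documents.

MOSH_PORT_MIN=60001
MOSH_PORT_MAX=61000

# Constructed sample of `lsof -nP -i UDP` output; not captured from a real host.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
mosh-serv 2642 root    3u  IPv4   7330       UDP 192.168.0.102:60001
mosh-serv 3107 root    3u  IPv4   8012       UDP 192.168.0.102:60002
mosh-serv 3250 root    3u  IPv4   8100       UDP 192.168.0.102:62000
ntpd       910 ntp    16u  IPv4   4501       UDP *:123'

# Print "pid port" for every mosh-server UDP socket found on stdin.
# lsof truncates the command name to nine characters ("mosh-serv").
mosh_udp_listeners() {
    awk '$1 ~ /^mosh-serv/ && $(NF-1) == "UDP" {
        n = split($NF, addr, ":"); print $2, addr[n]
    }'
}

# Succeed (exit 0) only when the port lies inside the documented range.
port_in_mosh_range() {
    [ "$1" -ge "$MOSH_PORT_MIN" ] && [ "$1" -le "$MOSH_PORT_MAX" ]
}

# Read lsof output on stdin, print "pid port OK|OUTSIDE-RANGE" per socket.
audit_mosh_ports() {
    mosh_udp_listeners | while read -r pid port; do
        if port_in_mosh_range "$port"; then
            echo "$pid $port OK"
        else
            echo "$pid $port OUTSIDE-RANGE"
        fi
    done
}

# Number of mosh-server sockets bound outside the expected range.
count_out_of_range() {
    audit_mosh_ports | grep -c OUTSIDE-RANGE || true
}

# Stand-alone run over the constructed sample. On a real host, feed it
# live data instead:  lsof -nP -i UDP | audit_mosh_ports
printf '%s\n' "$SAMPLE_LSOF" | audit_mosh_ports
```

The same range matters for any firewall in front of the server: besides the ssh port, inbound UDP 60001 to 61000 has to be allowed (with iptables, for example, iptables -A INPUT -p udp --dport 60001:61000 -j ACCEPT), otherwise the ssh step succeeds but the client never reaches mosh-server.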


As explained before, in the above example our client established the mosh connection with the slashroot1 machine by first connecting over ssh, running the mosh-server binary on the server, and then connecting to the UDP port reported by mosh-server.

You can also start mosh-server manually, as shown below, but a manually started mosh-server will only last 60 seconds: if no connection is made within that 60-second period, the mosh-server process kills itself.

[root@slashroot1 ~]# mosh-server
MOSH CONNECT 60001 cCBMJe5UDo6UvINhpWhJow
mosh-server (mosh 1.2.3)
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
[mosh-server detached, pid = 2995]

As shown above, when we start the mosh-server binary manually it reports the encryption key that the client must use to connect to it, along with the port number, 60001. This process will exist for only 60 seconds and will kill itself if no connection is made.

[root@slashroot2 ~]# MOSH_KEY=cCBMJe5UDo6UvINhpWhJow mosh-client 192.168.0.102 60001
[root@slashroot1 ~]#

In the above example I have used the key provided by the server to connect, but this is not practical, as the mosh-server process only waits for 60 seconds. This is the same thing that mosh does when you connect directly from a client with the mosh command: it starts a mosh-server process and informs the client of the port and key, which the client then uses for the communication.

Suppose your mosh-server binary is in a location other than the default one. You can pass that path as an argument to the mosh command from the client, as shown below.

mosh --server=/path/to/mosh-server-binary <hostname>


As I mentioned before, mosh initially connects using ssh. So what if your server uses a port other than the default for ssh? In that case you can specify that ssh port in your mosh command.

$ mosh --ssh="ssh -p 1000" <hostname> 
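The sequence described above (ssh in, start mosh-server, read its MOSH CONNECT line, hand the key to mosh-client through MOSH_KEY) is what the mosh command automates, including the --server path and the alternate ssh port. The script below is an added example written for this article, not the mosh project's own wrapper: it carries out those steps in plain sh and, unlike a blind copy of the key, validates the server's reply before trusting it. It assumes the remote account can run mosh-server and that the first argument is an IP address, which is what mosh-client is given in the article's example; the embedded reply is a constructed copy of the mosh-server output shown above.

```shell
#!/bin/sh
# Added example, not the mosh project's own wrapper: reproduce the steps
# the article describes for `mosh host` (ssh in, start mosh-server, read
# its "MOSH CONNECT <port> <key>" line, then run mosh-client with MOSH_KEY),
# and validate the server's reply before trusting it.
#
# Assumptions not taken from the article: the remote account can run
# mosh-server, and $1 is an IP address, as mosh-client expects in the
# article's own example.

# Constructed reply, copied in shape from the mosh-server output in the article.
SAMPLE_REPLY='MOSH CONNECT 60001 cCBMJe5UDo6UvINhpWhJow
mosh-server (mosh 1.2.3)
[mosh-server detached, pid = 2995]'

# Read mosh-server output on stdin and print "port key" from its
# MOSH CONNECT line. Prints nothing and returns 1 unless the line is
# well formed: a numeric port inside 60001-61000 and a 22-character
# base64 key (a 128-bit AES key, the same length as the article's sample).
parse_mosh_connect() {
    connect_line=$(grep '^MOSH CONNECT ' | head -n 1)
    [ -n "$connect_line" ] || return 1
    set -- $connect_line                  # $3 = port, $4 = key
    [ "$#" -eq 4 ] || return 1
    case "$3" in *[!0-9]*|'') return 1 ;; esac
    [ "$3" -ge 60001 ] && [ "$3" -le 61000 ] || return 1
    printf '%s' "$4" | grep -Eq '^[A-Za-z0-9+/]{22}$' || return 1
    echo "$3 $4"
}

# The ssh command that starts mosh-server remotely, using the same
# mosh-server arguments the article's ps output shows. Parameters:
# $1 = remote address, $2 = ssh port, $3 = path to the mosh-server binary.
remote_start_cmd() {
    echo "ssh -p $2 $1 -- $3 new -s -c 8 -l LANG=en_US.UTF-8"
}

# Full bootstrap. $1 = remote IP, $2 = ssh port (default 22),
# $3 = mosh-server path (default: whatever is on the remote PATH).
mosh_bootstrap() {
    host=$1; sshport=${2:-22}; server=${3:-mosh-server}
    reply=$(ssh -p "$sshport" "$host" -- "$server" new -s -c 8 -l LANG=en_US.UTF-8) || return 1
    conn=$(printf '%s\n' "$reply" | parse_mosh_connect) || {
        echo "no valid MOSH CONNECT line from $host" >&2
        return 1
    }
    port=${conn%% *}
    key=${conn#* }
    # The key travelled only inside the ssh session. Hand it to mosh-client
    # through the environment, as mosh itself does, so it never appears as
    # a command-line argument visible in `ps` on the client.
    export MOSH_KEY="$key"
    exec mosh-client "$host" "$port"
}

# Stand-alone demonstration of the parsing step on the constructed reply.
printf '%s\n' "$SAMPLE_REPLY" | parse_mosh_connect
```

Run as mosh_bootstrap 192.168.0.103 1000 /opt/mosh/bin/mosh-server to combine both options the article covers (non-default ssh port and non-default mosh-server path). The validation step is the part worth keeping even if you never script the rest: a reply whose port is outside the documented range or whose key is not a 22-character base64 string is rejected instead of being passed on to mosh-client.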


Tests show that mosh reduces keystroke response time from 550ms to 170ms, which is a nice achievement. Mosh uses AES-128 (Advanced Encryption Standard) in OCB (offset codebook) mode. OCB is an authenticated-encryption mode, so a single operation provides both authentication (which would otherwise need a separate MAC) and encryption for privacy.

However, the Linux security community is not yet fully ready to adopt it. We hope mosh becomes a default thing in the coming future, for its advantages over ssh. Thanks to the writers of MOSH for this achievement.
