<div dir="ltr">Hello Daniel,<div><br></div><div>The issue is basically the same since the original pull request in 2013 -- whatever change we make to the Mosh protocol to support ssh-agent forwarding is one we have to live with forever, and the limitations of the Mosh protocol make us not want to commit ourselves to these changes. Mosh does not handle big Instructions well; our fragmentation system is very simple, so adding reliable transport of not-exactly bounded OOB data in the synchronized SSP object makes me nervous.</div><div><br></div><div>(We're also pretty paranoid about security, and this leads to maybe excessive conservatism -- Mosh has never had a security hole, and we hope to keep it that way. Making intensive protocol changes to add extra features to the core protocol is also something I'm nervous about, and nervous about supporting over time. If you look at where SSH and TLS's security holes have come from, it's basically all from adding this kind of complexity in a non-isolated way. Of course many entities do run Timo's version; apparently Facebook uses it extensively.)</div><div><br></div><div>I think my preferred approach here is to release something that does resilient ssh-agent forwarding "to the side" of the Mosh connection, over a separate connection and with a separate package that users can run if they choose. We have developed something internally (at Stanford) that you might like that also does "secure" ssh-agent forwarding, by allowing the agent to authenticate and limit (1) the host making the request, (2) the remote host that host is trying to authenticate to, and (3) the command the host wants to execute on the remote host. (With normal ssh-agent forwarding, the agent can't learn any of these things and is basically signing a blank check.) This works alongside SSH and Mosh. 
We hope to have a public beta soon and will look forward to reports from anybody who wants to test it.</div><div><br></div><div>-Keith</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 21, 2017 at 9:33 AM, Daniel Roethlisberger <span dir="ltr"><<a href="mailto:daniel@roe.ch" target="_blank">daniel@roe.ch</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">John, all,<br>
<br>
Mosh is still lacking SSH agent forwarding, preventing the use of<br>
mosh in many setups. What is blocking the resolution of issue<br>
120 and pull request 696? The issue was raised in 2012 and<br>
the pull req has been sitting there since 2015:<br>
<br>
<a href="https://github.com/mobile-shell/mosh/issues/120" rel="noreferrer" target="_blank">https://github.com/mobile-shell/mosh/issues/120</a><br>
<a href="https://github.com/mobile-shell/mosh/pull/696" rel="noreferrer" target="_blank">https://github.com/mobile-shell/mosh/pull/696</a><br>
<br>
What would be needed to get SSH agent support into mosh, be it<br>
with Timo J. Rinne's implementation in the pull req or in a<br>
different way?<br>
<span class="m_-1233783643391048571m_86421276715595543m_3470690379321070453m_2929777743104742188m_-4188744090696434851m_-5391701531031099711m_4933563534959338113HOEnZb"><font color="#888888"><br>
-Daniel<br>
<br>
--<br>
Daniel Roethlisberger<br>
<a href="http://daniel.roe.ch/" rel="noreferrer" target="_blank">http://daniel.roe.ch/</a><br>
<br>
_______________________________________________<br>
mosh-devel mailing list<br>
<a href="mailto:mosh-devel@mit.edu" target="_blank">mosh-devel@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/mosh-devel" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/mosh-devel</a><br>
</font></span></blockquote></div><br></div></div>
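As an added illustration of the design point Keith makes above (not Mosh code, and not the Stanford tool he mentions, whose protocol is not described in the thread), the following Python contrasts a plain forwarded agent that signs any challenge with an agent that learns and enforces the three things he lists: the requesting host, the target host and the command. Every host name, key and policy entry is constructed, and HMAC stands in for both the asymmetric signature and per-host authentication so the script runs with the standard library only.

```python
"""Added illustration of context-aware ssh-agent signing (not Mosh code and
not the Stanford tool mentioned in the thread). HMAC stands in for the
asymmetric signature and for per-host authentication so it runs with the
standard library only; every key, host name and policy entry is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed secrets (assumption: a real agent would hold private keys).
AGENT_KEY = b"constructed-agent-key"
HOST_KEYS = {
    "laptop.example": b"constructed-laptop-key",
    "jumpbox.example": b"constructed-jumpbox-key",
}

# Hypothetical policy: requesting host -> target host -> allowed commands.
POLICY = {
    "laptop.example": {"build01.example": {"git fetch", "make test"}},
    "jumpbox.example": {"build02.example": {"uptime"}},
}

AUDIT = []  # what the agent can record once it knows the request context


class PolicyDenied(Exception):
    pass


@dataclass(frozen=True)
class SignRequest:
    requesting_host: str  # (1) host holding the forwarded agent socket
    target_host: str      # (2) host it wants to authenticate to
    command: str          # (3) command it intends to run there
    challenge: bytes      # challenge supplied by the target's SSH server
    host_mac: bytes       # tag proving the request came from requesting_host


def plain_agent_sign(challenge: bytes) -> bytes:
    """Classic forwarded agent: signs any challenge from whoever holds the
    socket and learns nothing about target or command (the "blank check")."""
    return hmac.new(AGENT_KEY, challenge, hashlib.sha256).digest()


def context_bytes(requesting_host: str, target_host: str, command: str,
                  challenge: bytes) -> bytes:
    """Canonical encoding of everything the agent is asked to vouch for."""
    return json.dumps({"from": requesting_host, "to": target_host,
                       "cmd": command, "challenge": challenge.hex()},
                      sort_keys=True).encode()


def make_request(requesting_host: str, target_host: str, command: str,
                 challenge: bytes) -> SignRequest:
    """Built on the requesting host, which authenticates the request with
    its own key (a shared secret here; a real design would use a host key)."""
    ctx = context_bytes(requesting_host, target_host, command, challenge)
    mac = hmac.new(HOST_KEYS[requesting_host], ctx, hashlib.sha256).digest()
    return SignRequest(requesting_host, target_host, command, challenge, mac)


def constrained_agent_sign(req: SignRequest) -> bytes:
    """Agent that authenticates the requester, checks target and command
    against policy, and binds the signature to all three."""
    ctx = context_bytes(req.requesting_host, req.target_host, req.command,
                        req.challenge)
    host_key = HOST_KEYS.get(req.requesting_host)
    expected = hmac.new(host_key or b"", ctx, hashlib.sha256).digest()
    if host_key is None or not hmac.compare_digest(expected, req.host_mac):
        AUDIT.append(("deny", "unauthenticated", req.requesting_host))
        raise PolicyDenied("requesting host could not be authenticated")
    allowed = POLICY.get(req.requesting_host, {}).get(req.target_host, set())
    if req.command not in allowed:
        AUDIT.append(("deny", req.requesting_host, req.target_host, req.command))
        raise PolicyDenied(f"{req.requesting_host} may not run "
                           f"{req.command!r} on {req.target_host}")
    AUDIT.append(("allow", req.requesting_host, req.target_host, req.command))
    # Sign the full context rather than the bare challenge, so a signature
    # minted for one host/command pair is useless if replayed for another.
    return hmac.new(AGENT_KEY, ctx, hashlib.sha256).digest()


def verify_bound_signature(req: SignRequest, signature: bytes) -> bool:
    """What the target host would check: is this a signature over this context?"""
    ctx = context_bytes(req.requesting_host, req.target_host, req.command,
                        req.challenge)
    return hmac.compare_digest(
        hmac.new(AGENT_KEY, ctx, hashlib.sha256).digest(), signature)


if __name__ == "__main__":
    challenge = b"constructed-challenge"
    ok = make_request("laptop.example", "build01.example", "git fetch", challenge)
    print("allowed:", verify_bound_signature(ok, constrained_agent_sign(ok)))
    for bad in (make_request("laptop.example", "build01.example", "reboot", challenge),
                SignRequest("jumpbox.example", "build02.example", "uptime",
                            challenge, b"\x00" * 32)):
        try:
            constrained_agent_sign(bad)
        except PolicyDenied as err:
            print("denied:", err)
    print("plain agent signs anyway:", plain_agent_sign(challenge).hex()[:16])
    for entry in AUDIT:
        print("audit:", entry)
```

The point the script makes is that once the agent sees the context, it can refuse (policy), attribute (audit log) and bind (the signature only verifies for the host and command it was issued for); the plain agent can do none of these because the challenge carries no context.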