My proof-of-concept doesn't have packet authentication. But I have considered this, and have a design in mind where, as part of the session initiation, an authentication key is generated. The problem is that this requires an enhanced client that can encapsulate Mosh packets with this authentication header. I could rig that up with a "relay helper agent", and have considered doing so.<br>
<div><br></div><div>It'd be great if, as you suggest, Mosh included an authentication header, so that the use of a relay would not require a specialized client or "relay helper agent".</div><br><div>On Mon Mar 31 2014 at 11:47:49 AM, Keith Winstein <<a href="mailto:keithw@mit.edu">keithw@mit.edu</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I like the idea of a relay or proxy -- the problem I've been having is that it's hard for the relay to let the client roam securely unless it can verify that datagrams coming in from a new source address are authentic. But it can't verify that unless it has the plaintext session key, which (1) ideally it would not have (2) even if you did give it to the proxy, how would you set up the UX to do that in a sane way?<div>
<br></div><div>Perhaps in a protocol revision, we should think about using an Ed25519 signature so that a chain of proxies along the way can authenticate the datagram without also needing to be able to decrypt.</div></div>
<div dir="ltr"><div>
<br></div><div>-Keith</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 31, 2014 at 11:41 AM, Richard Perry Woodbury III <span dir="ltr"><<a href="mailto:rpwoodbu@mybox.org" target="_blank">rpwoodbu@mybox.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Your intuition about the lag-friendly interface being rendered useless is correct. It is critical for the client and server to be on opposite sides of the source of lag. Otherwise you get really bizarre effects, like predictive text getting erased and then redrawn in a flash.<br>
<div><br></div><div>I've been contemplating a Mosh Relay that uses a basic NAT traversal technique, so it can run on any machine with public Internet access and doesn't require any special network configuration. I have a proof-of-concept working. If there's sufficient interest, I may flesh it out.</div>
<div><br></div><div>Richie</div><div><div><br><div>On Mon Mar 31 2014 at 4:12:42 AM, David Seaward <<a href="mailto:dseaward925@gmail.com" target="_blank">dseaward925@gmail.com</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Vincent and Mark,<br>
<br>
Thanks for your feedback, it was very helpful. I will look into an SSH<br>
intermediary (mosh-client > mosh-server > ssh > endpoint) as a<br>
solution.<br>
<br>
My primary motivation is the lag-friendly mosh interface, rather than<br>
the connection per se, which makes me wonder if both the mosh client<br>
and server could be on my local machine, which itself makes the<br>
tunneled/ProxyCommand ssh connection with a regular tunnel or similar.<br>
The connection benefits are obviously lost, but I suspect even the<br>
lag-friendly interface would be rendered useless. An experiment for<br>
another day.<br>
<br>
I have summarized your helpful responses as an answer to my SU<br>
question. Thanks again!<br>
<br>
David<br>
<br>
On Fri, Mar 28, 2014 at 6:10 PM, Vincent Lefevre<br>
<<a href="mailto:vincent-mosh@vinc17.net" target="_blank">vincent-mosh@vinc17.net</a>> wrote:<br>
> On 2014-03-28 17:08:00 +0200, David Seaward wrote:<br>
>> Ah, this is more complicated than I thought :D<br>
>><br>
>> I thought it was going to be one of:<br>
>><br>
>> a) mosh-client - ssh - ssh - mosh-server<br>
>><br>
>> ...where "ssh - ssh" may be some kind of transparent hop, or<br>
>><br>
>> b) mosh-client - mosh-? - mosh-? - mosh-server<br>
>><br>
>> ...with funky configuration on the hops.<br>
><br>
> With stone (or similar UDP repeater), if I understand correctly,<br>
> I was thinking of:<br>
><br>
> mosh-client - stone - mosh-server<br>
><br>
> or<br>
><br>
> mosh-client - stone - stone - mosh-server<br>
><br>
> for 2 gateways.<br>
><br>
> --<br>
> Vincent Lefèvre <<a href="mailto:vincent@vinc17.net" target="_blank">vincent@vinc17.net</a>> - Web: <<a href="https://www.vinc17.net/" target="_blank">https://www.vinc17.net/</a>><br>
> 100% accessible validated (X)HTML - Blog: <<a href="https://www.vinc17.net/blog/" target="_blank">https://www.vinc17.net/blog/</a>><br>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)<br>
> _______________________________________________<br>
> mosh-users mailing list<br>
> <a href="mailto:mosh-users@mit.edu" target="_blank">mosh-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/mosh-users" target="_blank">http://mailman.mit.edu/mailman/listinfo/mosh-users</a><br>
<br>
</blockquote>
</div></div><br>
<br></blockquote></div><br></div>
</blockquote>
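The following is an added sketch, not Mosh's code or wire format, of the design Keith describes above: a relay that holds only the client's Ed25519 public key verifies each datagram's signature, lets the client roam to a new source address when the signature checks out, and forwards the ciphertext without being able to decrypt it. The framing (sequence number, opaque ciphertext, trailing signature) and the replay check on the sequence number are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Constructed wire layout for this example (not Mosh's real format):
//   [8-byte big-endian sequence][opaque ciphertext][64-byte Ed25519 signature]
// The signature covers sequence||ciphertext, so a relay holding only the
// client's public key can authenticate the datagram without decrypting it.
const seqLen, sigLen = 8, ed25519.SignatureSize

// SignDatagram is the client side: prepend a sequence number and sign.
func SignDatagram(priv ed25519.PrivateKey, seq uint64, ciphertext []byte) []byte {
	pkt := make([]byte, seqLen+len(ciphertext), seqLen+len(ciphertext)+sigLen)
	binary.BigEndian.PutUint64(pkt, seq)
	copy(pkt[seqLen:], ciphertext)
	return append(pkt, ed25519.Sign(priv, pkt)...)
}

// Relay tracks where the authenticated client is currently reachable.
type Relay struct {
	clientPub  ed25519.PublicKey
	clientAddr string // last source address that passed verification
	lastSeq    uint64 // highest sequence accepted; assumption: rejects replays
}

// Accept verifies a datagram arriving from src. On success it moves the
// client to src (the roaming step) and returns the ciphertext to forward.
func (r *Relay) Accept(src string, pkt []byte) ([]byte, error) {
	if len(pkt) < seqLen+sigLen {
		return nil, errors.New("datagram too short")
	}
	body, sig := pkt[:len(pkt)-sigLen], pkt[len(pkt)-sigLen:]
	if !ed25519.Verify(r.clientPub, body, sig) {
		return nil, errors.New("bad signature: not from this session's client")
	}
	if seq := binary.BigEndian.Uint64(body); seq <= r.lastSeq {
		return nil, errors.New("replayed or stale datagram")
	} else {
		r.lastSeq, r.clientAddr = seq, src
	}
	return body[seqLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := &Relay{clientPub: pub}
	r.Accept("203.0.113.5:60000", SignDatagram(priv, 1, []byte("opaque")))
}
```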