[mosh-devel] Fwd: About mosh + ssh-agent forwarding support

[Keith Winstein]

Timo (one of the SSH authors) sent me this and we thought it might be
better to discuss on the list.

---------- Forwarded message ----------
From: Timo J. Rinne <tri at iki.fi>
Date: Wed, Oct 31, 2012 at 4:39 PM
Subject: About mosh + ssh-agent forwarding support
To: keithw at mit.edu


Hi

Just got interested in mosh.  What a great software and what a great
effort in server side terminal emulation!  However, I think today's main
uses for terminal connections are different admin tasks and different
development tasks.  And typical for both uses is that the user wants to
log in to other systems (e.g. ssh/scp/git ...) and typically these
commands need authentication and security aware people typically store
their authentication keys in the machines they use hands on rather than
in a large number servers here or there.  That's what makes ssh-agent
interesting.

I know there are several people that would be happy to see agent
forwarding appear in mosh.  I haven't had opportunity to look into mosh
source code more closely, but still I'd imagine it couldn't be that much
of a problem, because much of the problems apparent in generic channel
forwarding can just be forgotten (mainly i think channel based buffering
+ windowing + flow control that is a major pain in ssh). Also
performance is not an issue. The amount of data is in the magnitude of
kilobyte in one agent connection and it really doesn't matter whether
the authentication takes 10ms or 250ms.

I've personally implemented the agent forwarding for commercial version
of ssh (the original one by SSH Communications Security Corp.) and might
be able to help with this one too so that the obvious caveats are avoided.

I don't know how much you know a about the agent, but basically there is
very little mosh needs to know about it and it surely don't have to know
anything about the agent protocol. Actually if you run ssh-agent in your
local system, it opens a local socket in user owned subdirectory under
/tmp and sets environment variable SSH_AGENT_SOCK to point to that
listener and passes that environment to a shell (or X session) that is
going to be executed.  Then whenever an application wants to access
ssh-agent, it connects to the local listener, lists the keys available,
and requests the cryptographic operation to be executed for one of the
keys and then gets the result.  The result is then used in ssh
authentication.  Agent forwarding is nothing more than a method for ssh
client to request the server to open ssh agent socket listener and
forward all incoming connections to that listener upstream via existing
ssh connection back to the client so that the client can then forward
the connection to local agent listener. Naturally these forwards can be
chained, because apart from delay, there is no difference between local
and forwarded agent connection.

In case of mosh there are a few additional things to consider, because
the connection can be broken and then re-established, but actually they
are quite minor.

1) The server must be aware that agent forwarding is going to be used
before it spawns the user shell, because it must open the socket
listener and set SSH_AGENT_SOCK environment variable accordingly.

2) If the connection is down, the listener must still work, but
naturally what it should do, is to accept connections but immediately
close them.  Other more elaborate alternative would be to code to the
mosh server the ability to tell to the connection that no keys are
currently available (using ssh agent protocol), but I don't really see
much point in it.

3) If the connection goes down while the agent connection is ongoing, it
must close the active agent connection, but still leave the listener
active, so that subsequent connections can be handled (closed if the
connection is down, or forwarded again when the connection is revived).

I've been using mosh only so that the client is running all the time. I
don't know if it's actually possible to kill the client and somehow
start another one and connect to existing connection (using some magic
cookie key or something).  But if this is (or will be) the case, then of
course also new client invocation must be aware that the server can send
agent forwarding requests. Actually I think that in that kind of
scenario, the new client instance must be told whether to allow agent
forwarding or not (just like the initial one too) and if the initial one
allowed those and the new one doesn't, then agent forwarding requests
passed from the server are just denied and the server in its turn just
closes the agent connection.  Then again it might be possible to replace
the second client with the third one again allowing forwarding which
would make the agent forwards to go through again.  The other way it's
not possible. If the initial mosh connection is opened so that the
server doesn't set SSH_AUTH_SOCK environment variable, it's not possible
(in any practical way) to set up forwarding using that server.

Random thoughts, should you be interested about further information, I'm
more than happy to help.  I may also help with some code but I'm quite
busy with other stuff at the moment.  I can however promise to
contribute the local domain socket stuff if someone else does the
required channel stuff (I don't know if mosh has some channel concept
already in the protocol) and upstream connection requests etc.

Best regards,
--
Timo J. Rinne <tri at iki.fi>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mosh-devel/attachments/20121101/caa4c364/attachment.html