[mosh-devel] mosh without ssh?

Daniel kyhwana at gmail.com
Fri Dec 6 15:25:12 EST 2013


You could also do something like using a key pair: with the public key
on the server, use it to encrypt the random mosh-server key and then
publish it in a DNS TXT record, then change it every <x> days, or
script it so that when you start a new mosh-server instance, it generates
another mosh key and then publishes that, etc.


On Sat, Dec 7, 2013 at 4:11 AM, Weiwu Zhang <zhangweiwu at realss.com> wrote:
> Thanks all of you for answering my posts, and especially Keith who
> listed almost all possible methods. I don't usually take half a year
> to reply to email, except when caught up in business for too long, like now.
>
>
> 2013/7/2 Keith Winstein <keithw at mit.edu>:
>> Pretty much _any_ means of getting the server to start a mosh-server
>> process and convey the session key back to you would work. That's why
>> I think writing our own authenticating daemon on top of all the
>> existing ones is probably unnecessary.
>
> Then this should also work:
>
> Server:
>
> 1. store my public key (ssh public key for example) on the server --
> it is already on the server anyway, in ~/.ssh/authorized_keys
> 2. wrap mosh-server in inetd, and emit the session key encrypted with
> the public key.
>
> Client:
>
> 1. get the encrypted session key from the given port.
> 2. decrypt it and establish the mosh client with it.
>
> Both server and client can be done with a one-line command, if the
> session key is properly piped to cipher tools, which I don't know how
> to do. Few would elaborately reinvent ssh authentication using this
> homebrew workaround to prevent the connection from being detected as
> ssh, but in the worst times in Beijing, during political events,
> outgoing ssh connection attempts from a housing area network can get
> your ssh server graylisted for days. In these critical eventful days,
> not a single clue should be given to the big brother censorship that
> somebody is doing ssh.
>
> The thick Kerberos admin manual always daunts me. However it also
> daunts big brother censorship, who, I feel sure, doesn't bother to
> detect Kerberos, except the version wrapped in other products like
> ActiveDirectory. If somebody offered a Kerberos authentication server
> as an inexpensive online service like DNS, backed by his own
> reputation or two cents of bitcoins, I would consider buying it just
> to free myself from the manuals - my security requirement is only
> that it should stand against botnet membership recruitment, not that
> it stands against targeted attempts.
> _______________________________________________
> mosh-devel mailing list
> mosh-devel at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
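The exchange sketched in the thread (server encrypts the mosh-server session key to the user's public key and publishes the blob; client fetches, decrypts and starts mosh-client), worked through as an added example in Go. This is not code from the mosh project or from either poster; it uses only the Go standard library, does not run mosh-server, and instead constructs the `MOSH CONNECT <port> <key>` line that mosh-server prints on startup, with a fresh 22-character base64 key of the same shape mosh uses. The RSA-OAEP encryption, the `mosh-session` OAEP label, the 255-byte split for DNS TXT strings and the `MOSH_KEY=... mosh-client host port` client invocation are the example's own choices. In a real deployment the public key would come from the user's ssh key (for an RSA key, `ssh-keygen -e -m PKCS8 -f id_rsa.pub` yields a PEM that `x509.ParsePKIXPublicKey` reads) rather than from a key generated in `main`.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// oaepLabel binds the ciphertext to this purpose; the client must use the same label.
const oaepLabel = "mosh-session"

// NewSessionKey returns a mosh-style session key: 16 random bytes,
// base64 without padding, i.e. 22 characters. (Constructed here instead of
// parsing it out of mosh-server's output.)
func NewSessionKey() (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.RawStdEncoding.EncodeToString(raw), nil
}

// ConnectLine formats the line mosh-server prints when it starts.
func ConnectLine(port int, key string) string {
	return fmt.Sprintf("MOSH CONNECT %d %s", port, key)
}

// SealConnectLine is the server side: encrypt the connect line to the user's
// RSA public key with OAEP and return base64 text suitable for serving from a
// port (inetd) or storing in a DNS TXT record. Anyone can encrypt to a public
// key, so this gives confidentiality of the key, not proof of who published it.
func SealConnectLine(pub *rsa.PublicKey, port int, key string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(ConnectLine(port, key)), []byte(oaepLabel))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// OpenConnectLine is the client side: decrypt the blob with the private key and
// parse it strictly, so a garbage or tampered record never reaches mosh-client.
func OpenConnectLine(priv *rsa.PrivateKey, blob string) (int, string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return 0, "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(oaepLabel))
	if err != nil {
		return 0, "", err
	}
	f := strings.Fields(string(pt))
	if len(f) != 4 || f[0] != "MOSH" || f[1] != "CONNECT" {
		return 0, "", errors.New("not a MOSH CONNECT line")
	}
	port, err := strconv.Atoi(f[2])
	if err != nil || port < 1 || port > 65535 {
		return 0, "", errors.New("bad port")
	}
	if len(f[3]) != 22 {
		return 0, "", errors.New("bad key length")
	}
	if _, err := base64.RawStdEncoding.DecodeString(f[3]); err != nil {
		return 0, "", errors.New("key is not base64")
	}
	return port, f[3], nil
}

// TXTStrings splits the blob into the <=255-byte strings a DNS TXT record
// is made of (Daniel's DNS-publishing variant).
func TXTStrings(blob string) []string {
	var parts []string
	for len(blob) > 255 {
		parts = append(parts, blob[:255])
		blob = blob[255:]
	}
	return append(parts, blob)
}

// ClientCommand is what the client runs once it has the decrypted line.
func ClientCommand(host string, port int, key string) string {
	return fmt.Sprintf("MOSH_KEY=%s mosh-client %s %d", key, host, port)
}

func main() {
	// Stand-in for the user's ssh RSA key pair (generated here for the demo).
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	key, _ := NewSessionKey()
	blob, _ := SealConnectLine(&priv.PublicKey, 60001, key)
	fmt.Println("TXT strings published by server:", len(TXTStrings(blob)))
	port, k, err := OpenConnectLine(priv, strings.Join(TXTStrings(blob), ""))
	if err != nil {
		panic(err)
	}
	fmt.Println(ClientCommand("example.org", port, k))
}
```

With a 2048-bit key the RSA-OAEP ciphertext is 256 bytes, 344 base64 characters, so the record is two TXT strings and the plaintext budget (about 190 bytes) easily holds the connect line. What the scheme does not give is server authentication: the blob only proves it was encrypted to your public key, so the client must fetch it from a place only the real server can write to (the server's own port, or a DNS zone only it can update), otherwise someone else can publish a key and have you connect to their mosh-server.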
