[mosh-devel] SSH agent forwarding

Keith Winstein keithw at cs.stanford.edu
Fri Sep 22 14:41:21 EDT 2017


Hello Daniel,

The issue is basically the same since the original pull request in 2013 --
whatever change we make to the Mosh protocol to support ssh-agent
forwarding is one we have to live with forever, and the limitations of the
Mosh protocol make us not want to commit ourselves to these changes. Mosh
does not handle big Instructions well; our fragmentation system is very
simple, so adding reliable transport of not-exactly bounded OOB data in the
synchronized SSP object makes me nervous.

(We're also pretty paranoid about security, and this leads to maybe
excessive conservatism -- Mosh has never had a security hole, and we hope
to keep it that way. Making intensive protocol changes to add extra
features to the core protocol is also something I'm nervous about, and
nervous about supporting over time. If you look at where SSH and TLS's
security holes have come from, it's basically all from adding this kind of
complexity in a non-isolated way. Of course many entities do run Timo's
version; apparently Facebook uses it extensively.)

I think my preferred approach here is to release something that does
resilient ssh-agent forwarding "to the side" of the Mosh connection, over a
separate connection and with a separate package that users can run if they
choose. We have developed something internally (at Stanford) that you might
like that also does "secure" ssh-agent forwarding, by allowing the agent to
authenticate and limit (1) the host making the request, (2) the remote host
that host is trying to authenticate to, and (3) the command the host wants
to execute on the remote host. (With normal ssh-agent forwarding, the agent
can't learn any of these things and is basically signing a blank check.)
This works alongside SSH and Mosh. We hope to have a public beta soon and
will look forward to reports from anybody who wants to test it.

-Keith

On Thu, Sep 21, 2017 at 9:33 AM, Daniel Roethlisberger <daniel at roe.ch>
wrote:

> John, all,
>
> Mosh is still lacking SSH agent forwarding, preventing the use of
> mosh in many setups.  What is blocking the resolution of issue
> 120 and pull request 696?  The issue was raised in 2012 and
> the pull req has been sitting there since 2015:
>
> https://github.com/mobile-shell/mosh/issues/120
> https://github.com/mobile-shell/mosh/pull/696
>
> What would be needed to get SSH agent support into mosh, be it
> with Timo J. Rinne's implementation in the pull req or in a
> different way?
>
> -Daniel
>
> --
> Daniel Roethlisberger
> http://daniel.roe.ch/
>
> _______________________________________________
> mosh-devel mailing list
> mosh-devel at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
>
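To make concrete what Keith means by the agent "signing a blank check", here is an added example (not code from the mosh-devel thread, from Mosh, or from the Stanford tool he mentions) that parses a forwarded SSH_AGENTC_SIGN_REQUEST the way an agent receives it and reports which fields it can actually see. The data a client asks the agent to sign for public-key user authentication is the RFC 4252 section 7 structure (session identifier, message type 50, user name, service name, "publickey", TRUE, key algorithm, key blob), framed in RFC 4251 wire encoding; the key blob and session identifier below are constructed placeholder bytes, not real key material, and the `cannot_learn` list is this example's own summary of what is absent from that structure.

```python
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent)
# and the SSH authentication protocol (RFC 4252).
SSH_AGENTC_SIGN_REQUEST = 13
SSH_MSG_USERAUTH_REQUEST = 50


def put_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class Reader:
    """Minimal RFC 4251 wire-format reader with bounds checks."""

    def __init__(self, data: bytes) -> None:
        self.data, self.off = data, 0

    def byte(self) -> int:
        if self.off >= len(self.data):
            raise ValueError("truncated message")
        v = self.data[self.off]
        self.off += 1
        return v

    def uint32(self) -> int:
        if self.off + 4 > len(self.data):
            raise ValueError("truncated message")
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def string(self) -> bytes:
        n = self.uint32()
        if self.off + n > len(self.data):
            raise ValueError("truncated string")
        v = self.data[self.off:self.off + n]
        self.off += n
        return v

    def done(self) -> bool:
        return self.off == len(self.data)


def build_userauth_blob(session_id: bytes, user: bytes,
                        key_alg: bytes, key_blob: bytes) -> bytes:
    """The bytes a client asks the agent to sign for publickey auth (RFC 4252 s7)."""
    return (put_string(session_id)
            + bytes([SSH_MSG_USERAUTH_REQUEST])
            + put_string(user)
            + put_string(b"ssh-connection")
            + put_string(b"publickey")
            + b"\x01"                      # boolean TRUE: a signature follows
            + put_string(key_alg)
            + put_string(key_blob))


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Frame an SSH_AGENTC_SIGN_REQUEST as it arrives on the agent socket."""
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(key_blob)
            + put_string(data) + struct.pack(">I", flags))
    return put_string(body)            # agent messages are length-prefixed


def inspect_sign_request(msg: bytes) -> dict:
    """Parse one framed sign request and report what the agent can see.

    Raises ValueError unless the request is a well-formed publickey
    USERAUTH_REQUEST for the same key the request names.
    """
    r = Reader(Reader(msg).string())
    if r.byte() != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    key_blob = r.string()
    data = Reader(r.string())
    flags = r.uint32()
    if not r.done():
        raise ValueError("trailing bytes in sign request")

    session_id = data.string()         # opaque to the agent: binds to one KEX
    if data.byte() != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("data to sign is not a USERAUTH_REQUEST")
    user = data.string()
    service = data.string()
    if data.string() != b"publickey" or data.byte() != 1:
        raise ValueError("not a publickey authentication request")
    key_alg = data.string()
    if data.string() != key_blob or not data.done():
        raise ValueError("key in signed data does not match requested key")

    return {
        "user": user.decode(),
        "service": service.decode(),
        "key_alg": key_alg.decode(),
        "session_id_len": len(session_id),
        "flags": flags,
        # Inputs the policy described in the thread needs but which never
        # appear anywhere in the request the agent is asked to sign:
        "cannot_learn": ["requesting host", "destination host", "remote command"],
    }


if __name__ == "__main__":
    # Constructed placeholder values, not captured from a real session.
    key = b"constructed-key-blob"
    blob = build_userauth_blob(b"\x00" * 32, b"alice", b"ssh-ed25519", key)
    print(inspect_sign_request(build_sign_request(key, blob)))
```

The parser is deliberately strict: an agent that signs arbitrary blobs would also sign data that is not a USERAUTH_REQUEST at all, so rejecting anything but the expected structure for the named key is the minimum an agent-side policy check needs before it can even begin to reason about the three properties Keith lists.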