[mosh-users] Using Mosh for Multi-Hop scenarios

Julian Pawlowski mail at loredo.me
Mon Apr 23 12:42:40 EDT 2012


Hi all,

I have been thrilled since I got to know Mosh: this new concept is not
only great, it actually works!
Thanks for this, guys, and also for the ongoing keen development in
such a short time.

Now that I know the benefits of using Mosh, I would also like to use it
for some automatic multi-hop scenarios. It seems this is not possible
yet, but let me describe what I have been trying.

Currently I am running a central SSH gateway to proxy incoming and
outgoing SSH connections through our firewall which in short looks
like this:

----------snip---------

Workstation ------- SSH GW -------- Server
     |----1st SSH Tunnel------|
     |----------------2nd SSH Tunnel----------------|

[~/.ssh/config on client]
Host int-serv.domain.tld int-serv
        HostName int-serv.domain.tld
        User root
        ProxyCommand ssh -q -A -e none connect@ssh-gw.domain.tld %h 2>/dev/null

[/home/connect/.ssh/authorized_keys on ssh-gw, one line]
no-port-forwarding,no-X11-forwarding,no-pty,command="/bin/netcat -q1 -w5 ${SSH_ORIGINAL_COMMAND#* } 22 2>/dev/null" ssh-rsa AAAAB[.....]== user@workstation

----------snap---------

Using this setup I can simply type "ssh int-serv" to connect to my
internal server.
(I know there is the "-w" option in the SSH client, but as I don't want
to allow general port forwarding through the gateway, I'm still using
netcat.)

Another benefit: as ssh-gw is dual-homed, I can connect to my IPv6-only
hosts over normal IPv4 when I don't have an IPv6 connection available.

Now I was thinking about how to add mosh to this setup. Unfortunately
Mosh does not seem to work together with ProxyCommand as of now ("is SSH
ProxyCommand disabled?").
Although running "mosh root@ssh-gw.domain.tld -- netcat
int-serv.domain.tld 22" directly at least gives the OpenSSH server
welcome text, it does not work as a ProxyCommand.
Not sure if this is related to the missing (but planned) port
forwarding feature or if it's because we would be tunneling TCP via
UDP...

An alternative way would be something like this:

"mosh root@ssh-gw.domain.tld -- ssh -A int-serv.domain.tld"

which actually works for general shell access but would not allow all
the features a direct connection (or the SSH double tunnel) would
provide.
What's not working here, of course, is single sign-on via SSH agent
(because of the lacking port forwarding feature), or at least the use
of an SSH key (as I don't want to install it on the gateway machine).

So here comes the one million dollar question: Do you already have a
future plan for such scenarios? :-)


Cheers,
Julian
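One point a gateway operator would want to check in the setup above: the forced command relays to whatever hostname the client hands over in SSH_ORIGINAL_COMMAND, so the "connect" key can reach any host the gateway can. The wrapper below is an added example, not code from the original post or from Mosh; it keeps the same client ProxyCommand (so SSH_ORIGINAL_COMMAND is just the %h hostname) but only relays to an explicit allowlist. The script path and the second hostname are constructed placeholders.

```shell
#!/bin/sh
# Forced-command wrapper for the "connect" account on ssh-gw.
# Added example, not from the original post. It assumes the client
# ProxyCommand shown above, so SSH_ORIGINAL_COMMAND holds only the %h
# hostname, and replaces the bare netcat forced command with an
# allowlist check. Hostnames below are constructed placeholders.
#
# authorized_keys entry (one line; the script path is an assumption):
#   no-port-forwarding,no-X11-forwarding,no-pty,command="/usr/local/bin/gw-connect" ssh-rsa AAAA...

ALLOWED_TARGETS="int-serv.domain.tld int-serv2.domain.tld"
TARGET_PORT=22

# select_target HOST: print HOST and return 0 if it is a plain hostname
# token on the allowlist; print nothing and return 1 otherwise.
select_target() {
    want=$1
    # Only letters, digits, dots and hyphens; no empty string, no spaces.
    case "$want" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    for h in $ALLOWED_TARGETS; do
        if [ "$h" = "$want" ]; then
            printf '%s\n' "$h"
            return 0
        fi
    done
    return 1
}

# gateway_main: entry point when sshd runs this as the forced command.
# Refuses anything the allowlist does not cover and logs both outcomes.
gateway_main() {
    if target=$(select_target "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t gw-connect "relay to ${target}:${TARGET_PORT}"
        exec /bin/netcat -q1 -w5 "$target" "$TARGET_PORT"
    fi
    logger -t gw-connect "refused: ${SSH_ORIGINAL_COMMAND:-<empty>}"
    exit 1
}

# Only dispatch when sshd invoked us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    gateway_main
fi
```

The no-port-forwarding, no-pty and no-X11-forwarding options from the original entry still apply; the wrapper only narrows which hosts the relayed TCP stream may reach.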

