[mosh-users] How can I mosh over multiple hops (for example, via tunnel or ProxyCommand)?

Mark Stillwell marklee at fortawesome.org
Mon Mar 31 17:51:35 EDT 2014


> How would you propose to let the client roam, if the proxy is unable to
> authenticate the client's datagrams?

Well, it depends on the exact architecture. If we're using ssh tunnels
then that's all handled by ssh. I suppose that if you wanted an
ssh-independent process that would be spawned at each intermediate
site, then you might want to authenticate.

One issue I think you should consider is that often these ssh proxy
hosts are very minimal in terms of what they offer. For example, I
can't install the full mosh binary on one host that I need to go
through because the required libraries are not available and my home
directory quota is very small. Otherwise the obvious thing would be to
set up mosh on that host and then rely on ssh for the local network
connection.

> One option is to just send replies to the source address of the most recent
> datagram to arrive on the datagram socket -- authentic or not. But I'm
> worried this will be too flaky, since it's pretty easy to have stray UDP
> packets arrive (especially if there might be an old mosh client still
> sending to the same port number...). And it certainly won't be secure
> against a malintentioned adversary.

It will require a little thought. My original architecture was

udp server listens on local host only -> ssh tcp tunnel listening on
local port only -> intermediate host on internet and remote network ->
host on remote network listening on tcp port to forward to udp -> mosh
on remote network

So, there wouldn't really be a way for a malicious user to access the proxy.

-- 
Mark Lee Stillwell
marklee at fortawesome.org
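Added example (not from the mosh project or from anyone in this thread): a minimal Python pair that implements the chain sketched above, a UDP listener on the local host bound to loopback only, one TCP stream standing in for the ssh tunnel (in practice an `ssh -L` forward through the intermediate host), and a TCP-to-UDP exit on the remote network that hands datagrams to the real UDP service. The 2-byte length-prefix framing, the FrameDecoder, the UDP echo stand-in for mosh-server and the ephemeral loopback ports are all assumptions of this example, not anything mosh or ssh provides.

```python
import socket
import struct
import threading

HDR = struct.Struct("!H")   # 2-byte big-endian length prefix per datagram (assumed framing)
MAX_DGRAM = 65535
LOOPBACK = "127.0.0.1"      # never 0.0.0.0: only local processes may reach either relay end

def frame(datagram: bytes) -> bytes:
    """Prefix one datagram with its length; a TCP stream has no message boundaries."""
    if len(datagram) > MAX_DGRAM:
        raise ValueError("datagram too large to frame")
    return HDR.pack(len(datagram)) + datagram

class FrameDecoder:
    """Reassemble framed datagrams from a stream delivered in arbitrary chunks."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        # One recv() may hold half a frame or three frames; emit only complete ones.
        self.buf += chunk
        out = []
        while len(self.buf) >= HDR.size:
            (length,) = HDR.unpack_from(self.buf)
            if len(self.buf) < HDR.size + length:
                break                      # wait for the rest of this frame
            out.append(bytes(self.buf[HDR.size:HDR.size + length]))
            del self.buf[:HDR.size + length]
        return out

def _stream_to_udp(tcp, udp, dest):
    dec = FrameDecoder()
    while chunk := tcp.recv(4096):         # b"" means the tunnel closed
        for dgram in dec.feed(chunk):
            udp.sendto(dgram, dest)

def _udp_to_stream(udp, tcp):
    while True:
        dgram, _ = udp.recvfrom(MAX_DGRAM)
        tcp.sendall(frame(dgram))

def _spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def start_udp_entry(tcp_peer):
    """Local end: take UDP from a loopback client and push it into one TCP stream
    (in the real layout tcp_peer is the local side of `ssh -L`). Returns the UDP port."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((LOOPBACK, 0))

    def serve():
        first, client = udp.recvfrom(MAX_DGRAM)   # learn the client from its first datagram
        tcp = socket.create_connection(tcp_peer)
        tcp.sendall(frame(first))
        _spawn(_stream_to_udp, tcp, udp, client)
        _udp_to_stream(udp, tcp)

    _spawn(serve)
    return udp.getsockname()[1]

def start_tcp_exit(udp_target):
    """Remote end: accept one TCP stream on loopback, unframe it to the real UDP
    service (mosh-server) and relay its replies back. Returns the TCP port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind((LOOPBACK, 0))
    lsock.listen(1)

    def serve():
        tcp, _ = lsock.accept()
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind((LOOPBACK, 0))                   # service replies land here
        _spawn(_udp_to_stream, udp, tcp)
        _stream_to_udp(tcp, udp, udp_target)

    _spawn(serve)
    return lsock.getsockname()[1]

def start_udp_echo():
    """Constructed stand-in for mosh-server: echoes every datagram back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(MAX_DGRAM)
            srv.sendto(b"echo:" + data, peer)

    _spawn(serve)
    return srv.getsockname()[1]

def round_trip(payload: bytes, timeout: float = 5.0) -> bytes:
    """Build client -> udp_entry -> TCP -> tcp_exit -> echo, all on loopback, and
    send one datagram through the chain, returning the reply (b"echo:" + payload)."""
    exit_port = start_tcp_exit((LOOPBACK, start_udp_echo()))
    entry_port = start_udp_entry((LOOPBACK, exit_port))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    client.sendto(payload, (LOOPBACK, entry_port))
    return client.recvfrom(MAX_DGRAM)[0]
```

Run `round_trip(b"hello")` to exercise the whole chain on one machine. Two properties of this layout are worth noting. Both relay ends bind 127.0.0.1, so the only parties that can inject datagrams into the chain are local processes on the two endpoints and whatever the ssh session carries between them, which is what makes the "no way for a malicious user to access the proxy" argument hold; the exit end does no authentication of its own beyond that. And the chain pins a single TCP connection whose client address is learned once, so a client that moves to a new network has to rebuild the tunnel rather than roam the way a direct mosh session does.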

