Mosh (software)

Last updated
Mosh
Original author(s) Keith Winstein
Initial releaseMarch 12, 2012;11 years ago (2012-03-12)
Stable release
1.4.0 / October 26, 2022;14 months ago (2022-10-26) [1]
Repository
Operating system Unix-like systems
Type Utility software
License GNU GPLv3 with OpenSSL and iOS exceptions
Website mosh.org OOjs UI icon edit-ltr-progressive.svg

In computing, Mosh (mobile shell) is a tool used to connect from a client computer to a server over the Internet, to run a remote terminal. [2] Mosh is similar [3] to SSH, with additional features meant to improve usability for mobile users. The major features are:

Contents

The main drawbacks of mosh are additional prerequisites to the server, that it lacks some special features of SSH (such as connection forwarding) and the lack of a native Windows client. [2] An alternative for Linux servers (that still require installation on the server) is to use GNU Screen on top of a regular SSH connection.

Design

Mosh works at a different layer from SSH. Whereas SSH transmits a stream of bytes in each direction (from server to client or client to server) using TCP, Mosh runs a terminal emulator at the server to figure out what should be on the screen. [2] The server then transmits this screen to the client at a varying frame rate, depending on the speed of the network. [8] This allows Mosh to save on network traffic on slow or intermittent connections.

Supported platforms

Mosh is available for most Linux distributions, macOS, FreeBSD, NetBSD, and OpenBSD, Android, Solaris, Cygwin, and as a Chrome App. [2] The iOS program Termius includes an independent implementation of the Mosh protocol. [9]

Performance

Roaming

Mosh is built on the State-Synchronization Protocol (SSP), [10] which supports single-packet roaming. [11] After the client has switched to a new IP address, a single packet that successfully reaches the server is enough to "roam" the connection. The client does not need to know it has roamed. (The client may be using NAT and the NAT roamed instead.) [8]

Packet loss

In the Mosh research paper, [8] the creators tested SSP on a link with 29% packet loss, and found that SSP reduced the average response time by a factor of 50 (from 16.8 seconds to 0.33 seconds) compared with SSH, which uses TCP. A different study, by students at Stanford University, found that SSP reduced the average response time by a factor of 30 (from 5.9 seconds to 0.19 seconds). [12]

Local echo

According to Mosh's developers, the program was found to be able to predict and immediately display 70% of user keystrokes, [2] [8] reducing the median response time to a keystroke to less than 5 milliseconds (masking the latency of the network). A different study, by students at Stanford University, found that Mosh was able to quickly echo 55% of user keystrokes. [13]

Drawbacks

Compared to the more popular SSH, mosh has the following drawbacks:

Prerequisites on the server

The major drawback of mosh is that it requires the server to fulfill additional prerequisites which are not needed by ssh itself. Due to its design, mosh needs the server to allow direct connections via UDP. [14] Servers not fulfilling these prerequisites cannot be used by mosh. Examples of such systems include servers behind firewalls which restrict connections to the ssh-port via TCP. Also problematic are servers which are only indirectly reachable. The latter is usually accommodated by ssh via the 'ProxyCommand' option, but this is not supported by mosh. [15]

One port per connection

By default, the server tries to allocate the first free UDP port in the range 60001–61000, per connection. This dynamic port allocation is considered an extra burden and risk for firewall maintenance. [16] A significant part of the firewall-filtering happens through connection tracking, so called stateful filtering, this is based on the SYN/ACK flags in TCP segments, UDP packets don't have such flags. [17]

Mitigation:

  1. The UDP port on the server can be set per mosh connection, so that only a limited number of ports need to be opened [18]
  2. Deep packet inspection firewalls and application firewalls can handle this better by looking at content of the packet and associate it to the initial connection

Output drops and lack of terminal scrollback

Scrollback is not supported in the current release of mosh, and when using it in a terminal emulator with scrollbars they disappear, but is planned for the 1.3 release. [19] This functionality is trade-off for garbage cleaning, as binary output is wiped away[ clarification needed ]. One way to mitigate this currently is by using mosh in combination with a terminal multiplexer like screen or tmux. [20]

Lack of ssh-agent forwarding

ssh-agent forwarding is not currently supported. [21]

Lack of X11 forwarding

X11 Forwarding is not yet supported. [22]

See also

Related Research Articles

The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

Telnet is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet. It is a protocol for bidirectional 8-bit communications. Its main goal was to connect terminal devices and terminal-oriented processes.

The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data connections between the client and the server. FTP users may authenticate themselves with a plain-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).

A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

The Berkeley r-commands are a suite of computer programs designed to enable users of one Unix system to log in or issue commands to another Unix computer via TCP/IP computer network. The r-commands were developed in 1982 by the Computer Systems Research Group at the University of California, Berkeley, based on an early implementation of TCP/IP.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It involves allowing private network communications to be sent across a public network through a process called encapsulation.

NX technology, commonly known as NX or NoMachine, is a remote access and remote control computer software, allowing remote desktop access and maintenance of computers. It is developed by the Luxembourg-based company NoMachine S.à r.l.. NoMachine is proprietary software and is free-of-charge for non-commercial use.

<span class="mw-page-title-main">X display manager</span>

In the X Window System, an X display manager is a graphical login manager which starts a login session on an X server from the same or another computer.

<span class="mw-page-title-main">Terminal server</span> Device that interfaces serial hosts to a network

A terminal server connects devices with a serial port to a local area network (LAN). Products marketed as terminal servers can be very simple devices that do not offer any security functionality, such as data encryption and user authentication. The primary application scenario is to enable serial devices to access network server applications, or vice versa, where security of the data on the LAN is not generally an issue. There are also many terminal servers on the market that have highly advanced security functionality to ensure that only qualified personnel can access various servers and that any data that is transmitted across the LAN, or over the Internet, is encrypted. Usually, companies that need a terminal server with these advanced functions want to remotely control, monitor, diagnose and troubleshoot equipment over a telecommunications network.

This page is a comparison of notable remote desktop software available for various platforms.

Adaptive Internet Protocol (AIP) is a multi-channel protocol that allows an application running on any of multiple platforms to be displayed on any of a wide range of client systems. It supports rich remote display and input services with a number of display options to deliver the presentation of the remote applications onto the local display either as a standalone window, or within a contained remote environment delivered full-screen or in a standalone window. The protocol also supports audio, printing, and other device mapping services.

Web-based SSH is the provision of Secure Shell (SSH) access through a web browser. SSH is a secure network protocol that is commonly used to remotely control servers, network devices, and other devices. With web-based SSH, users can access and manage these devices using a standard web browser, without the need to install any additional software.

Slirp is a software program that emulates a PPP, SLIP, or CSLIP connection to the Internet using a text-based shell account. Its original purpose became largely obsolete as dedicated dial-up PPP connections and broadband Internet access became widely available and inexpensive. It then found additional use in connecting mobile devices, such as PDAs, via their serial ports. Another significant use case is firewall piercing/port forwarding. One typical use of Slirp creates a general purpose network connection over a SSH session on which port forwarding is restricted. Another use case is to create external network connectivity for unprivileged containers.

<span class="mw-page-title-main">OpenSSH</span> Set of computer programs providing encrypted communication sessions

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

<span class="mw-page-title-main">SoftEther VPN</span> Open-source VPN client and server software

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

References

  1. "Release mosh-1.4.0 · mobile-shell/Mosh". GitHub .
  2. 1 2 3 4 5 "Mosh: the mobile shell". Retrieved on 28 March 2013.
  3. Brockmeier, Joe. "Into the Mosh Pit: A Mobile Shell Replacement for SSH" Archived 2014-03-20 at the Wayback Machine , linux.com, 10 April 2012. Retrieved on 28 March 2013.
  4. Delony, David. "Mosh: Secure Shell Without the Pain", Technopedia, 19 October 2012. Retrieved on 28 March 2013.
  5. Cox, John. "MIT researchers chart a new approach for mobile Internet protocols" Archived 2012-10-18 at the Wayback Machine , Network World, 6 July 2012. Retrieved on 28 March 2013.
  6. Beckert, Axel. "Mosh and AutoSSH: Remote shell tools that make your life easier on a slow or constantly morphing network", Linux Magazine, November 2012.
  7. Leyden, John. "MIT's mind-reading Mosh pits itself against SSH daemons", The Register, 13 April 2012. Retrieved on 28 March 2013.
  8. 1 2 3 4 Winstein, Keith. "Mosh: An Interactive Remote Shell for Mobile Clients", USENIX Annual Technical Conference 2012, Boston, Mass., 14 June 2012.
  9. "Termius Features", Crystalnix.
  10. "MIT unveils a new Internet protocol for mobile clients"
  11. Winstein, Keith and Balakrishnan, Hari. "Mosh: An Interactive Remote Shell for Mobile Clients (more detailed draft)". Retrieved on 28 March 2013.
  12. Nagaraj, Kanthi and McMilin, Emily. "Mosh", Reproducing Network Research, 14 March 2013. Retrieved on 28 March 2013.
  13. Aljunied, Ahmed. "Evaluation of Mosh 'Mobile Shell' Performance Results", Reproducing Network Research, 13 March 2013. Retrieved on 28 March 2013.
  14. "'Mosh will log the user in via SSH, then start a connection on a UDP port between 60000 and 61000.'", Retrieved on 19 June 2014.
  15. "Mosh bug report #285: Can't use a ProxyCommand-based SSH connection", Retrieved on 18 June 2014
  16. "Dangers of opening up a wide range of ports? (mosh)", IT Security (Stack Exchange), 13 April 2012. Retrieved on 28 March 2013.
  17. Multiplexing more sessions into same UDP port
  18. "use -p to define remote UDP port"
  19. https://github.com/keithw/mosh/issues/2 "Scrollback support is planned for version 1.3"
  20. "Scrollback and alternate screen (was: Use alternate screen on smcup/rmcup)"
  21. "SSH Agent Forwarding"
  22. "Support X forwarding"