Forgot your password?
typodupeerror
Unix

Mosh: Modernizing SSH With IP Roaming, Instant Local Echo 158

Posted by Unknown Lamer
from the udp-reunion-tour dept.
An anonymous reader writes "Launched in 1995, SSH quickly became the king of network login tools, supplanting the old insecure mainstays TELNET and RLOGIN. But 17 years later, a group of MIT hackers have come out with "mosh", which claims to modernize the most annoying parts of SSH. Mosh keeps its connection alive when clients roam among WiFi networks or switch to 3G, and gives instant feedback on typing (and deleting). No more annoying network lag on typing, the MIT boffins say, citing Bufferbloat, which has been increasing latencies." The folks involved have a pre-press research paper with the gritty details (to be presented at USENIX later this year). Mosh itself is not particularly exciting; the new State Synchronization Protocol it is based upon might be: "This is accomplished using a new protocol called the State Synchronization Protocol, for which Mosh is the first application. SSP runs over UDP, synchronizing the state of any object from one host to another. Datagrams are encrypted and authenticated using AES-128 in OCB mode. While SSP takes care of the networking protocol, it is the implementation of the object being synchronized that defines the ultimate semantics of the protocol."
This discussion has been archived. No new comments can be posted.

Mosh: Modernizing SSH With IP Roaming, Instant Local Echo

Comments Filter:
  • by ArsenneLupin (766289) on Wednesday April 11, 2012 @11:34AM (#39644631)
    ... a negotiable LOCAL_ECHO mode. Then they invented ssh, and left away that LOCAL_ECHO and linebuffered flags, considered to be archaic.

    And 15 years later, LOCAL_ECHO is back in mosh!

    • Then they discover there was usually a good reason for something being done the way it was in the past. Eg local echo was very useful for line buffered programs such as MUDs and chat servers or even talking to SENDMAIL or an FTP server directly. It was easier to write the server to cope with just line by line rather than character by character and it used up less network resources in the process.

      • by Malties (1942112)
        These younger coders don't know what network lag is. In my day I had a connection that was so slow I could type faster than my 150 baud modem could send the keystrokes.
        • Hmmm.. I think you are fibbing.. the next step up from 110 baud was 300... and I surely date myself with that knowledge. I miss my LA-120.

        • by gregben (844056)

          My first computer experience (1972) was at 110 baud, banging away
          on an ASR-33 Teletype connected via leased line to a DEC PDP-8 running Dartmouth Basic.

          I'd get up and run a lap around the building for fresh air while printing
          a program listing. Data rate in/out was 10 CPS (Characters Per Second).

          I recall proudly showing my dad the program listing at home, unrolled on the living room floor at about 10 or 12 feet long...

        • by Lorens (597774)

          Until about 1996 I regularly used a Minitel (v23, http://en.wikipedia.org/wiki/Minitel [wikipedia.org]) 75 bps upload, no chance of it keeping up even with a crappy keyboard!

    • by Animats (122034) on Wednesday April 11, 2012 @12:26PM (#39645379) Homepage

      .. a negotiable LOCAL_ECHO mode. Then they invented ssh, and left away that LOCAL_ECHO and linebuffered flags, considered to be archaic. And 15 years later, LOCAL_ECHO is back in mosh!

      Right. Breaking local echo in Telnet was a Berkeley misfeature. It was in 3COM's UNET, which predated Berkley networking in UNIX. (Berkeley did not introduce networking in UNIX. Theirs was the third or fourth implementation, after ones from BBN, 3COM, and Phil Karn.) With UNET, circa 1983, Telnet had local echo until you used something like VI or the RAND full screen editor, at which point the server noticed the stty call which switched to "raw mode" and switched to remote echo.

      Seamless transition from local echo to remote echo is even older. It was in Tymnet [rogerdmoore.ca], which used markers called a "red ball" and a "green ball" to do the switch seamlessly.

      • Oh God! The flashbacks are killing me! Back in the mid-70's I worked for Tymshare (sister company/parent/?? of Tymnet) doing load testing on a project called OnTyme (commercial email). I was hip-deep in the Tymnet protocol trying to record and then re-create realistic pseudo-user-loads from different points in the country. Massive PITA.
  • by Anrego (830717) * on Wednesday April 11, 2012 @11:35AM (#39644647)

    and gives instant feedback on typing (and deleting).

    That sounds like a step backwards to me. Any utility in that is lost when something doesn’t sync up properly. When I hit a key, I want to know it has been sent and received and see the result.. not see the result as my shell predicts it. Maybe I’m just having local echo flashbacks from past telnet experiences.

    Everything else sounds really neat though. I don’t jump wifi often enough for re-connecting and re-attaching to screen to be a big deal.. but I can see the utility for those who do.

    • by Anonymous Coward

      It's not like you aren't used to passing a bunch of obscure flags to Linux commands anyway. I'm sure there will be one for this, as well as a ssh_config option.

    • by Anonymous Coward on Wednesday April 11, 2012 @11:49AM (#39644849)

      From their website:

      Disable instant echo

      $ mosh --predict=never niennunb

      The -n switch is a synonym. By contrast, passing --predict=always or -a will enable instant local echo even on low-delay links.

      Sounds like it tries to be smart about this, but not so smart as to not allow a human to force things the way he wants them.

      • by Anrego (830717) *

        Hmm, I missed that bit. I assumed there would be a feature to disable it, but didn't realize it would only come on in low latency ..

    • by Anonymous Coward on Wednesday April 11, 2012 @11:54AM (#39644931)

      According to their website, locally echoed but not yet synced input is visually distinct from synced content, so you'll always know what has been sent and what hasn't.

    • by Anonymous Coward on Wednesday April 11, 2012 @11:56AM (#39644949)

      I've been using it for a few days now, and I find the local echo to be quite a useful feature. Many of the machines I remotely use are on different continents, and waiting for my keypress to make a round trip can be frustrating at times.

      Mosh also makes it clear which characters have been successfully transmitted by underlining those that are still finding their way through the tubes... i've never been unsure what has or has not been received.

      After a few days of using mosh, I don't see myself going back to plain old ssh anytime soon.

      • Sounds like a great solution. Responsiveness is critical for user interaction, therefore, local echo is vital for high latency links. Knowing that the remote end has received the same thing you see locally (and if it's performing character-by-character filtering, seeing those results) is also important. Local echo, with remote echo verification.

        • by Anonymous Coward

          Modern shells have completion, and mosh is not going to predict that.

          It seems to me that for my typical usage it is going to have limited utility - I'm either in a shell where I'm leaning heavily on the tab for completion, or in vi where it would need to secondguess what vi is going to display.

          • by Lorens (597774)

            IIRC in the original telnet protocol the list of keys that prompt synchronization with the server is negotiable. Normally that would be carriage return, and going to a full-screen editor would disable local echo, but adding tab to the list when in a shell should be trivial.

    • by Jeremi (14640)

      That sounds like a step backwards to me. Any utility in that is lost when something doesnâ(TM)t sync up properly. When I hit a key, I want to know it has been sent and received and see the result.. not see the result as my shell predicts it.

      Easy to say until you are (attempting to) type in a longish shell command into a server across an overloaded Internet connection. In that situation, you have two choices: either wait 1 second after each character, to make sure you typed it correctly, or blindly type a bunch of characters at once and hope you didn't make any typos. And if you did make a typo, then you're really in the sh*t, because now you have to figure out how many characters you actually since then, and press backspace EXACTLY that num

  • So mosh has brought back the ages-old idea of local echo on the terminal. It disappeared as soon as terminal connections became faster than the old teletype links. I have often wished for such a feature in ssh, some kind of 'cooked mode'. However I usually run a 'screen' session on the other end of ssh, with emacs inside that, and finally a shell-mode under Emacs! Mosh would need to do something quite clever to enable local editing in that.
  • by Anonymous Coward

    "To bootstrap an SSP connection, the user rst logs in to the remote host using conventional means, such as SSH or Kerberos."

    • by isama (1537121)
      So that means it's just like GNU Screen? ctrl+a d on one connection, hop wifi, ssh and screen -x. wow. Really?
      • by Imagix (695350)
        I think the point this has is that it will automatically do the reconnect for you. What I'm not sold on is that this now requires an arbitrary port to be open on the server side in order to connect to the mosh server, and how irritated are the security guys who control the edge firewalls on your corporate network going to get?
        • And many (most?) SSH clients support auto-reconnect on short network drops. And many even support reconnect on IP change (like when switching wireless networks or to 3G). And you can even configure your tmux (way better than screen) session to connect on login.

          Thus, many SSH clients already do everything that MOSH does, but without having to install any new software anywhere.

          • by jgrahn (181062)

            And many (most?) SSH clients support auto-reconnect on short network drops.

            It's not even a case of reconnect. A TCP connection lasts forever or until one side says "stop"; all the client has to do is *not* explicitly time out after N seconds. Misconfigured NAT devices tend to fuck this up though; one of many reasons NAT is evil.

        • by skids (119237)

          This. My guess is fixups for automatically opening pinholes for Cisco gear will be a long time coming for this new protocol. Really this needs to be integrated into the SSH server and run on the SSH port to be useful in a modern enterprise environment.

      • by jgrahn (181062)

        So that means it's just like GNU Screen? ctrl+a d on one connection, hop wifi, ssh and screen -x. wow. Really?

        Except the feature will be there even if you don't want it, I guess. Who cleans up the dead sessions, I wonder? It's already a problem with screen in some setups I've seen; people create sessions and then forget about them.

        (Screen or similar software. I don't care what's the latest and greatest is; we're discussing the general feature of attached/detached terminal sessions.)

    • by jgrahn (181062)

      "To bootstrap an SSP connection, the user rst logs in to the remote host using conventional means, such as SSH or Kerberos."

      I stopped reading where it said they use UDP. People who say "I can outperform TCP" are almost always wrong, and I'm quite fed up with badly behaved UDP-based protocols. Citing the "bufferbloat" theory is also a bad sign, but that may be just a misleading summary.

  • by mikael_j (106439) on Wednesday April 11, 2012 @11:41AM (#39644749)

    While neat for those who are currently in areas with spotty wireless coverage it is a neat idea but for most users I don't think it's that much of an issue, even at the moment.

    Fast forward five years and I just don't see this software being all that useful. Sure, there's always gonna be that handful of people who will scream that this is extremely useful because they're always hopping between wifi hotspots but most users are using 3G/4G when they're on the move and coverage for those is already "good enough" in most civilized places and steadily improving. I've taken 5+ hour train trips several times and only had ssh connections drop once or twice on those trips (due to spotty coverage in what would quality as the middle of nowhere in northern Sweden).

    This is like "solving" the IPv4 address exhaustion problem with NAT, it's a neat workaround but doesn't actually solve the problem.

    • Satellite links, network congestion/delays, and other sources of high latency aren't going to magically disappear in 5 years, nor 10, 15, or 20 years. Until you can bypass the speed of light (in x transmission medium) as the limiting factor, this is useful.

    • by TeknoHog (164938)

      Fast forward five years and I just don't see this software being all that useful. Sure, there's always gonna be that handful of people who will scream that this is extremely useful because they're always hopping between wifi hotspots but most users are using 3G/4G when they're on the move

      Dunno about 4G, but 3G has enough latency to make ssh annoying, so Mosh would definitely be an improvement.

    • by Kidbro (80868)

      I just started using it (after seeing this article) to connect from my laptop which I suspend and carry in my backpack from work to home. Opened the lid, and the session is still seemingly intact after the few seconds it takes to find my home wifi.
      No 4G connection in the world is gonna help a device that's effectively turned off.

      I don't think this is a very unusual use case.

    • I see the need for this all the time. It's a commonplace in large enterprises like hospitals, factories, and financial services corporations.

      Example: I'm working on my hospital laptop. I get called urgently to do something elsewhere in the hospital so somebody won't die right now. I grab the lappie and run, then when I get to the theatre I plug into the malfing imager and fix it. Meanwhile all my SSH connections died because I crossed three wireless boundaries at high speed.

      Example 2: I'm on the line

    • by silanea (1241518) on Wednesday April 11, 2012 @02:02PM (#39646989)
      If we only ever built technology that appeared immediately useful for at least 95% of the population we would still be trying to figure out how to transport messages across long distances without using a horse.
    • by myrdos2 (989497)

      I work with tele-operated robots, and I must say this is an amazingly useful feature. The robots can establish a connection with either WiFi or 3G, and are meant to navigate in indoor environments. With WiFi, you can go a short distance before losing signal. With 3G, you can go a short distance before losing signal.

      People with laptops or mobiles seldom notice the dead zones - they don't suddenly stop walking whenever they hit one.

    • by thegarbz (1787294)

      This is like "solving" the IPv4 address exhaustion problem with NAT, it's a neat workaround but doesn't actually solve the problem.

      I think you're not focusing on what the actual "problem" is. NAT really is a bandaid solution for a lack of IP addresses. NAT does solve the issue of multiple devices sharing an common WAN address.

      Mosh addresses the issues of connections essentially being treated as static routes no more no less. The problem is the proliferation of different protocols and networks and devices which attempt to seemlessly hop between them to remain in a coverage area. While the hopping bit works quite well (as soon as I am ne

    • Not all the world has 4G. Heck, my mom live in a 300k population city (and one of the largest in this country), and there's not even 3G coverage there.

      I've only one or twice picked up 3G coverage myself as well.
      While I agree it 10 years this will be useless, it *is* usefull now.

  • OCB Mode is Toxic. (Score:5, Interesting)

    by TechyImmigrant (175943) * on Wednesday April 11, 2012 @11:48AM (#39644831) Journal

    We tried to put OCB mode in 802.11i. So IBM sent a guy to explain the 'licensing terms' for their patents on OCB mode. The next vote in 802.11i after that presentation was to replace OCB mode with CCM.

    Until the patents expire or are freely licensed, OCB mode should be considered off limits for free and open projects.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      according to Wikipedia: [wikipedia.org]

      Two U.S. patents have been issued for OCB mode. [1] However, a special exemption has been granted so that OCB mode can be used in software licensed under the GNU General Public License without cost, as well as for any non-commercial, non-governmental application. Since the authors have only applied for patent protection in the U.S., the algorithm is free to use in software not developed and not sold inside the U.S. [2].

    • by mikechant (729173) on Wednesday April 11, 2012 @12:39PM (#39645593)

      The patents are freely licensed for any GPL software; see link for details.
      http://www.cs.ucdavis.edu/~rogaway/ocb/offer.htm [ucdavis.edu]

      Mosh appears to be GPL:
      https://github.com/keithw/mosh/blob/master/COPYING [github.com]

    • by vlm (69642)

      It would be an interesting battle. I read the Rogaway original paper years ago and he was granting free use to anything GPL licensed. For a more modern view you can also see"

      http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm [ucdavis.edu]

      I've looked into MOSH recently, and it is GPL. The battle would be, does mosh live under Rogaway's OCB patents which makes it free, or IBMs patents, which makes it unclear... From a "money is justice" perspective, I donno if ucdavis would win against IBM, but they'd have better odds

  • Other improvements ? (Score:5, Interesting)

    by redelm (54142) on Wednesday April 11, 2012 @11:49AM (#39644853) Homepage

    IP roaming looks nice & ought to be secure with the right steps (no reply from old IP:port, correct cryto negotiation with new IP:port).

    But LOCAL ECHO is a big problem -- applications have to be aware of it. On CLI, many keystrokes are commands, not text to be entered. On vi in command-mode, G goes to the last line.

    Personally, a bigger thing is traffic reduction, particularly keystoke combining. Nagel's algorithm is a start, but I've modded ssh to delay and buffer likely-text keystrokes for a short time (400ms) while letting likely commands through immediately to retain responsiveness. The delays aren't irksome, and I reduce outbound traffic by ~80%.

    • by Arathon (1002016)
      It looks like local echo can be turned off with a runtime flag. Additionally, my few experiements with it indicate that it somehow is intelligent enough to properly interpret command keystrokes as such.
  • Firewalls (Score:5, Insightful)

    by Alarash (746254) on Wednesday April 11, 2012 @12:12PM (#39645161)
    Reading the linked research paper a bit, and something strikes me.

    We use the existing infrastructure for authenticating hosts and users. To bootstrap an SSP connection, the user ïrst logs in to the remote host using conventional means, such as SSH or Kerberos. From there, the user or her script runs the server: an unprivileged process that chooses a random shared encryption key and begins listening on a UDP port. The server conveys the port number and key over the initial connection back to the client, which uses the information to start talking to the server over UDP.

    You open a SSH connection (client->server:22). This port is allowed on the firewall, it lets you through. But then the server decides to listen on UDP:(random port) and tells the client, back through the (encrypted) initial connection, which UDP port to contact. So you initiate a SSP UDP session on that port. How does the firewall knows it should let you through? Since the port number is communicated on an encrypted session, it doesn't have access to that information. So how does this work in a secure environment? The paper doesn't mention any mean for the server to communicate with the network which port its listening on.

    • by jimicus (737525)

      Welcome to Yet Another Protocol Devised By Academics Who Have Not Been Near a Real Network in Twenty Years, If Ever.

      Or YAPDBAWHNBNARNITYIE for short.

    • You open a SSH connection (client->server:22). This port is allowed on the firewall, it lets you through. But then the server decides to listen on UDP:(random port) and tells the client, back through the (encrypted) initial connection, which UDP port to contact. So you initiate a SSP UDP session on that port. How does the firewall knows it should let you through? Since the port number is communicated on an encrypted session, it doesn't have access to that information. So how does this work in a secure environment? The paper doesn't mention any mean for the server to communicate with the network which port its listening on.

      My guess is as good as anyone else's, but I surmise it does a bit of packet trickery. Once device A (behind firewall) is connected to device B (may/may not be behind firewall, but at least one port is open, 22 by default in this case), device A can create an SSH tunnel...they really are rather neat and VERY useful as a means of security. For example, I have webmin running on a server, but its port (10 000) is blocked by the firewall. Once I connect to SSH I can redirect packets to a certain IP:Port comb

      • Does not make sense tho.
        They use UDP to bypass the buffering delays of TCP
        If you tunnel UDP in TCP, well.. while you get local echo and state saving.. you might as well type ssh blah.com screen -rd. autossh also auto reconnect 'n stuff. kitty.exe on windows.

    • by DarkOx (621550)

      So how does this work in a secure environment?

      I would say for the most part it work just like every other protocol that requires inspection by the gateway/firewall device. It will look inside the data stream and fish out the port / address numbers, then store them for later use; it might even change them suit its needs going out. "It can't do that if its encrypted!" you say.
      Get with the times if your gateway device does not intercept and MTIM tls/ssl/ssh traffic that you otherwise allow out you are not in a "secure environment".

      In this case

    • by tzot (834456)

      > Since the port number is communicated on an encrypted session, it doesn't have access to that information. So how does this work in a secure environment? The paper doesn't mention any mean for the server to communicate with the network which port its listening on.

      I assume that mosh relies on stateful firewalls allowing outbound UDP packets. So, given that the ssh channel allows handshaking, here's what I guess happens:

      - Client C connects to Server S through ssh.
      - Server S picks a port P, and sends a du

      • by Alarash (746254)
        That was the point of my OP. The paper doesn't describe what you said. It says the client initiates the Mosh UDP session once it got the destination UDP port (the port the server listens on) from the SSH session. A firewall would never allow that. Also, opening a wide range of ports is a... let's say... challenging idea. This goes against all rules of network security known to network administrators.
  • Does this do things like Port Forwarding? or is this not a replacement for SSH, but almost an extension of it?

    I use SSH port forwarding (both directions) compression, and stuff all the time.

  • Heck, people have done that with Objective-C remote proxies have basically been doing that as a form of RPC since NeXT days. Not to mention any other usages of it.

  • As we're talking about things related to terminals, the one thing I'm still anxiously missing is a terminal emulator which implements smooth scrolling of new text, a feature that was also present in some hardware terminals a million years ago. I guess some smart guy could modify an existing terminal to support this. Heck, if I had a bit more skills, I'd roll up my sleeves and do it myself. It would be sweet.
  • Leave the roaming bit to the layer below it (TCP), or even better - below that (IP) ? It seems more appropriate to not just be able to roam ssh. Not everything is http, you know.

The universe does not have laws -- it has habits, and habits can be broken.

Working...