Mosh, the SSH Alternative Option for System Administration

Reasons to use Mosh instead of SSH

Mosh, or mobile shell, is the ideal tool for remote system administration. While SSH is great, Mosh beats it in several areas. Let’s dive into the reasons why it makes sense to learn about Mosh.

Pros

Session Resumption

Remember the last time your connection was interrupted? It is frustrating and sometimes even leads to losing some of your work. The stable TCP connection is not always a blessing. Mosh comes to the rescue, especially for less stable connections. It solves this issue by picking up where you left off. Mosh has a roaming function, allowing you to even switch between connections. Very useful when you are on the move, or when your WiFi connection suddenly provides you with a new IP lease. You no longer need to run everything in a screen session.

No root permissions needed

Mosh can run without root privileges. This is because it uses normal binaries (mosh, mosh-client, and mosh-server). There is no daemon (of its own) waiting for incoming connections.

Default UTF8 support

Every terminal reacts differently to “strange” characters. Mosh will not break your terminal, as it uses UTF-8 by default. So the intended output ends up correctly on your screen, every time. This is much better than showing garbled text or even hanging your terminal screen.

Responsive

SSH has the tendency to be slow to respond to your Ctrl+C requests. This is caused by network buffers being filled, so your Ctrl+C has to wait in a long line. Mosh can deal with this and ensures it quits much quicker. Interestingly enough, Telnet was in some ways much better than SSH, for example with local echo. Mosh brings back some of the good features.

Another great use case is administration over slow connections, especially “long” network links with high latency. With SSH you are waiting for every character to show up; Mosh makes it much more responsive. It does so with a combination of previous input and predictions. It shows what it expects to be there by underlining it. Then it does a validation step to ensure things are right and tells you so by removing the underlining.

 

How Mosh Works

Mosh uses SSH to do authentication. So instead of reinventing the wheel, it leverages the available basic components of the system. After it has performed the authentication via SSH, it fires up a server component (mosh-server), which runs as a process owned by the user. The client then connects to this mosh-server process via a new channel. This channel uses UDP (as opposed to TCP for SSH) on a port in the higher port range (60000-61000). Everything is encrypted, using AES-128 in OCB mode.

Firewall Rules

One of the disadvantages of Mosh is that the additional UDP port means opening up a set of ports in your firewall. As one port per connection is used, you can limit this (e.g. 60000-60005). For environments with strict rules, this might be a deal breaker. Still, for many situations Mosh is a useful addition to simplify work.
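The following shell script is an added example, not from the original post or the Mosh project. It prints iptables rules for a narrowed range, the matching client call (using the `-p PORT[:PORT2]` option from mosh(1)), and checks `ss -H -uln` output for listeners outside that range. The source network 203.0.113.0/24, the target admin@server.example and the socket listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): narrow Mosh's UDP range consistently
# on the firewall and the client, then audit for listeners outside it.
MOSH_MIN=60000   # default range stated in the article
MOSH_MAX=61000

# valid_range LOW HIGH: numeric, ordered, and inside Mosh's default range.
valid_range() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -le "$2" ] && [ "$1" -ge "$MOSH_MIN" ] && [ "$2" -le "$MOSH_MAX" ]
}

# iptables_rules LOW HIGH [SOURCE_CIDR]: print (do not apply) rules that accept
# the narrowed range and drop the remainder of the default range.
iptables_rules() {
    valid_range "$1" "$2" || { echo "invalid range: $1-$2" >&2; return 1; }
    echo "iptables -A INPUT -p udp -s ${3:-0.0.0.0/0} --dport $1:$2 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $MOSH_MIN:$MOSH_MAX -j DROP"
}

# client_command LOW HIGH TARGET: matching client call; -p PORT[:PORT2] is from mosh(1).
client_command() {
    valid_range "$1" "$2" || return 1
    echo "mosh -p $1:$2 $3"
}

# off_range_listeners LOW HIGH: reads `ss -H -uln` output on stdin, prints UDP
# ports in the default Mosh range that the narrowed firewall would not admit.
off_range_listeners() {
    awk -v lo="$1" -v hi="$2" -v min="$MOSH_MIN" -v max="$MOSH_MAX" '
    { for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) {
          n = split($i, a, ":"); port = a[n] + 0
          if (port >= min && port <= max && (port < lo || port > hi)) print port
          break } }'
}

# Constructed sample of `ss -H -uln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
UNCONN 0 0 0.0.0.0:60001 0.0.0.0:*
UNCONN 0 0 0.0.0.0:60417 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
UNCONN 0 0 [::]:60003 [::]:*
EOF
}

iptables_rules 60000 60005 203.0.113.0/24
client_command 60000 60005 admin@server.example
sample_ss_output | off_range_listeners 60000 60005   # prints 60417
```

On a live host, replace the sample with `ss -H -uln | off_range_listeners 60000 60005`; a port in the output is a UDP listener that the narrowed rule set would block.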

IPv6 support

Mosh used to have a disadvantage in its networking options: it lacked IPv6 support. Fortunately, that is solved and initial IPv6 support is now available.

 

Installation

Convinced Mosh can help you in your work? Great, then it is time to do the installation. Mosh works on pretty much all UNIX-based systems, like Linux, Mac OS X, *BSD, Android, and even in Chrome.


Here are some quick starters:

  • Arch Linux – pacman -S mosh
  • CentOS and Fedora – yum install mosh
  • Debian and Ubuntu – apt-get install mosh or use the PPA for mosh-dev

More details can be found on the Mosh project page (GitHub).

Clients for Android

JuiceSSH supports Mosh as well.

 

So how is your experience with Mosh? Love to hear it in the comments!


This blog post is part of our Linux security series and the mission to get Linux and Unix-based systems more secure.



2 comments

  • Piskvor

    That’s just sensationalist reporting. “there is no daemon waiting for incoming connections.” Except there is. On port 22. Equating “SSH does this for us” with “look, Ma, no daemons!” is just braindead: you’re not using it *instead* of SSH, but *with* SSH (how exactly are you authenticating and launching mosh-server again?).
