You could also do something like using a key pair, with the public key on the server; use it to encrypt the random mosh-server key and then publish that in a DNS TXT record, then change it every <x> days, or script it so that when you start a new mosh-server instance, it generates another mosh key and then publishes that, etc.
On Sat, Dec 7, 2013 at 4:11 AM, Weiwu Zhang <zhangwe...@realss.com> wrote:
> Thanks all of you for answering my posts, and especially Keith who
> listed almost all possible methods. I don't usually reply to email in
> half a year, except when caught in business for too long, like now.
>
>
> 2013/7/2 Keith Winstein <kei...@mit.edu>:
>> Pretty much _any_ means of getting the server to start a mosh-server
>> process and convey the session key back to you would work. That's why
>> I think writing our own authenticating daemon on top of all the
>> existing ones is probably unnecessary.
>
> Then this should also work:
>
> Server:
>
> 1. store my public key (ssh public key for example) on the server --
> while it is already on the server, in ~/.ssh/authorized_key
> 2. wrap mosh-server in inetd, and emit the session key encrypted with
> the public key.
>
> Client:
>
> 1. get an encrypted session key from the given port.
> 2. decrypt it and with it establish the mosh client.
>
> Both server and client can be done with a one-line command, if the
> session key is properly piped to cipher tools, which I don't know how
> to do. Few would elaborately reinvent ssh authentication using this
> homebrew workaround to prevent the connection being detected as ssh,
> but in the worst times in Beijing, during political events, housing
> area network outgoing ssh connection attempts can get your ssh server
> graylisted for days. In these critical eventful days, not a single
> clue should be given to the big brother censorship that somebody is
> doing ssh.
>
> The thick Kerberos admin manual always daunts me. However it also
> daunts big brother censorship, who, I feel sure, doesn't bother to
> detect Kerberos, except the version wrapped in other products like
> ActiveDirectory. If somebody offers a Kerberos authentication server as
> an inexpensive online service like DNS, backed by his own reputation or
> two cents of bitcoins, I would consider buying it just to free myself
> from the manuals - my security requirement is only that it should
> stand against botnet membership recruitment, not that it stands
> against targeted attempts.
> _______________________________________________
> mosh-devel mailing list
> mosh-devel@mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
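The "pipe the session key to cipher tools" step discussed above, as an added example that is not from the thread or from the mosh project: it assumes openssl is in PATH, uses a freshly generated RSA key pair with RSA-OAEP in place of the ssh key in authorized_keys, and substitutes a constructed "MOSH CONNECT" line for the output of a real mosh-server.

```bash
#!/bin/sh
# Added example, not mosh's own code. Assumes: openssl in PATH; the
# "MOSH CONNECT <port> <key>" line is constructed here, not from mosh-server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Client side: a key pair. Only the public half is placed on the server,
# in the role the quoted mail gives to ~/.ssh/authorized_keys.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/client.pem" 2>/dev/null
openssl pkey -in "$WORK/client.pem" -pubout -out "$WORK/client.pub" 2>/dev/null

# Stand-in for the inetd-wrapped mosh-server: mosh-server prints
# "MOSH CONNECT <port> <key>", the key being a 128-bit value as 22 base64 chars.
fake_mosh_server() {
    printf 'MOSH CONNECT 60001 %s\n' "$(head -c 16 /dev/urandom | openssl base64 | tr -d '=\n')"
}

# Server side: encrypt the CONNECT line to the client's public key (RSA-OAEP)
# and base64 it so it survives a text channel (a listening port, a DNS TXT record).
encrypt_for_client() {   # $1 = public key file; stdin = plaintext
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}

# Client side: reverse the two steps; the recovered port and key are what
# MOSH_KEY and mosh-client need.
decrypt_as_client() {   # $1 = private key file; stdin = base64 ciphertext
    openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep
}

# Whole exchange; returns 0 only if the client recovers a well-formed 22-char key.
run_exchange() {
    plain=$(fake_mosh_server)
    blob=$(printf '%s\n' "$plain" | encrypt_for_client "$WORK/client.pub")
    recovered=$(printf '%s' "$blob" | decrypt_as_client "$WORK/client.pem")
    [ "$plain" = "$recovered" ] || return 1
    set -- $recovered          # MOSH CONNECT <port> <key>
    PORT=$3; MOSH_KEY=$4
    # A real client would now run: MOSH_KEY=$MOSH_KEY mosh-client <server-ip> $PORT
    [ "$PORT" = 60001 ] && [ ${#MOSH_KEY} -eq 22 ]
}
```

The blob is opaque to anyone without the private key, but nothing here authenticates the server to the client; pinning the server's public key (as the reply above suggests) is what closes that gap.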