Re: [mosh-devel] SSH agent forwarding

2017-09-22 Thread Keith Winstein
Hello Daniel,

The issue is basically the same since the original pull request in 2013 --
whatever change we make to the Mosh protocol to support ssh-agent
forwarding is one we have to live with forever, and the limitations of the
Mosh protocol make us not want to commit ourselves to these changes. Mosh
does not handle big Instructions well; our fragmentation system is very
simple, so adding reliable transport of not-exactly bounded OOB data in the
synchronized SSP object makes me nervous.

(We're also pretty paranoid about security, and this leads to maybe
excessive conservatism -- Mosh has never had a security hole, and we hope
to keep it that way. Making intensive protocol changes to add extra
features to the core protocol is also something I'm nervous about, and
nervous about supporting over time. If you look at where SSH and TLS's
security holes have come from, it's basically all from adding this kind of
complexity in a non-isolated way. Of course many entities do run Timo's
version; apparently Facebook uses it extensively.)

I think my preferred approach here is to release something that does
resilient ssh-agent forwarding "to the side" of the Mosh connection, over a
separate connection and with a separate package that users can run if they
choose. We have developed something internally (at Stanford) that you might
like that also does "secure" ssh-agent forwarding, by allowing the agent to
authenticate and limit (1) the host making the request, (2) the remote host
that host is trying to authenticate to, and (3) the command the host wants
to execute on the remote host. (With normal ssh-agent forwarding, the agent
can't learn any of these things and is basically signing a blank check.)
This works alongside SSH and Mosh. We hope to have a public beta soon and
will look forward to reports from anybody who wants to test it.

-Keith

On Thu, Sep 21, 2017 at 9:33 AM, Daniel Roethlisberger wrote:

> John, all,
>
> Mosh is still lacking SSH agent forwarding, preventing the use of
> mosh in many setups.  What is blocking the resolution of issue
> 120 and pull request 696?  The issue has been raised in 2012 and
> the pull req is sitting there since 2015:
>
> https://github.com/mobile-shell/mosh/issues/120
> https://github.com/mobile-shell/mosh/pull/696
>
> What would be needed to get SSH agent support into mosh, be it
> with Timo J. Rinne's implementation in the pull req or in a
> different way?
>
> -Daniel
>
> --
> Daniel Roethlisberger
> http://daniel.roe.ch/
>
> ___
> mosh-devel mailing list
> mosh-devel@mit.edu
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
>
___
mosh-devel mailing list
mosh-devel@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-devel
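To make the "blank check" point in Keith's message concrete, here is an added example (not code from Mosh or from the Stanford tool he mentions) that builds a constructed SSH_AGENTC_SIGN_REQUEST in the OpenSSH agent protocol format and parses out what the agent can actually see in it per RFC 4252 section 7: a session identifier, user name, service, method and key, but nothing identifying the remote host or the command to be run.

```python
import struct

SSH_AGENTC_SIGN_REQUEST = 13    # agent protocol message type (draft-miller-ssh-agent)
SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252 section 7, first byte after the session id


def _string(buf, off):
    """Decode one SSH 'string' (uint32 big-endian length prefix + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _enc(s):
    """Encode bytes as an SSH 'string'."""
    return struct.pack(">I", len(s)) + s


def build_sign_request(key_blob, session_id, user, algo):
    """Constructed sign request, laid out exactly as an ssh client sends it
    when asking the agent to sign a publickey userauth request."""
    data = (_enc(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + _enc(user)
            + _enc(b"ssh-connection") + _enc(b"publickey") + b"\x01"
            + _enc(algo) + _enc(key_blob))
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + _enc(key_blob) + _enc(data)
            + struct.pack(">I", 0))   # flags


def what_agent_sees(msg):
    """Parse a sign request and return every field visible to the agent."""
    if msg[0] != SSH_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    key_blob, off = _string(msg, 1)
    data, off = _string(msg, off)
    (flags,) = struct.unpack_from(">I", msg, off)
    session_id, o = _string(data, 0)
    if data[o] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("signed data is not a userauth request")
    user, o = _string(data, o + 1)
    service, o = _string(data, o)
    method, o = _string(data, o)
    o += 1                                  # boolean TRUE
    algo, o = _string(data, o)
    return {
        "user": user.decode(), "service": service.decode(),
        "method": method.decode(), "algorithm": algo.decode(),
        "session_id_len": len(session_id), "flags": flags,
        # The session id binds the signature to one connection, but the agent
        # cannot map it to a host name, and no field carries a command.
        "remote_host": None, "command": None,
    }
```

An agent that wants to enforce the three limits Keith lists therefore needs that context delivered over a side channel it trusts, since the request itself never carries it.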


[mosh-devel] SSH agent forwarding

2017-09-21 Thread Daniel Roethlisberger
John, all,

Mosh is still lacking SSH agent forwarding, preventing the use of
mosh in many setups.  What is blocking the resolution of issue
120 and pull request 696?  The issue has been raised in 2012 and
the pull req is sitting there since 2015:

https://github.com/mobile-shell/mosh/issues/120
https://github.com/mobile-shell/mosh/pull/696

What would be needed to get SSH agent support into mosh, be it
with Timo J. Rinne's implementation in the pull req or in a
different way?

-Daniel

-- 
Daniel Roethlisberger
http://daniel.roe.ch/



[mosh-devel] ssh agent forwarding for mainline Mosh

2016-05-25 Thread john hood
Hi all,

For a very long time, ssh agent forwarding has been the #1 feature
request for Mosh.

For a slightly less long time, Timo J. Rinne's ssh agent forwarding code
has been available on GitHub, the current merge is at
.

We're about to release mosh 1.2.6.  Agent forwarding will *not* be in
1.2.6.  But after 1.2.6 comes 1.3, and then I think I would like to pull
that code into Mosh for that release.

So I'm writing this email to restart the discussion on agent forwarding.
Obviously, many people want it.  But less obviously, it is a
significant change to Mosh's security story, and the user is trusting us
for their SSH authentication if they use this feature.

Also, though I think the code is generally good quality, I have some
specific concerns-- it seems possible that Mosh could block with a
particularly uncooperative agent or agent client, leaving the user with
a stuck terminal session.

How do people feel about doing agent forwarding in general, and this
code in particular?  I'd like to see some consensus on the security
issues, and I'd like to hear other opinions on the code involved.

regards,

  --jh


[mosh-devel] Ssh-agent forwarding support.

2013-12-11 Thread Muhamad Ramli
Dear Dev, Mosh

I am Ramli, a student and freelance sysadmin interested in mosh. Since a month
ago I have replaced ssh with mosh. Now I find a good topic for a thesis or student
project: Mosh support for ssh-agent forwarding.

Is this project already working?

If I want to join, how do I start, and what are the learning resources for mosh and ssh-agent?

Thanks for your attention.
- Ramli
Sent from Yahoo Mail on Android


