47

Mosh has been around for a while now. Although it's claimed to be "a replacement for SSH" by its authors, mosh does actually depend on ssh to do the initial authentication, after which an instance of the mosh binary is started on the server, the established SSH connection over TCP is abandoned (after serving its purpose for the authentication and the bootstrapping), and all shell communication and the network roaming henceforth happens through a mosh protocol over UDP, still with some kind of encryption, but completely separate from ssh.

This all sounds quite simple and elegant; however, the devil is always in the details.

What do the security specialists think of mosh now that it's been around for a couple of years?

cnst
  • While I don't know enough about mosh to post this as an answer, to the best of my knowledge it does not use the extensive sandboxing and privsep that ssh does, and since it starts unprivileged, it also cannot bind to a low port. – forest Dec 16 '17 at 02:40
  • I don't think this is worthy of an answer, since it doesn't really address the question, but using Mosh through a UDP VPN (like Wireguard) can be a nice solution. At the moment, Wireguard is gaining a lot of traction, and its security is felt to be quite sound. You won't lose the benefits of Mosh's UDP connection, but you'll gain a second, possibly more secure layer of encryption. – John Leuenhagen Sep 29 '20 at 04:24

2 Answers

30

This used to appear in their FAQ:

Q: Has your secure datagram protocol been audited by experts?

A: No. Mosh is actively used and has been read over by security-minded crypto nerds who think its design is reasonable, but any novel datagram protocol is going to have to prove itself, and SSP is no exception. We use the reference implementations of AES-128 and OCB, and we welcome your eyes on the code. We think the radical simplicity of the design is an advantage, but of course others have thought that and have been wrong.

Graham Hill
2

Something to keep in mind while using MOSH... Although most of us use SSH to initiate the connection, MOSH doesn't require that to make it work (SSH only kicks off a new mosh-server on the server side and returns two values to the client side: port-# and 22-byte symmetric key). As such, if you get your hands on the two items the server produces, ANYONE can make use of your connection (that is, since it's not dependent on the source of the IP, if you have access to those two pieces of information, you effectively are the owner of the connection).

What this means is that there are basically a couple of attack surfaces to deal with.

  1. The protocol itself and decrypting it "in-flight". This is highly unlikely for anyone other than possibly your government, your ISP, or someone in the same coffee shop as you. The cost to do that and the requirement to be inline with the transmission make this highly unlikely (but not completely unheard of).

  2. Attacking the open UDP port once the mosh-server is active. This is more likely and this is where the protocol needs more investigation. For instance, there already has been a proven DOS attack against the MOSH system (I don't know about hijacking yet). And of course if someone gets your symmetric key, they can probably guess the port pretty easily.

So, how to use this protocol with all these uncertainties? Well, you can limit via your iptables (or firewall, etc) where IP packets can come from or you can set up port knocking on the port to "wake it up" if something happens. Of course you can always leave it alone and just go with the general risk of an un-audited protocol.

Personally, I use a port knocker (I know, lots of reasons this is a pain, insecure, problematic, etc) to block the 60000 addresses. Since most of the time my reconnections are from the same IP (wireless goes down, etc), I rarely need to "re-knock" to continue my MOSH connection. Of course if I close the laptop, leave the coffee shop, switch to the train WiFi, etc, then I need to re-knock to get access to my MOSH ports.

To me, either port knocking or MOSH are inherent risks, but put together, they reduce the target surface area by quite a bit. MOSH mitigates many of the problems I have with port knockers, and the port knocker mitigates my un-audited security connection.

Marcos
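Because the port and key returned over SSH are all that is needed to own a session, as the answer above describes, one defensive check is to scan saved terminal transcripts and logs for those values and redact them. The sketch below is an added example, not part of either answer or of the mosh project; it assumes the `MOSH CONNECT <port> <key>` line printed by mosh-server and the `MOSH_KEY` environment variable read by mosh-client, with the key as 22 unpadded base64 characters, and the sample transcript is constructed.

```python
import re

# Assumption: a mosh session key is 22 unpadded base64 characters (128 bits,
# matching the AES-128 mentioned in the FAQ). The lookahead rejects longer runs.
KEY = r"[A-Za-z0-9+/]{22}(?![A-Za-z0-9+/=])"

# Two places the key tends to end up in saved output (assumed formats).
PATTERNS = {
    "bootstrap": re.compile(r"(MOSH CONNECT \d{1,5} )" + KEY),
    "env": re.compile(r"(MOSH_KEY=)" + KEY),
}


def find_leaks(text):
    """Return (line_number, kind) for every line that exposes a session key."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((number, kind))
    return hits


def redact(text):
    """Replace each key with a marker, keeping the prefix and port for triage."""
    for pattern in PATTERNS.values():
        text = pattern.sub(r"\1[REDACTED]", text)
    return text


# Constructed sample transcript; the keys and address are placeholders.
SAMPLE = (
    "$ ssh host -- mosh-server new\n"
    "MOSH CONNECT 60001 CONSTRUCTEDKEY0000000A\n"
    "$ MOSH_KEY=CONSTRUCTEDKEY0000000B mosh-client 192.0.2.10 60001\n"
    "MOSH CONNECT 60002 tooshort\n"
)

if __name__ == "__main__":
    for number, kind in find_leaks(SAMPLE):
        print(f"line {number}: session key exposed ({kind})")
    print(redact(SAMPLE), end="")
```

A hit on a log that other users or backup jobs can read means the session should be treated as exposed and the mosh-server process restarted to obtain a fresh key.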