Hello Daniel,
The issue is basically the same since the original pull request in 2013 --
whatever change we make to the Mosh protocol to support ssh-agent
forwarding is one we have to live with forever, and the limitations of the
Mosh protocol make us not want to commit ourselves to these changes. Mosh
does not handle big Instructions well; our fragmentation system is very
simple, so adding reliable transport of not-exactly bounded OOB data in the
synchronized SSP object makes me nervous.
(We're also pretty paranoid about security, and this leads to maybe
excessive conservatism -- Mosh has never had a security hole, and we hope
to keep it that way. Making intensive protocol changes to add extra
features to the core protocol is also something I'm nervous about, and
nervous about supporting over time. If you look at where SSH and TLS's
security holes have come from, it's basically all from adding this kind of
complexity in a non-isolated way. Of course many entities do run Timo's
version; apparently Facebook uses it extensively.)
I think my preferred approach here is to release something that does
resilient ssh-agent forwarding "to the side" of the Mosh connection, over a
separate connection and with a separate package that users can run if they
choose. We have developed something internally (at Stanford) that you might
like that also does "secure" ssh-agent forwarding, by allowing the agent to
authenticate and limit (1) the host making the request, (2) the remote host
that host is trying to authenticate to, and (3) the command the host wants
to execute on the remote host. (With normal ssh-agent forwarding, the agent
can't learn any of these things and is basically signing a blank check.)
This works alongside SSH and Mosh. We hope to have a public beta soon and
will look forward to reports from anybody who wants to test it.
-Keith
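To make the "blank check" concrete, here is an added example (not code from this thread, from Mosh, or from the Stanford tool Keith mentions) that builds the SSH_AGENTC_SIGN_REQUEST a forwarded agent receives during publickey userauth and parses it back from the agent's side; the session id, user name and key blob are constructed sample values, and the wire layout follows RFC 4252 section 7 and the ssh-agent protocol draft.

```python
import struct

# Message numbers from the ssh-agent protocol draft and RFC 4252.
SSH_AGENTC_SIGN_REQUEST = 13
SSH_MSG_USERAUTH_REQUEST = 50

def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def userauth_sign_data(session_id, username, key_algo, pubkey_blob):
    """Bytes the client asks the agent to sign for publickey auth (RFC 4252, section 7)."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(username) + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey") + b"\x01"
            + ssh_string(key_algo) + ssh_string(pubkey_blob))

def sign_request(pubkey_blob, data, flags=0):
    """The SSH_AGENTC_SIGN_REQUEST the agent sees: key blob, data, flags, nothing else."""
    return (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(pubkey_blob)
            + ssh_string(data) + struct.pack(">I", flags))

def agent_view(msg: bytes) -> dict:
    """Everything an agent can recover by parsing a sign request it is handed."""
    assert msg[0] == SSH_AGENTC_SIGN_REQUEST
    key_blob, off = read_string(msg, 1)
    data, off = read_string(msg, off)
    (flags,) = struct.unpack_from(">I", msg, off)
    # The three things the request never carries: who asks, for which host, for what command.
    view = {"key_blob": key_blob, "flags": flags,
            "requesting_host": None, "remote_host": None, "command": None}
    session_id, off = read_string(data, 0)
    if data[off] != SSH_MSG_USERAUTH_REQUEST:
        return view  # not a userauth blob: nothing more to learn from the bytes
    username, off = read_string(data, off + 1)
    service, off = read_string(data, off)
    method, off = read_string(data, off)
    key_algo, off = read_string(data, off + 1)  # skip the boolean
    view.update(session_id=session_id, username=username.decode(), service=service.decode(),
                method=method.decode(), key_algo=key_algo.decode())
    return view  # session_id is an opaque KEX hash; it does not name the remote host

# Constructed sample values: a fake session id and a fake key blob, not real key material.
SAMPLE_SESSION_ID = bytes(range(32))
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
SAMPLE_REQUEST = sign_request(SAMPLE_KEY_BLOB, userauth_sign_data(
    SAMPLE_SESSION_ID, b"daniel", b"ssh-ed25519", SAMPLE_KEY_BLOB))

if __name__ == "__main__":
    for k, v in agent_view(SAMPLE_REQUEST).items():
        print(f"{k}: {v!r}")
```

The parsed view shows the user name and key, but the requesting host, the remote host and the command are simply absent from the request, which is what the policy checks Keith describes would have to supply out of band.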
Post by Daniel Roethlisberger
John, all,
Mosh is still lacking SSH agent forwarding, preventing the use of
mosh in many setups. What is blocking the resolution of issue
120 and pull request 696? The issue has been raised in 2012 and
https://github.com/mobile-shell/mosh/issues/120
https://github.com/mobile-shell/mosh/pull/696
What would be needed to get SSH agent support into mosh, be it
with Timo J. Rinne's implementation in the pull req or in a
different way?
-Daniel
--
Daniel Roethlisberger
http://daniel.roe.ch/
_______________________________________________
mosh-devel mailing list
http://mailman.mit.edu/mailman/listinfo/mosh-devel