My statement: MOSH is a replacement for SSH. It doesn't matter that SSH is there; the SSH connection is replaced with a UDP MOSH connection. MOSH is a mobile shell that replaces SSH connections. This statement is technically true based on facts and the declaration of the authors. It makes me crazy that "technically" always means I will say the EXACT opposite of the statement and say that my opposite is more accurate than the stated statement. It does have SSH required, but it uses it for a limited authorization, and then SSH on TCP is abandoned once the connection is established and the connection is handed over (replaced) to a MOSH UDP connection with encryption that is totally independent from SSH. Because you are arguing, the whole sentence "MOSH is a replacement for SSH" means it is NOT a replacement? The argument is that it has SSH as a requirement, so "technically" it isn't replacing SSH, even though based on precise facts it actually does kill SSH and replace it when it is used? The authors of MOSH clearly make a one-sentence statement of purpose to "replace SSH." Your statement "It isn't a replacement for SSH" is more correct? I know I will continue to be downvoted, BUT you need to get into politics. "Technically Speaking" = Political Double Talk.

Q: How does Mosh's security compare with SSH's?

We think that Mosh's conservative design means that its attack surface compares favorably with more-complicated systems like OpenSSL and OpenSSH. Mosh's track record has so far borne this out. Ultimately, however, only time will tell when the first serious security vulnerability is discovered in Mosh, either because it was there all along or because it was added inadvertently in development. OpenSSH and OpenSSL have had more vulnerabilities, but they have also been released longer and are more prevalent.

In one concrete respect, the Mosh protocol is more secure than SSH's: SSH relies on unauthenticated TCP to carry the contents of the secure stream. That means that an attacker can end an SSH connection with a single phony "RST" segment. By contrast, Mosh applies its security at a different layer (authenticating every datagram), so an attacker cannot end a Mosh session unless the attacker can continuously prevent packets from reaching the other side. A transient attacker can cause only a transient user-visible outage; once the attacker goes away, Mosh will resume the session.

However, in typical usage, Mosh relies on SSH to exchange keys at the beginning of a session, so Mosh will inherit the weaknesses of SSH, at least insofar as they affect the brief SSH session that is used to set up a long-running Mosh session.

Q: What is Mosh's security track record so far?

As of the release of Mosh 1.2.5 in July 2015, as far as the developers are aware: In the last three years, no security vulnerabilities of any kind (major or minor) have been reported in Mosh. No major security vulnerabilities have ever been reported in Mosh. We define major security vulnerabilities to include privilege escalation, remote code execution, denial-of-service by a third party, etc. Two denial-of-service issues were discovered and fixed in releases in 2012. One issue allowed a mosh-server to cause the mosh-client to spend excess CPU (CVE-2012-2385, fixed in Mosh 1.2.1, released May 2012). Another issue allowed the server host to cause the mosh-client to send UDP datagrams to an incorrect address, foiling its attempt to connect (fixed in Mosh 1.2.2, released July 2012).

Mosh is awesome and totally worth the 30 seconds it takes to install it.
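The FAQ's contrast between authenticating every datagram and riding on unauthenticated TCP can be shown with a toy receiver. This is an added example, not code from the Mosh project or from the original page: the class names are hypothetical, the key and packets are constructed, and truncated HMAC-SHA256 stands in for Mosh's actual authenticated encryption.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumption: stand-in for Mosh's cipher)

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: 8-byte sequence number + payload, then a tag over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class DatagramSession:
    """Receiver that changes state only for datagrams whose tag verifies."""
    def __init__(self, key: bytes):
        self.key = key
        self.open = True
        self.delivered = []  # payloads accepted from the peer
        self.dropped = 0     # datagrams discarded without touching state

    def receive(self, datagram: bytes) -> bool:
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if len(body) < 8 or not hmac.compare_digest(tag, good):
            self.dropped += 1  # forged or corrupted: ignore, session stays open
            return False
        self.delivered.append(body[8:])
        return True

class StreamSession:
    """Contrast: a transport that obeys an unauthenticated control flag."""
    def __init__(self):
        self.open = True

    def receive(self, segment: dict) -> None:
        if segment.get("rst"):  # nothing proves who sent this flag
            self.open = False

def demo():
    key = b"constructed-demo-key-0123456789a"  # constructed sample key
    mosh_like, tcp_like = DatagramSession(key), StreamSession()
    mosh_like.receive(seal(key, 1, b"ls\n"))
    forged = struct.pack(">Q", 2) + b"close" + b"\x00" * TAG_LEN
    mosh_like.receive(forged)                  # sent by someone without the key
    tcp_like.receive({"rst": True})            # unauthenticated reset is obeyed
    mosh_like.receive(seal(key, 2, b"pwd\n"))  # genuine traffic resumes
    return mosh_like.open, mosh_like.delivered, mosh_like.dropped, tcp_like.open

if __name__ == "__main__":
    print(demo())
```
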