Mosh, or “Mobile Shell,” is designed to be a replacement for SSH, specifically for mobile devices or laptops on slow connections. Mosh works over UDP, and will keep your connection alive, even if you change WiFi networks or experience fluctuating cell signal.
What Is Mosh?
Mosh’s UDP-based transfer system makes it more stable than traditional SSH, as it handles packet loss much more effectively. If your connection drops out for a bit, Mosh will reconnect you as soon as it comes back, leaving your commands in place as you were typing.
It also significantly reduces latency; if you’ve ever tried to SSH to a slow server, you’ll notice even your keystrokes become slow and unresponsive. This is because the SSH client waits for a TCP response from the server before showing your typing, in case the server intercepts it for some reason. Mosh is more intelligent, and will display your typing in real-time. It even gives underlined typing predictions, which is also handy.
If long-term persistence is all you’re after, you can instead use
tmux on your server over SSH. Tmux splits your terminal into multiple panes, each with multiple tabs, that all persist on the server across SSH sessions. The benefit here is that if your SSH session gets disconnected, it doesn’t affect what’s going on on the server, similarly to Mosh.
But Mosh and
tmux also play well together, as Mosh will automatically reconnect you to your tmux session if your connection drops out, without having to run
tmux -a t [name] all over again.
How Secure Is Mosh?
Mosh makes the initial connection over SSH, so the authentication is about as secure as SSH is. It uses AES-128 encryption for traffic sent over UDP, so your traffic can’t be sniffed.
The main issue with Mosh is that it requires a lot of ports to be open. Mosh can use any port between 60000-61000, depending on the IP address of the connection. And while you will usually use the same port for the duration of the connection, it’s not guaranteed. This isn’t a major issue, but opening 1000 ports isn’t really good security practice.
If you are running a firewall like iptables, you’ll have to open these ports manually:
sudo iptables -I INPUT 1 -p udp --dport 60000:61000 -j ACCEPT
And if you’re running a server on a service like AWS, you’ll need to open the ports through their firewall as well. If you wanted it to be more secure, you could use port knocking to close these addresses and only open them when Mosh knocks, but this also isn’t ideal if the port changes during your session.
Bottom line, if you’re using Mosh and you’re worried about security, you should probably make it listen on your private network and use a VPN.
Install Mosh Server and Get a Mosh Client
For Mosh to work, the server needs to have Mosh binaries installed. This doesn’t run a daemon like
sshd; rather, it’s the first command your Mosh client runs when connecting over SSH. When the connection closes, the server terminates the running Mosh server.
The installation is quite simple, as it’s available on most package managers. For Debian-based systems like Ubuntu, that would be:
sudo apt-get install mosh
This installs the client and the server, so you’ll install the same package on both. Server-oriented installations will simply require you to substitute
apt-get for your distro’s package manager.
For Windows, you’ll have to install the client for Chrome. There’s no binary yet for Windows.
For macOS, you can install the package directly, or install it using Homebrew:
brew install mosh
In any case, you’ll connect as you would with SSH:
This connects with a username and password. If this isn’t ideal for you, you can also manually specify new SSH options with the
mosh --ssh="~/bin/ssh -i ~/ssh/id_rsa" user@port
This command will make use of your private key rather than a password. Note that the server will need to be configured to accept this private key, especially if it’s a new one coming from a phone or other device.