Tutorial: Ditch SSH, get started with Mosh
Secure Shell (SSH) is a fundamental component to virtual private servers (VPSs) and, generally speaking, Linux administration. The ability to connect two machines over a secure channel is invaluable, particularly when appropriately done with public keys, and many talented developers have bootstrapped SSH to build excellent tools like rsync.
But SSH isn’t perfect. And there’s room for other tools with slightly different goals, or tools that aim to push SSH’s key benefits even further. Enter Mosh, the “mobile shell,” which, according to its developers, “allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes.”
Mosh is meant to be a complete replacement for SSH, and focuses on providing a more robust connection, particularly over spotty internet connections. If you want to get started with the tutorial part of this post right away, hop down to the first step.
It’s not graceful on spotty connections. Well, sometimes SSH is terrible even when you’re using extremely reliable internet. That’s because when the connection between client and server falters, even momentarily, it can stall entirely, forcing you to kill it and reconnect. This process is annoying once, but after dozens of repetitions, it’s a real annoyance and leech on your time.
SSH has a few security vulnerabilities. No piece of software is infallible, and SSH is no different—over the last two decades, security experts have discovered a few vulnerabilities in the SSH protocol, including a little something the NSA worked up. Despite these, SSH remains the most popular and respected method of connecting
Network latency leads to lackluster typing performance. When you type into a terminal running an SSH connection, the client sends data about each keystroke to the remote server, which responds in kind. Only once the data has traveled to the server and back will your local terminal show the keys you typed. The inherent latency in network connections creates a noticeable delay between you pressing a key and seeing it on your screen. There’s nothing wrong with this delay, but it doesn’t make for a stellar user experience.
Using states for more reliability. Mosh uses what it calls the State Synchronization Protocol (SSP), which is responsible for synchronizing two snapshots of the current screen state, one on the server, and another on the client. This UDP-based protocol is aimed at showing the client the most recent server-side state, and is designed to use datagrams/“heartbeats” to maintain the connection, even through roaming between Wifi hotspots or between different IP addresses.
A more ‘conservative design’ on security. The developers of Mosh are quick to admit that vulnerabilities both added to inadvertently and discovered within OpenSSH/OpenSSL are primarily due to the decades-long lifespan of each, and just how popular they are. The subtext is that Mosh might have better security solely through obscurity.
Still, Mosh’s SSP authenticates every “datagram,” which prevents some of the potential vulnerabilities in SSH. As of July 2017, no security vulnerabilities have ever been
Significant improvements in latency for better real-world productivity. Because SSP synchronizes two states instead of waiting for data to transfer back and forth, Mosh can make changes to the user interface much faster. According to a study they completed, the median keystroke response time for SSH was 503ms, and only 5ms for Mosh.
Is Mosh perfect? Certainly not. Common criticisms are having to open up a handful of UDP ports, and that it still relies on SSH to create the initial connection. Of course,
tmux also take care of the reliability/persistence issue without opening new ports.
Still, all this adds up to a compelling picture: Mosh might not be perfect for everyone, but it’s definitely worth a test. Let’s get to the installation.
As with SSH, Mosh uses one version of its application on the remote server and another on the local client. Installing on our OS options (Ubuntu, Debian, and CentOS) is a cinch—just use the package manager to install
$ sudo apt-get install mosh # Ubuntu/Debian $ sudo yum install mosh # CentOS
You don’t need to configure anything—you’re good to go on the server front.
Client-side installation depends entirely on the operating system of the machine you’re reading this on right now. The Mosh team has built clients for OS X, Windows (via Cygwin), plenty of Linux distributions, Chrome, *BSD, and more.
To find them all, visit the Getting Mosh section on the Mosh homepage.
Step 3 (optional): Configure your server’s firewall
If your server is configured with a firewall like
iptables, you will need to open specific ports to allow SSP to synchronize between sever and client. With
iptables, you can issue the following command to open these UDP ports.
$ sudo iptables -I INPUT 1 -p udp --dport 60000:61000 -j ACCEPT
You don’t have to open all 1,000 ports—Mosh only needs 1 open port per connection. If you only need a few concurrent connections, you can open far fewer ports, like
Keep in mind that this
iptables rule is not persistent, in that if the server reboots, the rule will disappear. You need to save this rule. There are multiple ways to do this, including
iptables-persistent. Here’s how to do so using
iptables-save, which you’ll need to execute after escalating your privileges using
# iptables-save > /etc/iptables/rules.v4 # Ubuntu/Debian # iptables-save > /etc/sysconfig/iptables # CentOS
Once you have Mosh installed on both the server and client, you can try out your first connection. The syntax is mostly the same as with SSH:
$ mosh [email protected]
So, for example, if you type in
ssh [email protected] to connect to your VPS via SSH right now, you can type in
mosh [email protected] instead, or use the IP address you’ll find in the SSD Nodes dashboard.
You’ll be asked to authenticate using SSH, but as soon as that completes, you’ll be transferred over to the Mosh connection.
If you have a less common case, such as an SSH server running on a port other than the standard 22, or you want to specify a particular Mosh UDP port, be sure to check out the usage area on Mosh’s homepage.
Ending the connection is just as easy as getting it started. As with SSH, you can type
exit to close the session. If you need or want to force close the connection, Mosh uses the
Ctrl-^ escape sequence. On most keyboards, that means typing
Ctrl-Shift-6, followed by a period.
When I first started using Mosh, I was amazed at how suddenly fast and responsive my remote connections felt. There’s always a place for SSH when it comes to one-off connections to remote servers, but for those I know I’m going to spend lots of time on, Mosh seems like a keeper. Once I start combining it with
tmux for more flexibility with panes, I feel like I’ll finally be on the right track toward some real productivity on the remote command line.
If you have tips on using Mosh more productively, or just want to chat terminals, you can find me at [email protected]. Happy Moshing!
A note about tutorials: We encourage our users to try out tutorials, but they aren't fully supported by our team—we can't always provide support when things go wrong. Be sure to check which OS and version it was tested with before you proceed.
If you want a fully managed experience, with dedicated support for any application you might want to run, contact us for more information.