mobile-shell / mosh

Mobile Shell
https://mosh.org
GNU General Public License v3.0

Implement ProxyJump #970

Open Gunni opened 6 years ago

Gunni commented 6 years ago

mosh -o ProxyJump proxy.example.com target.example.com (or similar, use ssh config?)

local mosh authenticates with proxy.example.com and starts the mosh server on proxy that forwards the packets to target.example.com.

local mosh then connects to the mosh server on proxy as usual and asks to forward a stream which then gets forwarded to target where it authenticates and finally connects to the mosh server on target.

This way, no agent forwarding is ever required since I can always connect from localhost and all agents and keys stay there.

Also lets me authenticate using my yubikey / pgp key directly with the end host, again, without ever exposing my agent or key.

todo:

Daviey commented 6 years ago

Is this the same issue as issue #285 ?

cgull commented 6 years ago

@Gunni, I think you're proposing that mosh-server (mosh-proxy?) would 1) tunnel another SSH session to target.example.com (I don't see how you'd avoid exposing the ssh agent to the proxy otherwise) and 2) would forward the UDP session to target.example.com. Have I got that right?

It is in fact pretty much impossible for a proxy to know when the session ends (unless it had the Mosh session key, which it wouldn't in the description I gave). The client can disappear at any time and reappear on a different address and/or port, and the server will stop sending messages a short while after messages from the client stop.

Pretty much the only two ways a proxy can know about a session's lifetime in the existing Mosh architecture are 1) having the session key and decrypting/observing the session, or 2) maintaining some sort of out-of-band observation of the server's lifetime such as a TCP connection or pipe or something.

Gunni commented 6 years ago

Hey,

How about this:

Local client authenticates to the first hop, asking mosh-server to start in proxy mode, mosh-server starts and listens for the connection.

The local client then exits that ssh connection and starts a new one like this: ssh -J proxyserver.example.com destinationserver.example.com

and on that connection performs the normal mosh-server setup, when ready, exits this ssh connection but leaving mosh-server listening.

The local client then sends some packets to the proxy mosh-server, with a "ping" packet, and an encrypted blob to forward to the target ip address. The proxy can never decrypt this blob because it does not have the session keys for that blob.

On the target host, it receives the udp frames as per normal procedure, not even caring that the proxy is there.

The dead session handler that mosh-server already uses could be used here, currently when I connect it displays a list of idle mosh-servers that I can kill, and I can use the idle kill feature which is already documented.

This way:

  1. I can proxy to hosts behind firewalls
  2. authentication is done end-to-end
  3. no ssh authentication keys EVER leave my system
  4. no ssh agent forwarding is required
  5. idle timeout will kill proxies that receive no data if I choose to configure it
  6. if it is implemented well, it should be chainable endlessly

oparkins commented 5 years ago

This feature would be super useful. I've just started to use mosh, but it is very limiting to not be able to use the ProxyJump feature. More than half the hosts in my ssh config file use ProxyJump due to firewall policies.

srd424 commented 5 years ago

I have implemented a bodge to allow me to use ProxyJump: https://github.com/mobile-shell/mosh/issues/285#issuecomment-515752843

pabloab commented 4 years ago

This was already discussed on #120, where @keithw suggests using guardian-agent. From IRC:

I usually have to go through a proxy/bastion/jump server to get to my servers:
ssh -J john@jumpbox john@myserver. Is this not possible with mosh?

(-J is somewhat similar to -A)

@keithw said:

I think our position on jump servers is that you really don't want to be giving the bastion access to the plaintext -- better to just relay the ciphertext (in our case, the UDP datagrams) and run one pair of mosh-client/mosh-server. This is also a lot better for the predictive local echo algorithm. Of course it would be better if we had a real mosh-proxy that you could run on the bastion that would do this and also track the roaming client for you.

Also said there:

it may be possible for someone to develop a mosh-proxy as a separate project from mosh itself

Maybe @keithw could create a new repository called mosh-proxy so people could start sending PRs to have this feature separately from the secure mosh core.

quentinmit commented 4 years ago

I built a prototype already:

https://github.com/quentinmit/mosh-jump

But this really needs to be embedded in mosh/mosh-server, not a separate repo. You should see what I have as a proof-of-concept.

maximeborges commented 4 years ago

+1 Could be very useful in high-latency configurations, i.e. connecting to a server in Asia from Europe with an intermediate proxy

aduong commented 3 years ago

I think it'd be great if there were an official way to accomplish this. I've been getting around this with a wrapper by doing some UDP proxying, bookkeeping, and calling mosh-server and mosh-client directly: https://github.com/aduong/mosh-with-jump. It seems it's quite similar to the approach at https://github.com/mobile-shell/mosh/issues/970#issuecomment-611128129.

matheusfillipe commented 3 years ago

I think it'd be great if there were an official way to accomplish this. I've been getting around this with a wrapper by doing some UDP proxying, bookkeeping, and calling mosh-server and mosh-client directly: https://github.com/aduong/mosh-with-jump. It seems it's quite similar to the approach at #970 (comment).

This doesn't work for me. Fails with:

Network exception: Bad IP address (): Name or service not known: Success
[mosh is exiting.]

This is very important to me since most ISPs here block outgoing on port 22.

xanoni commented 3 years ago

See also https://github.com/mobile-shell/mosh/issues/285

ayr-ton commented 2 years ago

It could be just a wrapper around SSH as well. Just for enabling replacing SSH by Mosh in VSCode SSH environments for example (it needs SSH forwarding to work as expected)

tbjornli commented 2 years ago

Any updates or news here?

I'm looking for a way to use mosh to connect to my proxy then proxy jump to another server by ssh.

Panky-codes commented 2 years ago

Probably not the most efficient way but this is what I am doing to use mosh with a proxy server in between.

jamesavery commented 2 years ago

What is the current status of enabling proxyjump for mosh, possibly based on the two proof-of-concept implementations?

I often want to use mosh to work while traveling: mosh used to be the best way to not be drowned by latency. However, these days everything is behind bastion jump hosts, it is very rare to have servers directly exposed. This makes mosh impossible to use without proxyjump functionality: even though the experience is much, much nicer with mosh, it's not much use if we can't use it to connect anywhere. I haven't been able to use mosh for years for this reason, but was really hoping the issue had been solved in the mean while.

This github issue is 4.5 years old and still open: is it a "wont solve" or what is the situation? Still fingers crossed that this will be implemented.

Kyshman commented 2 years ago

Probably not the most efficient way but this is what I am doing to use mosh with a proxy server in between.

  • Use sshuttle to connect to the proxy with --method=tproxy so that UDP port can be used.
  • Just run mosh <final-server-to-connect>

I hope this helps someone until proxyjump feature is directly supported by mosh

Works in Linux but not in MacOS / FreeBSD / OpenBSD / pfSense which are unable to use the tproxy method thus no UDP. This is stated in the Requirements for sshuttle.

3f6a commented 1 year ago

+1, We use an intermediate server to ssh into our compute nodes. With ssh this works through the ProxyJump config.

Would love this to work with mosh too.

VergeDX commented 6 months ago

ping

Kyshman commented 6 months ago

This doesn't work for me. Fails with:

Network exception: Bad IP address (): Name or service not known: Success
[mosh is exiting.]

This is very important to me since most ISPs here block outgoing on port 22.

Took the script from @aduong (in the comment above) and added the ability to specify an outgoing port along with tweaking it here and there to cater for my use cases. Comments or ideas welcome

You can find it here --> Mosh-With-Jump

Here is how I use it with an alias