Secure Shell (SSH) is a fundamental component to virtual private servers (VPSs) and, generally speaking, Linux administration. The ability to connect two machines over a secure channel is invaluable, particularly when appropriately done with public keys, and many talented developers have bootstrapped SSH to build excellent tools like rsync.
But SSH isn’t perfect. And there’s room for other tools with slightly different goals, or tools that aim to push SSH’s key benefits even further. Enter Mosh, the “mobile shell,” which, according to its developers, “allows roaming, supports intermittent connectivity and provides intelligent local echo and line editing of user keystrokes.”
Mosh is meant to be a complete replacement for SSH and focuses on providing a more robust connection, particularly over spotty internet connections. If you want to get started with the tutorial part of this post right away, hop down to the first step.
How does Mosh do those things better?
Using states for more reliability. Mosh uses what it calls the State Synchronization Protocol (SSP), which is responsible for synchronizing two snapshots of the current screen state, one on the server, and another on the client. This UDP-based protocol is aimed at showing the client the most recent server-side state and is designed to use datagrams/“heartbeats” to maintain the connection, even though roaming between Wifi hotspots or between different IP addresses.
A more ‘conservative design’ on security. The developers of Mosh are quick to admit that vulnerabilities both added to inadvertently and discovered within OpenSSH/OpenSSL are primarily due to the decades-long lifespan of each, and just how popular they are. The subtext is that Mosh might have better security solely through obscurity.
Still, Mosh’s SSP authenticates every “datagram,” which prevents some of the potential vulnerabilities in SSH. As of July 2017, no security vulnerabilities have ever been
Significant improvements in latency for better real-world productivity. Because SSP synchronizes two states instead of waiting for data to transfer back and forth, Mosh can make changes to the user interface much faster. According to a study they completed, the median keystroke response time for SSH was 503ms and only 5ms for Mosh.
Is Mosh perfect? Certainly not. Common criticisms are having to open up a handful of UDP ports, and that it still relies on SSH to create the initial connection. Of course, screen and tmux also take care of the reliability/persistence issue without opening new ports.
Still, all this adds up to a compelling picture: Mosh might not be perfect for everyone, but it’s definitely worth a test. Let’s get to the installation.
Installing Mosh, Step 1: Installing mosh-server
As with SSH, Mosh uses one version of its application on the remote server and another on the local client. Installing on our OS options (Ubuntu, Debian, and CentOS) is a cinch—just use the package manager to install mosh.
$ sudo apt-get install mosh # Ubuntu/Debian $ sudo yum install mosh # CentOS
You don’t need to configure anything—you’re good to go on the server front.
Step 2: Installing mosh-client
Client-side installation depends entirely on the operating system of the machine you’re reading this on right now. The Mosh team has built clients for OS X, Windows (via Cygwin), plenty of Linux distributions, Chrome, *BSD, and more.
To find them all, visit the Getting Mosh section on the Mosh homepage.
Step 3 (optional): Configure your server’s firewall
If your server is configured with a firewall like iptables, you will need to open specific ports to allow SSP to synchronize between sever and client. With iptables, you can issue the following command to open these UDP ports.
$ sudo iptables -I INPUT 1 -p udp --dport 60000:61000 -j ACCEPT
You don’t have to open all 1,000 ports—Mosh only needs 1 open port per connection. If you only need a few concurrent connections, you can open far fewer ports, like 60000:60020.
Keep in mind that this iptables rule is not persistent, in that if the server reboots, the rule will disappear. You need to save this rule. There are multiple ways to do this, including iptables-save and iptables-persistent. Here’s how to do so using iptables-save, which you’ll need to execute after escalating your privileges using sudo -i.
# iptables-save > /etc/iptables/rules.v4 # Ubuntu/Debian # iptables-save > /etc/sysconfig/iptables # CentOS
Step 4: Your first connection
Once you have Mosh installed on both the server and client, you can try out your first connection. The syntax is mostly the same as with SSH:
$ mosh USER@YOUR-IP-ADDRESS
So, for example, if you type in ssh person@somedomain.xyz to connect to your VPS via SSH right now, you can type in mosh person@somedomain.xyz instead, or use the IP address you’ll find in the SSD Nodes dashboard.
You’ll be asked to authenticate using SSH, but as soon as that completes, you’ll be transferred over to the Mosh connection.
If you have a less common case, such as an SSH server running on a port other than the standard 22, or you want to specify a particular Mosh UDP port, be sure to check out the usage area on Mosh’s homepage.
Ending the connection is just as easy as getting it started. As with SSH, you can type logout or exit to close the session. If you need or want to force close the connection, Mosh uses the Ctrl-^ escape sequence. On most keyboards, that means typing Ctrl-Shift-6, followed by a period.