Show HN: Mosh Mallet: Single packet UDP port knocking for Mosh without SSH (opens in new tab)

(gitlab.com)

22 pointsZnZirconium5y ago8 comments

8 comments

8 comments · 5 top-level

Piskvorrr5y ago· 2 in thread

Sure, it looks easy to memorize. There's one thing I'm probably misunderstanding:

it seems to me that the connection has no identification, authentization or authorization whatsoever (as these are the parts that Mosh offloaded to SSH, by design): if you know the port, you're in.

What am I missing?

Edit: ok, I see, you need to also input the MOSH_MALLET_HMAC_KEY and MOSH_MALLET_CCRYPT_KEY into the client. That...helps. Are they static, though?

ZnZirconiumOP5y ago

I memorized it. I really don't want to install a client even though I wrote one. I wanted the protocol to be simpler so the lazy client would be simpler but I realize it needs to check for request forgery.

Authentication is by preshared keys and the client prompts for them or you can set environment variables. The preshared keys are static, yes.

Piskvorrr5y ago

Ah, okay. I was horrified that it's only secured by the port number, but that was just my inability to read :D

This sure looks useful, nice!

dmos625y ago· 1 in thread

No mosh client and no ssh? Wow. Not sure what the implications are though. Or, what the goal is.

Piskvorrr5y ago

In the default client, SSH is "only" used for initiating the connection, if I read the mosh design goals correctly (which includes IAA, indeed). Strictly speaking, you could replace it with any other way of sharing the keys between client and server (e.g. completely out-of-band, as seen here), SSH is just the most common way to do this.

q3k5y ago

I don't see a spec (and the code is not obvious at first glance), but isn't this susceptible to a replay attack for 60s if the initial UDP packet is sniffed?

From what I can tell, the packet is {32 bytes of MAC}:{timestamp}, and MAC = HMACSHA256(timestamp + secret_key), and the 'used' timestamp-nonces are not stored anywhere. This means that this packet is reusable by any host, even one knocking from another IP (eg. an attacker on your LAN or on the public Internet).

EDIT: Ah, no, the response is encrypted with a symmetric cipher (MOSH_MALLET_CCRYPT_KEY). So that particular attack won't work. Leaving this post in case someone also makes a similar assumption to this when reading the code.

phonethrowaway5y ago

Selfless plug: https://gist.github.com/gordol/d3f66e5fa0a53a9ccef30b7788504...

UDP hole punching is pretty straight forward.

This does it securely using SSH.

antb1235y ago

Did mosh ever go through a security audit?

j / k navigate · click thread line to collapse

8 comments

8 comments · 5 top-level

Piskvorrr5y ago· 2 in thread

Sure, it looks easy to memorize. There's one thing I'm probably misunderstanding:

it seems to me that the connection has no identification, authentization or authorization whatsoever (as these are the parts that Mosh offloaded to SSH, by design): if you know the port, you're in.

What am I missing?

Edit: ok, I see, you need to also input the MOSH_MALLET_HMAC_KEY and MOSH_MALLET_CCRYPT_KEY into the client. That...helps. Are they static, though?

ZnZirconiumOP5y ago

Authentication is by preshared keys and the client prompts for them or you can set environment variables. The preshared keys are static, yes.

Piskvorrr5y ago

Ah, okay. I was horrified that it's only secured by the port number, but that was just my inability to read :D

This sure looks useful, nice!

dmos625y ago· 1 in thread

No mosh client and no ssh? Wow. Not sure what the implications are though. Or, what the goal is.

Piskvorrr5y ago

q3k5y ago

I don't see a spec (and the code is not obvious at first glance), but isn't this susceptible to a replay attack for 60s if the initial UDP packet is sniffed?

phonethrowaway5y ago

Selfless plug: https://gist.github.com/gordol/d3f66e5fa0a53a9ccef30b7788504...

UDP hole punching is pretty straight forward.

This does it securely using SSH.

antb1235y ago

Did mosh ever go through a security audit?

j / k navigate · click thread line to collapse