guardian-agent
Mosh
guardian-agent | Mosh
---|---
5 | 152
433 | 12,189
0.5% | 0.6%
0.0 | 4.6
9 months ago | 12 days ago
Go | C++
BSD 3-clause "New" or "Revised" License | GNU General Public License v3.0 only
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
guardian-agent
-
Restricting SSH Agent Keys
https://github.com/StanfordSNR/guardian-agent
The problem basically is the current agent forwarding protocol doesn't have a way to reliably identify the source and remote host that can't be spoofed. guardian-agent tries to do that using some extra software, this linked SSH proposal is to add that to SSH but it will require software upgrades even to the sshd of the intermediate and remote hosts - it's not ideal that it can't just work out of the box - but I welcome this we just need to get it done now for later.
I frequently find myself thinking about adding useful things to software I want to use now and go well it will be years before it's on every host I use and can be used reliably. I have had this thought on and off for more than a decade. Ship some new stuff, it'll be great later :D
-
The pitfalls of using SSH-agent, or how to use an agent safely
ObPlug for Guardian Agent, which is basically "safe" ssh-agent forwarding (and works with Mosh and SSH): https://github.com/StanfordSNR/guardian-agent
The basic story is that ssh-agent really just exposes a primitive of "please sign this challenge," which is useful locally, but the protocol wasn't designed to be forwarded. If requests are coming from a semi-trusted intermediary host, the protocol doesn't tell the agent (a) what remote server is being authenticated to [i.e., who generated the challenge?], or (b) what command is going to be executed. It doesn't even really know (c) what (semi-trusted) host has forwarded the challenge?
Guardian Agent is a sort of hack that allows the agent to know (a), (b), and (c) before deciding whether to grant or deny the request, and you can set up policies like, "I'd like to allow `jump host x` to use to run "git pull" when talking to `git server y`, but that's it." The basic ssh-agent protocol just doesn't have enough info to be able to do something like that.
-
Mosh: The Mobile Shell
there is a fork with port forwarding support https://github.com/rinne/mosh and a PR with a long discussion https://github.com/mobile-shell/mosh/pull/696 on why it's not merged
you can compile them yourself or if you want to skip the step I recently set up GitHub actions to compile Linux binaries of this [1][2], tested by a sample of 1 so no guarantees it works, was planning on doing a tap PR/tap of it at some point
also the official developers have been involved in a project to solve this while improving the whole-agent approval things also https://github.com/StanfordSNR/guardian-agent , but I couldn't get it to work which is why I tried the fork and got that working
-
AskReddit: is there such a thing as async SSH that allows for zero latency typing? (explanation in text)
‘mosh’ is amazing for this, although I had to stop using it years ago because it didn’t support key forwarding. Apparently, there’s now a solution for that: https://github.com/StanfordSNR/guardian-agent
Mosh
-
The IDEs we had 30 years ago and we lost
If you haven’t already, and I know this doesn’t hold up for GUI emacs or vim, but consider running them through https://mosh.org/
- mosh: Mobile Shell
-
Write Your Own Terminal
FWIW, I wouldn't try to parse escape sequences "directly" from the input bytestream -- it's easy to end up with annoying bugs. Longer-term it's probably better to separate the logic e.g.:
- First step (for a UTF-8-input terminal emulator) means "lexing" the input bytestream as UTF-8 into a stream of USVs, which involves some subtleties (https://github.com/mobile-shell/mosh/blob/master/src/termina...).
- Second step is to run the DEC parser/FSM logic on the sequence of USVs, which is independent of the escape sequences (https://vt100.net/emu/dec_ansi_parser ; https://github.com/mobile-shell/mosh/blob/master/src/termina...).
- And then the third step is for the terminal to execute the "dispatch"/"execute"/etc. actions coming from the FSM, which is where the escape sequences and control chars get implemented (https://github.com/mobile-shell/mosh/blob/master/src/termina...).
Without this separation, it's easier to end up with bugs where, e.g., a UTF-8 sequence or an ANSI escape sequence is treated differently when it's split between multiple read() calls vs. all in one call.
-
Typing Fast Is About Latency, Not Throughput
Btw, you can use mosh to hide the latency of SSH. https://mosh.org/
-
How do I enable new pane/tab with CWD while using mosh?
I've been using Kitty's SSH features for as long as I can remember but I recently set up Mosh and I really like how it doesn't drop connections and supports roaming.
-
Buying an iPad Pro for coding was a mistake
I am surprised many people write about ssh into a server. Mosh[1] feels more responsive and it also supports longer sessions.
[1] - https://mosh.org/
-
Prompt2, heads up; they are readying up another version Prompt2 has been abandoned by devs since iOS 14 / 1y ago in a crashing state - Now they want to make another money-heist cash-grab from its users by forcing them to upgrade one of the most expensive apps of all time.
Also they support Mosh which I install on my servers. It's way better than plain ssh when you're on mobile networks and wifi, especially with connections that are unreliable or bandwidth-constrained.
- Zellij New WASM Plugin System
-
networkingStarterPack
I’ve recently been experimenting with MoSH (Mobile Shell). Basically think SSH but with UDP - so more resilient to shoddy network conditions, roaming access points, etc.
-
How can I get a lisp image to run in the background?
If it is not for production (e.g. running as a daemon or a server) and you only care about the development, another ad-hoc way is using screen/tmux-like software incl. byobu, and combine it with mosh.
What are some alternatives?
openssh-portable - Portable OpenSSH
Eternal Terminal - Re-Connectable secure remote shell
muxile - Putting tmux on your mobile - Muxile is a tmux plugin that lets you control a running tmux session with your phone, no app needed.
tmux - tmux source code
mosh - Mobile Shell
Gravitational Teleport - Protect access to all of your infrastructure
DomTerm - DOM/JavaScript-based terminal-emulator/console
Advanced SSH config - :computer: make your ssh client smarter
mac-ssh-confirm - Protect against SSH Agent Hijacking on Mac OS X with the ability to confirm agent identities prior to each use
Code-Server - VS Code in the browser
widecharwidth - public domain wcwidth implementation
PowerShell - PowerShell for every system!