> How would you propose to let the client roam, if the proxy is unable to
> authenticate the client's datagrams?

Well, it depends on the exact architecture. If we're using ssh tunnels then that's all handled by ssh. I suppose that if you wanted an ssh-independent process that would be spawned at each intermediate site, then you might want to authenticate. One issue I think you should consider is that often these ssh proxy hosts are very minimal in terms of what they offer. For example, I can't install the full mosh binary on one host that I need to go through because the required libraries are not available and my home directory quota is very small. Otherwise the obvious thing would be to set up mosh on that host and then rely on ssh for the local network connection.

> One option is to just send replies to the source address of the most recent
> datagram to arrive on the datagram socket -- authentic or not. But I'm
> worried this will be too flaky, since it's pretty easy to have stray UDP
> packets arrive (especially if there might be an old mosh client still
> sending to the same port number...). And it certainly won't be secure
> against a malintentioned adversary. It will require a little thought.

My original architecture was

    udp server listens on local host only
      -> ssh tcp tunnel listening on local port only
      -> intermediate host on internet and remote network
      -> host on remote network listening on tcp port to forward to udp
      -> mosh on remote network

So, there wouldn't really be a way for a malicious user to access the proxy.

--
Mark Lee Stillwell
mark...@fortawesome.org

_______________________________________________
mosh-users mailing list
mosh-users@mit.edu
http://mailman.mit.edu/mailman/listinfo/mosh-users
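The two design points in the exchange above are (a) the TCP leg of the tunnel has no datagram boundaries, so each UDP packet has to be framed before it goes through ssh, and (b) a proxy that updates the client's return address on *any* incoming datagram can be redirected by a stray or spoofed packet, whereas one that only moves it on an authenticated datagram cannot. The following is an added illustration, not code from the mosh project or from either participant in the thread. It assumes a hypothetical shared session key and uses a truncated HMAC as a stand-in for the per-datagram authentication mosh actually performs; the addresses and payloads are constructed sample values.

```python
"""Building blocks for a roaming-aware UDP-over-TCP relay (added example)."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Assumption: a key the client and relay already share. Real mosh authenticates
# datagrams with its own session key; this HMAC stand-in only models "the relay
# can tell an authentic datagram from a stray one".
SESSION_KEY = b"example-session-key-not-a-real-secret"
MAC_LEN = 16


def seal(payload: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Append a truncated HMAC-SHA256 tag to a datagram payload."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]
    return payload + tag


def verify(datagram: bytes, key: bytes = SESSION_KEY) -> Optional[bytes]:
    """Return the payload if the tag is valid, otherwise None.

    Uses a constant-time comparison so timing does not leak tag bytes.
    """
    if len(datagram) < MAC_LEN:
        return None
    payload, tag = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


class RoamingTracker:
    """Tracks the address replies should be sent to.

    strict=True : only an authenticated datagram may move the return address
                  (the behaviour the thread argues the proxy needs).
    strict=False: "reply to whoever sent the last datagram", which a stray
                  packet from an old client or anyone else can redirect.
    """

    def __init__(self, strict: bool = True) -> None:
        self.strict = strict
        self.peer: Optional[Tuple[str, int]] = None

    def observe(self, src: Tuple[str, int], datagram: bytes) -> Optional[bytes]:
        """Record src as the reply address if policy allows; return payload or None."""
        payload = verify(datagram)
        if payload is not None or not self.strict:
            self.peer = src
        return payload


# --- TCP leg: length-prefix framing so datagram boundaries survive a stream ---

def frame(datagram: bytes) -> bytes:
    """Prefix a datagram with its 16-bit big-endian length."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return struct.pack("!H", len(datagram)) + datagram


def unframe(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a byte stream into complete datagrams; return (datagrams, leftover).

    A partial trailing frame is returned as leftover so the caller can prepend
    it to the next read from the TCP socket.
    """
    out: List[bytes] = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break
        out.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return out, stream


if __name__ == "__main__":
    # Constructed scenario: a legitimate client roams, then a stray packet arrives.
    client = ("10.0.0.5", 60001)        # constructed address
    stray = ("192.0.2.9", 4444)         # constructed address (TEST-NET-1)
    strict, loose = RoamingTracker(strict=True), RoamingTracker(strict=False)
    for tracker in (strict, loose):
        tracker.observe(client, seal(b"keystroke"))
        tracker.observe(stray, b"not authenticated")
    print("strict tracker replies to:", strict.peer)  # stays with the real client
    print("loose tracker replies to: ", loose.peer)   # hijacked by the stray packet
    frames = frame(seal(b"a")) + frame(seal(b"b"))
    print("datagrams recovered from stream:", len(unframe(frames)[0]))
```

In a real relay the strict tracker would sit on the UDP side of the chain described in the mail: datagrams that verify go through the framed TCP tunnel, and only they are allowed to update where the return traffic is sent.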