I don't see a spec (and the code is not obvious at first glance), but isn't this susceptible to a replay attack for 60s if the initial UDP packet is sniffed?
From what I can tell, the packet is {32 bytes of MAC}:{timestamp}, and MAC = HMACSHA256(timestamp + secret_key), and the 'used' timestamp-nonces are not stored anywhere. This means that this packet is reusable by any host, even one knocking from another IP (e.g. an attacker on your LAN or on the public Internet).
EDIT: Ah, no, the response is encrypted with a symmetric cipher (MOSH_MALLET_CCRYPT_KEY). So that particular attack won't work. Leaving this post in case someone also makes a similar assumption to this when reading the code.
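The knock format the comment describes, as an added example that is not code from the project under discussion, with a seen-nonce cache added so a sniffed packet cannot be reused inside the 60s window. Hex encoding of the MAC, a decimal timestamp, the ':' separator, and keying HMAC-SHA256 with the preshared secret over the timestamp string are assumptions.

```python
import hashlib
import hmac

WINDOW_SECONDS = 60  # freshness window discussed in the thread


def make_knock(secret: bytes, timestamp: int) -> str:
    """Build a knock: hex(HMAC-SHA256(secret, str(timestamp))) + ':' + timestamp.
    Encoding and keying are assumptions; the thread only gives the field layout."""
    mac = hmac.new(secret, str(timestamp).encode(), hashlib.sha256).hexdigest()
    return f"{mac}:{timestamp}"


class KnockVerifier:
    """Server side. With track_nonces=False it behaves like the commenter's reading
    of the code (no stored nonces) and accepts the same packet repeatedly."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS, track_nonces: bool = True):
        self.secret = secret
        self.window = window
        self.track_nonces = track_nonces
        self.seen = {}  # timestamp -> time after which the entry can be dropped

    def verify(self, packet: str, now: int) -> bool:
        try:
            mac_hex, ts_str = packet.split(":", 1)
            ts = int(ts_str)
            mac = bytes.fromhex(mac_hex)
        except ValueError:
            return False
        if len(mac) != 32:
            return False
        expected = hmac.new(self.secret, ts_str.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time compare
            return False
        if abs(now - ts) > self.window:  # stale or from the future
            return False
        if not self.track_nonces:
            return True
        # Drop nonces that the window check would reject anyway, then refuse reuse.
        self.seen = {t: exp for t, exp in self.seen.items() if exp >= now}
        if ts in self.seen:
            return False
        self.seen[ts] = ts + self.window
        return True
```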
Sure, it looks easy to memorize. There's one thing I'm probably misunderstanding:
it seems to me that the connection has no identification, authentication or authorization whatsoever (as these are the parts that Mosh offloaded to SSH, by design): if you know the port, you're in.
What am I missing?
Edit: ok, I see, you need to also input the MOSH_MALLET_HMAC_KEY and MOSH_MALLET_CCRYPT_KEY into the client. That...helps. Are they static, though?
I memorized it. I really don't want to install a client even though I wrote one. I wanted the protocol to be simpler so the lazy client would be simpler but I realize it needs to check for request forgery.
Authentication is by preshared keys and the client prompts for them or you can set environment variables. The preshared keys are static, yes.
In the default client, SSH is "only" used for initiating the connection, if I read the mosh design goals correctly (which includes IAA, indeed). Strictly speaking, you could replace it with any other way of sharing the keys between client and server (e.g. completely out-of-band, as seen here); SSH is just the most common way to do this.