Post Ad3HMmIPTQ4hfCLJWy by leonerd@fosstodon.org
(DIR) Post #Ad3HMarly7EQDOnNz6 by leonerd@fosstodon.org
2023-12-21T22:52:41Z
0 likes, 0 repeats
I have spent the last 5 years or so looking for a thing that I begin to conclude nobody has made, and I have no idea why.
I want an `ssh` that is transparent to client IP address migrations (i.e. things like mobile hotspots, wifi-to-ethernet cable swaps, etc...)
Please do not say "mosh". Mosh is for *interactive* shell use. I am using ssh as a data transport for an application. (1/3)
(DIR) Post #Ad3HMc3rWeUpvBSYT2 by leonerd@fosstodon.org
2023-12-21T22:54:13Z
0 likes, 0 repeats
Specifically, on a client of mine I run
ssh USER@HOST -t perl -E SOME-CODE-HERE
and this connects to the given host as the given user, and runs the code. The code contains a little injected program that just basically pipes to a local UNIX socket, which is where my server program really runs. But that part is not too essential.
What I'm using ssh for here is
 * Secrecy
 * Authentication
 * User-addressing
 * Application-addressing
(2/3)
(DIR) Post #Ad3HMcq4dP3qKi13c8 by leonerd@fosstodon.org
2023-12-21T22:55:16Z
0 likes, 0 repeats
After 5 years of not being able to find any suitable replacement for this, I am coming to the conclusion that I will have to make it. Which upsets and annoys me because I would have thought someone else had by now. But anyway.
I'm therefore starting to think about things like names for whatever I make, and bits and pieces of technology to use to create it.
Suggestions welcome. (3/3)
(DIR) Post #Ad3HMdxCUOM7n6MGMS by xtaran@chaos.social
2023-12-21T23:01:47Z
0 likes, 0 repeats
@leonerd: I think the point is that for being able to roam, you'll need something else than TCP (e.g. UDP), but #SSH requires TCP…
That's also why #Mosh uses UDP after authenticating and bootstrapping via SSH.
So I see two possibilities for that:
Use SSH over a non-TCP based tunnel like #WireGuard (https://www.wireguard.com/).
Or reconnect every time the client IP changes again, e.g. with #Autossh (https://www.harding.motd.ca/autossh/) and maybe GNU Screen or Tmux. But then that's usually interactive again.
(DIR) Post #Ad3HMeu2xbQYjbtG5I by leonerd@fosstodon.org
2023-12-21T23:17:56Z
0 likes, 0 repeats
Aha, I think I already have a cute name: Mobility Aware Secure Transport. MAST.
mast USER@HOST APPNAME other args here...
would basically be a drop-in replacement for ssh. Now just to work out how to implement the damn thing. But since we have a name that's the easy part, right? ;)
(DIR) Post #Ad3HMf04bCFR2Ii4Tg by leonerd@fosstodon.org
2023-12-21T23:03:03Z
0 likes, 0 repeats
@xtaran screen or tmux are interactive, for terminal use. They don't behave like a "dumb serial port".
The key thing about using ssh in this manner is that everything is transparent to the application. It's a long-lived bidirectional fully-duplex stream of arbitrary random bytes. Either side can just send at any time and know the other side will receive it. This is the part I want to preserve.
(DIR) Post #Ad3HMg6UUoyYSUii7U by xtaran@chaos.social
2023-12-21T23:04:20Z
0 likes, 0 repeats
@leonerd: Then I see not much other choice than running SSH over a client-IP-agnostic (i.e. non-TCP) tunnel.
(DIR) Post #Ad3HMgzRCWvbCuQalU by leonerd@fosstodon.org
2023-12-21T23:05:47Z
0 likes, 0 repeats
@xtaran Huh? A custom program could easily do this. I've spent 5 years hoping someone else had already written that custom program so I don't have to, but it appears not. It seems I will have to write it then.
I am not looking forward to having to reïmplement the authentication and secrecy parts of ssh. I am still hoping I can find some other implementation of those parts, so I can just add the user/application addressing and stream coherence on top.
(DIR) Post #Ad3HMhjsPs4hWw9g9I by leonerd@fosstodon.org
2023-12-21T23:06:51Z
0 likes, 0 repeats
@xtaran And of course the other downside of my writing it myself is now there's something custom to be installed on clients and servers. ssh is already ubiquitous, it's everywhere. You can rely on just about any client or server to already have it available. It was *almost* perfect, apart from this inability to handle client IP mobility.
(DIR) Post #Ad3HMiUfbtVNs4335M by leonerd@fosstodon.org
2023-12-21T23:07:54Z
0 likes, 0 repeats
@xtaran In fact, furthermore, I could solve it entirely *within* ssh, by giving it a client-IP-mobility-aware transport solution for it to then tunnel its encryption and authentication systems over the top of, again meaning I don't have to bother with those.
That is also a thing I could do. But again it requires making custom stuff.
(DIR) Post #Ad3HMjFombDeEI6hZg by xtaran@chaos.social
2023-12-21T23:11:29Z
0 likes, 0 repeats
@leonerd: Sounds rather complex to me. Yes, you could internally separate STDIN from the actual TCP connection and handle TCP reconnects transparently inside the client without disconnecting STDIN. But that means either patching an existing SSH client heavily or writing one from scratch. Which to me both seemed like something you're not really willing to do. (Nor would I want to do that. 🙂)
(DIR) Post #Ad3HMk2jqiLog0zlpI by leonerd@fosstodon.org
2023-12-21T23:15:53Z
0 likes, 0 repeats
@xtaran Uh, or just use the jumpcommand support that ssh clients have had for years now.
(DIR) Post #Ad3HMkrQoEttDEiFqC by xtaran@chaos.social
2023-12-21T23:17:10Z
0 likes, 0 repeats
@leonerd: Good point, but for that you again need something which either tunnels TCP over UDP or does the same as I mentioned before, just outside SSH. Granted, that's probably easier.
(DIR) Post #Ad3HMlbW2tlPWAH3fk by leonerd@fosstodon.org
2023-12-21T23:24:17Z
0 likes, 0 repeats
@xtaran Yes, but I'm 99% sure I have to create that anyway. Simply making a UDP-based client-mobility data transport on some custom UDP port number really isn't hard. Making it secure (private and authenticated) is the hard part that I was hoping not to do, by just reusing parts of SSH that already exist.
(DIR) Post #Ad3HMmIPTQ4hfCLJWy by leonerd@fosstodon.org
2023-12-21T23:33:51Z
0 likes, 0 repeats
@xtaran Actually another way to do it is to flip the thing entirely upside-down.
Use ssh as the transport with some kind of multi-path mux setup around it. The client can start one or more of those tunnels, choose the best one, it knows when to switch; but then you need some demuxing container on the server end to ensure your actual application connection can outlive those individual sessions.
Plus it still has the TCP head-of-line-blocking problem to deal with.
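The "stream coherence" layer that the two posts above circle around (an application byte stream that outlives the individual carrier connections, while the carrier itself, ssh or a tunnel, supplies secrecy and authentication), as an added example that is not part of the thread or of any project named in it. The `Side`, `Carrier`, `resume` and `scenario` names and the Resume / Resume-Ack handshake are this example's own invention.

```python
# Resumable byte stream over a replaceable carrier: an added example, not code from
# the thread. Bytes are numbered, senders keep an unacked backlog, and after the
# carrier dies (IP migration, TCP reset) both sides replay from the offset the peer
# reports. Secrecy/authentication are left to the carrier (e.g. ssh). Names are made up.
from dataclasses import dataclass, field

@dataclass
class Side:
    sent: bytearray = field(default_factory=bytearray)      # every byte handed to send()
    received: bytearray = field(default_factory=bytearray)  # in-order bytes for the app
    peer_acked: int = 0   # how much of `sent` the peer has confirmed receiving
    def send(self, data: bytes) -> None:
        self.sent += data
    def backlog(self) -> tuple[int, bytes]:  # frame carrying everything still unacked
        return self.peer_acked, bytes(self.sent[self.peer_acked:])
    def accept(self, offset: int, payload: bytes) -> None:
        """Deliver a frame: overlap (replay after a lost ack) is trimmed, a gap is fatal."""
        have = len(self.received)
        if offset > have:
            raise ValueError(f"gap: have {have} bytes, frame starts at {offset}")
        self.received += payload[have - offset:]

class Carrier:
    """One TCP-like connection; frames in flight when it drops are lost."""
    def __init__(self, client: Side, server: Side) -> None:
        self.pairs, self.up = ((client, server), (server, client)), True

    def flush(self, drop_before_ack: bool = False) -> None:
        """Push each backlog across and ack it; drop_before_ack loses only the ack."""
        for src, dst in self.pairs if self.up else ():
            offset, payload = src.backlog()
            dst.accept(offset, payload)
            if drop_before_ack: self.up = False; return   # src never learns these arrived
            src.peer_acked = len(dst.received)

def resume(client: Side, server: Side) -> Carrier:
    """Reattach on a fresh carrier: each side's received count becomes the peer's ack
    point (the Resume / Resume-Ack exchange), so exactly the unacked tail is replayed."""
    server.peer_acked, client.peer_acked = len(client.received), len(server.received)
    link = Carrier(client, server); link.flush()
    return link

def scenario() -> tuple[bytes, bytes]:  # two outages: data lost in flight, then ack lost
    client, server = Side(), Side(); link = Carrier(client, server)
    client.send(b"hello "); server.send(b"ready "); link.flush()   # normal operation
    client.send(b"world"); server.send(b"go"); link.up = False     # hotspot dies in flight
    server.send(b"!"); link = resume(client, server)               # new IP, same session
    client.send(b" again"); server.send(b" again")
    link.flush(drop_before_ack=True)                               # data lands, ack lost
    resume(client, server)                                         # replays only the tail
    return bytes(server.received), bytes(client.received)
```

Head-of-line blocking is not addressed here: a real implementation would put this layer over a datagram carrier, which is the reason QUIC keeps coming up later in the thread.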
(DIR) Post #Ad3HMn5KXXCs6vENma by leonerd@fosstodon.org
2023-12-21T23:35:24Z
0 likes, 0 repeats
@xtaran It's usually around this point when I give up and despair that nobody else seems to be attempting to solve it. Nothing else jumps out as an obvious "oh just use Foo" technology for it.
(DIR) Post #Ad3HMnnzrSw4LS83P6 by xtaran@chaos.social
2023-12-21T23:41:13Z
0 likes, 0 repeats
@leonerd: Yet another thought: Google has kinda solved that for HTTP with QUIC, albeit for other reasons. So would something like SSH over QUIC do it? (And yeah, of course, someone would have to implement it. 🙂)
(DIR) Post #Ad3HModkl2KsvyLO4m by leonerd@fosstodon.org
2023-12-21T23:49:30Z
0 likes, 0 repeats
@xtaran If QUIC can do arbitrary bidirectional full-duplex push then sure. Plain HTTP is purely request/response so it's no good here, but maybe QUIC has solved that thing? But I don't believe QUIC already solves the user authentication part of the problem, which again ssh gives me for free.
Don't forget that once connected, ssh really does feel totally transparent, like a pipe, plain TCP socket, serial port, etc... and that is a really strong attraction. You don't get that at all out of HTTP.
(DIR) Post #Ad3HMphgnt4wETC2qm by xtaran@chaos.social
2023-12-21T23:47:40Z
0 likes, 0 repeats
@leonerd: Whoa, "#SSH over #QUIC" gives quite some hits:
https://github.com/moul/quicssh
https://github.com/francoismichel/ssh3
https://datatracker.ietf.org/doc/id/draft-bider-ssh-quic-03.html
https://v1.manfred.life/ssh-quic/
https://github.com/hugefiver/qush
(DIR) Post #Ad3HMq6rIJDBUWy956 by jgrg@mstdn.science
2023-12-21T23:56:41Z
0 likes, 0 repeats
@leonerd @xtaran Websockets gives you that bidirectional full-duplex, doesn't it?
(DIR) Post #Ad3HMqz62eb4CkLSca by xtaran@chaos.social
2023-12-22T00:03:51Z
0 likes, 0 repeats
@jgrg @leonerd: Yes, but can you use them outside a web browser?
(DIR) Post #Ad3HMrx0RuWFCYNJ0C by reto@pleroma.labrat.space
2023-12-22T01:13:14.796787Z
0 likes, 0 repeats
@xtaran @jgrg @leonerd Sure, it's just a protocol: https://www.rfc-editor.org/rfc/rfc6455.txt
Has bindings in all the usual languages.