Mosh (short for "mobile shell") is gaining attention as a reliable alternative to traditional bastion hosts for secure remote server access. While bastion hosts have long been the default choice for accessing servers behind firewalls, many developers and DevOps teams are exploring alternatives to address latency issues, connection drops, and other challenges common with old-school SSH-based setups. Here's how Mosh stacks up as an alternative and why you might want to consider it for your infrastructure.
Why Replace a Bastion Host?
Bastion hosts act as a gateway for accessing private network resources. They improve security by forcing users to connect to centralized access points. However, they have limitations:
- High Latency: For users working from remote locations or high-latency networks, the response speed can degrade significantly.
- Connection Interruptions: Bastion hosts maintain the session state via SSH, which means interruptions—a common issue on unstable networks—can lead to frequent re-authentication.
- Complex Management: Scaling bastion hosts, monitoring logs, and aligning them with zero trust principles require constant effort and resources.
These pain points have encouraged teams to look for modern and more resilient solutions like Mosh.
What is Mosh?
Mosh is an open-source tool designed for remote access. It operates over the SSH protocol but builds upon it to provide a more stable and resource-efficient user experience. Unlike standard SSH connections, Mosh handles intermittent disruptions gracefully and delivers near real-time responsiveness even on less reliable networks.
How Mosh Solves Key Bastion Host Challenges
- Resilient Sessions
Mosh uses a connectionless UDP protocol, which makes it immune to network interruptions. If you lose your internet connection or switch networks, Mosh keeps your session running in the background. Contrast this with SSH sessions that get terminated abruptly when connections drop, requiring you to reconnect and re-enter credentials.
- Low-Latency Input
For teams experiencing lag when typing commands via a bastion host, Mosh offers a better experience. Mosh works by predicting user input locally, which provides a smoother interface even when there's network lag.
- Easier Configuration
Setting up and using Mosh is more lightweight compared to provisioning, maintaining, and securing bastion servers. With Mosh, there's no need for an extensive configuration process to enable session stability across different machines.
- End-to-End Encryption
Like SSH, Mosh provides strong encryption to keep sessions secure. While bastion hosts require more robust traffic monitoring and auditing policies, Mosh ensures encrypted communication without the need for additional complex tools.
- Host-Independence
Traditional bastion hosts tie you to specific infrastructure. Mosh simplifies developer workflows by allowing direct remote access without relying on a middle layer of infrastructure.
Challenges to Consider Before Adopting Mosh
While Mosh has advantages, there are a few caveats to keep in mind:
- UDP Requirements: Mosh relies on the UDP protocol, which may require additional configuration on firewalls that primarily allow TCP traffic.
- Limited Port Forwarding: If you're currently using features like SSH port forwarding with your bastion host, Mosh might not fit your use case without additional tools.
- Server Compatibility: Mosh requires both client and server installations, which may require you to touch production servers during migration.
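For the UDP Requirements caveat above, the sketch below is an added example, not part of the original article or of Mosh itself: it prints, without applying, iptables rules that admit a narrowed Mosh UDP range from a single trusted network, plus the client command pinned to that range. It assumes Mosh's default server range of UDP 60000-61000 and IPv4; the source network and host name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article). Prints, but does not apply,
# iptables rules for a narrowed Mosh UDP range from one trusted network.
# Assumption: Mosh's default server port range, UDP 60000-61000.

# mosh_port_range FIRST COUNT -> "FIRST:LAST"; one UDP port per session.
mosh_port_range() {
    for v in "$1" "$2"; do
        case "$v" in
            ''|0*|*[!0-9]*|??????*) echo "bad number: $v" >&2; return 1 ;;
        esac
    done
    last=$(( $1 + $2 - 1 ))
    if [ "$1" -lt 1024 ] || [ "$last" -gt 65535 ]; then
        echo "range $1:$last outside 1024-65535" >&2; return 1
    fi
    echo "$1:$last"
}

# mosh_fw_rules SRC_CIDR FIRST COUNT -> rule lines for review
mosh_fw_rules() {
    case "$1" in
        ''|*[!0-9./]*) echo "bad source CIDR: $1" >&2; return 1 ;;
    esac
    range=$(mosh_port_range "$2" "$3") || return 1
    # TCP 22 stays open: Mosh logs in over SSH to start mosh-server.
    echo "iptables -A INPUT -p tcp -s $1 --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -p udp -s $1 --dport $range -j ACCEPT"
    # Everything else aimed at the default Mosh range is dropped.
    echo "iptables -A INPUT -p udp --dport 60000:61000 -j DROP"
}

# mosh_client_cmd TARGET FIRST COUNT -> client command pinned to the range
mosh_client_cmd() {
    range=$(mosh_port_range "$2" "$3") || return 1
    echo "mosh -p $range $1"
}

# Constructed sample values: documentation network and a hypothetical host.
mosh_fw_rules 203.0.113.0/24 60000 5
mosh_client_cmd ops@app01.example.internal 60000 5
```

Sizing the range to the expected number of concurrent sessions keeps the exposed UDP surface small; sessions beyond that count will fail to start rather than open new ports.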
A Modern Alternative to Both: Secure Workflows Without Hassle
In scenarios where even Mosh or bastion hosts feel cumbersome, a modern solution like Hoop offers a fresh perspective. Hoop streamlines secure network access with zero hassle, eliminating the constant maintenance you'd face with traditional bastion setups or manual installs like Mosh. Hoop ensures access policies, auditability, and performance stay top-notch, all while being ridiculously easy to deploy.
Skip the guesswork. See how your team can experience seamless secure access with Hoop in just a few minutes.