SSH Alternatives and Enhancements

SSH Series: Part 8
Posted by Munish Mehta on Tuesday, January 28, 2025
In this one-stop guide, I will explore how tools like mosh (for high-latency resilience), Teleport (zero-trust and ephemeral certificates), and WireGuard-powered VPNs offer alternatives or enhancements to traditional SSH, each bringing unique advantages for more secure, flexible, and high-performance remote access.

This article is part of a series.


Welcome back to the SSH series! So far, I’ve discussed setup, hardening, and advanced SSH capabilities. Now, I’m going to show you several tools and protocols that address the limitations of traditional SSH or offer new ways to secure remote access. From mosh, which thrives in high-latency environments, to Teleport (tsh) for zero-trust access, and a look at VPNs and newer protocols like WireGuard, these are valuable additions to your toolkit if you’re looking to push beyond basic SSH usage.

mosh – How It Differs from SSH, and When to Use It

What Is mosh?

mosh stands for “mobile shell”. It’s a replacement for SSH that focuses on robustness and responsiveness in unreliable or high-latency networks. If you’ve ever worked on a slow or spotty connection—like over a flaky Wi-Fi or a distant cellular hotspot—you know how frustrating SSH lag or dropped sessions can be. mosh was built to solve exactly that problem.

Key Advantages Over SSH

  1. Better Handling of Latency

    • mosh carries its session over UDP rather than TCP, so it copes with high latency and packet loss much more gracefully.
    • It provides predictive local echo: you’ll see your keystrokes immediately, even if the connection lags.
  2. Automatic Roaming

    • If your IP address changes (say, you move from home Wi-Fi to mobile data), mosh re-establishes your session automatically.
    • You won’t have to reconnect and re-authenticate when your network environment changes.
  3. Stateful Sync

    • mosh keeps track of server and client states, preventing many of the “frozen screen” scenarios common with SSH over bad connections.

Installing and Using mosh

  1. Install (client side):

    • Ubuntu/Debian:
      sudo apt-get update
      sudo apt-get install mosh
      
    • macOS (Homebrew):
      brew install mosh
      
    • Windows: Use Mosh for Windows (via WSL) or a third-party client.
  2. Ensure the Server Has mosh:

    • Install mosh on the server as well.
    • mosh typically needs the server to accept inbound UDP on a range of ports (60000-61000 by default).
  3. Launch:

    mosh user@your-server
    
    • If only the default SSH port is open on the server, you will need to allow the mosh UDP port range in its firewall as well; the initial handshake still goes over SSH, and the session then switches to UDP.
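As an added example (not from the original article), the POSIX shell helpers below tie the firewall step and the launch step together: they narrow the UDP range to what you actually need, restrict it to a known client network, and build the matching mosh invocation. The host, CIDR and port values are constructed placeholders; the 60000-61000 window is mosh’s default range, and `-p` / `--ssh` are mosh’s own client options.

```shell
#!/bin/sh
# Added example: pin mosh to a small UDP range, admit it only from a known
# client network, and launch mosh with the same range. Values are placeholders.

# Return 0 if LOW:HIGH is numeric, ordered, and inside mosh's default window.
mosh_validate_range() {
    low="$1"; high="$2"
    [ -n "$low" ] && [ -n "$high" ] || return 1
    case "$low$high" in *[!0-9]*) return 1 ;; esac
    [ "$low" -ge 60000 ] && [ "$high" -le 61000 ] && [ "$low" -le "$high" ]
}

# Emit the ufw rules that admit the SSH bootstrap port (TCP) and the narrowed
# mosh range (UDP) only from the given source CIDR. Nothing is applied here;
# the output is meant to be reviewed, then run on the server.
mosh_firewall_rules() {
    cidr="$1"; low="$2"; high="$3"; ssh_port="${4:-22}"
    mosh_validate_range "$low" "$high" || { echo "bad range $low:$high" >&2; return 1; }
    echo "ufw allow from $cidr to any port $ssh_port proto tcp"
    echo "ufw allow from $cidr to any port $low:$high proto udp"
}

# Build the client command: -p pins the server-side UDP range (so it matches
# the firewall), --ssh passes a non-default SSH port to the bootstrap step.
mosh_cmd() {
    target="$1"; low="$2"; high="$3"; ssh_port="${4:-22}"
    mosh_validate_range "$low" "$high" || return 1
    echo "mosh -p $low:$high --ssh='ssh -p $ssh_port' $target"
}

# Usage (placeholder values): one rule set and one launch line.
mosh_firewall_rules 203.0.113.0/24 60000 60010 2222
mosh_cmd admin@10.44.0.5 60000 60010 2222
```

Each mosh session consumes one UDP port from the range, so size the range to the number of concurrent sessions you expect rather than opening the full thousand ports; restricting the source CIDR matters because the mosh UDP channel has no further address check once a session key is established.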

Best Use Cases

  • Frequent Roaming: If you switch networks often, you’ll love mosh’s auto-reconnect.
  • High Latency: Satellite or distant data center connections benefit from mosh’s resilience.
  • Flaky Connections: Stays responsive even if packets drop occasionally.

Teleport (tsh) and Other Modern Solutions

Introducing Teleport (tsh)

Teleport is an open-source solution by Gravitational that provides secure access to servers, applications, and Kubernetes clusters. It implements certificate-based authentication and a centralized audit log, aligning with the Zero Trust model—where every connection is continuously verified, and minimal trust is given by default.

tsh - Teleport’s CLI Tool

  • User Certificates: Instead of managing static SSH keys, Teleport issues short-lived certificates. This drastically reduces the risk if a key is leaked.
  • Single Sign-On (SSO): Integrate with Okta, GitHub, or your SAML/LDAP provider to unify access credentials.
  • Session Recording: Teleport can record interactive sessions for auditing, including keystrokes.

Why Zero Trust?

  • Traditional SSH relies on static keys or passwords. If an attacker steals a key, they might have indefinite access until you notice and revoke it.
  • A Zero Trust approach ensures continuous verification: every authentication has a limited scope and an expiration. This reduces the blast radius of compromised credentials.

Other Modern Solutions

  • Akita and StrongDM also follow similar zero-trust and centralized access management principles.
  • Bastion-like solutions: Tools that provide an intermediate “gateway” or “jump host” are evolving to include auditing, ephemeral credentials, and advanced logging.

Comparing SSH to VPNs

SSH vs. VPN: What’s the Difference?

  1. Scope:

    • SSH: Primarily for individual remote terminal sessions and secure tunneling on a per-port basis.
    • VPN: Creates a virtual network interface, encrypting all traffic between two or more networks (or hosts).
  2. Use Cases:

    • SSH: Quick access to servers, single-port forwarding, application-level tunneling (HTTP, DB connections).
    • VPN: Secure access to an entire network, letting you act as if physically present on the remote LAN.
  3. Overhead:

    • VPNs can be heavier, introducing more configuration complexity and potential for network conflicts.
    • SSH is simpler to set up, especially if you only need a shell or a few forwarded ports.

When to Use a VPN?

  • You want full network access to multiple services without individually forwarding ports.
  • You need site-to-site connectivity for entire subnets, not just a single machine.
  • You prefer a solution that is user-friendly for non-technical staff (e.g., clicking “Connect” on a VPN client).

Emerging Protocols: WireGuard

WireGuard is a modern VPN protocol known for simplicity, speed, and security. It uses state-of-the-art cryptography and typically outperforms traditional VPNs (like OpenVPN or IPsec). If you want the convenience of a VPN without the usual bloat, WireGuard is a strong choice. You might combine SSH and WireGuard to create a secure “management network” where SSH connections run exclusively over your private WireGuard interface.
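The “management network” idea above, as an added example that is not part of the original article: a minimal server-side wg0.conf, an sshd drop-in that binds sshd to the WireGuard address only, and a check that no ListenAddress points anywhere else. The 10.44.0.0/24 addressing, the key placeholders and the drop-in file name are assumptions; the drop-in directory convention (/etc/ssh/sshd_config.d/) is the Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example: SSH reachable only over a private WireGuard interface.
# Addresses and keys below are constructed placeholders, not real values.

WG_SERVER_ADDR="10.44.0.1"    # assumed: the server's address on wg0
WG_CLIENT_ADDR="10.44.0.2"    # assumed: the admin workstation's address on wg0

# Server-side wg0.conf with a single peer pinned to a /32, so only that tunnel
# address is accepted as a source on the management network.
write_wg_conf() {
    out="$1"
    cat > "$out" <<EOF
[Interface]
Address = ${WG_SERVER_ADDR}/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>

[Peer]
# admin workstation
PublicKey = <client-public-key-placeholder>
AllowedIPs = ${WG_CLIENT_ADDR}/32
EOF
}

# sshd drop-in (e.g. /etc/ssh/sshd_config.d/10-wg.conf): bind to the WireGuard
# address only. With no ListenAddress on 0.0.0.0 or ::, the public interface
# never exposes port 22 at all.
write_sshd_dropin() {
    out="$1"
    cat > "$out" <<EOF
# management access over wg0 only
ListenAddress ${WG_SERVER_ADDR}
PasswordAuthentication no
EOF
}

# Return 0 only if the config has at least one ListenAddress and every one of
# them is the WireGuard address; a wildcard or foreign address fails the check.
sshd_bound_to_wg_only() {
    conf="$1"
    addrs=$(awk '$1 == "ListenAddress" { print $2 }' "$conf")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        [ "$a" = "$WG_SERVER_ADDR" ] || return 1
    done
    return 0
}

# Usage: write both files into a scratch directory and verify the sshd binding.
dir=$(mktemp -d)
write_wg_conf "$dir/wg0.conf"
write_sshd_dropin "$dir/10-wg.conf"
sshd_bound_to_wg_only "$dir/10-wg.conf" && echo "sshd bound to wg0 only"
```

Two caveats when applying this for real: ListenAddress directives accumulate across sshd_config and its drop-ins, so the main file must not keep a wildcard listener, and sshd cannot bind to an address that does not exist yet, so wg0 has to be up before sshd starts (for example with a systemd drop-in ordering ssh.service after wg-quick@wg0.service). Keep an out-of-band console path available in case the tunnel breaks.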

Best Practices and Considerations

  1. Choose the Right Tool for the Job

    • If you only need shell access on a high-latency link, mosh might be your best bet.
    • For ephemeral certificates and fine-grained control, Teleport stands out.
    • If you need broad network-level connectivity, VPN or WireGuard might be the way to go.
  2. Security Over Convenience

    • Tools like Teleport raise the bar with short-lived certificates and thorough auditing.
    • Evaluate potential trade-offs: a VPN might expose more of your network if misconfigured, whereas SSH is narrower in scope.
  3. Performance

    • UDP-based solutions like mosh or WireGuard can yield better performance in unstable networks.
    • Check overhead and latency requirements before you pick a solution.
  4. Audit & Logs

    • Always keep track of who is connecting, from where, and when.
    • Implement logging (syslog, journalctl, or specialized monitoring solutions) for all remote access tools.
  5. Zero Trust

    • The future of secure access often involves short-lived credentials, continuous verification, and centralized policy management. Evaluate if zero-trust platforms like Teleport align with your organization’s goals.
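The “Audit & Logs” item above, worked through as an added example that is not part of the original article: a few sshd log lines of the kind journalctl or syslog produce (constructed here, not captured from a real host) and POSIX awk that answers “who, from where, when”, counts failed attempts per source, and flags successful logins that did not arrive over the management network. The 10.44.0.0/24 management prefix is an assumption, and the prefix match is deliberately crude; a real deployment would match on CIDR.

```shell
#!/bin/sh
# Added example: summarize sshd authentication events. The log lines below are
# constructed for this example; host names, users and addresses are fictional.

SAMPLE_LOG=$(cat <<'EOF'
Jan 28 09:01:12 bastion sshd[2311]: Accepted publickey for alice from 10.44.0.2 port 51022 ssh2: ED25519 SHA256:abc
Jan 28 09:03:40 bastion sshd[2398]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 28 09:03:42 bastion sshd[2398]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 28 09:03:50 bastion sshd[2401]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2
Jan 28 09:05:09 bastion sshd[2410]: Accepted publickey for bob from 10.44.0.3 port 50111 ssh2: ED25519 SHA256:def
Jan 28 09:07:55 bastion sshd[2455]: Accepted publickey for alice from 203.0.113.9 port 61102 ssh2: ED25519 SHA256:abc
Jan 28 09:08:01 bastion sshd[2455]: Disconnected from user alice 203.0.113.9 port 61102
EOF
)

MGMT_PREFIX="10.44.0."   # assumed management network; prefix match only

# Normalize each Accepted/Failed line to: status user source month day time.
# The user is the word before "from" and the source the word after it, which
# also handles the "invalid user NAME" variant that shifts the field positions.
AWK_EXTRACT='
/sshd\[[0-9]+\]: (Accepted|Failed) / {
    for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i+1); user = $(i-1) }
    print ($6 == "Accepted" ? "ok" : "fail"), user, src, $1, $2, $3
}'

# "user source count" for every successful login, sorted for stable output.
accepted_logins() {
    printf '%s\n' "$SAMPLE_LOG" | awk "$AWK_EXTRACT" \
    | awk '$1 == "ok" { n[$2 " " $3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Failed attempts per source address, to spot password spraying quickly.
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" | awk "$AWK_EXTRACT" \
    | awk '$1 == "fail" { n[$3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Successful logins whose source is outside the management prefix: these are
# the ones worth a second look if SSH is supposed to be reachable only via wg0.
logins_outside_mgmt() {
    printf '%s\n' "$SAMPLE_LOG" | awk "$AWK_EXTRACT" \
    | awk -v net="$MGMT_PREFIX" '$1 == "ok" && index($3, net) != 1 { print $2, $3, $4, $5, $6 }'
}

echo "== accepted logins (user source count)"; accepted_logins
echo "== failed attempts by source";            failed_by_source
echo "== accepted logins outside management net"; logins_outside_mgmt
```

Swap the heredoc for `journalctl -u ssh --since today --no-pager` (or `grep sshd /var/log/auth.log`) to run it against a real host; the awk stays the same because it keys on the message text rather than the line prefix.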

Conclusion

I hope I’ve shown you that SSH is not the only game in town. While it remains a powerhouse for secure remote access, mosh delivers smooth performance on shaky connections, Teleport steps up your security with zero-trust principles, and VPNs (especially with modern protocols like WireGuard) can handle broader connectivity needs.

Choosing the right solution depends on context: project requirements, network constraints, security policies, and user preferences. In the next parts of our series, I’ll recap our journey and point you toward further resources for advanced SSH mastery.

Any favorite SSH alternatives or new protocols you’ve tried? Let me know in the comments—I’m always interested in hearing about real-world experiences in secure remote access.

Further Reading

Happy exploring, and I’ll see you in the final instalments of our SSH series!
