SSH3, a secure version of SSH that uses HTTP3

SSH3: Faster, richer secure shell using HTTP/3

The first experimental release of a server and client for the SSH3 protocol was recently announced. SSH3 is designed as a complement to HTTP/3: it runs over QUIC (which is UDP-based) with TLS 1.3, and it reuses HTTP mechanisms both to authenticate users and to establish a secure communication channel.

SSH3 relies on HTTP-based authorization mechanisms, which allow new authentication methods alongside classic password and key-pair authentication: access to a remote server can be configured through an organization's identity provider, or with a Google or GitHub account. Because it is built on HTTP/3 and QUIC, SSH3 offers UDP port forwarding in addition to normal TCP forwarding, as well as faster and more secure session establishment.

About SSH3

The project's developers explain that SSH3 grew out of a complete review of the SSH protocol, carried out by an independent group of researchers separate from the teams behind OpenSSH and other implementations of classic SSH. In SSH3, the semantics of the classic SSH protocol are implemented on top of HTTP mechanisms. This not only enables additional capabilities but also lets SSH activity blend in with other HTTP/3 traffic. Among other things, SSH3 provides the following improvements that SSH2 could not offer, along with many popular OpenSSH features:

  • Significantly faster session establishment
  • New HTTP authentication methods, such as OAuth 2.0 and OpenID Connect, in addition to classic SSH authentication.
  • Parsing of ~/.ssh/authorized_keys on the server.
  • Parsing of ~/.ssh/config on the client, handling the Hostname, User, Port and IdentityFile config options (the other options are currently ignored).
  • Certificate-based server authentication.
  • Robustness against port scanning attacks: your SSH3 server can become invisible to other Internet users.
  • UDP port forwarding: you can now access your QUIC, DNS, RTP or any other UDP-based server that is reachable only from your SSH3 host.
  • X.509 certificates: you can now use your classic HTTPS certificates to authenticate your SSH3 server. This mechanism is more secure than the classic SSHv2 host key mechanism.
  • Ability to hide the server behind a secret link.
  • All features enabled by the modern QUIC protocol, including connection migration and multipath connections.
  • Automatic use of ssh-agent public key authentication.
  • SSH agent forwarding, to use your local keys on your remote server.
  • Secure keyless user authentication using OpenID Connect.
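The client-side ~/.ssh/config handling listed above (Hostname, User, Port and IdentityFile honoured, everything else ignored) can be illustrated with a small resolver. This is an added example written for this article, not the SSH3 project's own parser; the config text is constructed, and the first-match-wins rule is assumed to follow the usual ssh_config semantics.

```go
package main

import (
	"path/filepath"
	"strings"
)

// sampleConfig is a constructed ~/.ssh/config, not taken from the project.
const sampleConfig = `
Host bastion
    HostName bastion.example.internal
    Port 4443
    IdentityFile ~/.ssh/id_ed25519
    ProxyJump jump.example
Host *
    User fallback
    Port 443
`

// handled lists the only options the text says the SSH3 client honours.
var handled = map[string]bool{"hostname": true, "user": true, "port": true, "identityfile": true}
// resolveHost applies ssh_config's first-match-wins rule for alias: the first
// value seen for an option in any matching Host block wins, later ones are
// ignored, and options outside handled are dropped. Keys are lower-case.
func resolveHost(config, alias string) map[string]string {
	vals := map[string]string{}
	inMatch := false
	for _, line := range strings.Split(config, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		key := strings.ToLower(f[0])
		if key == "host" {
			inMatch = false
			for _, pat := range f[1:] {
				if ok, _ := filepath.Match(pat, alias); ok {
					inMatch = true
				}
			}
		} else if inMatch && handled[key] && vals[key] == "" {
			vals[key] = f[1]
		}
	}
	if vals["hostname"] == "" {
		vals["hostname"] = alias // no HostName: connect to the alias itself
	}
	return vals
}
```

For alias bastion the result keeps Port 4443 from the specific block rather than 443 from Host *, and the unhandled ProxyJump line never appears in the output.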

SSH3 encrypts the communication channel with TLS 1.3. For user authentication, the traditional methods based on passwords and public keys (RSA and EdDSA/Ed25519) can be used, and SSH3 additionally offers methods based on OAuth 2.0 that delegate authentication to external providers.

Another of SSH3's strengths is significantly faster session establishment than SSH2. Establishing a new session with SSH2 can take 5 to 7 network round trips, a delay the user can easily notice, whereas SSH3 needs only 3.

If you want to learn more, note that the client and server are written in Go and distributed under the Apache 2.0 license; the details can be found at the following link.

It is also worth noting that SSH3 is still experimental: its use is not recommended in production or critical environments, and installing it is only advisable to learn about its features or to test it.

Download and install SSH3

If you are interested in setting up an SSH3 server for testing, you can do so by compiling the source code with Go, following the instructions below.

git clone https://github.com/francoismichel/ssh3
cd ssh3
go build -o ssh3 cmd/ssh3/main.go
CGO_ENABLED=1 go build -o ssh3-server cmd/ssh3-server/main.go

Once this is done, add the directory containing the binaries to your PATH in .bashrc:

export PATH=$PATH:/path/to/the/ssh3/directory

As for running the server: since SSH3 runs over HTTP/3, a certificate is required. For testing, a self-signed one can be generated with the script:

sh ./generate_openssl_selfsigned_certificate.sh

Finally, I invite you to consult the documentation on the use and setup of additional features at the following link.
