Towards SSH3: how HTTP/3 improves secure shells
François Michel, Olivier Bonaventure

TL;DR
This paper introduces SSH3, an enhanced secure shell protocol leveraging HTTP/3 and QUIC to improve authentication, performance, and security features, enabling new authentication methods and faster session setup.
Contribution
The paper presents SSH3, a novel protocol that integrates HTTP/3 and QUIC to extend SSH's capabilities with new authentication options and improved performance.
Findings
SSH3 supports HTTP-based authentication methods like Google and GitHub accounts.
SSH3 achieves faster session establishment compared to SSHv2.
Performance evaluation shows SSH3's efficiency over quic-go.
Abstract
The SSH protocol was designed in the late nineties to cope with the security problems of the telnet family of protocols. It brought authentication and confidentiality to remote access protocols and is now widely used. Almost 30 years after the initial design, we revisit SSH in the light of recent protocols including QUIC, TLS 1.3 and HTTP/3. We propose, implement and evaluate SSH3, a protocol that provides an enhanced feature set without compromise compared to SSHv2. SSH3 leverages HTTP-based authorization mechanisms to enable new authentication methods in addition to the classical password-based and private/public key pair authentications. SSH3 users can now configure their remote server to be accessed through the identity provider of their organization or using their Google or GitHub account. Relying on HTTP/3 and the QUIC protocol, SSH3 offers UDP port forwarding in addition to…
Taxonomy
Topics: IPv6, Mobility, Handover, Networks, Security · Mobile Agent-Based Network Management · Advanced Authentication Protocols Security
