# SSH3: Faster and Feature-Rich Secure Shell Using HTTP/3

---

## Overview

SSH3 is a new version of the SSH protocol built on top of HTTP/3 and QUIC, aiming to improve speed and security by leveraging modern internet protocols. It is currently experimental and presented as an Internet-Draft for community feedback.

---

## Key Features and Improvements

### Faster Session Establishment

SSH3 reduces session establishment time to 3 network round-trips (compared to 5-7 for SSHv2), improving user experience without affecting throughput or latency during an active session.

### Modern Authentication Options

Supports classical password and public-key authentication (RSA, EdDSA/ed25519), plus OAuth 2.0 and OpenID Connect, enabling login via Google, Microsoft, GitHub accounts, or company SSO systems.

### Robust Security

Uses TLS 1.3 and QUIC for secure channels, relying on established, audited protocols widely used for sensitive applications like e-commerce.

### Invisibility Against Scanning Attacks

Servers can be hidden behind secret URL paths to avoid detection from port scanning and dictionary attacks (similar to secret sharing of Google Drive links).

### UDP Port Forwarding

SSH3 supports forwarding of UDP packets via QUIC datagrams, enabling access to UDP-based services such as QUIC, DNS, and RTP through the SSH3 tunnel.

### Connection Migration and Multipath

Benefits from modern QUIC features including connection migration and multipath support (soon available).

### X.509 Certificate Integration

Allows the use of HTTPS certificates (e.g., from Let's Encrypt) for server authentication, enhancing security over traditional SSH host keys.

### Proxy Jump Support

Enables multi-hop connections via gateways running SSH3 without decrypting or altering the traffic.

## Compatibility with OpenSSH Features

Implements support for:

- Parsing `~/.ssh/authorized_keys` and `~/.ssh3/authorized_identities`
- Certificate-based server authentication
- `known_hosts` mechanism when not using certificates
- Integration with `ssh-agent`
- Agent forwarding
- TCP port forwarding (reverse port forwarding planned)
- Parsing of `~/.ssh/config` options (`Hostname`, `User`, `Port`, `IdentityFile`) and new SSH3-specific options (`URLPath`, `UDPProxyJump`)

---

## Experimental Status and Security Notice

SSH3 is a research proof-of-concept and not yet recommended for production use. Its security requires extensive expert cryptographic review and formal adoption. Users are advised to deploy SSH3 in sandboxed or private network environments. Hiding the server behind a secret URL reduces the attack surface but does not replace strong authentication. Collaboration and feedback from security researchers and standards bodies are welcomed.

---

## Getting Started

### Installation

Download release binaries.

Or install using Go:

Or compile from source (requires Golang and gcc):

### Running SSH3 Server

The `ssh3-server` executable serves as the server. It requires an X.509 certificate and private key (these can be auto-generated using Let's Encrypt or self-signed).

Example to start the server with a Let's Encrypt certificate on port 443:

The server must run with root privileges to log in as other users. Use the `-url-path` option to specify a secret path; only requests to this path are processed, improving stealth.

### Authorized Keys and Identities

The server looks for identity files:
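The `~/.ssh/config` handling listed above (`Hostname`, `User`, `Port`, `IdentityFile` plus the SSH3-specific `URLPath` and `UDPProxyJump`), as an added Go example that is not code from the SSH3 project: it resolves a host alias against a constructed config fragment and builds the HTTPS URL the client would contact. The first-value-wins rule, the port 443 default and the `https://host:port/path` layout are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ResolveHost returns the options applying to alias in ssh_config-style text, keyed in
// lower case (hostname, user, port, identityfile, plus SSH3's urlpath and udpproxyjump).
// As in OpenSSH the first value seen wins, so a trailing "Host *" only supplies defaults.
func ResolveHost(config, alias string) map[string]string {
	cfg, active := map[string]string{}, false
	for _, raw := range strings.Split(config, "\n") {
		fields := strings.Fields(raw)
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") {
			continue // blank, comment or malformed line
		}
		key := strings.ToLower(fields[0])
		if key == "host" { // a new block: it applies if any pattern matches the alias
			active = false
			for _, pat := range fields[1:] {
				active = active || pat == "*" || pat == alias
			}
		} else if _, seen := cfg[key]; active && !seen {
			cfg[key] = strings.Join(fields[1:], " ")
		}
	}
	return cfg
}
// TargetURL builds the HTTPS URL the client would contact for alias; the defaults
// (hostname = alias, port 443, empty path) are assumptions made for this example.
func TargetURL(config, alias string) string {
	cfg := ResolveHost(config, alias)
	host, port := cfg["hostname"], cfg["port"]
	if host == "" {
		host = alias
	}
	if port == "" {
		port = "443"
	}
	return fmt.Sprintf("https://%s:%s/%s", host, port, strings.TrimPrefix(cfg["urlpath"], "/"))
}
// sampleConfig is a constructed ~/.ssh/config fragment; the URLPath value is a placeholder.
const sampleConfig = `Host bastion
    Hostname bastion.example.com
    URLPath /secret-path-placeholder
    UDPProxyJump gateway
Host *
    Port 8443`
func main() { fmt.Println(TargetURL(sampleConfig, "bastion")) }
```

Because the secret path is part of the URL, keep such a config file readable only by its owner; it carries the same sensitivity as the identity files it names.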