Domestic users often become very frustrated by latency when managing international servers via SSH. Although you can wrap SSH’s TCP traffic in any other protocol using ProxyCommand /bin/nc -X 5 -x 127.0.0.1:port %h %p, pure QUIC/UDP access to remote server terminals may have its advantages.
Mosh uses UDP, but relies on OpenSSH for the initial session authentication.
The SSH3 presented in this article is completely independent of the OpenSSH server and client, and it is very convenient to use. (Whether it actually improves remote terminal responsiveness remains to be seen.) The operation is risky; please read the project README in full before using it.
Installation
go install github.com/francoismichel/ssh3/cmd/...@latest
Server
On first run, generate a cert/key pair (replace /XXXXXXXXXXXXX with a secret URL path of your own choosing):
ssh3-server -generate-selfsigned-cert -url-path /XXXXXXXXXXXXX -bind 0.0.0.0:<port>
Alternatively, if you have a domain like example.com pointing to this machine, you can also automatically obtain a Let’s Encrypt certificate:
ssh3-server -generate-public-cert example.com -url-path /XXXXXXXXXXXXX -bind 0.0.0.0:<port>
It will generate cert.pem and priv.key in the current directory. Record the certificate fingerprint so you can compare it with the value the client displays when it first connects:
openssl x509 -outform DER -in cert.pem | openssl dgst -sha256 -binary | openssl base64
After that, simply run:
ssh3-server -url-path /XXXXXXXXXXXXX -bind 0.0.0.0:<port>
Client
ssh3 -privkey ~/.ssh/<SSH key> root@<ip>:<port>/XXXXXXXXXXXXX
Note that the SSH key here is the private key whose public key is listed in the server's ~/.ssh/authorized_keys (not the cert/key pair generated by the server earlier).
It will prompt you to verify that the certificate fingerprint matches the one recorded on the server; if it does, the host is saved to ~/.ssh3/known_hosts and you will not be asked to confirm again on later connections.
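The fingerprint the server step prints and the fingerprint the client asks you to confirm are the same value: the SHA-256 of the certificate's DER encoding, base64-encoded. The following Python script is an added example, not part of the article or of the SSH3 project, showing that computation and a trust-on-first-use check of the kind the client performs. The PEM input is a constructed 5-byte DER value, not a real certificate (a fingerprint only needs the DER bytes), and the in-memory dict standing in for ~/.ssh3/known_hosts is an assumption about the flow, not SSH3's actual file format.

```python
import base64
import hashlib

# Constructed sample: a PEM wrapper around the DER bytes 30 03 02 01 05.
# It is not a real certificate; the fingerprint pipeline only needs DER bytes.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Strip the PEM armour and base64-decode the body.
    This mirrors `openssl x509 -outform DER -in cert.pem` from the article."""
    body_lines = []
    inside = False
    for line in pem_text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            inside = True
            continue
        if line.startswith("-----END "):
            break
        if inside and line:
            body_lines.append(line)
    if not body_lines:
        raise ValueError("no PEM body found")
    return base64.b64decode("".join(body_lines), validate=True)


def certificate_fingerprint(pem_text):
    """SHA-256 over the DER encoding, base64-encoded: the same value that
    `openssl dgst -sha256 -binary | openssl base64` prints for cert.pem."""
    digest = hashlib.sha256(pem_to_der(pem_text)).digest()
    return base64.b64encode(digest).decode("ascii")


def fingerprint_matches(pem_text, pinned_fingerprint):
    """Compare the presented certificate with a fingerprint copied from the
    server. Whitespace and newlines from `openssl base64` output are ignored."""
    presented = certificate_fingerprint(pem_text)
    expected = "".join(pinned_fingerprint.split())
    return presented == expected


def check_host(store, host, pem_text):
    """Trust-on-first-use: record the fingerprint on first contact, then require
    every later connection to present the same one. `store` is a plain dict
    standing in for ~/.ssh3/known_hosts (assumed model, not SSH3's file format).
    Returns "pinned", "ok" or "mismatch"; a real client must refuse on mismatch."""
    presented = certificate_fingerprint(pem_text)
    pinned = store.get(host)
    if pinned is None:
        store[host] = presented
        return "pinned"
    return "ok" if pinned == presented else "mismatch"


if __name__ == "__main__":
    fp = certificate_fingerprint(SAMPLE_PEM)
    print("fingerprint:", fp)
    known_hosts = {}
    print("first connection:", check_host(known_hosts, "203.0.113.10:4443", SAMPLE_PEM))
    print("second connection:", check_host(known_hosts, "203.0.113.10:4443", SAMPLE_PEM))
```

On a real host, run the article's openssl pipeline on cert.pem and pass its output as pinned_fingerprint; the two values agree because both hash exactly the DER bytes between the PEM markers. The mismatch branch is the one to watch: a changed fingerprint after the host was pinned means either the server regenerated its self-signed certificate or something else is answering on that port, and the connection should not proceed until that is resolved.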