SSH or Secure Shell is a cryptographic network protocol that enables secure communication and remote access over an unsecured network.
This network protocol is widely used for secure command-line login, file transfers, and tunneling of other protocols.
It provides a secure way to access and manage devices, servers, and systems by encrypting data during transmission and verifying the identity of the connecting parties.
A new version of SSH has been launched recently, SSH3, which has been revamped with HTTP using QUIC+TLS1.3 for security and HTTP Authorization for user authentication.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
SSH3 New Improvements
The new version brings a multitude of new enhancements, and here below, we have mentioned all the enhancements:-
- Significantly faster session establishment.
- New HTTP authentication methods, such as OAuth 2.0 and OpenID Connect, are in addition to classical SSH authentication.
- Robustness to port scanning attacks: your SSH3 server can be made invisible to other Internet users.
- UDP port forwarding, in addition to classical TCP port forwarding.
- All the features allowed by the modern QUIC protocol, including connection migration (soon) and multipath connections.
SSH3 – Faster & Rich Secure Shell
SSH3 leverages TLS 1.3, QUIC, and HTTP for secure channels by adopting proven internet security methods from e-commerce and banking.
It supports standard and new authentication methods like OAuth 2.0, enabling login with accounts from Google, Microsoft, and Github.
SSH3 in early proof-of-concept needs extensive cryptographic review before production approval. Open-source for community feedback, not recommended for production without peer review.
Testing it in sandboxes/private networks is recommended due to potential risks. SSH3 offers security against scanning and dictionary attacks by hiding behind a secret link that enhances the protection against unauthorized access.
OpenSSH features implemented
Here below, we have mentioned all the OpenSSH features implemented:-
- Parses ~/.ssh/authorized_keys on the server
- Certificate-based server authentication
- known_hosts mechanism when X.509 certificates are not used.
- Automatically using the ssh-agent for public key authentication
- SSH agent forwarding to use your local keys on your remote server
- Direct TCP port forwarding (reverse port forwarding will be implemented in the future)
- Proxy jump (see the -proxy-jump parameter). If A is an SSH3 client and B and C are both SSH3 servers, you can connect from A to C using B as a gateway/proxy. The proxy uses UDP forwarding to forward the QUIC packets from A to C, so B cannot decrypt the traffic A<->C SSH3 traffic.
- Parses ~/.ssh/config on the client and handles the Hostname, User, Port, and IdentityFile config options (the other options are currently ignored). Also parses a new UDPProxyJump that behaves similarly to OpenSSH’s ProxyJump.
Developers seek collaboration for the responsible progression of SSH3 by inviting security experts for code review and feedback. Encouraged to engage with standards bodies for formal IETF/IRTF processes.
With collective effort, they aim to enhance SSH3 for safe production but acknowledge the need for thorough cryptographic review and recognition by security authorities for reasonable security claims.
Try Kelltron’s cost-effective penetration testing services to evaluate digital systems security. Free demo available.