532 points tempaccount420 | 6 comments
kelnos ◴[] No.45398425[source]
> Establishing a new session with SSHv2 can take 5 to 7 network round-trip times, which can easily be noticed by the user. SSH3 only needs 3 round-trip times. The keystroke latency in a running session is unchanged.

Bummer. From a user perspective, I don't see the appeal. Connection setup time has never been an annoyance for me.

SSH is battle-tested. This feels risky to trust, even whenever they end up declaring it production-ready.

Levitating ◴[] No.45399743[source]
> Connection setup time has never been an annoyance for me.

It has always bothered me somewhat. I sometimes use ssh to directly execute a command on a remote host.

1. E39M5S62 ◴[] No.45399849[source]
If you're doing repeated connections to the same host to run one-off commands, SSH multiplexing would be helpful for you. SSH in and it'll open up a local Unix domain socket. Point additional client connections to the UDS and they'll just go over the existing connection without requiring round trips or remote authentication. The socket can be configured to keep itself alive for a while and then close after inactivity. Huge huge speed boost over repeated fresh TCP connections.
2. oezi ◴[] No.45401980[source]
Why isn't this the default behavior to use this UDS?

How to enable this?

3. oarsinsync ◴[] No.45402138[source]
> Why isn't this the default behavior to use this UDS?

Because it’s insecure to use on multiuser systems, as it presents opportunistic access to remote systems for root users on your local system: root can read and write into your UDS too.

As a user, you have to explicitly opt into this scenario if you deem it acceptable.

4. ◴[] No.45403769{3}[source]
5. immibis ◴[] No.45411717{3}[source]
I don't think that's the reason. root can theoretically do everything and not much is protected from root. root can su to your account and make a new SSH connection. root can replace the ssh command with one that copies their public key before opening a shell.
6. E39M5S62 ◴[] No.45415661[source]
Look for documentation on the ControlMaster / ControlPath / ControlPersist options for OpenSSH.
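
The ControlMaster / ControlPath / ControlPersist options named above, as an added example that is not part of the original thread: shell helpers that create a private socket directory and print a matching ssh_config stanza. The function names, `~/.ssh/cm` and `build.example.org` are assumptions for illustration.

```shell
# Added example (not from the thread). Paths and host names are placeholders.

# Create a socket directory only the current user can enter.
# Mode 0700 keeps other non-root local users away from the sockets;
# it does not change what root can do, the case debated in the thread.
prepare_socket_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "refusing to use symlink: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
}

# Succeed only if the directory is ours and closed to group and other.
socket_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1
    listing=$(ls -ldn -- "$dir") || return 1
    perms=$(printf '%s\n' "$listing" | awk '{print substr($1, 5, 6)}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] && [ "$perms" = "------" ]
}

# Print an ssh_config stanza enabling multiplexing for one host pattern.
#   ControlMaster auto  reuse a live master socket, else become the master
#   ControlPath         socket location; %C is a hash of the connection parameters
#   ControlPersist      how long an idle master stays open in the background
mux_stanza() {
    host=$1
    dir=$2
    persist=${3:-10m}
    cat <<EOF
Host $host
    ControlMaster auto
    ControlPath $dir/%C
    ControlPersist $persist
EOF
}

# Typical use (left commented out so sourcing this file changes nothing):
#   prepare_socket_dir "$HOME/.ssh/cm" &&
#       mux_stanza "build.example.org" "$HOME/.ssh/cm" >> "$HOME/.ssh/config"
#   ssh -O check build.example.org   # is a master running?
#   ssh -O exit  build.example.org   # close the master and its socket
```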