{"id":31074172,"url":"https://github.com/haukened/quicshell","last_synced_at":"2025-09-16T02:05:23.860Z","repository":{"id":313554518,"uuid":"1051828244","full_name":"haukened/quicshell","owner":"haukened","description":"a next-generation post-quantum secure remote shell protocol over QUIC","archived":false,"fork":false,"pushed_at":"2025-09-13T21:18:14.000Z","size":167,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-14T04:19:47.657Z","etag":null,"topics":["post-quantum","post-quantum-cryptography","quic","quicshell","remote-shell","shell","ssh"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/haukened.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"roadmap.sh","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-06T20:00:42.000Z","updated_at":"2025-09-13T21:18:18.000Z","dependencies_parsed_at":"2025-09-06T22:11:27.008Z","dependency_job_id":"7a0f1256-ff66-47c6-9776-6c05a92442cf","html_url":"https://github.com/haukened/quicshell","commit_stats":null,"previous_names":["haukened/quicshell"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/haukened/quicshell","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haukened%2Fquicshell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haukened%2Fquicshell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haukened%2Fquicshell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haukened%2Fquicshell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/haukened","download_url":"https://codeload.github.com/haukened/quicshell/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haukened%2Fquicshell/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275109782,"owners_count":25407103,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-14T02:00:10.474Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["post-quantum","post-quantum-cryptography","quic","quicshell","remote-shell","shell","ssh"],"created_at":"2025-09-16T02:05:21.497Z","updated_at":"2025-09-16T02:05:23.844Z","avatar_url":"https://github.com/haukened.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![GitHub License](https://img.shields.io/github/license/haukened/quicshell?color=blue)](LICENSE)\n[![Static Badge](https://img.shields.io/badge/TRL-3-red)](https://en.wikipedia.org/wiki/Technology_readiness_level)\n[![Build](https://github.com/haukened/quicshell/actions/workflows/build.yaml/badge.svg)](https://github.com/haukened/quicshell/actions/workflows/build.yaml)\n[![Codacy Quality Badge](https://app.codacy.com/project/badge/Grade/3115454a626a4b7c80cc524a91b964f1)](https://app.codacy.com/gh/haukened/quicshell/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_grade)\n[![Codacy Coverage Badge](https://app.codacy.com/project/badge/Coverage/3115454a626a4b7c80cc524a91b964f1)](https://app.codacy.com/gh/haukened/quicshell/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_coverage)\n![Dynamic TOML Badge](https://img.shields.io/badge/dynamic/toml?url=https%3A%2F%2Fraw.githubusercontent.com%2Fhaukened%2Fquicshell%2Frefs%2Fheads%2Fmain%2FCargo.toml\u0026query=%24.package.edition\u0026logo=rust\u0026label=Edition\u0026color=4bb543)\n![GitHub last commit](https://img.shields.io/github/last-commit/haukened/quicshell)\n\n\n\n# QuicShell (qsh)\n\nqsh is a modern secure remote shell, designed as a clean successor to SSHv2. The project is in the design \u0026 early implementation phase; this README is intentionally minimal and aimed at future users (not contributors).\n\n## Why rethink SSH?\n\nSSHv2 has served for decades, but several structural issues are hard to fix in-place:\n\n1. Algorithm negotiation complexity creates downgrade / configuration risk.\n2. One set of session keys stretches across all channels with infrequent rekeys.\n3. TCP-only transport suffers head‑of‑line blocking and brittle network migration.\n4. Ad‑hoc binary framing and sprawling extensions raise parsing \u0026 audit complexity.\n5. Host key rotation is awkward; users either click through or get locked out.\n6. Privacy signals (capability ordering, message sizing) are inconsistent.\n7. Post‑quantum readiness requires bolt‑on patches instead of a coherent design.\n\n## How qsh addresses this\n\nqsh keeps the familiar user model (keys, TOFU, `qsh user@host`) while changing foundations:\n\n* Fixed, modern hybrid cryptography (post‑quantum + classical) — no cipher negotiation.\n* QUIC‑first transport with seamless TCP fallback for blocked UDP environments.\n* Independent, frequently refreshed per‑channel (per direction) keys to narrow exposure windows.\n* Deterministic, compact CBOR control messages for easier auditing and fuzzing.\n* Explicit, signed host key rotation (“TOFU‑plus”) instead of silent trust shifts.\n* Built‑in privacy measures (adaptive padding, canonical capability ordering).\n* Versioned evolution (new ALPN for future modes) instead of in‑band option sprawl.\n\n## Comparison\n\n| Aspect | SSHv2 (today) | qsh v1 |\n|--------|---------------|--------|\n| **Crypto** | RSA / Ed25519 / Curve25519 (classical only) | **Hybrid post-quantum by default** (X25519 + ML-KEM-768, Ed25519 + ML-DSA-44) |\n| **Key lifecycle** | One session key for all channels, rekey ~1GB/hour | **Per-channel, per-direction keys**; automatic rekey ≤1 MiB or 30 s (whichever first) |\n| **Handshake** | Multi-roundtrip `KEXINIT`, cipher negotiation, downgrade risks | **Single 1-RTT handshake**, fixed suite (no negotiation) |\n| **Transport** | TCP only → head-of-line blocking, fragile across NAT/Wi-Fi hops | **QUIC/UDP preferred** (multiplexing, migration, congestion control), **TCP fallback** |\n| **Wire format** | Custom ad-hoc binary blobs, extension hell | **Deterministic CBOR maps**, simple, fuzzable, extensible |\n| **Host trust** | TOFU `known_hosts`, awkward rotation | **TOFU-plus** (pinned hybrid keys, explicit signed rotations) |\n| **Audit posture** | Optional session logging, weak tamper evidence | Planned option: **per-channel MAC chaining** (tamper-evident logs) |\n| **Legacy behavior** | SSH to non-SSH service = confusing hangs | **Preface “QSH1” → fast fail** (“protocol mismatch”), predictable |\n\n**Bottom line:**  \n- For the user: looks and feels like SSH.  \n- For the implementer/admin: a simpler spec, smaller attack surface, future-proof crypto, and better transport resilience.\n\n## Current status\n\nPlanning \u0026 specification work are active. The reference implementation is **not yet ready for production use**. Interfaces and on‑disk formats may still change.\n\nIf you need a stable tool today: keep using SSH. Monitor this project if you care about a QUIC‑native, post‑quantum‑ready successor with a smaller, stricter spec.\n\n## When might you switch later?\n\n* You want lower latency interactive shells over variable networks.\n* You need forward secrecy windows measured in seconds/megabytes, not hours/gigabytes.\n* You operate in environments planning for post‑quantum migration.\n* You prefer fixed suites (no negotiation spreadsheets) and simpler compliance narratives.\n\n## Where are the details?\n\nDeep technical definitions (message formats, key schedule, limits, staging) live in [`spec.md`](./docs/spec.md) and [`roadmap.md`](./docs/roadmap.md). This README intentionally defers those so it stays approachable.\n\n## License\n\nMIT — see `LICENSE`.\n\n## Author\n\nCreated by @haukened (David Haukeness).\n\nProject home: https://github.com/haukened/quicshell\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhaukened%2Fquicshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhaukened%2Fquicshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhaukened%2Fquicshell/lists"}