Sidharth Shambu

Using Google OAuth to ssh into my server

TL;DR

I put an experimental SSH3 server on a separate hostname, kept my normal SSH v2 behind Cloudflare Tunnel, and logged in with Google using OpenID Connect. SSH3 runs over HTTP/3 on UDP 443, supports a secret URL path, and can mint certs with Let’s Encrypt. If your traffic goes through Cloudflare, use a DNS-only record or Spectrum for UDP.


Why I tried this

SSH3 maps the good parts of SSH onto HTTP/3 with QUIC and TLS 1.3. It has faster session setup and modern auth like OAuth 2.0 and OpenID Connect. Sounds fun for a weekend hack, so I tried it on a throwaway hostname and a spare Dell OptiPlex loaded up with Proxmox and an Ubuntu 24.04 VM.

My Dell OptiPlex 7050, running Proxmox with two Ubuntu 24.04 VMs

My setup notes

Gotchas I hit

How to set up OAuth with SSH3

Installation

You can build with Go or grab release binaries:

go install github.com/francoismichel/ssh3/cmd/...@latest
# or clone + build
git clone https://github.com/francoismichel/ssh3
cd ssh3
go build -o ssh3 cmd/ssh3/main.go
CGO_ENABLED=1 go build -o ssh3-server cmd/ssh3-server/main.go

The README documents both paths and the flags shown above.

Install on both the client and the server.

Server setup

On the server, with a secret path and public cert:

ssh3-server \
  -bind 0.0.0.0:443 \
  -generate-public-cert h3.shambu.party \
  -url-path /ssh3-my-super-long-random-secret

Create ~/.ssh3/authorized_identities:

oidc <your_client_id> https://accounts.google.com <your_email@gmail.com>

Now from the client, with Google OpenID Connect:

ssh3 -use-oidc https://accounts.google.com \
     -oidc-config ~/.ssh3/oidc_config.json \
     shambu@h3.shambu.party/ssh3-my-super-long-random-secret

Quick SSH2 vs SSH3 numbers

What to expect: SSH3 is designed to cut round trips during session setup, so new sessions should start faster. Throughput during long transfers is not the goal yet and may be lower than OpenSSH right now. The project itself calls out “faster for session establishment, not throughput,” estimating SSHv2 takes about 5 to 7 RTTs vs about 3 RTTs for SSH3. The paper also measured port-forward throughput and found OpenSSH higher for TCP, while SSH3 uniquely supports UDP forwarding.

1) Measure connection setup time

I used hyperfine to time a trivially short command on each client. This captures DNS plus TCP or QUIC handshakes plus auth.

# install hyperfine
brew install hyperfine # macOS
# or: sudo apt-get install hyperfine  # Debian/Ubuntu

hyperfine -w 5 -r 50 \
 'ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new you@h2.shambu.party "true"'

hyperfine -w 5 -r 50 \
 'ssh3 -privkey <path_to_private_key> you@h3.shambu.party/ssh3-my-super-long-random-secret "true"'

Tip:

Why this matters: SSH3 rides HTTP/3 over QUIC with TLS 1.3, which can complete the TLS handshake in 1-RTT and piggyback the CONNECT that starts your session. That reduces the startup round trips compared to TCP plus SSHv2’s transport and user-auth dance.

My testing

Command Mean [ms] Min [ms] Max [ms] Relative
ssh -o BatchMode=yes -o StrictHostKeyChecking=accept-new you@h2.shambu.party "true" 312.0 ± 24.5 248.0 392.4 4.07 ± 0.87
ssh3 -privkey <path_to_private_key> you@h3.shambu.party/ssh3-my-super-long-random-secret "true" 76.7 ± 15.2 53.9 141.4 1.00

Session establishment is 4.07 ± 0.87 times faster.

Takeaways

What you gain with SSH3: It keeps the familiar SSH connection model, but runs over HTTP/3 on QUIC, which cuts the number of round trips during session setup and makes logins feel snappier. You can authenticate with OAuth 2.0 or OpenID Connect, use normal X.509 certs for the server, and even stick the service behind a secret URL path that looks like a 404 to random scans. On top of TCP forwarding, you also get UDP forwarding, plus QUIC perks like connection migration and upcoming multipath, which opens doors for tunneling DNS or other UDP apps. It is still experimental, so keep it on a side host and do not replace your main SSH just yet. This was a nice little experiment.


References

#cloudflare #http3 #oauth #ssh