qssh

Crates.ioqssh
lib.rsqssh
version0.0.2-alpha
created_at2025-09-25 16:12:21.944266+00
updated_at2025-09-26 01:54:54.654075+00
descriptionExperimental quantum-safe SSH using post-quantum crypto. Research project - NOT for production. See LIMITATIONS.md
homepage
repositoryhttps://github.com/QuantumVerseProtocols/qssh
max_upload_size
id1854812
size1,955,406
Silvereau (sylvaincormier)

documentation

README

QSSH - Quantum Secure Shell

License: MIT License: Apache Rust

Quantum-resistant SSH replacement using post-quantum cryptography. Your encrypted connections remain secure even against quantum computers.

Why QSSH?

The Timeline Problem: IBM's quantum roadmap shows 100,000+ qubit systems by 2033. China claims quantum supremacy breakthroughs yearly. Meanwhile, your SSH traffic is being harvested today for retroactive decryption when RSA/ECDSA fall.

Who Needs This Now:

  • Financial institutions with 10+ year data retention requirements
  • Healthcare systems bound by HIPAA's 6-year minimum
  • Government contractors already under NIST mandate for PQC migration
  • Blockchain validators protecting long-lived keys
  • Anyone SSH'ing to critical infrastructure

For Everyone Else: You're probably fine with OpenSSH for now. But if you're curious about post-quantum crypto or want to experiment with QKD hardware, QSSH is here as an open-source playground. We're not claiming to replace OpenSSH - we're offering an alternative for specific threat models.

OSI Layer Positioning

QSSH operates across multiple OSI layers, just like SSH:

  • Layer 7 (Application): Shell access, file transfer (SFTP), Git, tunneled applications
  • Layer 6 (Presentation): Terminal emulation, X11 forwarding, encoding
  • Layer 5 (Session): Connection management, channels, multiplexing
  • Layer 4 (Transport): Uses TCP port 42 (configurable)

QSSH is a session-layer protocol that provides secure remote access and can tunnel any application protocol - from X11 and databases to blockchain RPC - all with post-quantum security.

Quick Start

# Install
cargo install qssh

# Generate quantum-safe keys
qssh-keygen

# Connect (just like SSH)
qssh user@server

That's it! You're now quantum-safe with zero configuration.

Table of Contents

OpenSSH Feature Status

Current: v0.0.1-alpha - Early Experimental Implementation

✅ Implemented (Phase 1 - Core)

  • Basic SSH connection and authentication
  • Interactive shell sessions with PTY support
  • Command execution (qssh user@host -c "command")
  • Post-quantum key exchange (Falcon-512, SPHINCS+, Kyber)
  • SFTP subsystem (file transfer protocol)
  • Port forwarding (-L local, -R remote, -D dynamic/SOCKS)
  • Config file parsing (~/.qssh/config compatible with SSH format)
  • Public key authentication
  • Key generation (qssh-keygen)

✅ Implemented (Phase 2 - Extended)

  • Password authentication (with qssh-passwd utility)
  • SSH agent support (qssh-agent and qssh-add utilities)
  • X11 forwarding (-X for untrusted, -Y for trusted)

✅ Implemented (Phase 2 - Extended Continued)

  • Connection multiplexing (ControlMaster/ControlPath support)
  • ProxyJump support (multi-hop connections through jump hosts)

✅ Implemented (Phase 3 - Security)

  • Known hosts management (host key verification with TOFU)

✅ Implemented (Phase 3 - Advanced)

  • Compression (zlib, zstd, lz4 with adaptive compression)
  • Session resumption (fast reconnection for mobile networks)

⏳ Not Yet Implemented

  • Certificate-based authentication (Planned for v2.0)
  • GSSAPI/Kerberos authentication (Returns 'not implemented' errors)
  • SSH Agent Forwarding (Security review needed)

Known Limitations

Production Status

  • Experimental Software - v1.0.0 is for research and testing
  • Not audited - No formal security audit has been performed
  • Limited testing - Primarily tested on Linux/macOS

Feature Limitations

  • GSSAPI/Kerberos - Returns 'not implemented' errors
  • Multiplexing - Returns proper error instead of creating channels
  • No SSH Agent Forwarding - Keys must be present on each server
  • Certificate auth - Not yet integrated

Security Notes

  • All placeholder implementations have been replaced with proper errors
  • No dummy data or zero-filled buffers returned
  • Debug output uses proper logging framework
  • Performance - Falcon-512 signatures are slower than RSA/Ed25519
  • Compatibility - Not a drop-in replacement for all OpenSSH use cases
  • Code Quality - Needs security audit before production use

Features

Core Security

  • Post-Quantum Algorithms: Falcon-512 (default), SPHINCS+, custom providers
  • Quantum Integration: QKD networks, QRNG devices, hardware security modules
  • Forward Secrecy: Double Ratchet protocol with automatic key rotation
  • Zero-Trust: No default trust, all peers authenticated

Compatibility

  • Drop-in Replacement: Works like SSH, same commands
  • Cross-Platform: Linux, macOS, Windows
  • Standard Protocols: SSH-compatible authorized_keys format

Advanced Features

  • P2P Mode: Direct peer connections without central servers
  • Modular Crypto: Plug in any post-quantum algorithm
  • Blockchain Integration: QuantumHarmony validator discovery
  • Hardware Support: TPM, HSM, PKCS#11 tokens

Installation

From Source

git clone https://github.com/QuantumVerseProtocols/qssh
cd qssh
cargo build --release
sudo cp target/release/qssh* /usr/local/bin/

Package Managers

# Arch Linux
yay -S qssh

# macOS
brew install qssh

# Debian/Ubuntu
sudo apt install qssh

Basic Usage

Configuration File

QSSH supports configuration files similar to OpenSSH. Place your config at ~/.qssh/config:

# Example ~/.qssh/config
Host myserver
    Hostname server.example.com
    User myuser
    Port 22222
    PqAlgorithm falcon
    LocalForward 8080:localhost:80

Host *.internal
    User admin
    PqAlgorithm kyber1024

Then connect simply with:

qssh myserver

See example.qssh.config for a complete configuration example.

Basic Commands

Generate Keys

# Default (Falcon-512)
qssh-keygen

# SPHINCS+ for maximum security
qssh-keygen -t sphincs+

# Custom output location
qssh-keygen -f ~/.qssh/id_production

Password Management

# Set password for user (server-side)
sudo qssh-passwd username

# Verify password
qssh-passwd -c username

Connect to Server

# Standard connection (with public key)
qssh user@quantum.example.com

# Password authentication
qssh -P user@quantum.example.com

# Custom port
qssh user@quantum.example.com:42

# Execute command
qssh user@server "df -h"

# Interactive shell with verbosity
qssh -v user@server

File Transfer

# Copy local to remote
qscp report.pdf user@server:/home/user/

# Copy remote to local
qscp user@server:/data/results.csv ./

# Recursive copy
qscp -r ./project user@server:/deploy/

Server Setup

# Start daemon (default port 42)
qsshd

# Custom configuration
qsshd --listen :22 --max-connections 1000

# With quantum devices
qsshd --qkd qkd://alice.local --qrng /dev/qrandom

Architecture

Quantum Pipeline

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│ Quantum Devices │     │   QKD Network   │     │  QRNG Sources   │
├─────────────────┤     ├─────────────────┤     ├─────────────────┤
│ • Photon pairs  │     │ • Alice node    │     │ • Quantum decay │
│ • Entangled     │────▶│ • Bob node      │     │ • Shot noise    │
│ • Single photon │     │ • ETSI API      │     │ • Vacuum noise  │
└────────┬────────┘     └────────┬────────┘     └────────┬────────┘
         │                       │                         │
         └───────────────────────┴─────────────────────────┘
                                 │
                    ┌────────────▼────────────┐
                    │      QSSH Protocol      │
                    ├─────────────────────────┤
                    │ • Falcon-512 (default)  │
                    │ • SPHINCS+ (optional)   │
                    │ • Custom providers      │
                    └────────────┬────────────┘
                                 │
         ┌───────────────────────┴─────────────────────────┐
         │                                                 │
┌────────▼────────┐                              ┌─────────▼────────┐
│   Your Device   │                              │  Remote Server   │
├─────────────────┤                              ├──────────────────┤
│ qssh client     │◄────── Encrypted Channel ───►│ qsshd daemon     │
└─────────────────┘         (TCP Port 42)        └──────────────────┘

OSI Model Integration

┌─────────────────────────────────────────────────────┐
│ Layer 7 - Application │ Shell, SFTP, Port Forward   │
├───────────────────────┼─────────────────────────────┤
│ Layer 6 - Presentation│ QSSH Protocol               │
│                       │ • Post-quantum crypto       │
│                       │ • Key exchange & auth       │
├───────────────────────┼─────────────────────────────┤
│ Layer 5 - Session     │ Channel multiplexing        │
├───────────────────────┼─────────────────────────────┤
│ Layer 4 - Transport   │ TCP (Port 42 default)       │
├───────────────────────┼─────────────────────────────┤
│ Layer 3 - Network     │ IP (IPv4/IPv6)              │
├───────────────────────┼─────────────────────────────┤
│ Layer 2 - Data Link   │ Ethernet/WiFi               │
├───────────────────────┼─────────────────────────────┤
│ Layer 1 - Physical    │ Cable/Radio/Fiber           │
└─────────────────────────────────────────────────────┘

Protocol Flow

  1. TCP Connection: Client connects to server port 42
  2. Version Exchange: Protocol version negotiation
  3. Algorithm Selection: Choose quantum-safe algorithms
  4. Key Exchange: Falcon-512 signed ephemeral keys
  5. Authentication: SPHINCS+ signature verification
  6. Session Establishment: AES-256-GCM encrypted channel
  7. Key Rotation: Double Ratchet for forward secrecy

Security Model

Cryptographic Algorithms

Component Default Alternative Purpose
Key Exchange Falcon-512 SPHINCS+, Custom Fast ephemeral keys
Signatures Falcon-512 SPHINCS+, Lamport Authentication
Encryption AES-256-GCM ChaCha20-Poly1305 Channel encryption
KDF SHA3-256 SHAKE256 Key derivation
Random QRNG→System /dev/urandom Nonce generation

Security Levels

  • Level 1 (128-bit): Falcon-512, AES-128
  • Level 3 (192-bit): Falcon-768, AES-192
  • Level 5 (256-bit): Falcon-1024, AES-256, SPHINCS+

Threat Model

QSSH protects against:

  • Quantum attacks: Shor's algorithm (RSA/ECDSA break)
  • Classical attacks: Lattice reduction, collision finding
  • Implementation attacks: Side channels, timing attacks
  • Network attacks: MITM, replay, downgrade

Advanced Configuration

Configuration Files

~/.qssh/config.toml:

[defaults]
algorithm = "falcon-512"
port = 42
compression = true
keepalive = 60

[hosts."*.quantum.net"]
algorithm = "sphincs+"
use_qkd = true
forward_agent = true

[hosts."critical.server"]
require_qkd = true
require_lamport = true
min_entropy = 256

Environment Variables

export QSSH_ALGORITHM=falcon-512
export QSSH_QKD_ENDPOINT=qkd://alice.quantum.net
export QSSH_QRNG_SOURCE=/dev/qrandom
export QSSH_LOG_LEVEL=debug

Quantum Device Integration

QKD (Quantum Key Distribution)

# Connect with QKD
qssh --qkd qkd://alice.local/api user@server

# Require QKD
qssh --require-qkd user@critical.server

# QKD with fallback
qssh --qkd-fallback user@server

QRNG (Quantum Random Number Generator)

# Local quantum device
qsshd --qrng /dev/qrandom

# Network QRNG
qsshd --qrng kirq://entropy.hub:8080

# Multiple sources
qsshd --qrng /dev/qrandom,kirq://backup.net

Port Forwarding

# Local forward (access remote service locally)
qssh -L 5432:db.internal:5432 user@gateway

# Remote forward (expose local service remotely)  
qssh -R 8080:localhost:3000 user@public.server

# Dynamic SOCKS proxy
qssh -D 1080 user@gateway

# Multiple forwards
qssh -L 3306:mysql:3306 -L 5432:postgres:5432 user@server

P2P Mode

Decentralized operation without daemons:

Basic P2P

# Start P2P listener
qssh --p2p --listen

# Connect to peer
qssh --p2p alice@192.168.1.100

# Discover peers
qssh --p2p --discover

P2P with NAT Traversal

# Enable STUN
qssh --p2p --stun stun.l.google.com:19302

# Use TURN relay
qssh --p2p --turn turn.example.com --turn-user alice

Blockchain Discovery

# Use QuantumHarmony validators
qssh --p2p --blockchain harmony://mainnet

Testing

Running Tests

# All tests
cargo test

# Unit tests only
cargo test --lib

# Integration tests
cargo test --test integration

# Specific test
cargo test test_handshake

# With output
cargo test -- --nocapture

# Parallel tests
cargo test -- --test-threads=8

Test Categories

Unit Tests (src/*/mod.rs)

  • Crypto primitives
  • Protocol messages
  • Key derivation
  • Serialization

Integration Tests (tests/)

  • Client-server handshake
  • Key exchange protocols
  • Channel multiplexing
  • Error handling

Quantum Tests (tests/quantum_tests.rs)

  • QKD integration
  • QRNG functionality
  • Lamport signatures
  • Double Ratchet

Performance Tests (benches/)

# Run benchmarks
cargo bench

# Specific benchmark
cargo bench handshake

# Compare implementations
cargo bench --bench crypto_bench

Test Coverage

# Generate coverage report
cargo tarpaulin --out Html

# With branch coverage
cargo tarpaulin --branch --out Lcov

Development

Building from Source

# Development build
cargo build

# Release build (optimized)
cargo build --release

# All targets
cargo build --all-targets

# With features
cargo build --features "qkd,hardware"

Adding Custom Algorithms

  1. Implement CryptoProvider trait:
use qssh::crypto::{CryptoProvider, AlgorithmInfo};

pub struct MyAlgorithm;

#[async_trait]
impl CryptoProvider for MyAlgorithm {
    fn name(&self) -> &str { "my-algo" }
    
    async fn generate_keypair(&self, algorithm: &str) -> Result<KeyPair> {
        // Your implementation
    }
    
    async fn sign(&self, key: &[u8], data: &[u8]) -> Result<Vec<u8>> {
        // Your implementation
    }
}
  1. Register provider:
let mut registry = CryptoRegistry::new();
registry.register(Box::new(MyAlgorithm));
  1. Use it:
qssh --algorithm my-algo user@server

Debugging

# Verbose output
qssh -vvv user@server

# Debug specific subsystem
QSSH_DEBUG=handshake,crypto qssh user@server

# Protocol trace
qssh --trace protocol.log user@server

# Analyze core dumps
gdb qssh core

Performance

Benchmarks (Intel i7-10700K)

Operation Falcon-512 SPHINCS+ RSA-2048
Keygen 0.8ms 3.2ms 84ms
Sign 0.4ms 5.1ms 1.2ms
Verify 0.1ms 2.4ms 0.04ms
Handshake 3.2ms 14ms 5.6ms

Optimization Tips

  1. Use Falcon for speed: 10x faster than SPHINCS+
  2. Enable compression: For slow networks
  3. Reuse connections: Connection pooling
  4. Hardware acceleration: AES-NI, SHA extensions

Troubleshooting

Connection Issues

# Test connectivity
qssh-diag test user@server

# Check algorithms
qssh-diag algorithms

# Verify quantum devices
qssh-diag quantum

Common Problems

"No quantum entropy available"

  • Install QRNG driver or use --no-qrng

"Algorithm negotiation failed"

  • Update both client and server
  • Check --algorithms match

"QKD key exhausted"

  • Increase key generation rate

  • Enable QKD cache

Quick Guide

  1. Fork the repository
  2. Create feature branch
  3. Write tests
  4. Submit PR

Code Style

# Format code
cargo fmt

# Lint
cargo clippy

# Security audit
cargo audit

License

Licensed under either:

at your option.

Acknowledgments

  • NIST Post-Quantum Cryptography project
  • QuantumHarmony blockchain team
  • PQClean reference implementations
  • Signal Protocol (Double Ratchet)

Building quantum-safe infrastructure for the next generation of secure communications.

Commit count: 0

cargo fmt