QUICSSH Features
From proof-of-concept to production-ready. Everything you need for modern, secure remote access.
TLS Client/Server Certificates & Certificate Authority
QUICSSH includes a built-in certificate authority. Every client and server gets a TLS 1.3 certificate issued at setup time. No external PKI, no manual certificate management. The CA can be used to issue short-lived certificates for zero-trust environments.
$ quicssh-ca init
✓ CA initialized at ~/.quicssh/ca/
$ quicssh-ca issue --name myserver
✓ Certificate issued: ~/.quicssh/certs/myserver.crt
Valid for: 90 days
Key type: Ed25519
Identity Management: OIDC / OAuth / OTP / MFA
Plug QUICSSH into your existing identity infrastructure. Support for OpenID Connect (OIDC) and OAuth 2.0 means your SSH access control lives alongside your web SSO. TOTP-based OTP and hardware MFA tokens are supported for all authentication flows.
$ quicssh user@server.example.com
[AUTH] OIDC provider: accounts.example.com
[AUTH] Browser opened for authentication...
[AUTH] OTP required: ______
> 847291
[AUTH] Authenticated as user@example.com
Welcome to server.example.com
TCP / UDP Port Forwarding
QUICSSH can forward arbitrary TCP and UDP ports through the QUIC connection. Because QUIC natively multiplexes streams, tunnels don't interfere with your interactive session. Forward a database port, a local dev server, or an entire SOCKS5 proxy — all over a single QUIC connection.
# Forward local port 5432 to remote PostgreSQL
$ quicssh -L 5432:localhost:5432 user@server.example.com
# UDP forward for DNS
$ quicssh -U 5353:localhost:53 user@server.example.com
# SOCKS5 proxy
$ quicssh -D 1080 user@server.example.com
SSH to Docker, LXD, and Incus
QUICSSH integrates directly with container runtimes. Use a single SSH command to open a shell inside a Docker container, LXD instance, or Incus container on a remote host — without exposing container ports or running extra daemons.
# Connect to a Docker container by name
$ quicssh user@host docker:my-webapp
# Connect to an LXD instance
$ quicssh user@host lxd:database-node
# Connect to an Incus container
$ quicssh user@host incus:build-agent
Auto-Reconnect and Connection Migration
QUIC's connection migration means your SSH session survives IP address changes. When you switch from Wi-Fi to mobile, or your laptop wakes from sleep, QUICSSH reconnects transparently using the QUIC connection ID — no session loss, no re-authentication.
[QUIC] Connection established to server.example.com
[QUIC] Network changed: wifi → mobile
[QUIC] Migrating connection...
[QUIC] Migration successful — session preserved
$ _