USSH: A shell protocol and client/server pair built on top of USTP-Secure


GitHub - x1colegal/USSH: Recreated SSH over USTPS · GitHub


Repository files: LICENSE, README.md, aead_udp.py, packet.py, ussh_client.py, ussh_proto.py, ussh_server.py, ustp.py


USSH

USSH is a shell protocol and client/server pair built on top of USTP-Secure.

It is not a TCP tunnel and does not wrap SSH inside TCP.

Status: Beta

USSH is no longer just a proof of concept. It is currently in the Beta phase.

License: MIT

Default port

5322

Server

    python3 ussh_server.py \
      --peer-ip <CLIENT_IP_OR_DOMAIN> \
      --peer-port 0 \
      --bind-ip 0.0.0.0 \
      --bind-port 5322 \
      --cipher chacha20

If --password is omitted, the server prompts for the USSH login password on startup.

On interactive startup, the server asks whether it should install itself as a systemd service. Answer n to run it normally. Use --no-systemd-prompt to skip that question.

Client

    python3 ussh_client.py \
      --peer-ip <SERVER_IP_OR_DOMAIN> \
      --peer-port 5322 \
      --bind-ip 0.0.0.0 \
      --bind-port 0 \
      --cipher chacha20

The client prompts for the password interactively, like SSH.

The client stores the first seen server X25519 public key in ~/.ussh_known_hosts.json. If that key changes later, the client aborts with a TOFU mismatch error instead of silently trusting the new key. If you intentionally rotated the server host key, run the client with --regen-key to allow replacing the stored TOFU key after interactive confirmation.
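
An added example (not code from the USSH repository) of the TOFU check described above: pin the first key seen, accept a matching key, abort on a changed key, and replace the pin only when explicitly allowed. The JSON layout, the `host:port` entry format and the function names are assumptions; the page does not show the real format of ~/.ussh_known_hosts.json.

```python
import json
import os
import tempfile

class TofuMismatch(Exception):
    """The server presented a key that differs from the pinned one."""

def check_server_key(store_path, host, port, key_hex, allow_replace=False):
    """Return 'pinned', 'match' or 'replaced'; raise TofuMismatch on a changed key."""
    # allow_replace models --regen-key after the caller's interactive confirmation.
    entry = f"{host}:{port}"  # assumed entry format: one pin per address and port
    key_hex = key_hex.lower()
    try:
        with open(store_path, encoding="utf-8") as fh:
            pins = json.load(fh)
    except FileNotFoundError:
        pins = {}  # first run: nothing pinned yet
    stored = pins.get(entry)
    if stored == key_hex:
        return "match"
    if stored is not None and not allow_replace:
        # Fail closed: never overwrite an existing pin silently.
        raise TofuMismatch(f"{entry}: pinned {stored[:16]}... != presented {key_hex[:16]}...")
    outcome = "pinned" if stored is None else "replaced"
    pins[entry] = key_hex
    # Write to a temp file (mkstemp creates it with mode 0600) and rename it
    # atomically, so a crash cannot leave a truncated pin store behind.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(store_path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(pins, fh, indent=2)
    os.replace(tmp, store_path)
    return outcome

def demo():
    """First use, reconnect, changed key, confirmed rotation, second port."""
    key_a, key_b = "aa" * 32, "bb" * 32  # constructed 32-byte keys, hex-encoded
    with tempfile.TemporaryDirectory() as d:
        store = os.path.join(d, "known_hosts.json")
        steps = [check_server_key(store, "203.0.113.10", 5322, key_a),
                 check_server_key(store, "203.0.113.10", 5322, key_a)]
        try:
            check_server_key(store, "203.0.113.10", 5322, key_b)
        except TofuMismatch:
            steps.append("mismatch")
        steps.append(check_server_key(store, "203.0.113.10", 5322, key_b, allow_replace=True))
        steps.append(check_server_key(store, "203.0.113.10", 5323, key_a))
    return steps
```

A corrupt pin store raises a JSON decode error rather than being treated as empty, so a damaged file cannot cause a silent re-pin.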

Notes

Transport is USTP-Secure over UDP.

USTP-Secure itself remains unordered.

USSH does not turn the transport into an ordered TCP-like channel.

USSH only reassembles the logical stdout byte stream before writing to the terminal.

That reassembly exists because an interactive shell output is a continuous byte stream, and rendering terminal bytes in raw arrival order can corrupt large outputs such as ls, find, or compiler logs.

This means USTP-Secure still avoids transport-level Head-of-Line blocking, while USSH restores only the application-level order required for terminal rendering.

Payloads are encrypted per packet with AEAD.

No static PSK is used.

Each client receives a separate ephemeral AEAD session key through X25519.

The password is used for USSH authentication after the secure session is established.

The server launches a real PTY-backed shell on the machine running ussh_server.py.

The client sends stdin bytes and renders stdout bytes.

The server supports multiple clients, with one shell/session per client.

If --cipher is set on the server, the server uses that exact cipher.

If --cipher is omitted or set to auto, the server uses the cipher requested by the client.

Clients reject unexpected cipher negotiation.

TOFU (Trust On First Use) is enabled on the client to detect unexpected server key changes after the first connection.

The server keeps a persistent X25519 host key in ~/.ussh_host_key by default so TOFU remains stable across reconnects and restarts.

A normal server restart does not change the host key.

Use --regen-key on the server only when you intentionally want to rotate that host key.

TOFU entries are stored per :, so a different server at a different address/port is treated as a different host identity.
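
An added example (not code from the USSH repository) of the application-level stdout reordering described in the notes above: chunks arrive in any order, and only contiguous bytes are released to the terminal. It assumes each stdout chunk carries a sequence number starting at 0; the page does not show USSH's actual framing, and `StdoutReassembler` is a hypothetical name. Recovery of lost chunks is outside what the page describes and is not modelled.

```python
class StdoutReassembler:
    """Release PTY output in order from chunks that may arrive in any order."""

    def __init__(self, max_pending=1024):
        self.next_seq = 0          # sequence number the terminal is waiting for
        self.pending = {}          # seq -> bytes, chunks that arrived early
        self.max_pending = max_pending

    def feed(self, seq, data):
        """Accept one decrypted chunk; return the bytes that are now contiguous."""
        if seq < self.next_seq or seq in self.pending:
            return b""             # duplicate or already-rendered chunk: drop
        if len(self.pending) >= self.max_pending and seq != self.next_seq:
            # Bound memory: a peer must not be able to park unlimited
            # out-of-order chunks while withholding the next expected one.
            raise BufferError("too many out-of-order chunks buffered")
        self.pending[seq] = data
        out = bytearray()
        while self.next_seq in self.pending:
            out += self.pending.pop(self.next_seq)
            self.next_seq += 1
        return bytes(out)


def demo():
    """Render a constructed 'ls' output whose chunks arrive out of order."""
    arrivals = [(1, b"b.txt\n"), (0, b"a.txt\n"), (3, b"d.txt\n"),
                (1, b"b.txt\n"),   # duplicate delivery
                (2, b"c.txt\n")]
    r = StdoutReassembler()
    return b"".join(r.feed(seq, data) for seq, data in arrivals)
```

Only the terminal write waits for the missing chunk; the transport still delivers every packet as it arrives, which matches the page's distinction between transport-level and application-level ordering.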
