Releases: Eugeny/russh
v0.49.2
v0.49.0
Changes
This release fixes the regression in v0.48 which made it impossible to choose the hash algorithm when using RSA keys for authentication. Unfortunately, the fix is a breaking API change, hence the version bump.
client::Handle::authenticate_publickey
now takes a russh_keys::key::PrivateKeyWithHashAlg
which you can construct from an Arc<russh_keys::PrivateKey>
+ Option<russh_keys::HashAlg>
.
The latter lets you choose between SHA1, SHA256 and SHA512 for RSA keys, and must be None
for all other key types.
Example:
let key_pair = load_secret_key(key_path, None)?;
let auth_res = session
.authenticate_publickey(
user,
PrivateKeyWithHashAlg::new(Arc::new(key_pair), Some(HashAlg::Sha512))?
)
.await?;
v0.48.2
v0.48.1
Breaking changes
russh
v0.48 drops its own data parsing and key handling code in favor of the RustCrypto project's ssh-key
(#368) and ssh-encoding
(#371) crates. This means there are some breaking changes, which are listed here:
Important for library users
-
russh_keys::key::PublicKey
is replaced withrussh_keys::PublicKey
(ssh_key::PublicKey
) -
russh_keys::key::KeyPair
is replaced withrussh_keys::PrivateKey
(ssh_key::PrivateKey
) -
russh_keys::key::parse_public_key
no longer takes a hash algorithm argument as RSA keys are no longer locked down to a specific algorithm internally. RSA key specific hash algorithms are only used inPreferred::key
. -
Key type constants in
russh_keys::key
andrussh_keys::key::Name
are removed - use therussh_keys::Algorithm
enum instead.Config::preferred::key
now also takesrussh_keys::Algorithm
s instead ofrussh_key::key::Name
s. -
russh::client::Handle::authenticate_future
is renamed torussh::client::Handle::authenticate_publickey_with
Less important
-
new
russh::Error
enum variants:Error:Signature
Error:SshKey
Error:SshEncoding
-
new
russh_keys::Error
enum variants:Error::Rsa
Error::Utf8
-
russh::auth::Signer
is now anasync_trait
-
russh_keys::ec
is removed -
russh_keys::encoding
is removed (userussh_keys::ssh_encoding
) -
russh_keys::signature
is removed -
russh_keys::protocol
is removed -
russh_keys::key::SignatureHash
is replaced withrussh_keys::HashAlg
(ssh_key::HashAlg
) -
russh_keys::key::SignatureBytes
is removed -
russh_keys::key::RsaPrivate
is removed (userussh_keys::ssh_key::private::RsaPrivateKey
) -
russh_keys::key::RsaPublic
is removed (userussh_keys::ssh_key::public::RsaPublicKey
) -
russh_keys::key::RsaCrtExtra
is removed -
russh_keys::key::Signature
is replaced withrussh_keys::signature::Signature
(signature::Signature
)
Features
- aa9bdb4: added support for sk-ecdsa-sha2-nistp256-cert-v01@openssh.com and sk-ssh-ed25519-cert-v01@openssh.com keys in client
- 68fff93: Add support for StrictHostKeyChecking and UserKnownHostsFile (#386) (Mattias Eriksson) #386
- 981cf7b: Derive Debug where possible (#374) (Quentin Santos) #374
- c328558: Implement From<&str> and From<&[u8]> for CryptoVec (#391) (Josh McKinney) #391
Fixes
- 47ca41d: Send proper algorithm for certificates (#378) (Jerome Gravel-Niquet) #378
- 2d8c08a: ratatui examples fixed. (#388) (André Almeida) #388
- bd6dc3a: impl Drop for server examples (#376) (Eric Rodrigues Pires) #376
- ac441a6: fix:remove unused memcpy function (#406) (irvingouj @ Devolutions) #406
- a5c4adc: #401 - removing TX busywait (#408) #408
Docs
v0.47.0-beta.3
Breaking changes
russh
v0.47 will drop its own data parsing and key handling code in favor of the RustCrypto project's ssh-key
(#368) and ssh-encoding
(#371) crates. This means there are some breaking changes, which are listed here:
Important for library users
-
russh_keys::key::PublicKey
is replaced withrussh_keys::PublicKey
(ssh_key::PublicKey
) -
russh_keys::key::KeyPair
is replaced withrussh_keys::PrivateKey
(ssh_key::PrivateKey
) -
russh_keys::key::parse_public_key
no longer takes a hash algorithm argument as RSA keys are no longer locked down to a specific algorithm internally. RSA key specific hash algorithms are only used inPreferred::key
. -
Key type constants in
russh_keys::key
andrussh_keys::key::Name
are removed - use therussh_keys::Algorithm
enum instead.Config::preferred::key
now also takesrussh_keys::Algorithm
s instead ofrussh_key::key::Name
s. -
russh::client::Handle::authenticate_future
is renamed torussh::client::Handle::authenticate_publickey_with
Less important
-
new
russh::Error
enum variants:Error:Signature
Error:SshKey
Error:SshEncoding
-
new
russh_keys::Error
enum variants:Error::Rsa
Error::Utf8
-
russh::auth::Signer
is now anasync_trait
-
russh_keys::ec
is removed -
russh_keys::encoding
is removed (userussh_keys::ssh_encoding
) -
russh_keys::signature
is removed -
russh_keys::protocol
is removed -
russh_keys::key::SignatureHash
is replaced withrussh_keys::HashAlg
(ssh_key::HashAlg
) -
russh_keys::key::SignatureBytes
is removed -
russh_keys::key::RsaPrivate
is removed (userussh_keys::ssh_key::private::RsaPrivateKey
) -
russh_keys::key::RsaPublic
is removed (userussh_keys::ssh_key::public::RsaPublicKey
) -
russh_keys::key::RsaCrtExtra
is removed -
russh_keys::key::Signature
is replaced withrussh_keys::signature::Signature
(signature::Signature
)
Features
- aa9bdb4: added support for sk-ecdsa-sha2-nistp256-cert-v01@openssh.com and sk-ssh-ed25519-cert-v01@openssh.com keys in client
- 68fff93: Add support for StrictHostKeyChecking and UserKnownHostsFile (#386) (Mattias Eriksson) #386
- 981cf7b: Derive Debug where possible (#374) (Quentin Santos) #374
- c328558: Implement From<&str> and From<&[u8]> for CryptoVec (#391) (Josh McKinney) #391
Fixes
- 47ca41d: Send proper algorithm for certificates (#378) (Jerome Gravel-Niquet) #378
- 2d8c08a: ratatui examples fixed. (#388) (André Almeida) #388
- bd6dc3a: impl Drop for server examples (#376) (Eric Rodrigues Pires) #376
Docs
v0.46.0
Changes
- wasm-support: add wasm support (#351) #351 (irvingouj @ Devolutions)
- 97dc08b: Support Pageant as agent (#326) #326
- 26aae26: added named pipe support for
AgentClient
andAgentClient::dynamic()
- 8b88465: added
AgentClient::into_inner
- 67a6ba8: Implement
streamlocal-forward
for remote => local UDS forwarding (#312) (kanpov) #312 - b9759d4: client channel handling changes -
server_channel_open_direct_tcpip
,server_channel_open_agent_forward
andserver_channel_open_session
now receive aChannel
instead of aChannelId
. Also addedshould_accept_unknown_server_channel
andserver_channel_open_unknown
callbacks. - d6ee97a: new rich
NoCommonAlgo
error - cb8d9e9: fixed #338 - make
KeyPair::generate_ed25519
infallible - 9444608: Add a way to open an agent forwarding channel (#344) (Thomas Rampelberg) #344
- ee59e07: Add ed25519 to ALL_KEY_TYPES (#360) (Toni Peter) #360
- 3f7271b: fixed #358 - relax strict kex checks to match OpenSSH
- 72aa097: Update deps (#363) (Lucas Kent) #363
Fixes
- process multiple host entries (#331) #331 (Yaroslav Bolyukin)
- b704f4c: Remove leftover extraneous debugging in host globbing function (#328) (Adam Chappell) #328
- c99f49c: fixed
Error::Disconnect
getting returned fromconnect
instead of the more specific error type when connection fails during kex phase - 73fa3e5: Improve echoserver example, bump Rust toolchain to 1.81 (#339) (Julian) #339
- fix typo: add a missing word. (#342) #342 (Pipelight)
- f587d13: Reject unsupported key types instead of failing (#352) (Gary Guo) #352
- 6df962d: Minor accuracy improvements to server documentation (#346) (Kaleb Elwert) #346
- add adopters to readme (#356) #356 (Thomas Rampelberg)
- cd84f4d: Update sftp examples (#357) (Roman) #357
v0.45.0
v0.44.1
Security fixes
CVE-2024-43410 - SSH OOM DoS through malicious packet length
It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the application to get killed due to excessive RAM usage.
v0.44.0
Breaking changes
OpenSSL-free RSA
- This release adds a default pure-Rust RSA implementation, meaning that you can disable the
openssl
feature to reduce your app size and improve portability and build speed. - RSA is now enabled by default in
Preferred::DEFAULT
when theopenssl
feature is disabled.
Preferred algorithms config changes - 77cc2f7
- The fields specifying cipher algorithms in
Preferred
are nowCow<&'static, [Name]>
instead of&'static [Name]
, allowing you to dynamically construct the lists. If you're using custom algorithm lists, you'll need to update your code:
config.preferred = Preferred {
- kex: &[CURVE25519],
+ kex: Cow::Borrowed(&[CURVE25519]),
..<_>::default()
}
- The type of
Preferred::compression
items is nowrussh::compression::Name
instead ofString
. - All
Name
structs now implementTryFrom<&'static str>
which will validate that the named algorithm is actually implemented in the library. - There are now companion algorithm lists to choose from dynamically:
russh_keys::key::ALL_KEY_TYPES
,russh::kex::ALL_KEX_ALGORITHMS
,russh::cipher::ALL_CIPHERS
,russh::compression::ALL_COMPRESSION_ALGORITHMS
andrussh::mac::ALL_MAC_ALGORITHMS
.
Incorrect Ed25519 PKCS#8 key saving
- Up to
v0.43
,russh-keys
has generated incorrect key format when saving Ed25519 keys in PKCS#8 format. This is fixed inv0.44
but by default,v0.44
will fail to parse keys generated inv0.43
. - To allow
v0.44
to parse these keys, enable thelegacy-ed25519-pkcs8-parser
feature of therussh-keys
crate.
Other changes
- 3bfd99f:
ecdh-sha2-nistp{256,384,521}
kex support (#282) (Michael Gleason) #282 - 800969b: Implement
-cbc
ciphers. (#297) (Pierre Barre) #297 - 1eaadfb: Add support for glob pattern matching in Host directives (#306) (Adam Chappell) #306
- 88196a7: allow converting
ChannelId
intou32
Fixes
- 643be05: Fix block ciphers + HMAC_SHA1_ETM (#298) (Pierre Barre) #298
- 2bfe426: Fix hardcoded public key auth negotiation (#294) (Tom König) #294
- 9cce48c: Allow ssh-rsa keys to be used for rsa-sha2-* auth (#290) (Ana Gelez) #290
- Fix a segmentation fault (#288) #288 (Ana Gelez)
- 9e1ed09: Overachiever host key checking (#302) (Jean-Baptiste Skutnik) #302
- 3f4646a: removed use of unstable Option::inspect
- f2d94c0: fixed warp-tech/warpgate#996 - prevent offering of unparseable public keys from ending the session
v0.44.0-beta.4
Changes
Incorrect Ed25519 PKCS#8 key saving
- Up to
v0.43
,russh-keys
has generated incorrect key format when saving Ed25519 keys in PKCS#8 format. This is fixed inv0.44
but by default,v0.44
will fail to parse keys generated inv0.43
. - To allow
v0.44
to parse these keys, enable thelegacy-ed25519-pkcs8-parser
feature of therussh-keys
crate.