Releases: Eugeny/russh

v0.49.2

20 Dec 14:57

Fixes

  • cb5d3ba: fixed #418 - client - incorrect kex signature verification for RSA-SHA2
  • 97ec468: Remove calls to dbg!() (#414) (Eric Rodrigues Pires)

v0.49.0

10 Dec 23:15

Changes

This release fixes the regression in v0.48 which made it impossible to choose the hash algorithm when using RSA keys for authentication. Unfortunately, the fix is a breaking API change, hence the version bump.

client::Handle::authenticate_publickey now takes a russh_keys::key::PrivateKeyWithHashAlg which you can construct from an Arc<russh_keys::PrivateKey> + Option<russh_keys::HashAlg>.

The latter lets you choose between SHA1, SHA256 and SHA512 for RSA keys, and must be None for all other key types.

Example:

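use std::sync::Arc;
use russh_keys::{load_secret_key, HashAlg};
use russh_keys::key::PrivateKeyWithHashAlg;

// Load the private key from disk (None = no passphrase)
let key_pair = load_secret_key(key_path, None)?;

// For RSA keys, pick the signature hash; pass None for all other key types
let auth_res = session
    .authenticate_publickey(
        user,
        PrivateKeyWithHashAlg::new(Arc::new(key_pair), Some(HashAlg::Sha512))?
    )
    .await?;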

v0.48.2

09 Dec 20:52

Fixes

  • 044da62: fixed handling of rsa-sha2-* key algorithms

v0.48.1

07 Dec 19:08

Breaking changes

russh v0.48 drops its own data parsing and key handling code in favor of the RustCrypto project's ssh-key (#368) and ssh-encoding (#371) crates. This means there are some breaking changes, which are listed here:

Important for library users

  • russh_keys::key::PublicKey is replaced with russh_keys::PublicKey (ssh_key::PublicKey)

  • russh_keys::key::KeyPair is replaced with russh_keys::PrivateKey (ssh_key::PrivateKey)

  • russh_keys::key::parse_public_key no longer takes a hash algorithm argument as RSA keys are no longer locked down to a specific algorithm internally. RSA key specific hash algorithms are only used in Preferred::key.

  • Key type constants in russh_keys::key and russh_keys::key::Name are removed - use the russh_keys::Algorithm enum instead. Config::preferred::key now also takes russh_keys::Algorithms instead of russh_keys::key::Names.

  • russh::client::Handle::authenticate_future is renamed to russh::client::Handle::authenticate_publickey_with

Less important

  • new russh::Error enum variants:

    • Error::Signature
    • Error::SshKey
    • Error::SshEncoding
  • new russh_keys::Error enum variants:

    • Error::Rsa
    • Error::Utf8
  • russh::auth::Signer is now an async_trait

  • russh_keys::ec is removed

  • russh_keys::encoding is removed (use russh_keys::ssh_encoding)

  • russh_keys::signature is removed

  • russh_keys::protocol is removed

  • russh_keys::key::SignatureHash is replaced with russh_keys::HashAlg (ssh_key::HashAlg)

  • russh_keys::key::SignatureBytes is removed

  • russh_keys::key::RsaPrivate is removed (use russh_keys::ssh_key::private::RsaPrivateKey)

  • russh_keys::key::RsaPublic is removed (use russh_keys::ssh_key::public::RsaPublicKey)

  • russh_keys::key::RsaCrtExtra is removed

  • russh_keys::key::Signature is replaced with russh_keys::signature::Signature (signature::Signature)

Docs

  • 2dca3c6: Document how to reply to channel requests (#381) (Quentin Santos)

v0.47.0-beta.3

24 Nov 17:27

Breaking changes

russh v0.47 will drop its own data parsing and key handling code in favor of the RustCrypto project's ssh-key (#368) and ssh-encoding (#371) crates. This means there are some breaking changes, which are listed here:

Important for library users

  • russh_keys::key::PublicKey is replaced with russh_keys::PublicKey (ssh_key::PublicKey)

  • russh_keys::key::KeyPair is replaced with russh_keys::PrivateKey (ssh_key::PrivateKey)

  • russh_keys::key::parse_public_key no longer takes a hash algorithm argument as RSA keys are no longer locked down to a specific algorithm internally. RSA key specific hash algorithms are only used in Preferred::key.

  • Key type constants in russh_keys::key and russh_keys::key::Name are removed - use the russh_keys::Algorithm enum instead. Config::preferred::key now also takes russh_keys::Algorithms instead of russh_keys::key::Names.

  • russh::client::Handle::authenticate_future is renamed to russh::client::Handle::authenticate_publickey_with

Less important

  • new russh::Error enum variants:

    • Error::Signature
    • Error::SshKey
    • Error::SshEncoding
  • new russh_keys::Error enum variants:

    • Error::Rsa
    • Error::Utf8
  • russh::auth::Signer is now an async_trait

  • russh_keys::ec is removed

  • russh_keys::encoding is removed (use russh_keys::ssh_encoding)

  • russh_keys::signature is removed

  • russh_keys::protocol is removed

  • russh_keys::key::SignatureHash is replaced with russh_keys::HashAlg (ssh_key::HashAlg)

  • russh_keys::key::SignatureBytes is removed

  • russh_keys::key::RsaPrivate is removed (use russh_keys::ssh_key::private::RsaPrivateKey)

  • russh_keys::key::RsaPublic is removed (use russh_keys::ssh_key::public::RsaPublicKey)

  • russh_keys::key::RsaCrtExtra is removed

  • russh_keys::key::Signature is replaced with russh_keys::signature::Signature (signature::Signature)

Docs

  • 2dca3c6: Document how to reply to channel requests (#381) (Quentin Santos)

v0.46.0

03 Nov 19:52

Changes

  • wasm-support: add wasm support (#351) (irvingouj @ Devolutions)
  • 97dc08b: Support Pageant as agent (#326)
  • 26aae26: added named pipe support for AgentClient and AgentClient::dynamic()
  • 8b88465: added AgentClient::into_inner
  • 67a6ba8: Implement streamlocal-forward for remote => local UDS forwarding (#312) (kanpov)
  • b9759d4: client channel handling changes - server_channel_open_direct_tcpip, server_channel_open_agent_forward and server_channel_open_session now receive a Channel instead of a ChannelId. Also added should_accept_unknown_server_channel and server_channel_open_unknown callbacks.
  • d6ee97a: new rich NoCommonAlgo error
  • cb8d9e9: fixed #338 - make KeyPair::generate_ed25519 infallible
  • 9444608: Add a way to open an agent forwarding channel (#344) (Thomas Rampelberg)
  • ee59e07: Add ed25519 to ALL_KEY_TYPES (#360) (Toni Peter)
  • 3f7271b: fixed #358 - relax strict kex checks to match OpenSSH
  • 72aa097: Update deps (#363) (Lucas Kent)

v0.45.0

14 Aug 22:07

Changes

  • 4eaa080: added support for the 3des-cbc cipher. As an outdated cipher, it's not included in the defaults list and has to be explicitly enabled.

v0.44.1

14 Aug 21:10

Security fixes

CVE-2024-43410 - SSH OOM DoS through malicious packet length

It was possible for an attacker to cause Warpgate to allocate an arbitrary amount of memory by sending a packet with a malformed length field, potentially causing the application to get killed due to excessive RAM usage.
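
The class of bug described above, shown as an added example that is not russh's or Warpgate's code: a packet reader that allocates whatever the 4-byte length field claims, next to one that validates the length and grows its buffer only as data arrives. The limits, function names and the cleartext-only framing are assumptions made for this sketch.

```rust
use std::io::{self, Cursor, Read};

// Assumed limits for this sketch, not russh's constants. RFC 4253 section 6.1
// only requires support for packets up to 35000 bytes in total.
const MAX_PACKET_LEN: usize = 256 * 1024;
const MIN_PACKET_LEN: usize = 5; // padding_length byte + 4 bytes of padding

fn read_len<R: Read>(r: &mut R) -> io::Result<usize> {
    let mut len = [0u8; 4];
    r.read_exact(&mut len)?;
    Ok(u32::from_be_bytes(len) as usize)
}

/// Vulnerable pattern: allocates whatever the peer's length field claims.
fn read_packet_unbounded<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let n = read_len(r)?;
    let mut buf = vec![0u8; n]; // requests up to 4 GiB on the peer's say-so
    r.read_exact(&mut buf)?;
    Ok(buf)
}

/// Hardened pattern: validate the length, then grow the buffer only as data arrives.
fn read_packet_bounded<R: Read>(r: &mut R) -> io::Result<Vec<u8>> {
    let n = read_len(r)?;
    if !(MIN_PACKET_LEN..=MAX_PACKET_LEN).contains(&n) {
        let msg = format!("packet_length {} out of range", n);
        return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
    }
    let mut buf = Vec::with_capacity(n.min(4096));
    r.by_ref().take(n as u64).read_to_end(&mut buf)?;
    if buf.len() != n {
        return Err(io::Error::from(io::ErrorKind::UnexpectedEof));
    }
    Ok(buf)
}

/// Builds a constructed cleartext frame: uint32 length followed by the body.
fn frame(body: &[u8]) -> Vec<u8> {
    let mut out = (body.len() as u32).to_be_bytes().to_vec();
    out.extend_from_slice(body);
    out
}

fn main() {
    let good = frame(&[0u8; 12]);
    let oversized = vec![0xff, 0xff, 0xff, 0xf0]; // constructed header claiming ~4 GiB
    for input in [good, oversized] {
        let res = read_packet_bounded(&mut Cursor::new(input)).map(|b| b.len());
        println!("{:?}", res);
    }
}
```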

v0.44.0

18 Jul 07:39

Breaking changes

OpenSSL-free RSA

  • This release adds a default pure-Rust RSA implementation, meaning that you can disable the openssl feature to reduce your app size and improve portability and build speed.
  • RSA is now enabled by default in Preferred::DEFAULT when the openssl feature is disabled.

Preferred algorithms config changes - 77cc2f7

  • The fields specifying cipher algorithms in Preferred are now Cow<'static, [Name]> instead of &'static [Name], allowing you to dynamically construct the lists. If you're using custom algorithm lists, you'll need to update your code:
  config.preferred = Preferred {
-   kex: &[CURVE25519],
+   kex: Cow::Borrowed(&[CURVE25519]),
    ..<_>::default()
  }
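  Review bot: the `+` line relies on `Cow` being in scope, but the snippet never shows `use std::borrow::Cow;`, so the migration does not compile as pasted; worth adding that import above `config.preferred`. Since the stated reason for the change is dynamically constructed lists, it would also help to mention that those go in `Cow::Owned(...)`, as the snippet only covers the static `Cow::Borrowed` case.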
  • The type of Preferred::compression items is now russh::compression::Name instead of String.
  • All Name structs now implement TryFrom<&'static str> which will validate that the named algorithm is actually implemented in the library.
  • There are now companion algorithm lists to choose from dynamically: russh_keys::key::ALL_KEY_TYPES, russh::kex::ALL_KEX_ALGORITHMS, russh::cipher::ALL_CIPHERS, russh::compression::ALL_COMPRESSION_ALGORITHMS and russh::mac::ALL_MAC_ALGORITHMS.

Incorrect Ed25519 PKCS#8 key saving

  • Up to v0.43, russh-keys generated an incorrect key format when saving Ed25519 keys in PKCS#8 format. This is fixed in v0.44, but by default v0.44 will fail to parse keys generated by v0.43.
  • To allow v0.44 to parse these keys, enable the legacy-ed25519-pkcs8-parser feature of the russh-keys crate.

Other changes

  • 3bfd99f: ecdh-sha2-nistp{256,384,521} kex support (#282) (Michael Gleason)
  • 800969b: Implement -cbc ciphers. (#297) (Pierre Barre)
  • 1eaadfb: Add support for glob pattern matching in Host directives (#306) (Adam Chappell)
  • 88196a7: allow converting ChannelId into u32

v0.44.0-beta.4

16 Jul 19:08
Pre-release

Changes

Incorrect Ed25519 PKCS#8 key saving

  • Up to v0.43, russh-keys generated an incorrect key format when saving Ed25519 keys in PKCS#8 format. This is fixed in v0.44, but by default v0.44 will fail to parse keys generated by v0.43.
  • To allow v0.44 to parse these keys, enable the legacy-ed25519-pkcs8-parser feature of the russh-keys crate.