Skip to content

Releases: Eugeny/russh

v0.44.0-beta.3

09 Jul 20:25
Compare
Choose a tag to compare
v0.44.0-beta.3 Pre-release
Pre-release

Preferred algorithms config changes

  • 77cc2f7: algorithm names QoL changes

  • The fields specifying cipher algorithms in Preferred are now Cow<&'static, [Name]> instead of &'static [Name], allowing you to dynamically construct the lists. If you're using custom algorithm lists, you'll need to update your code:

  config.preferred = Preferred {
-   kex: &[CURVE25519],
+   kex: Cow::Borrowed(&[CURVE25519]),
    ..<_>::default()   
  }
  • The type of Preferred::compression items is now russh::compression::Name instead of String.
  • All Name structs now implement TryFrom<&'static str> which will validate that the named algorithm is actually implemented in the library.
  • There are now companion algorithm lists to choose from dynamically: russh_keys::key::ALL_KEY_TYPES, russh::kex::ALL_KEX_ALGORITHMS, russh::cipher::ALL_CIPHERS, russh::compression::ALL_COMPRESSION_ALGORITHMS and russh::mac::ALL_MAC_ALGORITHMS.

Changes

  • 3bfd99f: ecdh-sha2-nistp{256,384,521} kex support (#282) (Michael Gleason) #282
  • 800969b: Implement -cbc ciphers. (#297) (Pierre Barre) #297
  • 1eaadfb: Add support for glob pattern matching in Host directives (#306) (Adam Chappell) #306
  • 88196a7: allow converting ChannelId into u32

Fixes

v0.44.0-beta.1

04 May 19:40
Compare
Choose a tag to compare
v0.44.0-beta.1 Pre-release
Pre-release

Notes

  • This release adds a default pure-Rust RSA implementation, meaning that you can disable the openssl feature to reduce your app size and improve portability and build speed.

Changes

  • c850dbd: Add pure-rust RSA implementation (#273) (Robert Wang) #273
  • 3041b0c: Implement ecdsa-sha2-nistp{256,384,521} (#267) (Robert Wang) #267
  • b20504d: Implements client support for OpenSSH Certificates (#278) (Shoaib Merchant) #278
  • 4f749f4: Replace custom PKCS #8 parsing with der crate and others (#274) (Robert Wang) #274
  • 194430b: Use ssh-key crate to decode OpenSSH public/private keys (#279) (Robert Wang) #279
  • 4b40f51: Zeroize RSA private key data on drop (#275) (Robert Wang) #275

Fixes

  • 58d9274: Fix compilation error when using without the flate2 feature (#263) (citorva) #263
  • 0915744: fixed #270 - decode_pkcs5 does not remove padding
  • e745827: Updated curve25519-dalek to 4.1.2 (#269) (Chander) #269
  • 8d582f6: Fix ed25519 key format in pkcs8 (#272) (Robert Wang) #272

v0.43.0

21 Mar 09:47
Compare
Choose a tag to compare

Breaking changes

Changes in the Handler traits

859e685: refactor Handler trait to use mutable reference instead of owned variables (Alessandro Ricottone) #247

The Handler traits no longer take ownership of both self and Session or have to return them. These have been replaced with normal &mut references.

You will need to update your Handler impls to match the new method signatures, for example:

     async fn channel_open_session(
-        self,
+        &mut self,
         channel: Channel<Msg>,
-        session: Session,
+        session: &mut Session,
-    ) -> Result<(Self, bool, Session), Self::Error> {
+    ) -> Result<bool, Self::Error> {
         ...
-        Ok((self, true, session))
+        Ok(true)
     }
 
     async fn auth_publickey(
-        self,
+        &mut self,
         _: &str,
         _: &key::PublicKey,
-    ) -> Result<(Self, server::Auth), Self::Error> {
+    ) -> Result<server::Auth, Self::Error> {
         ...
-        Ok((self, server::Auth::Accept))
+        Ok(server::Auth::Accept)
     }

russh::server::run moved into the Server trait

a592366: Move run and run_on_socket to Server trait (Alessandro Ricottone) #247

You'll need to replace the call to run with a call to Server::run_on_address, for example:

-    russh::server::run(config, ("0.0.0.0", 2222), &mut server).await?;
+    server.run_on_address(config, ("0.0.0.0", 2222)).await?;
 }
 

Changes

  • 1d7dab8: Better disconnect event handling (Adrian Müller) #255 - added Handler::disconnected
  • 45edb29: added specific error types for keepalive and inactivity timeouts
  • 0fcb1ec: Allow retrieving peer SSH Protocol Version String (#260) (Adrian Müller (DTT)) #260
  • 5c60d30: Actually process global request results (Adrian Müller) #250
  • dcbe4ba: update examples to new APIs (Alessandro Ricottone) #249

Fixes

  • 62366e9: #259, #245, ref #227 - fixed host key algo selection when Preferred::key and the available host keys don't match (#262) #262

v0.43.0-beta.1

10 Feb 13:18
Compare
Choose a tag to compare
v0.43.0-beta.1 Pre-release
Pre-release

Breaking changes

Changes in the Handler traits

859e685: refactor Handler trait to use mutable reference instead of owned variables (Alessandro Ricottone) #247

The Handler traits no longer take ownership of both self and Session or have to return them. These have been replaced with normal &mut references.

You will need to update your Handler impls to match the new method signatures, for example:

     async fn channel_open_session(
-        self,
+        &mut self,
         channel: Channel<Msg>,
-        session: Session,
+        session: &mut Session,
-    ) -> Result<(Self, bool, Session), Self::Error> {
+    ) -> Result<bool, Self::Error> {
         ...
-        Ok((self, true, session))
+        Ok(true)
     }
 
     async fn auth_publickey(
-        self,
+        &mut self,
         _: &str,
         _: &key::PublicKey,
-    ) -> Result<(Self, server::Auth), Self::Error> {
+    ) -> Result<server::Auth, Self::Error> {
         ...
-        Ok((self, server::Auth::Accept))
+        Ok(server::Auth::Accept)
     }

russh::server::run moved into the Server trait

a592366: Move run and run_on_socket to Server trait (Alessandro Ricottone) #247

You'll need to replace the call to run with a call to Server::run_on_address, for example:

-    russh::server::run(config, ("0.0.0.0", 2222), &mut server).await?;
+    server.run_on_address(config, ("0.0.0.0", 2222)).await?;
 }
 

v0.42.0

10 Feb 11:51
Compare
Choose a tag to compare

Changes

  • 2ce82f2: Support for NIST P-521 public keys (akeamc) #230
  • 8f6af5e: Support for diffie-hellman-group16-sha512 hex (Brendon Ho) #233
  • 273fd88: Add russh::server::run_on_socket to facilitate dropping privileges immediately after socket binding (Samuel Ainsworth) #231
  • be6f5be: implement Ord, PartialOrd for ChannelId (Sherlock Holo) #238

Fixes

  • b9dce87: Improve keepalive and inactivity timers (Milo Mirate) #214
  • 1541fe5: Analogous keepalive fixes to the client module (Samuel Ainsworth) #243
  • bd13e95: Avert the race between sending data and sending EOF (Milo Mirate) #222
  • 44a2392: server/encrypted.rs: respect proceed_with_methods in "none" and "password" authentication methods (Samuel Ainsworth) #241
  • 42c98a6: fixed #227 - only advertise host key algos for host keys present in server::Config

v0.40.2

18 Dec 15:14
Compare
Choose a tag to compare

Security fixes

CVE-2023-48795 - Terrapin Attack [a355c62]

A flaw in the SSH protocol itself allows an active MitM attacker to prevent the client & server from negotiating OpenSSH security extensions, or, with AsyncSSH, take control of the user's session.

This release adds the support for the kex-strict-*-v00@openssh.com extensions designed by OpenSSH specifically to prevent this attack.

More info: https://terrapin-attack.com

v0.40.1

12 Dec 20:36
Compare
Choose a tag to compare

Changes

  • Explicitly set minimum supported Rust version (1.65)

v0.40.0

02 Dec 23:11
Compare
Choose a tag to compare

Breaking changes

  • acd744a: ChannelStream rebuild (Maya the bee) #181
    • ChannelStream is now generic over the same type as the parent Channel
    • You can now obtain separate AsyncRead and AsyncWrite handles for a channel, as well as its extended streams with make_reader(_ext) and make_writer(_ext).

Changes

  • 92660ef: Support for NIST P-256 public keys (George Hopkins) #208
  • 4a683d2: Add client-sent keepalives (Milo Mirate) #196
  • c4a0688: Add method to read known host key (George Hopkins) #205
  • 7c03dd9: add sftp client example (Roman) #184
  • 3463ed0: Fix ChannelMsg::Close docs (Lucas Kent) #212
  • cd59590: Added client-side inactivity timeout (Adrian Müller) #211
  • c0f3458: added Server::handle_session_error and session closure logging

Fixes

  • d0908de: fixed #218 - fixed padding calculation, AES-GCM rekey and hmac-sha2-256(-etm) MAC
  • 52e5eaa: Use ChannelMsg::WindowAdjusted during data transfer (Joe Grund) #180
  • e81db83: Make winapi dep windows only (Lucas Kent) #195
  • a904a08: Fix handling of key constraints (George Hopkins) #203
  • 72afa2b: Reduce busywaiting in ChannelStream components (Milo Mirate) #197
  • 9c25fa2: Support hashed hostnames in known_hosts file (George Hopkins) #200
  • c66f4b0: fixed #198 - agent server - ed25519 key parsing

v0.39.0

27 Sep 18:55
Compare
Choose a tag to compare

Breaking changes

  • The behaviour or server::Handler::auth_publickey method has been changed.
    • Previously, this method was called before the public key's signature was verified and if you didn't pay attention to the documentation, your application might interpret this call as a successful public key authentication. In reality, it's only meant to decide whether to accept the public key offer from the client or not.
    • Now, the method is called after the signature is verified and the return value is used to decide whether to accept the authentication or not.
    • The old method has been renamed to auth_publickey_offer and will accept all offers by default.
    • If you have not relied on the incorrect interpretation of auth_publickey method, no action is needed.
    • If you explicitly want to control whether public key offers are accepted or not, additionally implement auth_publickey_offer.
    • N.B.: In OpenSSH, the difference in user experience between rejecting a public key offer and rejecting a public key authentication is whether the key passphrase prompt has been shown.

v0.38.0

17 Aug 18:48
Compare
Choose a tag to compare

Breaking changes

  • d97cfcc: #158 - removed unsafe key exchanges from default algorithm list when the openssl feature is disabled
  • ae95df8: #171 - removed unsafe none HMAC from the default algorithm list
  • 6606e28: #141 - renamed Config::connection_timeout to Config::inactivity_timeout to better reflect its purpose
  • eb6fee2: support RFC8731 name of curve25519-sha256 kex (Jan Christian Grünhage) #158
  • CURVE25519 is now curve25519-sha256 instead of curve25519-sha256@libssh.org
  • curve25519-sha256@libssh.org is still available as CURVE25519_PRE_RFC_8731
  • 531fe30: Error::UnsupportedKeyType now holds a String (Lucas Kent) #161

Changes

  • 359fa3c: fixed #100 - allow overriding Handler methods without losing Channel functionality
  • 87245b5: Support ssh clients without RFC 8308 extension negotation mechanism (Mateusz Kondej) #153
  • 576c691: Trait method to add conditions for SSH agent server when accepting requests for operations (Saksham Mittal) #166
  • 84264b3: Use negotiated kex instead of prefered (Raphael Druon) #174
  • 973dee5: only send enabled key algos in server-sig-algs
  • 5d82dcb: Update dependencies (Lucas Kent) #169
  • 8c8b064: removed EXTENSION_SUPPORT_AS_x from explicit kex list
  • 43edc32: fixed #172 - update ed25519-dalek #173