Releases: Eugeny/russh

v0.39.0

27 Sep 18:55

Breaking changes

  • The behaviour of the server::Handler::auth_publickey method has changed.
    • Previously, this method was called before the public key's signature was verified and if you didn't pay attention to the documentation, your application might interpret this call as a successful public key authentication. In reality, it's only meant to decide whether to accept the public key offer from the client or not.
    • Now, the method is called after the signature is verified and the return value is used to decide whether to accept the authentication or not.
    • The old method has been renamed to auth_publickey_offer and will accept all offers by default.
    • If you have not relied on the incorrect interpretation of auth_publickey method, no action is needed.
    • If you explicitly want to control whether public key offers are accepted or not, additionally implement auth_publickey_offer.
    • N.B.: In OpenSSH, the difference in user experience between rejecting a public key offer and rejecting a public key authentication is whether the key passphrase prompt has been shown.
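The distinction the note draws matters because an SSH "publickey" userauth request comes in two forms (RFC 4252 section 7): a signature-less query asking whether a key would be acceptable, and a signed attempt. Treating the first as a login is an authentication bypass. The following is an added example, not russh code: a self-contained Rust model of the two callbacks named above, with a constructed Handler trait, constructed key types and a keyed-hash stand-in for the signature (a MAC, not a real public-key signature) so it runs without the russh crate. Only the ordering and the decision points are meant to mirror the behaviour the release note describes.

```rust
// Added example, not russh code: a model of the two server callbacks named in
// the release note. `auth_publickey_offer` answers the client's signature-less
// query and grants nothing; `auth_publickey` is consulted only after the
// signature over the session id has verified, and only its answer completes
// authentication. Handler trait, key types and "signature" are constructed.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct PublicKey { pub id: String, verify_key: u64 }

pub struct PrivateKey { id: String, secret: u64 }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Signature(u64);

fn keyed_hash(key: u64, msg: &[u8]) -> u64 {
    let mut h = DefaultHasher::new();
    key.hash(&mut h);
    msg.hash(&mut h);
    h.finish()
}

impl PrivateKey {
    pub fn new(id: &str, secret: u64) -> Self { PrivateKey { id: id.to_string(), secret } }
    // Toy: verifier and signer share the same value (a MAC, not a true
    // public-key signature); this keeps the control flow realistic, nothing more.
    pub fn public_key(&self) -> PublicKey { PublicKey { id: self.id.clone(), verify_key: self.secret } }
    pub fn sign(&self, session_id: &[u8]) -> Signature { Signature(keyed_hash(self.secret, session_id)) }
}

fn verify(key: &PublicKey, session_id: &[u8], sig: &Signature) -> bool {
    keyed_hash(key.verify_key, session_id) == sig.0
}

#[derive(Debug, PartialEq, Eq)]
pub enum Auth { Accept, Reject }

pub trait Handler {
    /// Signature-less query: decide only whether the key may be offered. Default accepts all.
    fn auth_publickey_offer(&self, _user: &str, _key: &PublicKey) -> Auth { Auth::Accept }
    /// Reached only after the signature verified: decide whether the login succeeds.
    fn auth_publickey(&self, user: &str, key: &PublicKey) -> Auth;
}

/// An authorized_keys-style handler: accept exactly the (user, key) pairs listed.
pub struct AuthorizedKeys { pub entries: Vec<(String, PublicKey)> }

impl Handler for AuthorizedKeys {
    fn auth_publickey(&self, user: &str, key: &PublicKey) -> Auth {
        if self.entries.iter().any(|(u, k)| u == user && k == key) { Auth::Accept } else { Auth::Reject }
    }
}

/// SSH_MSG_USERAUTH_REQUEST "publickey": `signature == None` is the query form.
pub struct UserauthRequest<'a> { pub user: &'a str, pub key: PublicKey, pub signature: Option<Signature> }

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome { OfferAccepted, OfferRejected, Authenticated, Denied }

pub fn handle_userauth<H: Handler>(h: &H, session_id: &[u8], req: &UserauthRequest<'_>) -> Outcome {
    match &req.signature {
        // Query: reply is PK_OK or failure; the session stays unauthenticated either way.
        None => match h.auth_publickey_offer(req.user, &req.key) {
            Auth::Accept => Outcome::OfferAccepted,
            Auth::Reject => Outcome::OfferRejected,
        },
        // Real attempt: verify first, then ask policy. A handler that never sees
        // an unverified key cannot mistake an offer for a login.
        Some(sig) => {
            if !verify(&req.key, session_id, sig) { return Outcome::Denied; }
            match h.auth_publickey(req.user, &req.key) {
                Auth::Accept => Outcome::Authenticated,
                Auth::Reject => Outcome::Denied,
            }
        }
    }
}

fn main() {
    let alice = PrivateKey::new("alice-key", 0x1234);
    let handler = AuthorizedKeys { entries: vec![("alice".to_string(), alice.public_key())] };
    let sid = b"constructed-session-id";
    let offer = UserauthRequest { user: "alice", key: alice.public_key(), signature: None };
    let login = UserauthRequest { user: "alice", key: alice.public_key(), signature: Some(alice.sign(sid)) };
    println!("offer  -> {:?}", handle_userauth(&handler, sid, &offer));
    println!("signed -> {:?}", handle_userauth(&handler, sid, &login));
}
```

The offer path never touches the authorized-keys list, which is the point of the default accept-all `auth_publickey_offer`: an application that only wants to gate logins implements `auth_publickey` and can ignore offers entirely. Because the signature is bound to the session id, a signature captured from one connection yields `Denied` on another.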

v0.38.0

17 Aug 18:48

Breaking changes

  • d97cfcc: #158 - removed unsafe key exchanges from default algorithm list when the openssl feature is disabled
  • ae95df8: #171 - removed unsafe none HMAC from the default algorithm list
  • 6606e28: #141 - renamed Config::connection_timeout to Config::inactivity_timeout to better reflect its purpose
  • eb6fee2: support RFC8731 name of curve25519-sha256 kex (Jan Christian Grünhage) #158
    • CURVE25519 is now curve25519-sha256 instead of curve25519-sha256@libssh.org
    • curve25519-sha256@libssh.org is still available as CURVE25519_PRE_RFC_8731
  • 531fe30: Error::UnsupportedKeyType now holds a String (Lucas Kent) #161

Changes

  • 359fa3c: fixed #100 - allow overriding Handler methods without losing Channel functionality
  • 87245b5: Support ssh clients without RFC 8308 extension negotiation mechanism (Mateusz Kondej) #153
  • 576c691: Trait method to add conditions for SSH agent server when accepting requests for operations (Saksham Mittal) #166
  • 84264b3: Use negotiated kex instead of preferred (Raphael Druon) #174
  • 973dee5: only send enabled key algos in server-sig-algs
  • 5d82dcb: Update dependencies (Lucas Kent) #169
  • 8c8b064: removed EXTENSION_SUPPORT_AS_x from explicit kex list
  • 43edc32: fixed #172 - update ed25519-dalek #173

v0.37.1

16 Mar 18:43
190374b

Security fixes

CVE-2023-28113 [45d2d82]

A malicious client/server could negotiate insecure Diffie-Hellman key exchange parameters in a way that leads to an insecure shared secret and breaks confidentiality of the connection traffic.

v0.37.0

16 Mar 18:41
90d283c

Breaking changes

  • 2ce4334: removed the Session::id method
  • bd4113d: unsafe Diffie-Hellman key exchange algorithms are now disabled by default - you can re-enable them in your Config struct.

Changes

  • 6748879: Keyboard-interactive auth support as client (Joshua Benz) #147
  • 56c8ff6: initial client support for UNIX socket forwarding (direct-streamlocal) (mllken)

Fixes

  • 424e88e: fix #143: handle CHANNEL_OPEN_FAILURE on server side (Swelio) #144

v0.36.2

16 Mar 18:37
6ecb45d

Security fixes

CVE-2023-28113 [d831a37]

A malicious client/server could negotiate insecure Diffie-Hellman key exchange parameters in a way that leads to an insecure shared secret and breaks confidentiality of the connection traffic.
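The advisory text (here and in the v0.37.1 entry above) states only that a peer could steer the exchange to an insecure shared secret. As an added example that is not the russh patch and makes no claim about which check was missing, the following Rust shows the validation a Diffie-Hellman peer should apply to the public value it receives and to the secret it derives: a range check that rejects 0, 1 and p-1, a subgroup-membership check for a safe-prime group, and a final rejection of degenerate secrets. The group is a constructed tiny safe prime (p = 23, q = 11, g = 4 generating the order-q subgroup) so the arithmetic fits in u128; real SSH groups such as RFC 3526 group 14 are 2048 bits and need a bignum library, but the checks are the same.

```rust
// Added example, not the russh fix: validation of a received DH public value
// and of the derived shared secret, over a constructed toy safe-prime group.
pub struct Group { pub p: u128, pub q: u128, pub g: u128 }

/// Constructed group: p = 23 is a safe prime (q = 11), g = 4 has order q.
pub const TOY_GROUP: Group = Group { p: 23, q: 11, g: 4 };

/// Square-and-multiply modular exponentiation; m < 2^64 keeps the products in range.
pub fn mod_pow(mut base: u128, mut exp: u128, m: u128) -> u128 {
    let mut acc = 1u128 % m;
    base %= m;
    while exp > 0 {
        if exp & 1 == 1 { acc = acc * base % m; }
        base = base * base % m;
        exp >>= 1;
    }
    acc
}

#[derive(Debug, PartialEq, Eq)]
pub enum KexError { PublicValueOutOfRange, NotInSubgroup, DegenerateSharedSecret }

/// Validate a peer's public value y (the e or f of SSH's KEXDH messages).
pub fn validate_public_value(grp: &Group, y: u128) -> Result<(), KexError> {
    // 2 <= y <= p-2: rejects 0, 1 and p-1, whose powers are confined to {0, 1, p-1},
    // which would give both sides (and an observer) a predictable secret.
    if y < 2 || y > grp.p - 2 { return Err(KexError::PublicValueOutOfRange); }
    // y^q == 1 (mod p): y lies in the prime-order subgroup, so the secret cannot
    // be pushed into a small subgroup by a crafted value.
    if mod_pow(y, grp.q, grp.p) != 1 { return Err(KexError::NotInSubgroup); }
    Ok(())
}

/// Compute K = peer_pub^our_priv mod p only after the peer value validated,
/// and refuse degenerate results as defence in depth (e.g. a bad local exponent).
pub fn derive_shared_secret(grp: &Group, our_priv: u128, peer_pub: u128) -> Result<u128, KexError> {
    validate_public_value(grp, peer_pub)?;
    let k = mod_pow(peer_pub, our_priv, grp.p);
    if k <= 1 { return Err(KexError::DegenerateSharedSecret); }
    Ok(k)
}

fn main() {
    let grp = &TOY_GROUP;
    // Constructed private exponents for the two sides.
    let (a, b) = (3u128, 7u128);
    let e = mod_pow(grp.g, a, grp.p); // client sends e
    let f = mod_pow(grp.g, b, grp.p); // server sends f
    println!("e = {e}, f = {f}");
    println!("client K = {:?}", derive_shared_secret(grp, a, f));
    println!("server K = {:?}", derive_shared_secret(grp, b, e));
    for bad in [0u128, 1, grp.p - 1, 5] {
        println!("peer value {bad}: {:?}", validate_public_value(grp, bad));
    }
}
```

Both sides arrive at the same K when the peer value is honest, and each of the crafted values is refused before any secret is computed. For a real implementation the same checks must run on every KEXDH/KEXDH-GEX reply, on both the client and the server, since the advisory names both roles.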

v0.36.1

07 Feb 08:10
1fbba50

Minor changes

Fixes

  • 3611ab1: [russh-keys v0.24.1] don't panic when passphrase is not supplied to openssh private key (Mariotaku) #115
  • f35fbff: fix channel close issue (z0017k9m) #118

v0.36.0

29 Jan 19:07
267a241

Major changes

  • Migrated to async-trait - you'll need to simplify & clean up your Handler implementations to use #[async_trait] and async methods (see new examples in the docs).
  • Server-side Channel objects - Handler::channel_open_* methods now take a Channel<> instead of ChannelId.

Fixes

  • fixed #111 - closed channel sender leak in client
  • fixed #114 - ignore sig hash algo in PartialEq for PublicKey
  • client: correctly return error for channel open failures
  • fixed missing CHANNEL_CLOSE messages
  • Use client generated channel id when creating server initiated channel

Changes

  • Added Key::with_signature_hash
  • fixed #86 - support for dynamic port assignment in tcpip_forward
  • server: added OpenSSH server-sig-algs protocol extension support
  • reworked ChannelStream API
  • fixed #111 - added Channel::close