Expand description
puressh — a pure-Rust SSH (Secure Shell) protocol library.
Built on purecrypto for all cryptographic primitives, with no
foreign code in the dependency tree.
The crate is split along the layers of RFC 4251–4254:
format— SSH wire format primitives (mpint,string,name-list).transport— binary packet protocol, version exchange, KEX state machine.kex— key-exchange algorithms (curve25519-sha256,ecdh-sha2-nistp*).cipher— symmetric ciphers (aes*-ctr,aes*-gcm,chacha20-poly1305).mac— message authentication codes (hmac-sha2-*,*-etm).hostkey— host-key/signature algorithms (ssh-ed25519,ecdsa-sha2-*,rsa-sha2-*).auth— userauth (RFC 4252).channel— channels (RFC 4254).key— OpenSSH key file parsing and serialisation.client— high-level blocking client API (featureclient).server— high-level blocking server API (featureserver).driver— sans-IO connection drivers (featuresclient/server).client_async— runtime-agnostic async client (featureasync).
§Sans-IO core and frontends
The protocol layers above (format, transport, channel,
auth) are sans-IO: they transform byte buffers and never touch a
socket. The driver module lifts the connection orchestration — the
state machine that sequences version exchange → key exchange →
authentication → application channels and drives re-key/keepalive timers —
into the same sans-IO style: a ClientDriver / ServerDriver takes inbound
bytes (handle_input), produces outbound frames (poll_transmit) and
events (poll_event), and ticks timers (handle_timeout), with the caller
supplying the I/O and the clock.
Two frontends drive that one core, sharing all protocol logic:
- the blocking
Client/Server(default), which pump the driver overstd::netsockets and threads; - the async
AsyncClient(featureasync), which pumps the sameClientDriverover anyfutures_io::AsyncRead+AsyncWritetransport (tokio via compat, smol, async-std, …) with no runtime dependency of its own.
Re-exports§
Modules§
- agent
- OpenSSH
ssh-agentclient. - auth
- User authentication — RFC 4252 (with RFC 4256 keyboard-interactive).
- cert
- OpenSSH certificate parsing and verification (
*-cert-v01@openssh.com). - channel
- Connection protocol — RFC 4254.
- cipher
- SSH cipher suite adapters over
purecrypto::cipher. - client
- High-level synchronous SSH client over
std::net::TcpStream. - compress
- SSH packet payload compression (RFC 4253 §6.2).
- config
- OpenSSH-compatible
ssh_config/sshd_configparser. - driver
- Sans-IO connection drivers.
- error
- Crate-wide error type.
- format
- SSH wire-format primitives (RFC 4251 §5).
- forwarding
- Port-forwarding building blocks used by
puressh::server(andclientin a follow-up commit). - hostkey
- Host-key / public-key signature algorithms (RFC 4253 §6.6, RFC 8332).
- kex
- Key-exchange algorithms.
- key
- OpenSSH key file parsing and serialisation.
- known_
hosts - OpenSSH
known_hostsformat: parse, store, lookup, and rewrite. - krl
- OpenSSH key-revocation-list (KRL) binary format reader.
- mac
- Message Authentication Codes over
purecrypto::hash(HMAC family). - mux
- Client connection multiplexing (
ControlMaster/ControlPath/ControlPersist) over a Unix-domain control socket. - proc_
transport ProxyCommandtransport: run the SSH session over a spawned helper process’s stdio instead of a direct socket.- scp
- SCP (Secure CoPy) protocol — the wire format spoken by
scp -t/scp -fbetween a local and a remote OpenSSHscpbinary. The protocol predates SFTP and is loosely specified (the closest thing to a reference is OpenSSH’s ownscp.c); the encoding is line-headers + raw payload + single-byte acks, transported over anyRead+Writestream — typically acrate::client::ClientChannelStreamdriving the remotescp -t/scp -fhelper. - server
- High-level blocking SSH server over
std::net::TcpListener. - sftp
- SFTP v3 protocol implementation (draft-ietf-secsh-filexfer-02).
- shared
- Owned-handle wrapper around
Clientthat supports multiple concurrent channel sessions of every type on a single SSH connection — SFTP, exec, interactive shells, and direct-tcpip forwards all coexisting on the same transport. - stream
- Cross-cutting bidirectional channel adapter used by server-side
crate::server::SubsystemHandler/crate::server::DirectTcpipHandlerplumbing AND by the client-side multi-channel event loop (crate::client::Client::serve). - transport
- SSH transport layer — RFC 4253.