Skip to main content

Crate puressh

Crate puressh 

Source
Expand description

puressh — a pure-Rust SSH (Secure Shell) protocol library.

Built on purecrypto for all cryptographic primitives, with no foreign code in the dependency tree.

The crate is split along the layers of RFC 4251–4254:

  • format — SSH wire format primitives (mpint, string, name-list).
  • transport — binary packet protocol, version exchange, KEX state machine.
  • kex — key-exchange algorithms (curve25519-sha256, ecdh-sha2-nistp*).
  • cipher — symmetric ciphers (aes*-ctr, aes*-gcm, chacha20-poly1305).
  • mac — message authentication codes (hmac-sha2-*, *-etm).
  • hostkey — host-key/signature algorithms (ssh-ed25519, ecdsa-sha2-*, rsa-sha2-*).
  • auth — userauth (RFC 4252).
  • channel — channels (RFC 4254).
  • key — OpenSSH key file parsing and serialisation.
  • client — high-level blocking client API (feature client).
  • server — high-level blocking server API (feature server).
  • driver — sans-IO connection drivers (features client / server).
  • client_async — runtime-agnostic async client (feature async).

§Sans-IO core and frontends

The protocol layers above (format, transport, channel, auth) are sans-IO: they transform byte buffers and never touch a socket. The driver module lifts the connection orchestration — the state machine that sequences version exchange → key exchange → authentication → application channels and drives re-key/keepalive timers — into the same sans-IO style: a ClientDriver / ServerDriver takes inbound bytes (handle_input), produces outbound frames (poll_transmit) and events (poll_event), and ticks timers (handle_timeout), with the caller supplying the I/O and the clock.

Two frontends drive that one core, sharing all protocol logic:

  • the blocking Client / Server (default), which pump the driver over std::net sockets and threads;
  • the async AsyncClient (feature async), which pumps the same ClientDriver over any futures_io::AsyncRead + AsyncWrite transport (tokio via compat, smol, async-std, …) with no runtime dependency of its own.

Re-exports§

pub use error::Error;
pub use error::Result;

Modules§

agent
OpenSSH ssh-agent client.
auth
User authentication — RFC 4252 (with RFC 4256 keyboard-interactive).
cert
OpenSSH certificate parsing and verification (*-cert-v01@openssh.com).
channel
Connection protocol — RFC 4254.
cipher
SSH cipher suite adapters over purecrypto::cipher.
client
High-level synchronous SSH client over std::net::TcpStream.
compress
SSH packet payload compression (RFC 4253 §6.2).
config
OpenSSH-compatible ssh_config / sshd_config parser.
driver
Sans-IO connection drivers.
error
Crate-wide error type.
format
SSH wire-format primitives (RFC 4251 §5).
forwarding
Port-forwarding building blocks used by puressh::server (and client in a follow-up commit).
hostkey
Host-key / public-key signature algorithms (RFC 4253 §6.6, RFC 8332).
kex
Key-exchange algorithms.
key
OpenSSH key file parsing and serialisation.
known_hosts
OpenSSH known_hosts format: parse, store, lookup, and rewrite.
krl
OpenSSH key-revocation-list (KRL) binary format reader.
mac
Message Authentication Codes over purecrypto::hash (HMAC family).
mux
Client connection multiplexing (ControlMaster / ControlPath / ControlPersist) over a Unix-domain control socket.
proc_transport
ProxyCommand transport: run the SSH session over a spawned helper process’s stdio instead of a direct socket.
scp
SCP (Secure CoPy) protocol — the wire format spoken by scp -t / scp -f between a local and a remote OpenSSH scp binary. The protocol predates SFTP and is loosely specified (the closest thing to a reference is OpenSSH’s own scp.c); the encoding is line-headers + raw payload + single-byte acks, transported over any Read+Write stream — typically a crate::client::ClientChannelStream driving the remote scp -t/scp -f helper.
server
High-level blocking SSH server over std::net::TcpListener.
sftp
SFTP v3 protocol implementation (draft-ietf-secsh-filexfer-02).
shared
Owned-handle wrapper around Client that supports multiple concurrent channel sessions of every type on a single SSH connection — SFTP, exec, interactive shells, and direct-tcpip forwards all coexisting on the same transport.
stream
Cross-cutting bidirectional channel adapter used by server-side crate::server::SubsystemHandler / crate::server::DirectTcpipHandler plumbing AND by the client-side multi-channel event loop (crate::client::Client::serve).
transport
SSH transport layer — RFC 4253.