Crate thrussh_keys

This crate contains methods to deal with SSH keys, as defined in crate Thrussh. This includes in particular various functions for opening key files, deciphering encrypted keys, and dealing with agents.

The following example (which uses the openssl feature) shows how to do all these in a single example: start and SSH agent server, connect to it with a client, decipher an encrypted private key (the password is b"blabla"), send it to the agent, and ask the agent to sign a piece of data (`b“Please sign this“, below).

 use thrussh_keys::*;
 use futures::Future;

 #[derive(Clone)]
 struct X{}
 impl agent::server::Agent for X {
     fn confirm(self, _: std::sync::Arc<key::KeyPair>) -> Box<dyn Future<Output = (Self, bool)> + Send + Unpin> {
         Box::new(futures::future::ready((self, true)))
     }
 }

 const PKCS8_ENCRYPTED: &'static str = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQITo1O0b8YrS0CAggA\nMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBtLH4T1KOfo1GGr7salhR8BIIE\n0KN9ednYwcTGSX3hg7fROhTw7JAJ1D4IdT1fsoGeNu2BFuIgF3cthGHe6S5zceI2\nMpkfwvHbsOlDFWMUIAb/VY8/iYxhNmd5J6NStMYRC9NC0fVzOmrJqE1wITqxtORx\nIkzqkgFUbaaiFFQPepsh5CvQfAgGEWV329SsTOKIgyTj97RxfZIKA+TR5J5g2dJY\nj346SvHhSxJ4Jc0asccgMb0HGh9UUDzDSql0OIdbnZW5KzYJPOx+aDqnpbz7UzY/\nP8N0w/pEiGmkdkNyvGsdttcjFpOWlLnLDhtLx8dDwi/sbEYHtpMzsYC9jPn3hnds\nTcotqjoSZ31O6rJD4z18FOQb4iZs3MohwEdDd9XKblTfYKM62aQJWH6cVQcg+1C7\njX9l2wmyK26Tkkl5Qg/qSfzrCveke5muZgZkFwL0GCcgPJ8RixSB4GOdSMa/hAMU\nkvFAtoV2GluIgmSe1pG5cNMhurxM1dPPf4WnD+9hkFFSsMkTAuxDZIdDk3FA8zof\nYhv0ZTfvT6V+vgH3Hv7Tqcxomy5Qr3tj5vvAqqDU6k7fC4FvkxDh2mG5ovWvc4Nb\nXv8sed0LGpYitIOMldu6650LoZAqJVv5N4cAA2Edqldf7S2Iz1QnA/usXkQd4tLa\nZ80+sDNv9eCVkfaJ6kOVLk/ghLdXWJYRLenfQZtVUXrPkaPpNXgD0dlaTN8KuvML\nUw/UGa+4ybnPsdVflI0YkJKbxouhp4iB4S5ACAwqHVmsH5GRnujf10qLoS7RjDAl\no/wSHxdT9BECp7TT8ID65u2mlJvH13iJbktPczGXt07nBiBse6OxsClfBtHkRLzE\nQF6UMEXsJnIIMRfrZQnduC8FUOkfPOSXc8r9SeZ3GhfbV/DmWZvFPCpjzKYPsM5+\nN8Bw/iZ7NIH4xzNOgwdp5BzjH9hRtCt4sUKVVlWfEDtTnkHNOusQGKu7HkBF87YZ\nRN/Nd3gvHob668JOcGchcOzcsqsgzhGMD8+G9T9oZkFCYtwUXQU2XjMN0R4VtQgZ\nrAxWyQau9xXMGyDC67gQ5xSn+oqMK0HmoW8jh2LG/cUowHFAkUxdzGadnjGhMOI2\nzwNJPIjF93eDF/+zW5E1l0iGdiYyHkJbWSvcCuvTwma9FIDB45vOh5mSR+YjjSM5\nnq3THSWNi7Cxqz12Q1+i9pz92T2myYKBBtu1WDh+2KOn5DUkfEadY5SsIu/Rb7ub\n5FBihk2RN3y/iZk+36I69HgGg1OElYjps3D+A9AjVby10zxxLAz8U28YqJZm4wA/\nT0HLxBiVw+rsHmLP79KvsT2+b4Diqih+VTXouPWC/W+lELYKSlqnJCat77IxgM9e\nYIhzD47OgWl33GJ/R10+RDoDvY4koYE+V5NLglEhbwjloo9Ryv5ywBJNS7mfXMsK\n/uf+l2AscZTZ1mhtL38efTQCIRjyFHc3V31DI0UdETADi+/Omz+bXu0D5VvX+7c6\nb1iVZKpJw8KUjzeUV8yOZhvGu3LrQbhkTPVYL555iP1KN0Eya88ra+FUKMwLgjYr\nJkUx4iad4dTsGPodwEP/Y9oX/Qk3ZQr+REZ8lg6IBoKKqqrQeBJ9gkm1jfKE6Xkc\nCog3JMeTrb3LiPHgN6gU2P30MRp6L1j1J/MtlOAr5rux\n-----END ENCRYPTED PRIVATE KEY-----\n";

 fn main() {
    env_logger::try_init().unwrap_or(());
    let dir = tempdir::TempDir::new("thrussh").unwrap();
    let agent_path = dir.path().join("agent");

    let mut core = tokio::runtime::Runtime::new().unwrap();
    let agent_path_ = agent_path.clone();
    // Starting a server
    core.spawn(async move {
        let mut listener = tokio::net::UnixListener::bind(&agent_path_)
            .unwrap();
        thrussh_keys::agent::server::serve(tokio_stream::wrappers::UnixListenerStream::new(listener), X {}).await
    });
    let key = decode_secret_key(PKCS8_ENCRYPTED, Some("blabla")).unwrap();
    let public = key.clone_public_key();
    core.block_on(async move {
        let stream = tokio::net::UnixStream::connect(&agent_path).await?;
        let mut client = agent::client::AgentClient::connect(stream);
        client.add_identity(&key, &[agent::Constraint::KeyLifetime { seconds: 60 }]).await?;
        client.request_identities().await?;
        let buf = b"signed message";
        let sig = client.sign_request(&public, cryptovec::CryptoVec::from_slice(&buf[..])).await.1.unwrap();
        // Here, `sig` is encoded in a format usable internally by the SSH protocol.
        Ok::<(), Error>(())
    }).unwrap()
 }

Modules

agent

A module to write SSH agent.

encoding

key

openssh

pkcs8

signature

Enums

Encryption

AES encryption key.

Error

Traits

PublicKeyBase64

Functions

check_known_hosts

Check whether the host is known, from its standard location.

check_known_hosts_path

Check that a server key matches the one recorded in file path.

decode_openssh

Decode a secret key given in the OpenSSH format, deciphering it if needed using the supplied password.

decode_secret_key

Decode a secret key, possibly deciphering it with the supplied password.

encode_pkcs8_pem

encode_pkcs8_pem_encrypted

learn_known_hosts

Record a host’s public key into the user’s known_hosts file.

learn_known_hosts_path

Record a host’s public key into a nonstandard location.

load_public_key

Load a public key from a file. Ed25519 and RSA keys are supported.

load_secret_key

Load a secret key, deciphering it with the supplied password if necessary.

parse_public_key_base64

Reads a public key from the standard encoding. In some cases, the encoding is prefixed with a key type identifier and a space (such as ssh-ed25519 AAAAC3N...).

write_public_key_base64

Write a public key onto the provided Write, encoded in base-64.