v0.54.4

Fixes

• 1ed8ca7: pageant fixes

v0.54.2

Fixes

• 98b7e91: fixed #558 - zlib compression fails after key renegotiation
• f0881aa: fixed #500 - Including TTY_OP_END in terminal_modes triggers ‘Packet integrity error’ due to duplicate sentinel

v0.54.1

Security fixes

• 0eb5e40: fixed CVE-2025-54804 - missing overflow check in channel window adjust
  • This vulnerability has allowed a malicious authenticated client or server to trigger a Rust panic in the russh server/client via a checked integer overflow

Fixes

• 2d0a418: Fix channels being closed prematurely (#554) (Eric Rodrigues Pires) #554

v0.54.0

Features

• 75459ca: Graceful server shutdown (#539)
  • run_on_socket now returns RunningServer instead of an opaque Future.
  • Call RunningServer.handle() to obtain an asynchronous handle.
  • Use RunningServerHandle.shutdown() to request a graceful server shutdown which will send MSG_DISCONNECT to all clients and wait for the sessions to close.
• make Config Clone (#544) (Philippe Laflamme)
• add a feature toggle for rsa (#550) (Philippe Laflamme)
• 43a09c9: Add Config.nodelay option for client (#551) (Tom) #551

Bug Fixes

• allow Stream to connect to multiple addresses (#545) (Philippe Laflamme)
• 5c3ac6e: Fix off-by-one error for keepalive timer (#543) (Eric Rodrigues Pires) #543

v0.53.0

Major changes

• c41d4f6: Use aws-lc-rs/ring implementation for AEAD ciphers (#535) (Eric Rodrigues Pires) #535

This improves AES-GCM encryption/decryption performance by 10x and ChaCha20-Poly1305 by at least 2x on commonly used targets.

aws-lc-rs is the default implementation, but you can opt to use ring instead by enabling the ring crate feature. On WASM, you will have to use russh with default-features = false, features = ["ring"] as the default features cannot be controlled per target, and aws-lc-rs does not support WASM.

Fixes

• 1d7e52f: Fail when accept() returns an Error (#518) (Pascal Grange) #518
• Dead loop when client receives messages (#524) #524 (wyhaya)
• 052109c: fixed #531 - merge fix from RustCrypto/SSH#351 (Eugene)

Features

• 04e529e: added [email protected] cipher support (#526) (handewo) #526
• cfe45e5: Support sending "[email protected]" requests (#527) (handewo) #527
• 1d49e7d: #323 - direct-streamlocal support on server side (#529) (Eugene) #529

v0.53.0-beta.1

Major changes

• c41d4f6: Use aws-lc-rs/ring implementation for AEAD ciphers (#535) (Eric Rodrigues Pires) #535

This improves AES-GCM encryption/decryption performance by 10x and ChaCha20-Poly1305 by at least 2x on commonly used targets.

aws-lc-rs is the default implementation, but you can opt to use ring instead by enabling the ring crate feature. On WASM, you will have to use russh with default-features = false, features = ["ring"] as the default features cannot be controlled per target, and aws-lc-rs does not support WASM.

Fixes

• 1d7e52f: Fail when accept() returns an Error (#518) (Pascal Grange) #518
• Dead loop when client receives messages (#524) #524 (wyhaya)
• 052109c: fixed #531 - merge fix from RustCrypto/SSH#351 (Eugene)

Features

• 04e529e: added [email protected] cipher support (#526) (handewo) #526
• cfe45e5: Support sending "[email protected]" requests (#527) (handewo) #527
• 1d49e7d: #323 - direct-streamlocal support on server side (#529) (Eugene) #529

v0.52.1

Fixes

• 5e91396: fixed #515 - unexpected pre-kex message causing panic #516

v0.52.0

Features

• make ChannelWriteHalf::make_writer[_ext] public, fix #498 (#499) #499 (Mingwei Samuel)
• add ChannelReadHalf::make_reader[_ext], #498 (#502) #502 (Mingwei Samuel)
• ec273f8: Add Handle::send_keepalive (#511) (Uli Schlachter) #511
• fd9da16: Added client::Handle::debug (#510) (Pascal Grange) #510
• 3d09c20: Support of SSH 1.99 (#514) (Jacob Van Brunt) #514

Fixes

• 20ea6a0: Handle unexpected EOF as expected in session closure (#495) (lgmugnier) #495
• 6a6fa80: make ChannelCloseOnDrop async
• c2fa2df: fixed #506 - removed faulty server-sig-algs timeout on wasm (#508) #508

v0.52.0-beta.1

Features

• make ChannelWriteHalf::make_writer[_ext] public, fix #498 (#499) #499 (Mingwei Samuel)
• add ChannelReadHalf::make_reader[_ext], #498 (#502) #502 (Mingwei Samuel)
• ec273f8: Add Handle::send_keepalive (#511) (Uli Schlachter) #511
• fd9da16: Added client::Handle::debug (#510) (Pascal Grange) #510

Fixes

• 20ea6a0: Handle unexpected EOF as expected in session closure (#495) (lgmugnier) #495
• 6a6fa80: make ChannelCloseOnDrop async
• c2fa2df: fixed #506 - removed faulty server-sig-algs timeout on wasm (#508) #508

v0.51.1

Changes

• 71cd4ab: fixed #468 - allow RSA keys below 2048-bit length

russh has previously disallowed <2048-bit RSA keys - whether as private or as server host keys, both as server and client due to a security check in the ssh-key crate.

This behaviour has now been changed to allow these keys, and the decision to accept or reject them now lies on the library consumer. To recreate the old behaviour within your Handler, add the following check to your check_server_key implementation. You'll need to import the rsa crate.

async fn check_server_key(
    &mut self,
    server_public_key: &PublicKey,
) -> Result<bool, Self::Error> {
    use rsa::traits::PublicKeyParts;

    if let Some(ssh_pk) = server_public_key.key_data().rsa() {
        let rsa_pk: rsa::RsaPublicKey = ssh_pk.try_into()?;
        if rsa_pk.size() < 2048 {
            return Ok(false);
        }
    }
    
    ...
}

• 0c722b8: partial_success support (#478) #478
• 32a9ee1: Add a crate feature to enable DSA support (#473) (Francesco Degrassi) #473
• db5e5ba: wait for extension info from the server in the best_supported_rsa_hash method. Previously there was a race condition between calling best_supported_rsa_hash and the server sending the EXT_INFO message. Now russh will wait for up to one second to receive EXT_INFO when you call best_supported_rsa_hash.
• 92362fc: Introduce Channel::split() to allow splitting a channel into a read half and a write half (#482) (Uli Schlachter) #482
• 32667df: Added support for additional DH groups (#486) (Jacob Van Brunt) #486
• replaced libc dependency with nix (#483) #483 (iHsin)

Fixes

• 0665aac: Cryptovec/Windows: Add reference counting per Page, improve error-msg (#471) (Adrian Müller (DTT)) #471
• 0b4cf36: Optimize examples/client_open_direct_tcpip.rs (#477) (handewo) #477
• ffc5726: Remove unused dependencies (#488) (Uli Schlachter) #488