Update russh monorepo

[oxide-renovate]

This PR contains the following updates:

Package	Type	Update	Change
russh	dependencies	minor	0.45.0 -> 0.56.0
russh-keys	dependencies	minor	0.45.0 -> 0.49.2

---

Release Notes

warp-tech/russh (russh)

v0.56.0

Compare Source

Changes

• f1e1e1a: Add server side ping (#​610) (Mark Bundschuh) #​610

Fixes

• de9a452: fixed #​337, fixed #​597 - upgrade rsa crate to mitigate Marvin attack (#​613) (Eugene) #​613
• 70cce56: fixed #​611 - prevent extension algos from being selected as a real kex (#​612) (Eugene) #​612
• 372f387: Fix comments handling of russh_config::parse_ssh_config. (#​609) (tayu0110) #​609
• bbaf489: Clean up of known_hosts_path() (#​605) (Roger Knecht) #​605

v0.55.0

Compare Source

Changes

• kex: add shared secret retrieval and kex_done callback (#​604) #​604 (stevenparkerco3)
• 08e1007: Bump Rust edition (#​587) #​587
• Implement NamedPipes-based stream (#​472) #​472 (Adrian Müller (DTT))
• 63f779c: Error on unsupported authentication method instead of panicking (#​600) (lgmugnier) #​600
• 1332a31: Update generic-array from 0.14 to 1.x (#​586) (Kenny Root) #​586
• 4bf0a0d: Implement better error messages for invalid configs during ssh connection setup. (#​589) (Lucy) #​589

Fixes

• upgrade libcrux-ml-kem since 0.0.3 was yanked (#​606) #​606 (Gaëtan) / (#​608) (Kenny Root) #​608
• 5b0c70f: Fix clippy lints to fix CI (#​596) (Lucas Kent) #​596
• 79e76af: Remove unneeded deps (#​595) (Lucas Kent) #​595
• 7acf9c5: Resolve warning: macro-expanded 'macro_export' macros from the current crate cannot be referred to by absolute paths (#​592) (iamjpotts) #​592

v0.54.6

Compare Source

Commits

• 140e482: Add ML-KEM post-quantum hybrid key exchange support (#​585) (Kenny Root)

v0.54.5

Compare Source

Changes

• 6878bf1: A send_ping method for measuring latency (#​576) (Môshe van der Sterre) #​576
• adhere to ssh_config more strictly (#​570) #​570 (Philippe Laflamme)

Fixes

• strict kex sequence number check should only apply to initial exchange (#​577) #​577 (Kenny Root)
• add compile_error! when no crypto backend is enabled (#​569) #​569 (DCjanus)
• use sha256 as the default hashing algorithm when running agent tests (#​573) #​573 (Simon THOBY)
• handle empty ssh config files (#​578) #​578 (Philippe Laflamme)
• b6a446d: Update globset in russh-config to 0.4 (#​568) (Pierce Bartine) #​568
• e491140: [FIX] Ignore window adjustment after channel EOF (#​580) (Eric Rodrigues Pires) #​580
• 00b80b5: Addresses race condition from #​226 (#​579) (Lucy) #​579

v0.54.4

Compare Source

Fixes

• 1ed8ca7: pageant fixes

v0.54.3

Compare Source

v0.54.2

Compare Source

Fixes

• 98b7e91: fixed #​558 - zlib compression fails after key renegotiation
• f0881aa: fixed #​500 - Including TTY_OP_END in terminal_modes triggers ‘Packet integrity error’ due to duplicate sentinel

v0.54.1

Compare Source

Security fixes

• 0eb5e40: fixed CVE-2025-54804 - missing overflow check in channel window adjust
  • This vulnerability has allowed a malicious authenticated client or server to trigger a Rust panic in the russh server/client via a checked integer overflow

Fixes

• 2d0a418: Fix channels being closed prematurely (#​554) (Eric Rodrigues Pires) #​554

v0.54.0

Compare Source

Features

• 75459ca: Graceful server shutdown (#​539)
  • run_on_socket now returns RunningServer instead of an opaque Future.
  • Call RunningServer.handle() to obtain an asynchronous handle.
  • Use RunningServerHandle.shutdown() to request a graceful server shutdown which will send MSG_DISCONNECT to all clients and wait for the sessions to close.
• make Config Clone (#​544) (Philippe Laflamme)
• add a feature toggle for rsa (#​550) (Philippe Laflamme)
• 43a09c9: Add Config.nodelay option for client (#​551) (Tom) #​551

Bug Fixes

• allow Stream to connect to multiple addresses (#​545) (Philippe Laflamme)
• 5c3ac6e: Fix off-by-one error for keepalive timer (#​543) (Eric Rodrigues Pires) #​543

v0.53.0

Compare Source

Major changes

• c41d4f6: Use aws-lc-rs/ring implementation for AEAD ciphers (#​535) (Eric Rodrigues Pires) #​535

This improves AES-GCM encryption/decryption performance by 10x and ChaCha20-Poly1305 by at least 2x on commonly used targets.

aws-lc-rs is the default implementation, but you can opt to use ring instead by enabling the ring crate feature. On WASM, you will have to use russh with default-features = false, features = ["ring"] as the default features cannot be controlled per target, and aws-lc-rs does not support WASM.

Fixes

• 1d7e52f: Fail when accept() returns an Error (#​518) (Pascal Grange) #​518
• Dead loop when client receives messages (#​524) #​524 (wyhaya)
• 052109c: fixed #​531 - merge fix from RustCrypto/SSH#351 (Eugene)

Features

• 04e529e: added aes128-gcm@openssh.com cipher support (#​526) (handewo) #​526
• cfe45e5: Support sending "no-more-sessions@openssh.com" requests (#​527) (handewo) #​527
• 1d49e7d: #​323 - direct-streamlocal support on server side (#​529) (Eugene) #​529

v0.52.1

Compare Source

Fixes

• 5e91396: fixed #​515 - unexpected pre-kex message causing panic #​516

v0.52.0

Compare Source

Features

• make ChannelWriteHalf::make_writer[_ext] public, fix #​498 (#​499) #​499 (Mingwei Samuel)
• add ChannelReadHalf::make_reader[_ext], #​498 (#​502) #​502 (Mingwei Samuel)
• ec273f8: Add Handle::send_keepalive (#​511) (Uli Schlachter) #​511
• fd9da16: Added client::Handle::debug (#​510) (Pascal Grange) #​510
• 3d09c20: Support of SSH 1.99 (#​514) (Jacob Van Brunt) #​514

Fixes

• 20ea6a0: Handle unexpected EOF as expected in session closure (#​495) (lgmugnier) #​495
• 6a6fa80: make ChannelCloseOnDrop async
• c2fa2df: fixed #​506 - removed faulty server-sig-algs timeout on wasm (#​508) #​508

v0.51.1

Compare Source

Changes

• 71cd4ab: fixed #​468 - allow RSA keys below 2048-bit length

russh has previously disallowed <2048-bit RSA keys - whether as private or as server host keys, both as server and client due to a security check in the ssh-key crate.

This behaviour has now been changed to allow these keys, and the decision to accept or reject them now lies on the library consumer. To recreate the old behaviour within your Handler, add the following check to your check_server_key implementation. You'll need to import the rsa crate.

async fn check_server_key(
    &mut self,
    server_public_key: &PublicKey,
) -> Result<bool, Self::Error> {
    use rsa::traits::PublicKeyParts;

    if let Some(ssh_pk) = server_public_key.key_data().rsa() {
        let rsa_pk: rsa::RsaPublicKey = ssh_pk.try_into()?;
        if rsa_pk.size() < 2048 {
            return Ok(false);
        }
    }
    
    ...
}

• 0c722b8: partial_success support (#​478) #​478
• 32a9ee1: Add a crate feature to enable DSA support (#​473) (Francesco Degrassi) #​473
• db5e5ba: wait for extension info from the server in the best_supported_rsa_hash method. Previously there was a race condition between calling best_supported_rsa_hash and the server sending the EXT_INFO message. Now russh will wait for up to one second to receive EXT_INFO when you call best_supported_rsa_hash.
• 92362fc: Introduce Channel::split() to allow splitting a channel into a read half and a write half (#​482) (Uli Schlachter) #​482
• 32667df: Added support for additional DH groups (#​486) (Jacob Van Brunt) #​486
• replaced libc dependency with nix (#​483) #​483 (iHsin)

Fixes

• 0665aac: Cryptovec/Windows: Add reference counting per Page, improve error-msg (#​471) (Adrian Müller (DTT)) #​471
• 0b4cf36: Optimize examples/client_open_direct_tcpip.rs (#​477) (handewo) #​477
• ffc5726: Remove unused dependencies (#​488) (Uli Schlachter) #​488

v0.51.0

Compare Source

v0.50.4

Compare Source

Fixes

• 83aacd1: re-fixed #​470 - correctly ignore hash_alg argument when signing with non-RSA keys via agent
• bf235bc: fixed #​470 - incorrect hash passed for an RSA key offer in agent authentication

v0.50.3

Compare Source

Changes

• b5e244b: populate comments for agent identities (#​466) (Chris) #​466
• 07d6243: Add a function to send ExitStatus message to Channel (#​465) (procr1337) #​465

Fixes

• 16a18bc: fixed #​470 - broken agent auth with rsa-sha2-* algos

v0.50.2

Compare Source

russh-cryptovec@0.50.2

Changes

• e574068: fixed #​460 - do not panic on mlock failures (#​464) (Eugene) #​464

Reverted a change from 0.50.0 that made cryptovec panic when the OS fails to mlock() the memory.

Instead, russh-cryptovec will log a one-time log warning about this.

A common cause for these errors is running on Linux under a low RLIMIT_MEMLOCK limit

Docs

• 6a59d0e: Add client demo that implement open direct tcpip. (Eugeny#454) (handewo) Eugeny#454

v0.50.1

Compare Source

v0.50.0

Compare Source

Significant changes

russh_keys merged into russh

• 23cc724: (#​450) - the russh_keys crate has been fully merged into russh. If you have been importing from russh::keys, no changes are needed, otherwise remove the russh_keys dependency and replace all use russh_keys imports with use russh::keys.

Native async traits

• 3e04597: (#​455) - client::Handler, server::Handler and other traits are now native Rust async traits. In most cases, you can simply remove the #[async_trait] macro from your trait impl. Alternatively, you can enable the async_trait feature, which will turn the traits into #[async_trait]s again. Note that the old async_trait support will be removed soon.

RSA hash negotiation

• 72847a7 / d4d3605: support automatic RSA key hash detection using server-sig-algs extension (#​452 / #​453)

Russh client now supports the server-sig-algs OpenSSH extension and can automatically select the strongest hash for RSA keys.

You can use russh::client::Handle::best_supported_rsa_hash() to choose the hash.

PrivateKeyWithHashAlg::new is now infallible and will ignore hash_alg for non-RSA keys, so you don't have to build separate logic just for RSA keys:

session.authenticate_publickey(
    user, 
    PrivateKeyWithHashAlg::new(
        Arc::new(key_pair),
        session.best_supported_rsa_hash().await?.unwrap_or(...), // some fallback Option<HashAlg>
    ),
).await?;

If you just want to fall back to SHA1 / ssh-rsa in case the server does not support server-sig-algs:

session.authenticate_publickey(
    user, 
    PrivateKeyWithHashAlg::new(
        Arc::new(key_pair),
        session.best_supported_rsa_hash().await?.flatten(),
    ),
).await?;

Channel backpressure

• f89c19c: added backpressure to channel buffers (#​412) (Eric Rodrigues Pires) #​412 - set Config::channel_buffer_size to control how many channel messages can be buffered before backpressure propagates over the network. Previously russh would simply buffer unread channel messages infinitely, eventually causing an out-of-RAM situation, and now it will block the connection until you consume them. Even if the server does not write data to the channel (e.g. it's a write-only channel for you as a client), it is still writing flow control messages, which you must consume.

So, any time you open a channel, make sure you have a loop somewhere that is either polling .wait() or reads from the AsyncRead side of its ChannelStream.

ssh-key traits

• ab8aca8: russh has migrated to its own fork of the ssh-key crate, removed bundled workarounds - if you were relying on traits directly imported from ssh_key, you might need to import them from russh::keys::ssh_key instead.

New features

• c9baadf: DH GEX support (#​440) - diffie-hellman-group-exchange-sha256 KEX is now on the default kex list. To take advantage of dynamic DH groups, pre-generate some safe primes and implement dynamic group lookup in the server::Handler::lookup_dh_gex_group method - see this method's docs for more info.
• 66f9416: Add an option to enable TCP_NODELAY (#​435) (Patryk Wychowaniec)
• 571dbe3: added support for loading PPK v2 and v3 private keys
• 030468a: added authentication_banner method to server::Handler (#​415) (Eric Rodrigues Pires) #​415 - you can now send a dynamic SSH banner to clients.
• 4c7b27a: expose the "remaining methods" field in auth failure responses #​441
• 77f53ed: support for parsing X9.62 EC private keys
• 902010f: Allow setting hash algorithm to use for signing requests of SSH agent (#​449) (Wiktor Kwapisiewicz) #​449

MSRV

MSRV for the russh crate is now 1.75

Changes

• 7c7cb1b: feature-gate des dependency (#​424) (Eric Seppanen) #​424
• d9fb484: Include error-reason when failining in CryptoVec unix (#​443) (Adrian Müller (DTT)) #​443

Fixes

• 7c1060f: fixed client keyboard-interactive auth not working as second auth method
• ad56a8e: fixed #​418 - client - incorrect kex signature verification for RSA-SHA2
• 85c45cb: Remove calls to dbg!() (#​414) (Eric Rodrigues Pires) #​414
• 65bc5e2: remove unused bcrypt-pbkdf dependency (#​421) (Eric Seppanen) #​421
• cb22369: src/platform/unix.rs:cfg detect macos (#​447) (@​RandyMcMillan) #​447
• 039054b: bump dependency versions to the minimum version that compiles. (#​428) (Eric Seppanen) #​428
• 242b1e1: replace unmaintained tempdir dependency with tempfile (#​423) (Eric Seppanen) #​423
• 49ab949: Enforce MSRV (#​430) #​430
• 290bdbe: fixed unwrap panic in pageant
• 4fe938e: Send proper algorithm for certificates (#​451) (Jerome Gravel-Niquet) #​451

v0.49.2

Compare Source

Fixes

• cb5d3ba: fixed #​418 - client - incorrect kex signature verification for RSA-SHA2
• 97ec468: Remove calls to dbg!() (#​414) (Eric Rodrigues Pires)

v0.49.1

Compare Source

v0.49.0

Compare Source

Changes

This release fixes the regression in v0.48 which made it impossible to choose the hash algorithm when using RSA keys for authentication. Unfortunately, the fix is a breaking API change, hence the version bump.

client::Handle::authenticate_publickey now takes a russh_keys::key::PrivateKeyWithHashAlg which you can construct from an Arc<russh_keys::PrivateKey> + Option<russh_keys::HashAlg>.

The latter lets you choose between SHA1, SHA256 and SHA512 for RSA keys, and must be None for all other key types.

Example:

let key_pair = load_secret_key(key_path, None)?;

let auth_res = session
    .authenticate_publickey(
        user, 
        PrivateKeyWithHashAlg::new(Arc::new(key_pair), Some(HashAlg::Sha512))?
    )
    .await?;

v0.48.2

Compare Source

Fixes

• 044da62: fixed handling of rsa-sha2-* key algorithms

v0.48.1

Compare Source

Breaking changes

russh v0.48 drops its own data parsing and key handling code in favor of the RustCrypto project's ssh-key (#​368) and ssh-encoding (#​371) crates. This means there are some breaking changes, which are listed here:

Important for library users

• russh_keys::key::PublicKey is replaced with russh_keys::PublicKey (ssh_key::PublicKey)

• russh_keys::key::KeyPair is replaced with russh_keys::PrivateKey (ssh_key::PrivateKey)

• russh_keys::key::parse_public_key no longer takes a hash algorithm argument as RSA keys are no longer locked down to a specific algorithm internally. RSA key specific hash algorithms are only used in Preferred::key.

• Key type constants in russh_keys::key and russh_keys::key::Name are removed - use the russh_keys::Algorithm enum instead. Config::preferred::key now also takes russh_keys::Algorithms instead of russh_key::key::Names.

• russh::client::Handle::authenticate_future is renamed to russh::client::Handle::authenticate_publickey_with

Less important

• new russh::Error enum variants:

  • Error:Signature
  • Error:SshKey
  • Error:SshEncoding

• new russh_keys::Error enum variants:

  • Error::Rsa
  • Error::Utf8

• russh::auth::Signer is now an async_trait

• russh_keys::ec is removed

• russh_keys::encoding is removed (use russh_keys::ssh_encoding)

• russh_keys::signature is removed

• russh_keys::protocol is removed

• russh_keys::key::SignatureHash is replaced with russh_keys::HashAlg (ssh_key::HashAlg)

• russh_keys::key::SignatureBytes is removed

• russh_keys::key::RsaPrivate is removed (use russh_keys::ssh_key::private::RsaPrivateKey)

• russh_keys::key::RsaPublic is removed (use russh_keys::ssh_key::public::RsaPublicKey)

• russh_keys::key::RsaCrtExtra is removed

• russh_keys::key::Signature is replaced with russh_keys::signature::Signature (signature::Signature)

Features

• aa9bdb4: added support for <sk-ecdsa-sha2-nistp256-cert-v01@​openssh.com> and <sk-ssh-ed25519-cert-v01@​openssh.com> keys in client
• 68fff93: Add support for StrictHostKeyChecking and UserKnownHostsFile (#​386) (Mattias Eriksson) #​386
• 981cf7b: Derive Debug where possible (#​374) (Quentin Santos) #​374
• c328558: Implement From<&str> and From<&[u8]> for CryptoVec (#​391) (Josh McKinney) #​391

Fixes

• 47ca41d: Send proper algorithm for certificates (#​378) (Jerome Gravel-Niquet) #​378
• 2d8c08a: ratatui examples fixed. (#​388) (André Almeida) #​388
• bd6dc3a: impl Drop for server examples (#​376) (Eric Rodrigues Pires) #​376
• ac441a6: fix:remove unused memcpy function (#​406) (irvingouj @​ Devolutions) #​406
• a5c4adc: #​401 - removing TX busywait (#​408) #​408

Docs

• 2dca3c6: Document how to reply to channel requests (#​381) (Quentin Santos) #​381

v0.48.0

Compare Source

v0.46.0

Compare Source

Changes

• wasm-support: add wasm support (#​351) #​351 (irvingouj @​ Devolutions)
• 97dc08b: Support Pageant as agent (#​326) #​326
• 26aae26: added named pipe support for AgentClient and AgentClient::dynamic()
• 8b88465: added AgentClient::into_inner
• 67a6ba8: Implement streamlocal-forward for remote => local UDS forwarding (#​312) (kanpov) #​312
• b9759d4: client channel handling changes - server_channel_open_direct_tcpip, server_channel_open_agent_forward and server_channel_open_session now receive a Channel instead of a ChannelId. Also added should_accept_unknown_server_channel and server_channel_open_unknown callbacks.
• d6ee97a: new rich NoCommonAlgo error
• cb8d9e9: fixed #​338 - make KeyPair::generate_ed25519 infallible
• 9444608: Add a way to open an agent forwarding channel (#​344) (Thomas Rampelberg) #​344
• ee59e07: Add ed25519 to ALL_KEY_TYPES (#​360) (Toni Peter) #​360
• 3f7271b: fixed #​358 - relax strict kex checks to match OpenSSH
• 72aa097: Update deps (#​363) (Lucas Kent) #​363

Fixes

• process multiple host entries (#​331) #​331 (Yaroslav Bolyukin)
• b704f4c: Remove leftover extraneous debugging in host globbing function (#​328) (Adam Chappell) #​328
• c99f49c: fixed Error::Disconnect getting returned from connect instead of the more specific error type when connection fails during kex phase
• 73fa3e5: Improve echoserver example, bump Rust toolchain to 1.81 (#​339) (Julian) #​339
• fix typo: add a missing word. (#​342) #​342 (Pipelight)
• f587d13: Reject unsupported key types instead of failing (#​352) (Gary Guo) #​352
• 6df962d: Minor accuracy improvements to server documentation (#​346) (Kaleb Elwert) #​346
• add adopters to readme (#​356) #​356 (Thomas Rampelberg)
• cd84f4d: Update sftp examples (#​357) (Roman) #​357

---

Configuration

📅 Schedule: Branch creation - "after 8pm,before 6am" in timezone America/Los_Angeles, Automerge - "after 8pm,before 6am" in timezone America/Los_Angeles.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.