[Phase 4] Add remaining useful SSH config options #55
Merged
Add support for 15 additional SSH configuration options to complete the most commonly used subset of OpenSSH config, bringing total coverage to ~70-80% of OpenSSH options.

Host Key Verification & Security:
- NoHostAuthenticationForLocalhost: Skip host key check for localhost
- HashKnownHosts: Hash hostnames in known_hosts file
- CheckHostIP: Check host IP address (deprecated, with warning)
- VisualHostKey: Display ASCII art of host key
- HostKeyAlias: Use alias for host key lookup
- VerifyHostKeyDNS: Verify host keys using DNS SSHFP records
- UpdateHostKeys: Accept updated host keys

Authentication:
- NumberOfPasswordPrompts: Control password retry attempts (1-10)
- EnableSSHKeysign: Enable ssh-keysign for HostbasedAuthentication

Network & Connection:
- BindInterface: Bind to specific network interface
- IPQoS: Set IP type-of-service/DSCP values
- RekeyLimit: Control SSH key renegotiation

X11 Forwarding:
- ForwardX11Timeout: X11 forwarding timeout
- ForwardX11Trusted: Trust X11 forwarding

Implementation:
- Added 15 new fields to SshHostConfig struct
- Extended security, authentication, connection, and forwarding parsers
- Updated merge logic in resolver for proper precedence
- Comprehensive test coverage (7 new test functions)
- Validation for VerifyHostKeyDNS and UpdateHostKeys (yes/no/ask)
- Range validation for NumberOfPasswordPrompts with warning
- Deprecation warning for CheckHostIP option

All tests pass (278 passed) with no breaking changes.

Resolves #46
Updated documentation across all files to reflect the 15 new SSH configuration options added in Phase 4:

**Documentation Updates:**
- docs/man/bssh.1: Added 4 new sections with detailed option descriptions
  - Host Key Verification & Security Options (7 options)
  - Additional Authentication Options (2 options)
  - Network & Connection Options (3 options)
  - X11 Forwarding Options (2 options)
  - Added practical examples for all new options
- README.md: Added Phase 4 option tables and examples
  - Complete option descriptions with defaults and value ranges
  - Real-world configuration examples demonstrating option usage
  - Integration examples showing combined usage patterns
- ARCHITECTURE.md: Added Phase 4 implementation details
  - Comprehensive description of each option category
  - Implementation details and file modifications
  - Testing coverage and validation logic
  - Coverage achievement: ~71 options (~69% of OpenSSH)
- CHANGELOG.md: Added Phase 4 to Unreleased section
  - Listed all 15 new configuration options
  - Technical details about coverage and validation
  - Test count update (278 tests)

**Phase 4 Options Documented:**
- Host Key Verification & Security:
  - NoHostAuthenticationForLocalhost, HashKnownHosts, CheckHostIP (deprecated)
  - VisualHostKey, HostKeyAlias, VerifyHostKeyDNS, UpdateHostKeys
- Authentication: NumberOfPasswordPrompts, EnableSSHKeysign
- Network: BindInterface, IPQoS, RekeyLimit
- X11: ForwardX11Timeout, ForwardX11Trusted

All documentation is consistent and cross-referenced across files.

No code changes - documentation only.
Removed "Phase 1", "Phase 2", etc. references from ARCHITECTURE.md and CHANGELOG.md to improve readability and maintainability. Replaced with more descriptive category names and stage-based terminology.

**Changes:**
- ARCHITECTURE.md:
  - "Phase 1/2/3/4" → "Stage 1/2/3" for refactoring sections
  - "Phase 1: Basic Options" → "Basic Configuration Options"
  - "Phase 2: Certificate..." → "Certificate Authentication and Port Forwarding"
  - "Phase 3: Command..." → "Command Execution and Automation"
  - "Phase 4: Additional..." → "Host Key Verification, Authentication, and Network Options"
  - Updated Future Enhancements section with planned features
  - Removed all inline phase references (e.g., "max 100, Phase 2" → "max 100")
- CHANGELOG.md:
  - Technical Details section: "Phase 1/2/3/4" → descriptive category names
  - Maintains clear categorization without numbered phases

**Rationale:** Phase numbering implies sequential implementation order but doesn't convey feature purpose. Category-based naming is more maintainable and user-friendly.

No functional changes - documentation only.
Member
Author
🔍 Security & Performance Review
📋 Review Status
Starting comprehensive security and performance analysis...
This automated review will:
Please wait while I analyze the PR changes...
Member
Author
🔍 Security & Performance Review
📊 Analysis Summary
🎯 Prioritized Fix Roadmap
🔴 CRITICAL
🟠 HIGH
🟡 MEDIUM
🟢 LOW
📝 Progress Log
🔒 Security Findings Detail
⚡ Performance Findings Detail
Starting systematic fixes now...
…
- Priority: CRITICAL
- Add strict validation for IPQoS values (af11-43, cs0-7, ef, QoS keywords, or numeric)
- Validate RekeyLimit format (data size with K/M/G suffix and time with s/m/h suffix)
- Add length limits to prevent memory exhaustion attacks
- Limit number of arguments to expected maximum
…: HIGH
- Add validation for ForwardX11Timeout to prevent injection via time values
- Block shell metacharacters in timeout strings
- Enforce upper limit (100) for NumberOfPasswordPrompts to prevent DoS
- Reject zero value for NumberOfPasswordPrompts
- Add proper time format validation (s/m/h/d/w suffixes)
Member
Author
🔍 Security & Performance Review - Update
📊 Analysis Summary
🎯 Prioritized Fix Roadmap
🔴 CRITICAL (FIXED)
🟠 HIGH (FIXED)
🟡 MEDIUM (IN PROGRESS)
🟢 LOW (PENDING)
📝 Progress Log
🔒 Fixes Applied
Critical Security Fixes:
✅ All Critical and High Priority Issues Resolved
The PR is now significantly more secure. All command injection vulnerabilities have been patched, and proper input validation has been added to prevent various attack vectors.
Added extensive security validation tests for all Phase 4 SSH config options that received security fixes from the PR review.

**New Test Function: test_phase4_security_validations**

Tests comprehensive security validation for:

1. **HostKeyAlias** (Critical - Command Injection Prevention)
   - Rejects shell metacharacters (;, &, |, etc.)
   - Rejects path traversal attempts (../)
   - Accepts valid hostnames (alphanumeric, dots, hyphens)
2. **BindInterface** (Critical - Command Injection Prevention)
   - Rejects shell metacharacters
   - Rejects interface names > 15 characters
   - Accepts valid interface names (eth0, tun0, etc.)
3. **IPQoS** (High - DoS Prevention)
   - Rejects invalid QoS values
   - Rejects more than 2 values
   - Accepts valid QoS pairs (lowdelay throughput, etc.)
4. **RekeyLimit** (High - DoS Prevention)
   - Rejects invalid format strings
   - Accepts valid format (1G 1h, etc.)
5. **ForwardX11Timeout** (High - Path Traversal Prevention)
   - Rejects path traversal attempts
   - Accepts valid time formats (1h, 30m, etc.)
6. **NumberOfPasswordPrompts** (High - Integer Overflow Prevention)
   - Rejects value 0 (lower bound)
   - Rejects values > 100 (upper bound)
   - Accepts valid range (1-100)

**Test Coverage:**
- 18 test cases covering positive and negative scenarios
- All security edge cases from PR review are now tested
- Total test count: 279 tests (increased from 278)

**Validation:**
- All tests pass successfully
- cargo fmt applied
- cargo clippy clean (no warnings)

This ensures that all security fixes introduced in commits 5701566 and ed2a3e0 are properly validated and prevent regressions.
…y: MEDIUM
- Enhanced IPQoS validation with proper DSCP/ToS range checks
- Added support for hex notation (0x prefix) in IPQoS values
- Improved RekeyLimit validation with overflow protection
- Added support for T (terabyte) and d/w (day/week) suffixes
- Added common validation helper functions to reduce duplication
- Added warnings for unusual but valid configuration values
- Fixed potential integer overflow in RekeyLimit multiplier calculations
…ity: LOW
- Added debug logging for security-sensitive SSH options
- Added tracing::debug for StrictHostKeyChecking changes
- Added security warnings for NoHostAuthenticationForLocalhost
- Added logging for HostKeyAlias (affects host key verification)
- Added logging for EnableSSHKeysign when enabled
- Created reusable validation helper functions for future refactoring
- Improved code maintainability with common validation patterns
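The RekeyLimit and ForwardX11Timeout checks described in the commits above (unit suffixes, a length limit, an argument-count limit, overflow-safe multiplication), sketched as an added Rust example that is not bssh's own code. `parse_scaled`, `parse_rekey_limit` and the 32-byte length cap are assumptions, suffixes are treated case-insensitively, and the `default`/`none` keywords OpenSSH also accepts are left out.

```rust
// Added illustration; names and the 32-byte cap are hypothetical, not bssh's API.
const SIZE_UNITS: &[(u8, u64)] =
    &[(b'k', 1 << 10), (b'm', 1 << 20), (b'g', 1 << 30), (b't', 1 << 40)];
const TIME_UNITS: &[(u8, u64)] =
    &[(b's', 1), (b'm', 60), (b'h', 3_600), (b'd', 86_400), (b'w', 604_800)];

/// Parse "<digits>[unit]" into a count of base units (bytes or seconds).
fn parse_scaled(s: &str, units: &[(u8, u64)]) -> Result<u64, String> {
    if s.is_empty() || s.len() > 32 {
        return Err("value empty or too long".to_string());
    }
    let last = s.as_bytes()[s.len() - 1].to_ascii_lowercase();
    // A matched unit is one ASCII byte, so slicing it off stays on a char boundary.
    let (digits, mult) = match units.iter().find(|(u, _)| *u == last) {
        Some(&(_, m)) => (&s[..s.len() - 1], m),
        None => (s, 1),
    };
    // Digits only: signs, whitespace, '/', ';' and other metacharacters are rejected.
    if digits.is_empty() || !digits.bytes().all(|b| b.is_ascii_digit()) {
        return Err(format!("invalid value {:?}", s));
    }
    let n: u64 = digits.parse().map_err(|_| format!("{:?} out of range", s))?;
    // checked_mul reports overflow instead of wrapping the multiplier result.
    n.checked_mul(mult).ok_or_else(|| format!("{:?} overflows u64", s))
}

/// RekeyLimit: one size, optionally followed by one time -> (bytes, seconds).
fn parse_rekey_limit(value: &str) -> Result<(u64, Option<u64>), String> {
    let args: Vec<&str> = value.split_whitespace().collect();
    match args.as_slice() {
        [size] => Ok((parse_scaled(size, SIZE_UNITS)?, None)),
        [size, time] => {
            Ok((parse_scaled(size, SIZE_UNITS)?, Some(parse_scaled(time, TIME_UNITS)?)))
        }
        _ => Err(format!("RekeyLimit takes 1 or 2 arguments, got {}", args.len())),
    }
}

fn main() {
    // Constructed sample values, not taken from the PR's test suite.
    for v in ["1G 1h", "512K", "18014398509481984K", "1G 1h 2h", "1G 30m;id"] {
        println!("RekeyLimit {:?} -> {:?}", v, parse_rekey_limit(v));
    }
    println!("ForwardX11Timeout {:?} -> {:?}", "../1h", parse_scaled("../1h", TIME_UNITS));
}
```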
Member
Author
🔍 Security & Performance Review - COMPLETED ✅
📊 Final Summary
🎯 Completed Fixes
🔴 CRITICAL (FIXED)
🟠 HIGH (FIXED)
🟡 MEDIUM (FIXED)
🟢 LOW (FIXED)
📝 Commits Applied
✅ Verification
🔒 Security Improvements
⚡ Performance Improvements
The PR is now production-ready with all security vulnerabilities patched and performance optimizations applied. All changes maintain backward compatibility while significantly improving the security posture of the SSH config parser.
Yaminyam added a commit to Yaminyam/bssh that referenced this pull request Apr 29, 2026
Add `crates/bssh-russh-sftp`, a temporary fork of upstream `russh-sftp` following the same pattern as the existing `crates/bssh-russh`.

The only functional change versus upstream v2.1.1 is a `#[serde(with = "serde_bytes")]` annotation on `protocol::Write::data` and `protocol::Data::data`, plus a wire-compatible `serialize_bytes` implementation in `ser.rs`. Without it, `#[derive(Deserialize)]` for `Vec<u8>` dispatches to `deserialize_seq` and parses the SFTP payload one byte at a time — `perf` shows ~42% of server CPU in `VecVisitor::visit_seq` during 1 GiB uploads. The annotation routes through the existing bulk `try_get_bytes` path in the crate's own Deserializer, which is already implemented.

Measured impact on a CPU-bound host (Xeon Silver 4214) with an OpenSSH client performing a 1 GiB SFTP upload:
- upstream russh-sftp 2.1.1: 74.8 MiB/s
- this fork: 96.4 MiB/s (+29%)

OpenSSH `sftp-server` on the same host measures ~101 MiB/s, so the gap narrows from ~26% to ~5%.

Upstream russh-sftp has had no commits since its v2.1.1 bump (2025-04-18) and two download-perf issues (lablup#55 closed without root cause, lablup#70 open) sit unanswered, so the fix lives here until upstream activity resumes. `sync-upstream.sh` and `create-patch.sh` mirror the `bssh-russh` tooling so future syncs are mechanical.

The top-level dependency is switched from `russh-sftp = "2.1.1"` to `russh-sftp = { package = "bssh-russh-sftp", version = "2.1.1", path = "crates/bssh-russh-sftp" }` so every `use russh_sftp::...` import in bssh continues to work unchanged.
Summary
This PR implements Phase 4 (final) of the SSH config parser enhancement roadmap, adding support for 15 additional SSH configuration options. This completes the most commonly used subset of OpenSSH config, bringing total coverage to ~70-80% of OpenSSH options.
Changes
Host Key Verification & Security (7 options)
Authentication (2 options)
Network & Connection (3 options)
X11 Forwarding (2 options)
Implementation Details
Files Modified
- src/ssh/ssh_config/types.rs: Added 15 new fields to SshHostConfig
- src/ssh/ssh_config/parser/options/security.rs: Added 7 host key verification options
- src/ssh/ssh_config/parser/options/authentication.rs: Added 2 authentication options
- src/ssh/ssh_config/parser/options/connection.rs: Added 3 network options
- src/ssh/ssh_config/parser/options/forwarding.rs: Added 2 X11 options
- src/ssh/ssh_config/parser/options/mod.rs: Updated option dispatcher
- src/ssh/ssh_config/resolver.rs: Added merge logic for all new options
- src/ssh/ssh_config/mod.rs: Added comprehensive test suite (7 new test functions)

Features
Test Coverage
Added 7 comprehensive test functions:
- test_parse_phase4_host_key_verification_options - Host key verification parsing
- test_parse_phase4_authentication_options - Authentication options parsing
- test_parse_phase4_network_options - Network options parsing
- test_parse_phase4_x11_forwarding_options - X11 forwarding options parsing
- test_merge_phase4_options - Config merging and precedence
- test_phase4_validation_errors - Error handling for invalid values
- test_phase4_option_value_syntax - Option=Value syntax support

All tests pass: 278 passed, 0 failed
Validation
Related Issues
Closes #46
Dependencies
Coverage Summary
After Phase 4 completion:
Remaining 32 options are highly specialized or obsolete.