Skip to content

v1.1.0

Choose a tag to compare

View all tags
@inureyes inureyes released this 24 Oct 08:34
· 152 commits to main since this release
v1.1.0
8dcfec0

New Features

macOS Keychain Integration (Issue #59, PR #61)

  • Automatic passphrase storage in macOS Keychain after successful SSH key authentication
  • Automatic passphrase retrieval before prompting user, providing seamless authentication experience
  • Secure memory handling with Zeroizing for all sensitive data (passphrases never logged)
  • SSH config integration via UseKeychain option with per-host configuration support
  • New module src/ssh/keychain_macos.rs (498 lines) with complete Security Framework wrapper
  • Cross-platform compatible: All macOS-specific code isolated with conditional compilation

ProxyUseFdpass SSH Option (Issue #58, PR #60)

  • Added ProxyUseFdpass SSH configuration option support (OpenSSH 6.5+)
  • Performance optimization: ProxyCommand passes connected file descriptors back to ssh
  • Reduced overhead: Eliminates lingering processes and extra read/write operations
  • Comprehensive test coverage (11 new tests)

Password Authentication Fallback

  • Automatic password retry when publickey authentication fails
  • OpenSSH-compatible behavior for seamless user experience
  • Interactive terminal detection using TTY checks to prevent unexpected prompts
  • Works for both exec and interactive modes

Improvements

Security Enhancements (PR #61)

  • SSH key file ownership validation: Prevents storing passphrases for keys owned by other users (macOS user ID checks via libc)
  • User consent for password fallback: Explicit consent prompt with 30-second timeout before attempting password authentication
  • Rate limiting: 100ms delay before connections, 1 second before password fallback (prevents brute-force and fail2ban triggers)
  • Permission warnings: Alert users about world-readable SSH key files

Code Quality (PR #61)

  • Eliminated 251 lines of duplication in connection logic
  • Created establish_connection() helper function for DRY code
  • Centralized authentication logic in auth module
  • 60% reduction in connection.rs complexity
  • Better separation of concerns and maintainability

Cross-Platform Support

  • All macOS-specific code properly isolated with #[cfg(target_os = "macos")]
  • Conditional imports prevent unused code warnings on non-macOS platforms
  • Stub functions maintain API consistency across platforms

Bug Fixes

  • Fixed clippy warnings on non-macOS platforms (unused_mut, unused_imports, dead_code)
  • Fixed interactive mode missing use_keychain field causing authentication failures
  • Fixed password prompt not appearing when connecting to new servers in interactive mode
  • Variable shadowing used for platform-specific code paths

CI/CD Improvements

None

Technical Details

Implementation

  • Keychain API Integration: Uses macOS Security Framework's GenericPassword API
    • Service name: "bssh-ssh-key-passphrase"
    • Account name: Canonical path of SSH key file
    • User authentication required when Keychain is locked (macOS managed)
  • Security Measures:
    • Passphrase length validation (max 8KB) prevents DoS attacks
    • Path canonicalization prevents path traversal attacks
    • All passphrases zeroized in memory after use
    • No sensitive data ever logged or exposed in errors

Test Coverage

  • 357 tests pass (including 7 new keychain tests + 11 ProxyUseFdpass tests)
  • Keychain-specific tests cover: store/retrieve, delete, nonexistent, update, zeroization, validation, invalid paths
  • Integration with existing auth tests verified
  • Cross-compilation verified for Linux/macOS

Authentication Priority (6 steps)

  1. Password (explicit via --password flag)
  2. SSH Agent (explicit via --use-agent flag)
  3. Key file (specified via -i flag or SSH config)
  4. SSH Agent auto-detect (SSH_AUTH_SOCK environment)
  5. Default SSH keys (~/.ssh/id_rsa, ~/.ssh/id_ed25519, etc.)
  6. Password fallback (with user consent in interactive terminals)

Dependencies

  • Added security-framework = "2.12.1" for macOS Keychain API integration
  • Added libc for macOS user ID checks (conditional on macOS platform)

Breaking Changes

None

Known Issues

None

Full Changelog: v1.0.0...v1.1.0

Related Issues: #58, #59
Related PRs: #60, #61

What's Changed

  • feat: Add ProxyUseFdpass SSH configuration option support by @inureyes in #60
  • feat: Complete Phase 2 macOS Keychain integration for UseKeychain (#59) by @inureyes in #61

Full Changelog: v1.0.0...v1.1.0

Contributors

inureyes
Assets 18
Loading