Announcing ssh-key v0.4: now with pure Rust keygen, certificate validation, and SSH CA support

Announcing the latest v0.4.0 release of ssh-key, the pure Rust SSH key format crate developed by the RustCrypto organization:

Notably this crate provides a constant-time encoder/decoder for SSH private keys, as well as supporting a zero-allocation "heapless" profile for no_std targets.

This release adds pure Rust key generation support, FIDO/U2F key support, and also comprehensive support for the OpenSSH certificate format, including certificate validation and certificate authority (CA) support, all implemented in pure Rust, including cryptographic algorithm implementations from the ed25519-dalek, p256, and rsa crates.

We hope to leverage the SSH certificate authority support soon in the pure Rust yubikey and yubihsm crates to provide an easy-to-use hardware-backed SSH CA implementation.



How does this compare to thrussh?

Unlike thrussh, which is a full implementation of the client/server SSH protocol, this crate is only a key/certificate format library.

We would invite SSH protocol implementations like thrussh to consider using ssh-key for key/certificate decoding/encoding.


Does this handle interaction with OS facilities like ssh-agent, or is this purely a serialization/deserialization library?

No, it does not, but that would be some interesting future work.
