►
From YouTube: Pierre-Étienne Meunier - Building SSH servers in minutes
Description
Thrussh is an SSH library for writing both clients and servers. It grew out of the need for a specialised SSH server, with very limited default permissions.
Thrussh uses Tokio, which allows it to be combined with other protocols easily, and asynchronously. Current projects using it include nest.pijul.com (not yet fully public, sorry), where SSH is used to push and pull Pijul patches to repositories hosted there, and authentication is just a matter of checking a public key in an PostgreSQL database.
Now, why would anyone want to write such a library? Well, I’ll try to show why Rust convinced me that this was a good idea:
- easy code reviews and collaboration (newcomers are not very likely to break stuff when trying, as opposed to C).
- limited time required to build efficient stuff.
- forced pattern matching and types everywhere: it might walk like an encrypted connection and quack like an encrypted connection, yet be a standard one.
- forward-compatibility with the ecosystem: this code transitioned from one backend for asynchronous IO to another, more high-level one. The transition to a first working version took only a few hours.
Pierre-Étienne Meunier
https://twitter.com/pe_meunier
https://github.com/P-E-Meunier
https://users.rust-lang.org/users/pmeunier/activity
A
Hey
everyone
excited
to
be
here
also
as
tv8
I'm,
going
to
tell
you
how
to
build
an
entire
SSH
communication
pipelines
pipeline
in
a
matter
of
minutes
because
I,
that's
all
the
time
I
have
during
the
talk.
So
my
name
is
Tahl
Mooney
and
I
work
as
a
day
job
for
in
here
which
the
Research
Center,
where
I
do
nano
nano
technologies
dearly
nano
technologies
molecular
computing
in
the
wet
lab
and
also
in
a
in
theory,
because
there
seems
to
be
a
small
problem
in
with
us.
A
Ok,
that's
it's
working
all
right,
ok,
so,
but
I'm
not
going
to
talk
about
molecular
computing
today,
so
SSH
or
I
believe
many
people
here
know
about
this
really
cool
product
all
which
was
features
in
movies
such
as
the
matrix
and
also
it
is
something
we
use
on
a
day-to-day
basis
to
connect
to
remote
machines.
So
the
way
it
works
is
there's.
It
starts
by
exchanging
symmetric
keys
using
a
duty
man
pro
graphic
protocol.
This
is
really
a
solid
state
of
the
art.
A
Cryptography
messages
are
during
the
this
key
exchanges
are
signed
by
the
server
to
make
sure
there
can
be
new
man-in-the-middle
attack
and
then,
after
keys
are
if
they're
symmetric
keys
are
changed.
All
the
communications
are
encrypted
symmetrically,
which
means
it's
both
efficient
and
super
secure
and
then,
after
after
this
encrypted
phase
starts,
any
number
of
things
can
happen,
such
as
a
clients
can
indicate
themselves
that
helps
the
server.
A
By
signing
a
message
you
using
their
public
key,
it
has
a
number
of
benefits
and
drawbacks
trade-offs
compared
to
other
protocols
such
as
TLS,
so
there's
a
forward
secrecy,
which
means,
even
if
the
keys
are
compromised
in
the
future,
nothing
bad
can
happen.
You
cannot
recover
commute
path,
communications
with
compromised
future
keys
in
future,
it's
made
in
Finland,
which
is
a
benefit
I.
A
Guess
it's
a
proven,
rock-solid
product,
all
it
said
no
prodigal,
but
in
15
years
you
can
process,
although
most
users
use
tunnels
which
has
a
adds,
an
extra
layer
of
crypto,
but
the
main
drawback.
The
main
trade-off
compared
to
the
small
green
lock
in
TLS,
is
that
users
have
to
understand
what
keys
are.
They
have
to
keep
their
secret
keys
secret
and
understand
what
public
keys
and
understand
how
to
check
our
servers,
server,
fingerprints
so
as
part
of
a
project
that
was
involved
in
a
Google,
the
mathematically
sounds
distributed
version
control
system
of
basically
replacement.
A
A
The
main
reason
I
wrote
that
is
because
I
wanted
to
I
wanted
people
to
be
able
to
push
patches
to
our
hosting
platform.
We
wrote
called
the
Cobra
nest
and
so
I
needed
a
server,
an
SSH
server.
For
that
it's
it
has
no
unsafe
trust,
but
it
relies
on
ring,
which
is
a
data
crate
with
cryptographic,
primitives
written
in
the
mixture
of
rusts
assembly
and
C.
A
So
the
main
reasons
I
use
that
another
like
a
hack
around
OpenSSH,
is
because
people
is
maintained.
Mostly
very
small
team,
were
to
on
a
very
limited
budget.
It's
not
our
main
main
job.
It's
not
it's
not
were
basically
researchers,
and
so
we
just
a
little
time
to
tender
somehow
to
secure
the
insecure
parts
of
ominous
estate,
such
as
opening
sessions,
making,
sure
passwords
will
set
up
correctly
and
instead
of
trying
to
secure
them.
A
A
As
long
as
it
recognizes
just
the
comments
you
need
and
that's
exactly
what
we
need
for
the
nest.
Users
will
see
an
SSH
server
from
outside,
but
they
just
won't
be
able
to
open
session
or
to
fork
or
remote
process
the
they
would
basically
just
send
exact
commands,
which
will
then
be
parsed
by
regular
expression
matching
and,
and
that
says
and
that's
and
then
they
would.
We
can
just
call
to
our
true
libraries,
instead
of
just
for
king
or
exacting
reboot
remote
protesters.
A
So
my
challenge
today
is
to
build
a
secure
communication
channel
to
remote
server
in
front
of
you.
So
I
must
warn
you
it's
the
first
time
I
will
kill
in
front
of
someone
and
actually
it's
in
front
of
200
people.
So
let's
see
so
I'll
first.
So
this
is
this
big
enough
working
and
energetic,
as
always
so
I'll
start
with
this
template
after
you
can
find
that
in
the
fresh
documentation.
So
it's
a
template
for
a
server.
Basically,
what
we
need
is
just
to
import
the
fresh
Christ
and
the
future
is
Christ.
A
So
I'd
like
to
take
this
opportunity
to
thank
the
author
futures
for
all
the
amazing
work.
This
is
an
exciting
and
really
cool
library.
So
what
what
I
do
here
is.
I
first
start
here
these
two
lines
by
by
defining
a
my
server,
the
internals
of
my
server.
So
this
thing
needs
to
implement
the
clone
trace,
which
is
automatically
inferred
by
the
compiler
and
the
reason
it
needs
to
implement.
It
is
because
it
will
be
clones
every
time
a
client
connects
and
there
every
client
will
have
its
own
a
dedicated
version
of
this
structure.
A
So
at
the
moment
we
can
start
with
an
empty,
an
empty
server
containing
no
data,
so
nothing
nothing
interesting
and
happen,
but
that's
not
a
problem
we'll
fix
later.
Then
we
implement
the
trash
Trevor
handler
for
this.
This
server.
So
there's
a
bunch
of
types
types
to
declare
mostly
because
of
technical
details
and
the
rest
compiler
there's
no
well.
We
won't
tries
to
work
on
this
table
rust.
So
we
need
to
declare
this
bunch
of
types
here.
A
A
We
just
reply
with
the
handler
itself
itself
here
and
a
message
saying:
yeah:
we
accept
it:
oh
yeah,
okay,
then
my
main
is
just
four
lines:
long
I
start
with
a
default
configuration
servers,
need
public
keys
and
secret
keys
ship
and
get
themselves
to
clients,
so
I'm
loading,
my
own
personal
SSH
secret
key
as
the
service
key
that's
another
problem.
I
starts
first
instance
of
the
server
it
will
be
cloned
later
when
clients
start
connecting
as
Todd
the
server,
and
if
we
run
this.
A
So
what
it
says
here
is
I
connected
using
OpenSSH
using
the
open,
ssh
client.
So
it's
doing
a
number
of
things
here,
exchanging
keys
and
stuff
and
after
a
while
it
says
on
this
line
authenticated
to
localhost.
So
we
finally
we've
just
built
a
method
sure
it
doesn't
do
much
for
now.
For
instance,
when
I
try
to
tab
control,
see
here,
I'm
typing,
it
doesn't
recognize
it.
It
just
sent
the
ctrl
C
to
the
server,
but
it
seems
we've
not
written
any
handling,
killing
the
server.
A
The
server
receives
the
ctrl
C
and
it
doesn't
do
anything
with
it.
So,
in
order
to
cut
the
connection,
my
only
option
is
to
just
kill
the
server
civil.
What
start
improving
this
server.
So
what
I'm
going
to
do
is
I'm
going
to
write
a
database.
I
want
to
I
want
to
do
this
stage
as
a
data
database
server.
So
for
that
I'll
use
a
hash
map,
so
we
need
to
import
our.
A
Ui
I'll
just
write
a
hash
map
of
our
strings
to
strings
a
key
value
dictionary
when
issue
here
is,
as,
of
course,
this
will
implement
clone,
but,
as
I
told
you
every
time
a
client
connects
its
clones
or
a
closing
instance
of
that
so
they've
read
this
hash
mat
is
not
going
to
be
shared.
It's
actually
going
to
be
cloned
on
every
client
connected.
A
A
Initialize
the
server
all
right
now,
it's
compiling
okay,
so
far,
execute
sin
I'm
going
to
I'm,
going
to
define
a
message
type
between
the
clients
and
servers.
So
what
I
have
a
very
simple
interface?
One
is
a
bind
message
to
either
binding
to
the
server
and
another
one
is
requiring
the
sage
to
retrieve
a
string
from
the
server
and
I
I'm
going
to
to
SSH
only
knows
about
bytes
slices.
A
It
just
exchanged
exchanges
bytes
between
clients
and
servers,
so
I
need
to
I
need
to
be
able
to
encode
this
message
type
as
bytes
in
order
to
send
it
to
the
wire.
So
the
other
way
I'm
going
to
do
that
is
I'm
going
to
derive
the
serialize
and
deserialize
trades
for
it,
which
automatically
adds
a
serialization
code
for
for
this
n
m,
and
if
I
want
to
be
able
to
do
that,
I
just
need
to
import
a
number
of
crates,
so
I
need
to
import
the
surly
craze.
A
And
asserted,
derive
courage
and
also
I
need
to
choose
an
encoding,
so
I
choose
the
bin
code,
including
it's
a
fast
memory
efficient
in
space
editions,
including
the
things
and
so
I'm
I
should
be
good
to
go
here.
So
when
we
receive
messages
from
the
from
the
server,
so
the
the
server
try.
This
handler
tries
it's
actually
a
giant
trade
with
about
50
or
30
I,
don't
exactly
know
meters
there.
A
They
all
have
default
implementations
that
don't
do
a
thing,
so
they
basically
just
reject
requests
and
the
way
to
build
the
server
is
to
override
them.
So
I'm
overriding
this
thing
by
just
implementing
a
data
Handler
and
I.
Let
the
types
guide
me.
So
this
is
supposed
to
return
a
unit,
I
guess,
because
it's
not
supposed
to
return
anything
else.
A
A
A
All
right,
let's
compile
expected
for
parameters
m3,
so
I,
don't
remember
the
types
here
and
I'm
a
bit
too
lazy
to
check
the
documentation
so
I'm
just
telling
a
dummy
parameter
of
type
unit
and
let
the
types
guide
me
and
now
look
at
this
error
message
here.
The
compiler
tells
me
you
are:
you
gave
me
a
function
expecting
a
units
parameter
and
I
was
expecting
a
fresh
channel
IDs.
A
A
A
A
Or
if
it's
just
a
query?
Well,
if
it's
an
error,
I
won't
do
anything
for
now
it's
obviously
a
prototype.
So
if
it's
a
bind
all
right,
so
if
it's
a
ban,
what
should
I
do?
I
should
just
add
the
this
thing
at
this
a
be
dis
binding
to
the
to
the
database
and
if
it's
a
query
issues
and
then
well,
if
it's
a
bind,
I
won't
return.
Anything
and
if
it's
a
query,
I'll
return.
A
So
that's
the
serialization,
so
let's
and
I'm
sending
that
sterilize
clinging
to
the
wire
so
by
using
data
data,
I
think
that's.
It's
I
need
to
send
it
to
the
same
channel.
I
received
it
from
and
there's
probably
also
some
thing
I'm
forgetting,
maybe
there's
an
on
in
there
vaguely
remember
the
documentation,
but
the
cool
thing
is
I'm
just
going
to
let
the
compiler
guide
me
again.
Oh
this
was
a
and
Sarah
was
over,
so
bin
code
can
say:
I
just
need
to
invert
it
or
expect
it.
A
A
Okay,
it's
still
so
I've
made
it
mutable,
but
it
still
appears
if
the
compiler
still
see
it
as
immutable,
and
the
reason
is
because
this
is
an
atomic
reference
counted
value.
It
cannot
be
shared
mutable
between
between
different
threads
and
even
in
the
same
scope.
So
I
need
to
write
so
so
this
is
pretty
neat
here.
Instead
of
letting
me
into
race
conditions
and
concurrency
problems,
the
rust
automatically
tells
me
what
to
do.
What
doesn't
really
tell
me
what
to
do
here.
A
Just
lets
me
guess
that
I
need
to
add
a
lock
to
my
to
my
hash
map,
to
make
it
mutable
so
I'm
choosing
I
could
choose
different
kinds
of
locks,
I'm
choosing
a
readwrite
lock,
because
it's
mostly
what
I'm
doing
I'm
reading
and
writing
so
I'll
I'll
take
the
lock
right,
the
right,
lock
here,
and
it's
and
I'll
insert
stuff
into
it,
and
a
cool
feature
of
us
here
is
that
the
lock
will
be
automatically
released
when
this
value
lock
moves
out
of
scope
here.
So
let's
try
again:
oh
no
made
a
name.
A
A
So
it
seems
I
have
the
same
issue
here,
yeah,
obviously,
because
I've
changed
the
types
of
my
strikes
so,
instead
of
just
letting
me
do
things,
Russ
complains
that
it's
that
it's
not
going
to
work
for
it
ever
try
to
route
so
alright
and
now
I'm
still
not
in
the
initializing.
My
server
properly,
obviously
because
I'm
foreign
I
forgot
to
add
a
lock,
alright,
so
I'm,
adding
a
lock
here
and
finally,
my
session
is
not
mutable,
so
I
cannot
okay.
A
So
now
it
combines
I've
just
built
in
a
stage.
Server
that
takes
messages
and
returns
are
messages
from
the
database
takes
like
binding
messages
to
add
stuff
into
the
database
and
answers
to
queries
by
by
returning
the
values
all
right
so
now
on
to
Val
dinga
clients.
For
that
thing,
so,
in
order
to
build
a
client,
I
first
need
to
move
my
message
to
type
to
a
different
module
to
be
able
to
share
the
code
between
between
the
client
and
server
okay,
so
in
to
make
it
public
and.
A
Just
replace
my
of
previous
bindings
like
this
here,
okay,
so
from
a
client
I
start
from
a
similar
template
with
an
empty
empty,
our
client
handler
or
implementing
a
really
dummy,
useless
Association
player
like
SSS
client
implementation
with
similar
bunch
of
types
here
and
and
a
an
important
part
here,
is
to
check
the
server
key
to
avoid
mine
in
the
middle
attacks.
But
I
won't
insist
on
that
too
much.
That's
not
very
important.
A
A
A
A
A
Module
zip-
this
is
fixed
here
now.
It
says,
expecting
three
parameters
so
again:
I'm
going
to
pass
it
to
just
just
any
parameter,
so
it
forms
an
option,
a
few
thirty-two
that
so,
if
I
remember
correctly
so
I,
don't
I
don't
need
to
check
the
duck
all
the
time.
But
if
I've
checked
it
before
just
seeing
this
type
error
makes
me
realize
that
oh
yeah,
this
is
au
32.
So
what
was
what
was
that
needed
for
again?
A
Okay,
it
was
needed
for
distinguishing
between
STD
house
and
STD,
are
on
the
ssh
sessions
or
and
don't
care
about
that,
and
it
requires
an
option
so
I'm
just
trying
to
send
it
none
and
that
will
work,
hopefully
msg,
so
it
wants
it
want
to
borrow.
But
it
says,
then
the
borrow
is
not
going
to
live
for
long
enough,
so
I,
don't
yeah.
I
can
just
do
that.
Penance
I'm,
just
compiling
alright.
So
that
means
I've
sent
a
line
message.
There
is
not
there's
not
really
much.
I
can
do
with
this.
A
A
A
A
It's
not
it's
not
getting
the
right
thing.
A
session
unit
might
be
okay,
so
obviously
my
handling
code
is
not
going
to
be
the
same
as
this
I'm
going
to
store
messages
on
a
field
in
the
clients.
So
the
first
option
is
for
have
I
received
the
message
already,
and
the
second
option
is
for
is:
was
this?
Did
the
server
reply
some
or
non
okay.
A
A
Client,
oh
I'm,
not
initializing,
my
client
properly,
so
msg
non
because
I've
not
received
a
message
yet
and
and
now
this
is.
This
was
supposed
to
be
mutable
here
all
right,
so
let
me
just
make
it
mutable
and
now
it's
complaining
about
a
channel
ID,
not
living
long
enough.
Oh
yeah
I
need
to
move
it
into
the
closure.
Okay,
that's
compiling!
A
So
it's
compiling
it's
receiving
messages
and
it's
not
printing
out
any
message.
So
the
thing
I
need
to
do
so:
there's
a
there's,
the
handling
code,
taking
parts
of
receiving
message
and
reacting
to
that
and
then
there's
this
driving
code.
I'm,
writing
the
main
function,
sending
out
requests
and
queries
and
things
to
the
server.
So
now,
I
just
need
the
session
to
wait
until
until
it's
received
a
message.
A
A
By
just
printing
the
contents
of
the
message
I've
received
so
I'm
printing,
the
debugging
output
of
this
message
handler
msg
and
I-
know
it's
not
going
to
be
none
because
I've
waited
until
something
arrives.
Okay,
oh
yeah,
I
need
to
return.
I
need
to
tell
teachers
to
shut
up.
Okay,
it's
compiling.
So
now.
Let's
try
that
Oh.
A
And
that's
it!
That's
it's
a
so
just
I've
just
sent
a
message
to
the
server
saying
bind
a
so.
If
you
just
look
at
what
I
did
I
just
sent
a
message
to
the
server
saying,
bind
a
to
B
and
then
I've
sent
a
messaging
okay.
What's
the
value
of
B
for
you
and
it's
replies,
what's
the
value
of
a
for
you
and
it
replies
at
B,
so
I'm
done
I've
done
it.
A
So
if
you,
if
you're
interested
in
contributing
our
first
way
to
contribute
to
thrush,
is
pretty
secure
already
from
a
cryptography
perspective,
it's
not
doing
its
own
crypto.
It's
based
on
ring,
which
is
a
mixture
of
a
smc
wall,
assembly,
C
and
rust,
derived
from
boring
SSL
from
Google.
So
and
pressure
is
already
itself
pretty
secure.
It
implements
the
the
the
IETF
RFC,
pretty
strictly,
with
annotations
of
links
to
the
relevant
portion
of
the
our
RFC
in
most
places.
A
So
a
really
good
way
to
contributing
is
simply
to
use
it
and
report
issues
and
other
ways
to
review
it
from
a
security
perspective,
because
I'm,
no
security
expert,
some
new
security
researcher,
one
issue
we're
having
is
that
we're
not
yet
supporting
agents
encrypted
keys
of
PGP
or
whatnot
people
are
used
to
using
many
things
with
to
deal
with
their
public
keys
and
we're
not
supporting
compression.
Yes,
the
repository
is
on
the
nest
itself,
so
you
can
push.
Fetch
is
using
fresh
keyhole.