Traversio

Implemented Features

A concrete feature matrix for the Traversio library.

Overview

This page summarizes the current Traversio feature surface. It focuses on public library behavior rather than implementation history.

| Area | Supported | Not Currently Included |
| --- | --- | --- |
| Transport and wire | Identification exchange, binary framing, encrypted packets, strict-kex handling, remote rekey, automatic local rekey, optional idle keepalive, optional RFC zlib, optional delayed OpenSSH zlib, parser state across partial reads, and runtime transport/listener backend selection | Automatic reconnect, broader legacy algorithm support, and additional long-session validation across more deployment environments |
| Key exchange and packet protection | Curve25519, ECDH P-256/P-384/P-521, AES-128/256 CTR with HMAC-SHA-2 or OpenSSH UMAC, AES-128/256 GCM, and Chacha20-Poly1305 | MODP DH, group exchange, ML-KEM hybrids, AES-192, CBC/older ciphers, SHA-1-class MACs, DSS, and none packet protection |
| Host keys and public-key signatures | Ed25519, ECDSA, RSA SHA-2, Ed25519 host certificates, ECDSA P-256 host certificates, and explicit opt-in legacy ssh-rsa | Broader host-certificate variants and additional legacy key families |
| Authentication | Password, password-change callback, keyboard-interactive, pre-auth auth-method discovery, built-in public keys, callback-backed signing, SSH agent-backed signing, OpenSSH private-key metadata inspection/loading, OpenSSL-style PEM loading, and OpenSSH key generation | Hostbased auth, security-key auth, encrypted PKCS#8 / encrypted EC PEM loading, and product-owned credential stores |
| Host trust | Exact key pinning, trusted key sets, app-owned first-seen trust, changed-key helpers, async callbacks, and OpenSSH known_hosts with exact, wildcard, negated, hashed, CIDR, @revoked, and @cert-authority entries | Mandatory built-in trust-store persistence and mandatory Keychain-backed trust storage |
| Session channels | Exec, streamed exec, named subsystem startup, PTY shell startup, environment requests, standard input writes, standard-error writes, PTY resize, signal delivery, exit status, exit-signal reporting, event streams, transcript collection, channel window snapshots, receive-window adjustment, and concurrent session-channel use on one connection | Automatic session restoration, broader terminal-control convenience APIs, and application-specific transcript retention policy |
| SFTP | Version exchange, extension advertisement parsing, metadata, file handles, directory listing, reads, writes, bounded whole-file helpers, local-file helpers, recursive-directory helpers, resumable helpers, progress callbacks, continuation callbacks, filesystem queries, rename, remove, mkdir/rmdir, symlink, readlink, and selected OpenSSH extensions | Automatic transfer-window tuning, segmented multi-session transfer helpers, richer app-facing transfer policy, and broader extension coverage |
| SCP | Single-file receive/send helpers, in-memory and local file URL variants, path and filename validation, buffered receive limits, remote status/error handling, and round-trip validation on the documented server families | Recursive SCP, timestamp preservation, and broader legacy SCP compatibility knobs |
| Forwarding and routing | Raw direct-tcpip, raw direct-streamlocal@openssh.com, raw forwarded-tcpip, raw forwarded-streamlocal@openssh.com, local forwarding, dynamic SOCKS forwarding, remote TCP listeners, remote TCP bridge helpers, remote streamlocal listeners, SOCKS5 and HTTP CONNECT connection proxies, and ProxyJump | X11 forwarding, auth-agent forwarding, broader enterprise proxy auth, and wider non-OpenSSH streamlocal coverage |
| Diagnostics and logging | Typed connection and operation failures, negotiated transport snapshots, typed SFTP status details, remote disconnect/debug context, structured log handlers, bounded log recorder, OSLog helpers, redacted support reports, setup/reply timeout mapping, live connection latency snapshots, and route-aware SSH port latency diagnostics | Stronger long-term compatibility promises for exact diagnostic prose and additional app-specific retention guidance |

Transport Algorithm Snapshot

| Category | Implemented | Notes |
| --- | --- | --- |
| KexAlgorithms | curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521 | Initial proposals also advertise OpenSSH extension markers such as ext-info-c and kex-strict-c-v00@openssh.com; those are not standalone KEX methods. |
| HostKeyAlgorithms | Ed25519, Ed25519 host certificates, ECDSA P-256, ECDSA P-256 host certificates, RSA SHA-2, and explicit opt-in ssh-rsa | Legacy ssh-rsa is disabled unless SSHLegacyAlgorithmOptions.sshRSA is enabled. |
| Ciphers | aes128-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com, chacha20-poly1305@openssh.com | AES-CTR uses a separate MAC. AES-GCM and Chacha20-Poly1305 are AEAD paths. |
| MACs | hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, umac-64@openssh.com, umac-128@openssh.com | MAC negotiation matters only on the AES-CTR path. |
| Compression | none, zlib, zlib@openssh.com | zlib and delayed OpenSSH zlib are both caller opt-in. |

SSHSupportedAlgorithms.currentProfile, SSHSupportedAlgorithms(compressionPreference:legacyAlgorithmOptions:), SSHClientConfiguration.supportedAlgorithms, and SSHProxyJumpHost.supportedAlgorithms expose the effective algorithm names for tools and capability displays.

Authentication

Supported:

  • .password(String)
  • .passwordWithChangeResponse(password:responseProvider:)
  • .keyboardInteractive(submethods:responseProvider:)
  • .ed25519PrivateKey(rawRepresentation:)
  • .rsaPrivateKey(pkcs1DERRepresentation:)
  • .ecdsaP256PrivateKey(rawRepresentation:)
  • .ecdsaP384PrivateKey(rawRepresentation:)
  • .ecdsaP521PrivateKey(rawRepresentation:)
  • OpenSSH Ed25519, RSA, and ECDSA private-key loading helpers
  • privateKeyPEM(...) for OpenSSH private keys plus unencrypted PKCS#8 Ed25519/RSA/ECDSA, traditional RSA, encrypted traditional RSA, and traditional EC PEM containers
  • .publicKey(algorithmNames:publicKey:signatureProvider:)
  • SSHAgentClient.authenticationMethod(for:)
  • SSHClient.discoverAuthenticationMethods(...)
  • SSHOpenSSHPrivateKeyInfo.parse(...)
  • SSHOpenSSHKeyPair.generate(...)

Legacy RSA compatibility is explicit:

  • SSHLegacyAlgorithmOptions.sshRSA appends ssh-rsa host-key negotiation.
  • It allows callback-backed and agent-backed public-key auth to select ssh-rsa.
  • It allows built-in RSA auth to retry the SHA-1 ssh-rsa signature path when an older server still offers publickey.

When SSHLegacyAlgorithmOptions.disabled is in effect, Traversio removes ssh-rsa from callback-backed and agent-backed candidate lists before selecting the public-key signature algorithm.

Not currently supported:

  • Encrypted PKCS#8 ENCRYPTED PRIVATE KEY and encrypted traditional EC PEM containers.
  • Keychain-backed credential loading.
  • Hostbased authentication.
  • Security-key authentication.
  • Product-owned credential stores.

Host Trust

Supported:

  • explicit trust-any for disposable test environments and controlled tooling
  • exact single-key pinning
  • exact trusted key sets
  • trust-on-first-use helper with caller-owned load/store closures
  • changed-key resolution hooks on top of first-seen trust
  • async callback-based trust evaluation
  • OpenSSH known_hosts import for exact, wildcard, negated, hashed, CIDR, @revoked, and @cert-authority entries
  • optional additional lookup names for host/IP-aware matching
  • Ed25519 and ECDSA P-256 host-certificate verification on the documented paths
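As an added illustration of the known_hosts entry kinds listed above (not Traversio code), this Python sketch applies OpenSSH matching rules to exact, wildcard, negated, hashed, CIDR, @revoked and @cert-authority lines against a constructed sample file with placeholder key blobs. It assumes the caller passes the certificate's CA key when checking @cert-authority lines, and it leaves out `[host]:port` forms.

```python
import base64, fnmatch, hashlib, hmac, ipaddress

def hashed_pattern(host: str, salt: bytes) -> str:   # |1|b64(salt)|b64(HMAC-SHA1(salt, host))
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def _pattern_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("|1|"):                     # hashed entry: recompute the HMAC and compare
        _, _, salt_b64, digest_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest_b64))
    if "/" in pattern:                                # CIDR entry: only matches an IP lookup name
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())   # exact name or */? wildcard

def _host_list_matches(host_list: str, host: str) -> bool:
    # OpenSSH semantics: any matching "!" pattern vetoes the line; else one positive must match.
    pats = host_list.split(",")
    if any(_pattern_matches(p[1:], host) for p in pats if p.startswith("!")):
        return False
    return any(_pattern_matches(p, host) for p in pats if not p.startswith("!"))

def evaluate_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Verdict for (host, key): revoked | trusted | cert-authority | changed-key | unknown."""
    verdict, changed = "unknown", False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        marker, line = line.split(None, 1) if line.startswith("@") else (None, line)
        fields = line.split()
        if len(fields) < 3 or fields[1] != key_type or not _host_list_matches(fields[0], host):
            continue
        if fields[2] != key_b64:
            changed = changed or marker is None       # host is known, but under a different key
            continue
        if marker == "@revoked":
            return "revoked"                          # a revocation always wins
        verdict = "cert-authority" if marker == "@cert-authority" else "trusted"
    return "changed-key" if verdict == "unknown" and changed else verdict
# Constructed sample file with placeholder key blobs (not real key material).
SAMPLE_KNOWN_HOSTS = f"""example.com,93.184.216.34 ssh-ed25519 AAAAKEY1
*.internal.example,!bastion.internal.example ssh-ed25519 AAAAKEY2
10.0.0.0/8 ssh-ed25519 AAAAKEY3
{hashed_pattern('hashed.example', bytes(range(20)))} ssh-ed25519 AAAAKEY4
@revoked * ssh-ed25519 AAAABAD
@cert-authority *.corp.example ssh-ed25519 AAAACA"""
```

A negated pattern that matches vetoes the whole line, and a line made only of negations never matches anything; a host that matches a plain line under a different key is reported as changed-key rather than unknown so the caller can route it to a changed-key handler.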

Not currently supported:

  • mandatory built-in trust-store persistence
  • mandatory Keychain-backed trust storage
  • broader host-certificate algorithm coverage

Shell And Exec

Supported:

  • collected command execution through SSHConnection.execute(...)
  • streamed command execution through SSHConnection.openExec(...)
  • PTY-backed shell startup through SSHConnection.openShell(...)
  • named subsystem startup through SSHConnection.openSubsystem(...)
  • pre-start environment requests through SSHSessionEnvironmentVariable
  • stdin writes, stderr writes, EOF, close, PTY resize, and signal requests
  • SSHSession.events / nextEvent() for stdout, stderr, EOF, exit status, and exit signal
  • readStandardOutputChunk() for stdout chunk reads
  • collectOutputUntilClose() for transcript collection
  • channel-window snapshots and manual receive-window adjustment
  • multiple concurrent session channels on one SSHConnection

Practical limits:

  • one SSHSession maps to one SSH session channel, so one channel is dedicated to one purpose
  • automatic session restoration belongs above Traversio
  • large-output retention policy belongs to the application
  • terminal emulation is not part of Traversio; Traversio provides the PTY-backed SSH channel

SFTP

Supported public methods include:

  • close
  • realPath
  • lstat
  • stat
  • setAttributes
  • fileSystemAttributes
  • openFile
  • listDirectory
  • readFile
  • writeFile
  • makeDirectory
  • removeFile
  • removeDirectory
  • rename
  • readLink
  • createSymbolicLink

Behavior notes:

  • One SFTPClient routes replies by request ID, so path and handle calls can overlap on the same subsystem channel.
  • openFile returns a public SFTPFileHandle, and that handle shares the same request router and channel window as the parent SFTPClient.
  • readFile(..., maxConcurrentReads:progress:), writeFile(..., maxConcurrentWrites:progress:), and SFTPFileHandle.readAll(...) can keep a bounded number of SFTP requests in flight on one handle.
  • SFTPFileHandle.tell(), seek(to:), rewind(), read(length:), and write(_:) provide file-cursor-style handle access.
  • SFTPFileHandle.readChunks(...) exposes handle-level streamed reads as an AsyncSequence.
  • SFTPFileHandle.write(contentsOf:startingAt:progress:) consumes caller-provided chunk streams for offset-based uploads.
  • downloadFile(...) and uploadFile(...) stream one remote file directly to or from a local file URL.
  • downloadDirectory(...) and uploadDirectory(...) recurse through regular files and directories and return SSHSFTPDirectoryTransferSummary.
  • resumeUploadFile(...) and resumeDownloadFile(...) resume whole-file transfers from server-reported size metadata.
  • Transfer helpers can emit SSHSFTPTransferProgress and can call SSHSFTPTransferContinuationHandler.
  • writeFile(syncAfterWrite: true) requires OpenSSH fsync@openssh.com.
  • Local file URL helpers leave security-scoped resource ownership to the caller.
  • Rename prefers posix-rename@openssh.com when the server advertises it.

Use SFTP for directory transfers, resumable transfers, progress callbacks, request-window control, metadata workflows, symlinks, and richer status diagnostics.

SCP

Supported public surface:

  • SSHConnection.receiveSCPFile(_:maximumFileSize:)
  • SSHConnection.sendSCPFile(_:remotePath:fileName:permissions:)
  • SSHConnection.downloadSCPFile(_:to:maximumFileSize:)
  • SSHConnection.uploadSCPFile(from:to:fileName:permissions:)

Behavior notes:

  • The helpers run the remote scp command through one exec session per transfer.
  • Receive/download helpers enforce SSHSCPTransferDefaults.maximumBufferedFileByteCount by default.
  • Remote paths reject empty strings, NUL bytes, and line breaks before shell quoting.
  • SCP filenames reject path separators, NUL bytes, and line breaks.
  • Send/upload permissions are limited to the SCP mode range.
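The following Python sketch, added here and not part of Traversio, shows the kind of checks the notes above describe: a remote path is validated before it is shell-quoted into the exec command line, and a filename is validated before it enters the newline-terminated SCP `C` record. The 0 to 0o7777 mode range, the rejection of `.` and `..` as filenames, and the `scp -f`/`scp -t` command shape are assumptions, not documented Traversio behavior.

```python
import shlex

SCP_MODE_MAX = 0o7777   # assumed SCP mode range: permission bits plus setuid/setgid/sticky

def validate_remote_path(path: str) -> str:
    """Reject paths that would break the exec command line, then shell-quote the survivor."""
    if path == "":
        raise ValueError("remote path must not be empty")
    if "\x00" in path:
        raise ValueError("remote path must not contain NUL")
    if "\n" in path or "\r" in path:
        raise ValueError("remote path must not contain line breaks")
    return shlex.quote(path)   # POSIX single-quoting; the server's shell sees one argument

def validate_scp_filename(name: str) -> str:
    """Filenames travel inside the newline-terminated 'C<mode> <size> <name>' record, so a
    separator could redirect the write and a line break could smuggle a second record."""
    if name in ("", ".", "..") or "/" in name:   # '.'/'..' rejection is an extra check assumed here
        raise ValueError("filename must be a single path component")
    if "\x00" in name or "\n" in name or "\r" in name:
        raise ValueError("filename must not contain NUL or line breaks")
    return name

def validate_scp_mode(mode: int) -> int:
    if not 0 <= mode <= SCP_MODE_MAX:
        raise ValueError("mode %o is outside the SCP mode range" % mode)
    return mode

def build_scp_exec_command(remote_path: str, receive: bool) -> str:
    """One exec-channel command per transfer: 'scp -f' serves a remote file, 'scp -t' accepts one."""
    return "scp %s %s" % ("-f" if receive else "-t", validate_remote_path(remote_path))

def build_scp_file_header(name: str, size: int, mode: int) -> bytes:
    """The protocol record sent ahead of the file bytes on an upload."""
    if size < 0:
        raise ValueError("size must be non-negative")
    return ("C%04o %d %s\n" % (validate_scp_mode(mode), size, validate_scp_filename(name))).encode()
```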

Use SCP for single-file compatibility with servers or workflows that require the legacy remote scp command. Use SFTP for richer file-transfer workflows.

Forwarding And Routing

Supported public surface:

  • SSHConnection.openDirectTCPIPChannel(...)
  • SSHConnection.openDirectStreamLocalChannel(...)
  • SSHConnection.withLocalPortForwarding(...)
  • SSHConnection.withDynamicPortForwarding(...)
  • SSHConnection.withRemotePortForwardListener(...)
  • SSHConnection.withRemoteStreamLocalForwardListener(...)
  • SSHConnection.withRemotePortForwarding(...)
  • SSHClientConfiguration.connectionProxy
  • SSHClientConfiguration.proxyJumpHosts
  • raw forwarding events / nextEvent() APIs for incremental data plus EOF delivery
  • channel-window snapshots and manual receive-window adjustment on raw channel wrappers

Limits:

  • Dynamic forwarding supports SOCKS5 with no-auth or username/password auth, plus SOCKS4 and SOCKS4a when SOCKS5 auth is not configured.
  • connectionProxy covers SOCKS5 and HTTP CONNECT on the outermost TCP route only.
  • Remote forwarding targets one fixed local endpoint per helper scope.
  • Accepted remote bridge connections stay isolated per connection.
  • Local listener shutdown is best-effort: Traversio stops bridging data and closes late accepted local connections, but it does not promise the bound port becomes unconnectable at the exact instant the closure returns.
  • Remote listener shutdown sends the matching cancel request before scope exit. If a server rejects cancellation, Traversio closes the parent SSHConnection so the remote listener does not remain active on the server.
  • Streamlocal forwarding is limited to the OpenSSH extension in the current release line.

Diagnostics And Logging

Supported:

  • SSHClientError wrappers for connection and post-auth operation failures.
  • SSHConnectionFailure and SSHOperationFailure diagnostic payloads.
  • Negotiated transport algorithm snapshots.
  • Typed SFTP status details.
  • Remote disconnect/debug context.
  • Structured SSHClientLogHandler sinks.
  • Bounded SSHClientLogRecorder.
  • OSLog helpers.
  • Redacted diagnosticReport support text.
  • Opt-in callback failure diagnostic codes and safe summaries for app-owned callback semantics.
  • Setup timeout and reply-timeout mapping.
  • Live SSHConnection.latency snapshots for connected-machine UI and route-aware SSHClient.measurePortLatency(...) diagnostics for pre-auth route inspection.

Compatibility note:

  • Public enum cases, structured fields, and typed diagnostics are the stable branching surface.
  • Exact English failure prose and report line ordering should be treated as support text, not parser input.

Validation Summary

The current release line has deterministic tests and live validation for the documented feature set across OpenSSH, Dropbear, AsyncSSH, proxy routes, ProxyJump, rekey, compression, OpenSSL-style private-key PEM login, adverse connection paths, repeated long-running workloads, and performance/resource checks.

Notable remaining validation gaps:

  • SOCKS4 and SOCKS4a dynamic-forwarding paths have deterministic coverage but still need broader live deployment evidence.
  • Enterprise-style connection proxies beyond SOCKS5 and HTTP CONNECT are not part of the current API.
  • Non-OpenSSH streamlocal compatibility is not currently documented as supported.
  • Applications should still validate their own servers, network routes, credential stores, and long-running workload patterns before critical rollout.