2021-10-07 16:54:50 by Nia Alarie | Files touched by this commit (606)
Log message:
security: Remove SHA1 hashes for distfiles
2021-09-16 12:35:27 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-asyncssh: updated to 2.7.2
Release 2.7.2
* Fixed a regression related to server host key selection when attempting
to use a leading '+' to add algorithms to the front of the default list.
* Fixed logging to properly handle SFTPName objects with string filenames.
* Fixed SSH_EXT_INFO to only be sent after the first key exchange.
2021-09-13 10:39:47 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-asyncssh: updated to 2.7.1
Release 2.7.1 (6 Sep 2021)
--------------------------
* Added an option to allow encrypted keys to be ignored when no passphrase
is set. This behavior previously happened by default when loading keys
from default locations, but now this option to load_keypairs() can be
specified when loading any set of keys.
* Changed loading of default keys to automatically skip key types which
aren't supported due to missing dependencies.
* Added the ability to specify "default" for server_host_key_algs, as
a way for a client to request that its full set of default algorithms
be advertised to the server, rather than just the algorithms matching
keys in the client's known hosts list. Thanks go to Manfred Kaiser
for suggesting this improvement.
* Added support for tilde-expansion in the config file "include"
directive. Thanks go to Zack Cerza for reporting this and suggesting
a fix.
* Improved interoperability of AsyncSSH SOCKS listener by sending a zero
address rather than an empty hostname in the SOCKS CONNECT response.
Thanks go to Github user juouy for reporting this and suggesting a fix.
* Fixed a couple of issues related to sending SSH_EXT_INFO messages.
* Fixed an issue with using SSHAcceptor as an async context manager.
Thanks go to Paulo Costa for reporting this.
* Fixed an issue where a tunnel wasn't always cleaned up properly when
creating a remote listener.
* Improved handling of connection drops, avoiding exceptions from being
raised in some cases when the transport is abruptly closed.
* Made AsyncSSH SFTP support more tolerant of file permission values with
undefined bits set. Thanks go to GitHub user ccwufu for reporting this.
* Added some missing key exchange algorithms in the AsyncSSH documentation.
Thanks go to Jeremy Norris for noticing and reporting this.
* Added support for running AsyncSSH unit tests on systems with OpenSSL
3.0 installed. Thanks go to Ken Dreyer for raising this issue and
pointing out the new OpenSSL "provider" support for legacy algorithms.
2021-06-29 15:36:26 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-asyncssh: updated to 2.7.0
Release 2.7.0 (19 Jun 2021)
* Added support for the ProxyCommand config file option and a corresponding
proxy_command argument in the SSH connection options, allowing a subprocess to
be used to make the connection to the SSH server. When the config option is
used, it should be fully compatible with OpenSSH percent expansion in the
command to run.
* Added support for accessing terminal information as properties in the
SSHServerProcess class. As part of this change, both the environment and
terminal modes are now available as read-only mappings. Thanks again to velavokr
for suggesting this and submitting a PR with a proposed version of the change.
* Fixed terminal information passed to pty_requested() callback to properly
reflect requested terminal type, size, and modes. Thanks go to velavokr for
reporting this issue and proposing a fix.
* Fixed an edge case where a connection object might not be cleaned up properly if
the connection request was cancelled before it was fully established.
* Fixed an issue where some unit tests weren’t properly closing connection
objects before exiting.
2021-05-13 19:46:51 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-asyncssh: updated to 2.6.0
Release 2.6.0 (1 May 2021)
* Added support for the HostKeyAlias client config option and a corresponding
host_key_alias option, allowing known_hosts lookups and host certificate
validation to be done against a different hostname than what is used to make the
connection. Thanks go to Pritam Baral for contributing this feature!
* Added the capability to specify client channel options as connection options,
allowing them to be set in a connect() call or as values in
SSHClientConnectionOptions. These values will act as defaults for any sessions
opened on the connection but can still be overridden via arguments in the
create_session() call.
* Added support for dynamically updating SSH options set up in a listen() or
listen_reverse() call. A new SSHAcceptor class is now returned by these calls
which has an update() method which takes the same keyword arguments as
SSHClientConnectionOptions or SSHServerConnectionOptions, allowing you to update
any of the options on an existing listener except those involved in setting up
the listening sockets themselves. Updates will apply to future connections
accepted by that listener.
* Added support for a number of algorithms supported by the ssh.com Tectia SSH
client/server:
  Key exchange:
    diffie-hellman-group14-sha256@ssh.com (enabled by default)
    diffie-hellman-group14-sha224@ssh.com (available but not default)
    diffie-hellman-group15-sha256@ssh.com
    diffie-hellman-group15-sha384@ssh.com
    diffie-hellman-group16-sha384@ssh.com
    diffie-hellman-group16-sha512@ssh.com
    diffie-hellman-group18-sha512@ssh.com
  HMAC:
    hmac-sha256-2@ssh.com (all enabled by default)
    hmac-sha224@ssh.com
    hmac-sha256@ssh.com
    hmac-sha384@ssh.com
    hmac-sha512@ssh.com
  RSA public key algorithms:
    ssh-rsa-sha224@ssh.com (all enabled by default)
    ssh-rsa-sha256@ssh.com
    ssh-rsa-sha384@ssh.com
    ssh-rsa-sha512@ssh.com
  Encryption:
    seed-cbc@ssh.com (available but not default)
* Added a new ‘ignore-failure’ value to the x11_forwarding argument in
create_session(). When specified, AsyncSSH will attempt to set up X11 forwarding
but ignore failures, behaving as if forwarding was never requested instead of
raising a ConnectionOpenError.
* Extended support for replacing certificates in an SSHKeyPair, allowing alternate
certificates to be used with SSH agent and PKCS11 keys. This provides a way to
use X.509 certificates with an SSH agent key or OpenSSH certificates with a
PKCS11 key.
* Extended the config file parser to support ‘=’ as a delimiter between
keywords and arguments. While this syntax appears to be rarely used, it is
supported by OpenSSH.
* Updated Fido2 support to use version 0.9.1 of the fido2 package, which included
some changes that were not backward compatible with 0.8.1.
* Fixed problem with setting config options with percent substitutions to
‘none’. Percent substitution should not be performed in this case. Thanks go
to Yuqing Miao for finding and reporting this issue!
* Fixed return type of filenames in SFTPClient scandir() and readlink() when the
argument passed in is a Path value. Previously, the return value in this case
was bytes, but that was only meant to apply when the input argument was passed
as bytes.
* Fixed a race condition related to closing a channel before it is fully open,
preventing a client from potentially hanging forever if a session was closed
while the client was still attempting to request a PTY or make other requests as
part of opening the session.
* Fixed a potential race condition related to making parallel calls to SFTPClient
makedirs() which try to create the same directory or a common parent directory.
* Fixed RFC 4716 parser to allow colons in header values.
* Improved error message when AsyncSSH is unable to get the local username on a
client. Thanks go to Matthew Plachter for reporting this issue.
2021-01-03 11:30:04 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-asyncssh: updated to 2.5.0
Release 2.5.0
* Added support for limiting which identities in an SSH agent will be used when
making a connection, via a new “agent_identities” config option. This change
also adds compatibility with the OpenSSL config file option
“IdentitiesOnly”.
* Added support for including Subject Key Identifier and Authority Key Identifier
extensions in generated X.509 certificates to better comply with RFC 5280.
* Added support for makedirs() and rmtree() methods in the AsyncSSH SFTP client,
as well as a new scandir() method which returns an async iterator to more
efficiently process very large directories. Thanks go to Joseph Ernest for
suggesting these improvements.
* Significantly reworked AsyncSSH line editor support to improve its performance
by several orders of magnitude on long input lines, and added a configurable
maximum line length when the editor is in use to avoid potential
denial-of-service attacks. This limit defaults to 1024 bytes, but with the
improvements it can reasonably handle lines which are megabytes in size if
needed.
* Changed AsyncSSH to allow SSH agent identities to still be used when an explicit
list of client keys is specified, for better compatibility with OpenSSH. The
previous behavior can still be achieved by explicitly setting the agent_path
option to None when setting client_keys.
* Changed AsyncSSH to enforce a limit of 1024 characters on usernames when acting
as a server to avoid a potential denial-of-service issue related to SASLprep
username normalization.
* Changed SCP implementation to explicitly yield to other coroutines when sending
a large file to better share an event loop.
* Fixed a few potential race conditions related to cleanup of objects during
connection close. Thanks go to Thomas Léveil for reporting one of these places
and suggesting a fix.
* Re-applied a previous fix which was unintentionally lost to allow Pageant to be
used by default on Windows.
2020-09-14 09:40:08 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
py-asyncssh: updated to 2.4.2
Release 2.4.2
* Fixed a potential race condition when receiving EOF right after a channel is opened.
* Fixed a couple of issues related to the error_handler and progress_handler
callbacks in AsyncSSH SFTP/SCP.
* Fixed a couple of issues related to using pathlib objects with AsyncSSH SCP.
Release 2.4.1
* Fixed SCP server to send back an exit status when closing the SSH channel, since
the OpenSSH scp client returns this status to the shell which executed it.
* Fixed listeners created by forward_local_port(), forward_local_path(), and
forward_socks() to automatically close when the SSH connection closes,
unblocking any wait_closed() calls which are in progress.
* Fixed a potential exception that could trigger when the SSH connection is closed
while authentication is in progress.
* Fixed tunnel connect code to properly clean up an implicitly created tunnel when
a failure occurs in trying to open a connection over that tunnel.
Release 2.4.0
* Added support for accessing keys through a PKCS#11 provider, allowing keys on
PIV security tokens to be used directly by AsyncSSH without the need to run an
SSH agent. X.509 certificates can also be retrieved from the security token and
used with SSH servers which support that.
* Added support for using Ed25519 and Ed448 keys in X.509 certificates, and the
corresponding SSH certificate and signature algorithms. Certificates can use
these keys as either subject keys or signing keys, and certificates can be
generated by either AsyncSSH or by OpenSSL version 1.1.1 or later.
* Added support for feed_data() and feed_eof() methods in SSHReader, mirroring
methods of the same name in asyncio’s StreamReader to improve interoperability
between the two APIs.
* Updated unit tests to test interoperability with OpenSSL 1.1.1 when reading and
writing Ed25519 and Ed448 public and private key files. Previously, due to lack
of support in OpenSSL, AsyncSSH could only test against OpenSSH, and only in
OpenSSH key formats. With OpenSSL 1.1.1, testing is now also done using PKCS#8
format.
* Fixed config file parser to properly ignore all comment lines, even if the lines
contain unbalanced quotes.
* Removed a note about the lack of a timeout parameter in the AsyncSSH connect()
method, now that it supports a login_timeout argument.
2020-07-27 19:32:51 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
py-asyncssh: updated to 2.3.0
Release 2.3.0
* Added initial support for reading configuration from OpenSSH-compatible config
files, when present. Both client and server configuration files are supported,
but not all config options are supported. See the AsyncSSH documentation for the
latest list of what client and server options are supported, as well as what
match conditions and percent substitutions are understood.
* Added support for the concept of only a subset of supported algorithms being
enabled by default, and for the ability to use wildcards when specifying
algorithm names. Also, OpenSSH’s syntax of prefixing the list with ‘^’,
‘+’, or ‘-’ is supported for incrementally adjusting the list of
algorithms starting from the default set.
* Added support for specifying a preferred list of client authentication methods,
in order of preference. Previously, the order of preference was hard-coded into
AsyncSSH.
* Added the ability to use AsyncSSH’s “password” argument on servers which
are using keyboard-interactive authentication to prompt for a “passcode”.
Previously, this was only supported when the prompt was for a “password”.
* Added support for providing separate lists of private keys and certificates,
rather than requiring them to be specified together as a tuple. When this new
option is used, AsyncSSH will automatically associate the private keys with
their corresponding certificates if matching certificates are present in the
list.
* Added support for the “known_hosts” argument to accept a list of known host
files, rather than just a single file. Known hosts can also be specified using
the GlobalKnownHostFile and UserKnownHostFile config file options, each of which
can take multiple filenames.
* Added new “request_tty” option to provide finer grained control over whether
AsyncSSH will request a TTY when opening new sessions. The default is to still
tie this to whether a “term_type” is specified, but now that can be
overridden. Supported options of “yes”, “no”, “force”, and
“auto” match the values supported by OpenSSH.
* Added new “rdns_lookup” option to control whether the server does a reverse
DNS of client addresses to allow matching of clients based on hostname in
authorized keys and config files. When this option is disabled (the default),
matches can only be based on client IP.
* Added new “send_env” argument when opening a session to forward local
environment variables using their existing values, augmenting the “env”
argument that lets you specify remote environment variables to set and their
corresponding values.
* Added new “tcp_keepalive” option to control whether TCP-level keepalives are
enabled or not on SSH connections. Previously, TCP keepalives were enabled
unconditionally and this is still the default, but the new option provides a way
to disable them.
* Added support for sending and parsing client EXT_INFO messages, and for sending
the “global-requests-ok” option in these messages when AsyncSSH is acting as
a client.
* Added support for ‘~’ home directory expansion when specifying
arguments which contain filenames.
* Added support for time intervals and byte counts to optionally be specified as
string values with units, allowing for values such as “1.5h” or “1h30m”
instead of having to specify that as 5400 seconds. Similarly, a byte count of
“1g” can be passed to indicate 1 gigabyte, rather than specifying 1073741824
bytes.
* Enhanced logging to report lists of sent and received algorithms when no
matching algorithm is found. Thanks go to Jeremy Schulman for suggesting this.
* Fixed an interoperability issue with PKIXSSH when attempting to use X.509
certificates with a signature algorithm of “x509v3-rsa2048-sha256”.
* Fixed an issue with some links not working in the ReadTheDocs sidebar. Thanks go
to Christoph Giese for reporting this issue.
* Fixed keepalive handler to avoid leaking a timer object in some cases. Thanks go
to Tom van Neerijnen for reporting this issue.
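The algorithm-list syntax described in the 2.3.0 notes above (wildcards and a leading ‘^’, ‘+’ or ‘-’), together with the "default" keyword from the 2.7.1 notes and the leading-'+' handling mentioned in 2.7.2, worked through as an added example that is not AsyncSSH's own code. SUPPORTED_KEX and DEFAULT_KEX are a constructed sample set, and weak_algs() is a hypothetical defender-side check rather than an AsyncSSH API.

```python
# Added illustration, not AsyncSSH's own code: OpenSSH-style algorithm list
# adjustment with '^' (prepend), '+' (append), '-' (remove), wildcards, and the
# "default" keyword. The algorithm names below are a constructed sample set.
from fnmatch import fnmatchcase

SUPPORTED_KEX = [
    "curve25519-sha256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
# Only a subset of the supported algorithms is enabled by default.
DEFAULT_KEX = SUPPORTED_KEX[:3]


def expand_patterns(spec, candidates):
    """Expand a comma-separated list of names and wildcards against
    `candidates`, preserving candidate order and removing duplicates.
    A plain (non-wildcard) name that matches nothing is an error, so a
    typo cannot silently yield an empty or unexpected list."""
    result = []
    for pat in spec.split(","):
        pat = pat.strip()
        if not pat:
            continue
        matches = [c for c in candidates if fnmatchcase(c, pat)]
        if not matches and not any(ch in pat for ch in "*?["):
            raise ValueError(f"unknown algorithm: {pat}")
        for m in matches:
            if m not in result:
                result.append(m)
    return result


def adjust_algs(spec, default=DEFAULT_KEX, supported=SUPPORTED_KEX):
    """Resolve an algorithm specification the way the OpenSSH syntax does:
    "default" keeps the default list; '^' moves the named algorithms to the
    front; '+' appends them; '-' removes them; any other value replaces the
    defaults entirely (restricted to supported algorithms)."""
    if spec == "default":
        return list(default)
    if spec[:1] == "^":
        head = expand_patterns(spec[1:], supported)
        return head + [a for a in default if a not in head]
    if spec[:1] == "+":
        tail = expand_patterns(spec[1:], supported)
        return list(default) + [a for a in tail if a not in default]
    if spec[:1] == "-":
        drop = set(expand_patterns(spec[1:], supported))
        return [a for a in default if a not in drop]
    return expand_patterns(spec, supported)


def weak_algs(algs):
    """Hypothetical defender check: flag SHA-1 based entries that a '+' or a
    replacement list may have re-enabled beyond the default set."""
    return [a for a in algs if a.endswith("-sha1")]
```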
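The unit-suffixed time intervals ("1.5h", "1h30m") and byte counts ("1g") described in the 2.3.0 notes above, parsed in an added example that is not AsyncSSH's own code; the unit tables, the rejection of a trailing bare number, and the function names are assumptions made for this illustration.

```python
# Added illustration, not AsyncSSH's own code: turning strings such as "1.5h",
# "1h30m" and "1g" into seconds and bytes. The unit tables are assumptions.
import re

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
BYTE_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# One number with an optional single-letter unit suffix.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)([a-z]?)")


def parse_interval(value):
    """Return seconds as a float. Accepts a number, a bare numeric string
    (seconds), or a concatenation of unit terms such as "1h30m"."""
    if isinstance(value, (int, float)):
        return float(value)
    text = value.strip().lower()
    if not text:
        raise ValueError("empty time interval")
    pos, total = 0, 0.0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"invalid time interval: {value!r}")
        number, unit = match.groups()
        if unit == "":
            # A bare number is only allowed on its own, so "1h30" is rejected
            # rather than silently treated as 1 hour plus 30 seconds.
            if pos != 0 or match.end() != len(text):
                raise ValueError(f"missing unit in time interval: {value!r}")
            unit = "s"
        if unit not in TIME_UNITS:
            raise ValueError(f"unknown time unit {unit!r} in {value!r}")
        total += float(number) * TIME_UNITS[unit]
        pos = match.end()
    return total


def parse_byte_count(value):
    """Return bytes as an int. Accepts an int, a bare numeric string, or a
    number with a k/m/g suffix (powers of 1024, so "1g" is 1073741824)."""
    if isinstance(value, int):
        return value
    match = _TOKEN.fullmatch(value.strip().lower())
    if not match or match.group(2) not in BYTE_UNITS:
        raise ValueError(f"invalid byte count: {value!r}")
    number, unit = match.groups()
    return int(float(number) * BYTE_UNITS[unit])
```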
2020-04-23 08:10:29 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
py-asyncssh: updated to 2.2.1
Release 2.2.1:
* Added optional timeout parameter to SSHClientProcess.wait() and
SSHClientConnection.run() methods.
* Created subclasses for SFTPError exceptions, allowing applications to more
easily have distinct exception handling for different errors.
* Fixed an issue in SFTP parallel I/O related to handling low-level connection
failures. Thanks go to Mikhail Terekhov for reporting this issue.
* Fixed an issue with SFTP file copy where a local file could sometimes be left
open if an attempt to close a remote file failed.
* Fixed an issue in the handling of boolean return values when
SSHServer.server_requested() returns a coroutine. Thanks go to Tom van Neerijnen
for contributing this fix.
* Fixed an issue with passing tuples to the SFTP copy functions. Thanks go to Marc
Gagné for reporting this and doing the initial analysis.
2020-03-12 17:36:31 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
py-asyncssh: updated to 2.2.0
Release 2.2.0
* Added support for U2F/FIDO2 security keys, with the following capabilities:
  - ECDSA (NISTP256) and Ed25519 key algorithms
  - Key generation, including control over the application and user the key is
    associated with and whether touch is required when using the key
  - Certificate generation, both as a key being signed and a CA key
  - Resident keys, allowing security keys to be used on multiple machines without
    any information being stored outside of the key
  - Access to and management of keys loaded in an OpenSSH ssh-agent
  - Support for both user and host keys and certificates
  - Support for “no-touch-required” option in authorized_keys files
  - Support for “no-touch-required” option in OpenSSH certificates
  - Compatibility with security key support added in OpenSSH version 8.2
* Added login timeout client option and limits on the length and number of banner
lines AsyncSSH will accept prior to the SSH version header.
* Improved load_keypairs() to read public key files, confirming that they are
consistent with their associated private key when they are present.
* Fixed issues in the SCP server related to handling filenames with spaces.
* Fixed an issue with resuming reading after readuntil() returns an incomplete read.
* Fixed a potential issue related to asyncio not reporting sockname/peername when
a connection is closed immediately after it is opened.
* Made SSHConnection a subclass of asyncio.Protocol to please type checkers.