2020-01-26 18:32:28 by Roland Illig | Files touched by this commit (981) |
Log message:
all: migrate homepages from http to https
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
|
2019-12-11 11:43:53 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
py-paramiko: updated to 2.7.1
2.7.1:
[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key
format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding
bug which had been fixed earlier for Ed25519 (as that key type has always used
the newer format). That fix has been refactored and applied to the base key
class, courtesy of Pierce Lopez.
2.7.0:
[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text,
from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality
(CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and
CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented).
All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files.
Previously, this keyword was simply ignored & keywords inside such blocks
were treated as if they were part of the previous block. Thanks to Michael
Leinartas for the initial patchset.
Note
This feature adds a new optional install dependency, Invoke, for managing Match
exec subprocesses.
[Feature]: A couple of outright SSHConfig parse errors were previously
represented as vanilla Exception instances; as part of recent feature work a
more specific exception class, ConfigParseError, has been created. It is now
also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically
denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s
BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth
error from “modern” keys generated on newer operating system releases (such
as macOS Mojave), this is the first update to try.
Major thanks to everyone who contributed or tested versions of the patch,
including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and
Jared Hobbs.
[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing;
previously, if your config would result in the same value being encountered more
than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally
imported to prevent issues on limited interpreter platforms like Google Compute
Engine. However, any resulting ImportError was lost instead of preserved for
raising (in the rare cases where a user tried leveraging ProxyCommand in such an
environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the
local username ($USER env var), compared to what the (much older) client
connection code does (getpass.getuser, which includes $USER but may check other
variables first, and is generally much more comprehensive). Both modules now use
getpass.getuser.
[Support]: Explicitly document which ssh_config features we currently support.
Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519,
invoke, and all) have been added to our packaging metadata; see the install docs
for details.
|
2019-07-02 06:31:13 by Adam Ciarcinski | Files touched by this commit (3) |  |
Log message:
py-paramiko: updated to 2.6.0
2.6.0:
Add a new keyword argument to SSHClient.connect and Transport,
disabled_algorithms, which allows selectively disabling one or more
kex/key/cipher/etc algorithms. This can be useful when disabling algorithms your
target server (or client) does not support cleanly, or to work around unpatched
bugs in Paramiko’s own implementation thereof.
SSHClient.exec_command previously returned a naive ChannelFile object for its
stdin value; such objects don’t know to properly shut down the remote end’s
stdin when they .close(). This led to issues (such as hangs) when running
remote commands that read from stdin.
Add backwards-compatible support for the gssapi GSSAPI library, as the previous
backend (python-gssapi) has since become defunct. This change also includes
tests for the GSSAPI functionality.
Tweak many exception classes so their string representations are more
human-friendly; this also includes incidental changes to some super() calls.
|
2019-06-10 10:42:58 by Adam Ciarcinski | Files touched by this commit (3) |  |
Log message:
py-paramiko: updated to 2.5.0
2.5.0:
[Feature] Updated SSHConfig.lookup so it returns a new, type-casting-friendly
dict subclass (SSHConfigDict) in lieu of dict literals. This ought to be
backwards compatible, and allows an easier way to check boolean or int type
ssh_config values.
[Feature] Add support for Curve25519 key exchange (aka curve25519-sha256@libssh.org).
[Feature] Add support for encrypt-then-MAC (ETM) schemes
(hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer
Diffie-Hellman group key exchange algorithms (group14, using SHA256; and
group16, using SHA512). Patch courtesy of Edgar Sousa.
[Support] Update our install docs with (somewhat) recently added additional
dependencies; we previously only required Cryptography, but the docs never got
updated after we incurred bcrypt and pynacl requirements for Ed25519 key
support.
Additionally, pyasn1 was never actually hard-required; it was necessary during a
development branch, and is used by the optional GSSAPI support, but is not
required for regular installation. Thus, it has been removed from our setup.py
and its imports in the GSSAPI code made optional.
[Support] Add *.pub files to the MANIFEST so distributed source packages contain
some necessary test assets. Credit: Alexander Kapshuna.
[Support] Add support for the modern (as of Python 3.3) import location of
MutableMapping (used in host key management) to avoid the old location becoming
deprecated in Python 3.8.
[Support] Raise Cryptography dependency requirement to version 2.5 (from 1.5)
and update some deprecated uses of its API.
|
2018-09-21 13:04:16 by Adam Ciarcinski | Files touched by this commit (4) |  |
Log message:
py-paramiko: updated to 2.4.2
2.4.2:
Fix exploit (CVE pending) in Paramiko’s server mode (not client mode) where
hostile clients could trick the server into thinking they were authenticated
without actually submitting valid authentication.
Specifically, steps have been taken to start separating client and server
related message types in the message handling tables within Transport and
AuthHandler; this work is not complete but enough has been performed to close
off this particular exploit (which was the only obvious such exploit for this
particular channel).
Modify protocol message handling such that Transport does not respond to
MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED. This behavior probably
didn’t cause any outright errors, but it doesn’t seem to conform to the RFCs
and could cause (non-infinite) feedback loops in some scenarios (usually those
involving Paramiko on both ends).
Add *.pub files to the MANIFEST so distributed source packages contain some
necessary test assets. Credit: Alexander Kapshuna.
Backport pytest support and application of the black code formatter (both of
which previously only existed in the 2.4 branch and above) to everything 2.0 and
newer. This makes back/forward porting bugfixes significantly easier.
Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using
duck-typing to preserve backwards compatibility. This allows these older
versions to use newer Cryptography sign/verify APIs when available, without
requiring them (as is the case with Paramiko 2.3+).
|
2018-09-06 15:28:00 by Adam Ciarcinski | Files touched by this commit (1) |
Log message:
py-paramiko: BUILD_DEPENDS -> TEST_DEPENDS
|
2018-03-29 17:35:32 by Adam Ciarcinski | Files touched by this commit (1) |
Log message:
Added missing patch
|
2018-03-13 19:35:29 by Adam Ciarcinski | Files touched by this commit (3) |  |
Log message:
py-paramiko: updated to 2.4.1
2.4.1:
[Bug] Ed25519 auth key decryption raised an unexpected exception when given a
unicode password string (typical in python 3). Report by Theodor van Nahl and
fix by Pierce Lopez.
[Bug] Add newer key classes for Ed25519 and ECDSA to paramiko.__all__ so that
code introspecting that attribute, or using from paramiko import * (such as some
IDEs) sees them. Thanks to @patriksevallius for the patch.
[Bug] Fix a security flaw (CVE-2018-7750) in Paramiko’s server mode (emphasis
on server mode; this does not impact client use!) where authentication status
was not checked before processing channel-open and other requests typically only
sent after authenticating. Big thanks to Matthijs Kooijman for the report.
|
2017-11-15 10:24:14 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
py-paramiko: updated to 2.4.0
2.4.0:
[Feature]: Add a new passphrase kwarg to SSHClient.connect so users may
disambiguate key-decryption passphrases from password-auth passwords. (This is a
backwards compatible change; password will still pull double duty as a
passphrase when passphrase is not given.)
[Support]: Drop Python 2.6 and Python 3.3 support; now only 2.7 and 3.4+ are
supported. If you’re unable to upgrade from 2.6 or 3.3, please stick to the
Paramiko 2.3.x (or below) release lines.
[Support]: Include LICENSE file in wheel archives.
[Support]: Updated the test suite & related docs/metadata/config to be
compatible with pytest instead of using the old, custom, crufty unittest-based
test.py.
This includes marking known-slow tests (mostly the SFTP ones) so they can be
filtered out by inv test’s default behavior; as well as other minor tweaks to
test collection and/or display (for example, GSSAPI tests are collected, but
skipped, instead of not even being collected by default as in test.py.)
[Support]: Update tearDown of client test suite to avoid hangs due to eternally
blocking accept() calls on the internal server thread (which can occur when test
code raises an exception before actually connecting to the server.)
|
2017-10-25 08:38:53 by Adam Ciarcinski | Files touched by this commit (1) |
Log message:
Updated HOMEPAGE
|