./security/py-paramiko, SSH2 protocol library


Branch: CURRENT, Version: 2.7.1, Package name: py37-paramiko-2.7.1, Maintainer: pkgsrc-users

paramiko is a module for python 2.2 (or higher) that implements the SSH2
protocol for secure (encrypted and authenticated) connections to remote
machines. Unlike SSL (aka TLS), the SSH2 protocol does not require hierarchical
certificates signed by a powerful central authority. You may know SSH2 as
the protocol that replaced telnet and rsh for secure access to remote shells,
but the protocol also includes the ability to open arbitrary channels to
remote services across the encrypted tunnel (this is how sftp works,
for example).

Required to run:
[devel/py-setuptools] [security/py-cryptography] [security/py-bcrypt] [security/py-nacl] [lang/python37]

Required to build:

Master sites:

SHA1: a52fc133b817dc4d8b036bec71173c376e9dc38d
RMD160: 04207a10ce1810a510af3a7dfc1b3b7581fa687e
Filesize: 1109.797 KB

Version history:

CVS history:

   2020-01-26 18:32:28 by Roland Illig | Files touched by this commit (981)
Log message:
all: migrate homepages from http to https

pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
   2019-12-11 11:43:53 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-paramiko: updated to 2.7.1

[Bug] Fix a bug in support for ECDSA keys under the newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
[Bug] The new-style private key format (added in 2.7) suffered from an unpadding bug which had been fixed earlier for Ed25519 (as that key type has always used the newer format). That fix has been refactored and applied to the base key class, courtesy of Pierce Lopez.

[Feature]: Add new convenience classmethod constructors to SSHConfig: from_text, from_file, and from_path. No more annoying two-step process!
[Feature] Implement most ‘canonical hostname’ ssh_config functionality (CanonicalizeHostname, CanonicalDomains, CanonicalizeFallbackLocal, and CanonicalizeMaxDots; CanonicalizePermittedCNAMEs has not yet been implemented). All were previously silently ignored. Reported by Michael Leinartas.
[Feature] Implement support for the Match keyword in ssh_config files. Previously, this keyword was simply ignored & keywords inside such blocks were treated as if they were part of the previous block. Thanks to Michael Leinartas for the initial patchset.

This feature adds a new optional install dependency, Invoke, for managing Match exec subprocesses.

[Feature]: A couple of outright SSHConfig parse errors were previously represented as vanilla Exception instances; as part of recent feature work a more specific exception class, ConfigParseError, has been created. It is now also used in those older spots, which is naturally backwards compatible.
[Feature] Implement support for OpenSSH 6.5-style private key files (typically denoted as having BEGIN OPENSSH PRIVATE KEY headers instead of PEM format’s BEGIN RSA PRIVATE KEY or similar). If you were getting any sort of weird auth error from “modern” keys generated on newer operating system releases (such as macOS Mojave), this is the first update to try.

Major thanks to everyone who contributed or tested versions of the patch, including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and Jared Hobbs.

[Bug]: Perform deduplication of IdentityFile contents during ssh_config parsing; previously, if your config would result in the same value being encountered more than once, IdentityFile would contain that many copies of the same string.
[Bug]: Paramiko’s use of subprocess for ProxyCommand support is conditionally imported to prevent issues on limited interpreter platforms like Google Compute Engine. However, any resulting ImportError was lost instead of preserved for raising (in the rare cases where a user tried leveraging ProxyCommand in such an environment). This has been fixed.
[Bug]: ssh_config token expansion used a different method of determining the local username ($USER env var), compared to what the (much older) client connection code does (getpass.getuser, which includes $USER but may check other variables first, and is generally much more comprehensive). Both modules now use
[Support]: Explicitly document which ssh_config features we currently support. Previously users just had to guess, which is simply no good.
[Support]: Additional installation extras_require “flavors” (ed25519, invoke, and all) have been added to our packaging metadata; see the install docs for details.
   2019-07-02 06:31:13 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-paramiko: updated to 2.6.0

Add a new keyword argument to SSHClient.connect and Transport, disabled_algorithms, which allows selectively disabling one or more kex/key/cipher/etc algorithms. This can be useful when disabling algorithms your target server (or client) does not support cleanly, or to work around unpatched bugs in Paramiko’s own implementation thereof.

SSHClient.exec_command previously returned a naive ChannelFile object for its stdin value; such objects don’t know to properly shut down the remote end’s stdin when they .close(). This led to issues (such as hangs) when running remote commands that read from stdin.

Add backwards-compatible support for the gssapi GSSAPI library, as the previous backend (python-gssapi) has since become defunct. This change also includes tests for the GSSAPI functionality.

Tweak many exception classes so their string representations are more human-friendly; this also includes incidental changes to some super() calls.
   2019-06-10 10:42:58 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-paramiko: updated to 2.5.0

[Feature] Updated SSHConfig.lookup so it returns a new, type-casting-friendly dict subclass (SSHConfigDict) in lieu of dict literals. This ought to be backwards compatible, and allows an easier way to check boolean or int type ssh_config values.

[Feature] Add support for Curve25519 key exchange (aka curve25519-sha256@libssh.org).

[Feature] Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange algorithms (group14, using SHA256; and group16, using SHA512). Patch courtesy of Edgar Sousa.

[Support] Update our install docs with (somewhat) recently added additional dependencies; we previously only required Cryptography, but the docs never got updated after we incurred bcrypt and pynacl requirements for Ed25519 key

Additionally, pyasn1 was never actually hard-required; it was necessary during a development branch, and is used by the optional GSSAPI support, but is not required for regular installation. Thus, it has been removed from our setup.py and its imports in the GSSAPI code made optional.

[Support] Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.

[Support] Add support for the modern (as of Python 3.3) import location of MutableMapping (used in host key management) to avoid the old location becoming deprecated in Python 3.8.
[Support] Raise Cryptography dependency requirement to version 2.5 (from 1.5) and update some deprecated uses of its API.
   2018-09-21 13:04:16 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
py-paramiko: updated to 2.4.2

Fix exploit (CVE pending) in Paramiko’s server mode (not client mode) where hostile clients could trick the server into thinking they were authenticated without actually submitting valid authentication.

Specifically, steps have been taken to start separating client and server related message types in the message handling tables within Transport and AuthHandler; this work is not complete but enough has been performed to close off this particular exploit (which was the only obvious such exploit for this particular channel).

Modify protocol message handling such that Transport does not respond to MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED. This behavior probably didn’t cause any outright errors, but it doesn’t seem to conform to the RFCs and could cause (non-infinite) feedback loops in some scenarios (usually those involving Paramiko on both ends).
Add *.pub files to the MANIFEST so distributed source packages contain some necessary test assets. Credit: Alexander Kapshuna.
Backport pytest support and application of the black code formatter (both of which previously only existed in the 2.4 branch and above) to everything 2.0 and newer. This makes back/forward porting bugfixes significantly easier.
Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography sign/verify APIs when available, without requiring them (as is the case with Paramiko 2.3+).
   2018-09-06 15:28:00 by Adam Ciarcinski | Files touched by this commit (1)
Log message:
   2018-03-29 17:35:32 by Adam Ciarcinski | Files touched by this commit (1)
Log message:
Added missing patch
   2018-03-13 19:35:29 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-paramiko: updated to 2.4.1

[Bug] Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in python 3). Report by Theodor van Nahl and fix by Pierce Lopez.
[Bug] Add newer key classes for Ed25519 and ECDSA to paramiko.__all__ so that code introspecting that attribute, or using from paramiko import * (such as some IDEs) sees them. Thanks to @patriksevallius for the patch.
[Bug] Fix a security flaw (CVE-2018-7750) in Paramiko’s server mode (emphasis on server mode; this does not impact client use!) where authentication status was not checked before processing channel-open and other requests typically only sent after authenticating. Big thanks to Matthijs Kooijman for the report.