| Changelog |
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Dec 19 2023 Gwyn Ciesla <gwync@protonmail.com> - 3.4.0-1
- 3.4.0
- 'Transport' grew a new 'packetizer_class' kwarg for overriding the
packet-handler class used internally (mostly for testing, but advanced
users may find this useful when doing deep hacks)
- Address CVE 2023-48795 (https://terrapin-attack.com/) a.k.a. the "Terrapin
Attack", a vulnerability found in the SSH protocol re: treatment of packet
sequence numbers) as follows:
- The vulnerability only impacts encrypt-then-MAC digest algorithms in
tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
currently only implements 'hmac-sha2-(256|512)-etm' in tandem with
'AES-CBC'; if you are unable to upgrade to Paramiko versions containing
the below fixes right away, you may instead use the 'disabled_algorithms'
connection option to disable the ETM MACs and/or the CBC ciphers (this
option is present in Paramiko ≥ 2.6)
- As the fix for the vulnerability requires both ends of the connection to
cooperate, the below changes will only take effect when the remote end is
OpenSSH ≥ 9.6 (or equivalent, such as Paramiko in server mode, as of this
patch version) and configured to use the new "strict kex" mode (Paramiko
will always attempt to use "strict kex" mode if offered by the server,
unless you override this by specifying 'strict_kex=False' in
'Transport.__init__')
- Paramiko will now raise an 'SSHException' subclass ('MessageOrderError')
when protocol messages are received in unexpected order; this includes
situations like receiving 'MSG_DEBUG' or 'MSG_IGNORE' during initial key
exchange, which are no longer allowed during strict mode
- Key (re)negotiation -- i.e. 'MSG_NEWKEYS', whenever it is encountered --
now resets packet sequence numbers (this should be invisible to users
during normal operation, only causing exceptions if the exploit is
encountered, which will usually result in, again, 'MessageOrderError')
- Sequence number rollover will now raise 'SSHException' if it occurs
during initial key exchange (regardless of strict mode status)
- Tweak 'ext-info-(c|s)' detection during KEXINIT protocol phase; the
original implementation made assumptions based on an OpenSSH implementation
detail
* Sun Jul 30 2023 Paul Howarth <paul@city-fan.org> - 3.3.1-1
- Update to 3.3.1 (rhbz#2227478)
- Cleaned up some very old root level files, mostly just to exercise some of
our doc build and release machinery
* Fri Jul 28 2023 Gwyn Ciesla <gwync@protonmail.com> - 3.3.0-1
- 3.3.0
- Add support and tests for 'Match final ..' (frequently used in ProxyJump
configurations to exclude the jump host) to our SSH config parser (GH#1907,
GH#1992)
- Add an explicit 'max_concurrent_prefetch_requests' argument to
'paramiko.client.SSHClient.get' and 'paramiko.client.SSHClient.getfo',
allowing users to limit the number of concurrent requests used during
prefetch (GH#1587, GH#2058)
* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.2.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Jun 15 2023 Python Maint <python-maint@redhat.com> - 3.2.0-2
- Rebuilt for Python 3.12
* Sat May 27 2023 Paul Howarth <paul@city-fan.org> - 3.2.0-1
- Update to 3.2.0 (rhbz#2210398)
- Fixed a very sneaky bug found at the apparently rarely-traveled
intersection of RSA-SHA2 keys, certificates, SSH agents, and
stricter-than-OpenSSH server targets, which manifested as yet another
"well, if we turn off SHA2 at one end or another, everything works again"
problem, for example with version 12 of the Teleport server endpoint
- The 'server-sig-algs' and 'RSA-SHA2' features added around Paramiko 2.9 or
so, had the annoying side effect of not working with servers that don't
support *either* of those feature sets, requiring use of
'disabled_algorithms' to forcibly disable the SHA2 algorithms on Paramiko's
end (GH#1961, GH#2012 and countless others)
- The *experimental* '~paramiko.transport.ServiceRequestingTransport' (noted
in its own entry in this changelog) includes a fix for this issue,
specifically by falling back to the same algorithm as the in-use pubkey if
it's in the algorithm list (leaving the "first algorithm in said list" as
an absolute final fallback)
- Implement '_fields()' on '~paramiko.agent.AgentKey' so that it may be
compared (via '==') with other '~paramiko.pkey.PKey' instances
- Since its inception, Paramiko has (for reasons lost to time) implemented
authentication as a side effect of handling affirmative replies to
'MSG_SERVICE_REQUEST' protocol messages; what this means is Paramiko makes
one such request before every 'MSG_USERAUTH_REQUEST', i.e. every auth
attempt (GH#23)
- OpenSSH doesn't care if clients send multiple service requests, but other
server implementations are often stricter in what they accept after an
initial service request (due to the RFCs not being clear), which can
result in odd behavior when a user doesn't authenticate successfully on
the very first try (for example, when the right key for a target host is
the third in one's ssh-agent)
- This version of Paramiko now contains an opt-in
'~paramiko.transport.Transport' subclass,
'~paramiko.transport.ServiceRequestingTransport', which more-correctly
implements service request handling in the Transport, and uses an
auth-handler subclass internally that has been similarly adapted; users
wanting to try this new experimental code path may hand this class to
'SSHClient.connect` as its 'transport_factory' kwarg
- This feature is *EXPERIMENTAL* and its code may be subject to change
- Minor backwards incompatible changes exist in the new code paths, most
notably the removal of the (inconsistently applied and rarely used)
'event' arguments to the 'auth_xxx' methods
- GSSAPI support has only been partially implemented, and is untested
- Some minor backwards-*compatible* changes were made to the *existing*
Transport and AuthHandler classes to facilitate the new code; for
example, 'Transport._handler_table' and
'AuthHandler._client_handler_table' are now properties instead of raw
attributes
- Users of '~paramiko.client.SSHClient' can now configure the authentication
logic Paramiko uses when connecting to servers; this functionality is
intended for advanced users and higher-level libraries such as 'Fabric'
(https://fabfile.org/); see '~paramiko.auth_strategy' for details (GH#387)
- Fabric's co-temporal release includes a proof-of-concept use of this
feature, implementing an auth flow much closer to that of the OpenSSH
client (versus Paramiko's legacy behavior); it is *strongly recommended*
that if this interests you, investigate replacing any direct use of
'SSHClient' with Fabric's 'Connection'
- This feature is **EXPERIMENTAL**; please see its docs for details
- Enhanced '~paramiko.agent.AgentKey' with new attributes, such as:
- Added a 'comment' attribute (and constructor argument);
'Agent.get_keys()' now uses this kwarg to store any comment field sent
over by the agent; the original version of the agent feature inexplicably
did not store the comment anywhere
- Agent-derived keys now attempt to instantiate a copy of the appropriate
key class for access to other algorithm-specific members (e.g. key size);
this is available as the '.inner_key' attribute
- This functionality is now in use in Fabric's new '--list-agent-keys'
feature, as well as in Paramiko's debug logging
- '~paramiko.pkey.PKey' now offers convenience "meta-constructors", static
methods that simplify the process of instantiating the correct subclass for
a given key input
- For example, 'PKey.from_path' can load a file path without knowing
*a priori* what type of key it is (thanks to some handy methods within
our cryptography dependency); going forwards, we expect this to be the
primary method of loading keys by user code that runs on "human time"
(i.e. where some minor efficiencies are worth the convenience)
- In addition, 'PKey.from_type_string' now exists, and is being used in
some internals to load ssh-agent keys
- As part of these changes, '~paramiko.pkey.PKey' and friends grew a
'~paramiko.pkey.PKey.identifiers' classmethod; this is inspired by the
'~paramiko.ecdsakey.ECDSAKey.supported_key_format_identifiers' classmethod
(which now refers to the new method); this also includes adding a '.name'
attribute to most key classes (which will eventually replace
'.get_name()')
- '~paramiko.pkey.PKey' grew a new '.algorithm_name' property that displays
the key algorithm; this is typically derived from the value of
'~paramiko.pkey.PKey.get_name'; for example, ED25519 keys have a 'get_name'
of 'ssh-ed25519' (the SSH protocol key type field value), and now have a
'algorithm_name' of 'ED25519'
- '~paramiko.pkey.PKey' grew a new '.fingerprint' property that emits a
fingerprint string matching the SHA256+Base64 values printed by various
OpenSSH tooling (e.g. 'ssh-add -l', 'ssh -v'); this is intended to help
troubleshoot Paramiko-vs-OpenSSH behavior and will eventually replace the
venerable 'get_fingerprint' method
- '~paramiko.agent.AgentKey' had a dangling Python 3 incompatible '__str__'
method returning bytes; this method has been removed, allowing the
superclass' ('~paramiko.pkey.PKey') method to run instead
* Sun Mar 12 2023 Paul Howarth <paul@city-fan.org> - 3.1.0-1
- Update to 3.1.0 (rhbz#2177436)
- Add an explicit 'channel_timeout' keyword argument to
'paramiko.client.SSHClient.connect', allowing users to configure the
previously-hardcoded default value of 3600 seconds (GH#2009, GH#2013, and
others)
- Accept single tabs as field separators (in addition to single spaces) in
'paramiko.hostkeys.HostKeyEntry.from_line' for parity with OpenSSH's
KnownHosts parser (GH#2173)
- Apply 'codespell' to the codebase, which found a lot of very old minor
spelling mistakes in docstrings; also, modernize many instances of '*largs'
vs. '*args' and '**kwarg' vs. '**kwargs' (GH#2178)
* Sun Jan 22 2023 Paul Howarth <paul@city-fan.org> - 3.0.0-1
- Update to 3.0.0 (rhbz#2162914)
- Remove some unnecessary '__repr__' calls when handling bytes-vs-str
conversions; this was apparently doing a lot of unintentional data
processing, which adds up in some use cases, such as SFTP transfers,
which may now be significantly faster (GH#2110)
- Streamline some redundant (and costly) byte conversion calls in the
packetizer and the core SFTP module; this should lead to some SFTP
speedups at the very least (GH#2165)
- 'paramiko.util.retry_on_signal' (and any internal uses of same, and also
any internal retries of 'EINTR' on e.g. socket operations) has been
removed; as of Python 3.5, per PEP 475 (https://peps.python.org/pep-0475/),
this functionality (and retrying 'EINTR' generally) is now part of the
standard library
Note: This change is backwards incompatible if you were explicitly
importing/using this particular function; the observable behavior otherwise
should not be changing
- '~paramiko.config.SSHConfig' used to straight-up delete the 'proxycommand'
key from config lookup results when the source config said
'ProxyCommand none'; this has been altered to preserve the key and give it
the Python value 'None', thus making the Python representation more in line
with the source config file
Note: This change is backwards incompatible if you were relying on the old
(1.x, 2.x) behavior for some reason (e.g. assuming all 'proxycommand'
values were valid subcommand strings)
- The behavior of private key classes' (i.e. anything inheriting from
'~paramiko.pkey.PKey') private key writing methods used to perform a
manual, extra 'chmod' call after writing; this hasn't been strictly
necessary since the mid 2.x release line (when key writing started giving
the 'mode' argument to 'os.open'), and has now been removed entirely; this
should only be observable if you were mocking Paramiko's system calls
during your own testing, or similar
- 'PKey.__cmp__' has been removed - ordering-oriented comparison of key files
is unlikely to have ever made sense (the old implementation attempted to
order by the hashes of the key material) and so we have not bothered
setting up '__lt__' and friends at this time; the class continues to have
its original '__eq__' untouched
Note: This change is backwards incompatible if you were actually trying to
sort public key objects (directly or indirectly); please file bug reports
detailing your use case if you have some intractable need for this
behavior, and we'll consider adding back the necessary Python 3 magic
methods so that it works as before
- A handful of lower-level classes (notably 'paramiko.message.Message' and
'paramiko.pkey.PKey') previously returned 'bytes' objects from their
implementation of '__str__', even under Python 3; and there was never any
'__bytes__' method; these issues have been fixed by renaming '__str__' to
'__bytes__' and relying on Python's default "stringification returns the
output of '__repr__'" behavior re: any real attempts to 'str()' such objects
- 'paramiko.common.asbytes' has been moved to 'paramiko.util.asbytes'
Note: This change is backwards incompatible if you were directly using this
function (which is unlikely)
- Remove the now irrelevant 'paramiko.py3compat' module
Note: This change is backwards incompatible - such references should be
search-and-replaced with their modern Python 3.6+ equivalents; in some
cases, still-useful methods or values have been moved to 'paramiko.util'
(most) or 'paramiko.common' ('byte_*')
- Drop support for Python versions less than 3.6, including Python 2; so long
and thanks for all the fish! Our packaging metadata has been updated to
include 'python_requires', so this should not cause breakage unless you're
on an old installation method that can't read this metadata
Note: As part of this change, our dependencies have been updated; e.g. we
now require Cryptography>=3.3, up from 2.5
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.12.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sun Nov 06 2022 Paul Howarth <paul@city-fan.org> - 2.12.0-1
- Update to 2.12.0 (rhbz#2140281)
- Add a 'transport_factory' kwarg to 'SSHClient.connect' for advanced users
to gain more control over early Transport setup and manipulation (GH#2054,
GH#2125)
- Update '~paramiko.client.SSHClient' so it explicitly closes its wrapped
socket object upon encountering socket errors at connection time; this
should help somewhat with certain classes of memory leaks, resource
warnings, and/or errors (though we hasten to remind everyone that Client
and Transport have their own '.close()' methods for use in non-error
situations!) (GH#1822)
- Raise '~paramiko.ssh_exception.SSHException' explicitly when blank private
key data is loaded, instead of the natural result of 'IndexError'; this
should help more bits of Paramiko or Paramiko-adjacent codebases to
correctly handle this class of error (GH#1599, GH#1637)
- Use SPDX-format license tag
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.11.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 2.11.0-2
- Rebuilt for Python 3.11
* Tue May 17 2022 Paul Howarth <paul@city-fan.org> - 2.11.0-1
- Update to 2.11.0
- Align signature verification algorithm with OpenSSH re: zero-padding
signatures that don't match their nominal size/length; this shouldn't
affect most users, but will help Paramiko-implemented SSH servers handle
poorly behaved clients such as PuTTY (GH#1933)
- OpenSSH 7.7 and older has a bug preventing it from understanding how to
perform SHA2 signature verification for RSA certificates (specifically
certs - not keys), so when we added SHA2 support it broke all clients using
RSA certificates with these servers; this has been fixed in a manner similar
to what OpenSSH's own client does - a version check is performed and the
algorithm used is downgraded if needed (GH#2017)
- Recent versions of Cryptography have deprecated Blowfish algorithm support;
in lieu of an easy method for users to remove it from the list of
algorithms Paramiko tries to import and use, we've decided to remove it
from our "preferred algorithms" list, which will both discourage use of a
weak algorithm, and avoid warnings (GH#2038, GH#2039)
- Windows-native SSH agent support as merged in 2.10 could encounter
'Errno 22' 'OSError' exceptions in some scenarios (e.g. server not cleanly
closing a relevant named pipe); this has been worked around and should be
less problematic (GH#2008, GH#2010)
- Add SSH config token expansion (eg '%h', '%p') when parsing 'ProxyJump'
directives (GH#1951)
- Apply unittest 'skipIf' to tests currently using SHA1 in their critical
path, to avoid failures on systems starting to disable SHA1 outright in
their crypto backends (e.g. RHEL 9) (GH#2004, GH#2011)
* Tue Apr 26 2022 Paul Howarth <paul@city-fan.org> - 2.10.4-1
- Update to 2.10.4
- Update 'camelCase' method calls against the 'threading' module to be
'snake_case'; this and related tweaks should fix some deprecation warnings
under Python 3.10 (GH#1838, GH#1870, GH#2028)
- '~paramiko.pkey.PKey' instances' '__eq__' did not have the usual safety
guard in place to ensure they were being compared to another 'PKey' object,
causing occasional spurious 'BadHostKeyException', among other things
(GH#1964, GH#2023, GH#2024)
- Servers offering certificate variants of hostkey algorithms (e.g.
'ssh-rsa-cert-v01@openssh.com') could not have their host keys verified by
Paramiko clients, as it only ever considered non-cert key types for that
part of connection handshaking (GH#2035)
* Mon Mar 21 2022 Paul Howarth <paul@city-fan.org> - 2.10.3-2
- Skip tests that would fail without SHA-1 signing support in backend, such as
on EL-9 (GH#2011)
* Sat Mar 19 2022 Paul Howarth <paul@city-fan.org> - 2.10.3-1
- Update to 2.10.3
- Certificate-based pubkey auth was inadvertently broken when adding SHA2
support in version 2.9.0 (GH#1963, GH#1977)
- Switch from module-global to thread-local storage when recording thread IDs
for a logging helper; this should avoid one flavor of memory leak for
long-running processes (GH#2002, GH#2003)
* Tue Mar 15 2022 Paul Howarth <paul@city-fan.org> - 2.10.2-1
- Update to 2.10.2
- Fix Python 2 compatibility breakage introduced in 2.10.1 (GH#2001)
- Re-enable sftp tests, no longer failing under mock
* Sun Mar 13 2022 Paul Howarth <paul@city-fan.org> - 2.10.1-1
- Update to 2.10.1
- CVE-2022-24302: Creation of new private key files using
'~paramiko.pkey.PKey' subclasses was subject to a race condition between
file creation and mode modification, which could be exploited by an
attacker with knowledge of where the Paramiko-using code would write out
such files; this has been patched by using 'os.open' and 'os.fdopen' to
ensure new files are opened with the correct mode immediately (we've left
the subsequent explicit 'chmod' in place to minimize any possible
disruption, though it may get removed in future backwards-incompatible
updates)
- Add support for the '%C' token when parsing SSH config files (GH#1976)
- Add support for OpenSSH's Windows agent as a fallback when Putty/WinPageant
isn't available or functional (GH#1509, GH#1837, GH#1868)
- Significantly speed up low-level read/write actions on
'~paramiko.sftp_file.SFTPFile' objects by using 'bytearray'/'memoryview'
(GH#892); this is unlikely to change anything for users of the higher level
methods like 'SFTPClient.get' or 'SFTPClient.getfo', but users of
'SFTPClient.open' will likely see orders of magnitude improvements for
files larger than a few megabytes in size
- Add 'six' explicitly to install-requires; it snuck into active use at some
point but has only been indicated by transitive dependency on 'bcrypt'
until they somewhat-recently dropped it (GH#1985); this will be short-lived
until we drop Python 2 support
|
