java-packages/apache-sshd
SHA256
6
0
Fork 0
forked from pool/apache-sshd
Code Pull Requests Activity
Files
main
apache-sshd/apache-sshd.changes
Fridrich Štrba 12a8a608f9 Changes
2025-09-25 16:09:42 +02:00

806 lines
36 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

-------------------------------------------------------------------
Thu Sep 25 13:47:05 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Update to upstream version 2.16.0
* Changes of version 2.16.0
+ bugfix: fix cert auth failed bug
+ GH-664: Skip MAC negotiation if an AEAD cipher was negotiated
+ GH-663: Fix a race in IoSession creation
+ Also test sshd-mina using mina-core 2.2.4
+ ScpShell fixes; SFTP append mode for buggy servers
+ fix sources.jar Reproducible Builds issue
+ GH-700: Fix race in AbstractCloseable.doCloseImmediately()
+ GH-705: Make ChannelToPortHandler accessible to user code
+ GH-709: Handle keep-alive channel messages sent by an old
OpenSSH server
+ GH-727: supply default port for proxyJump if no
HostConfigEntry
+ GH-733: Fix SftpRemotePathChannel.transferTo
+ GH-725: Added commandTimeoutMillis in executeRemoteCommand
+ GH-774: Fix WritePendingException
+ #771 Avoid NoClassDefFoundError:
net/i2p/crypto/eddsa/EdDSAPublicKey
+ GH-516: Fix filesystem-id parsing in getFileSystem(URI)
+ GH-754: Don't close DefaultForwarder on bind error
+ Close repository after usage in GitPackCommand
+ Trigger ClientChannelEvent.Timeout and
ClientSessionEvent.TIMEOUT independently to host's program
cycle times
* Changes of version 2.15.0
+ GH-618: Fix reading an OpenSshCertificate from a Buffer
+ Add interface to configure details of JGit's pack
implementation
+ ML-KEM key exchanges using Bouncy Castle 1.79
+ GH-628: Fix reading directories with trailing blanks in the
name
+ GH-626: Enable Streaming.Async for ChannelDirectTcpip
+ Sftp server ls command timeout
+ GH-636: Handle unknown key types in known_hosts
+ GH-643: provide interfaces for caching file attributes on
paths
+ Bouncy Castle EdDSA / Ed25519 Support
+ Abstract revoked key handling in KnownHostsServerKeyVerifier
- Removed patch:
* apache-sshd-javadoc.patch
+ not needed with this version
-------------------------------------------------------------------
Fri Jun 20 10:20:32 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Fix an incompletely interpolated dependency with maven 4.0.0-rc-4
-------------------------------------------------------------------
Thu Mar 27 15:20:27 UTC 2025 - Fridrich Strba <fstrba@suse.com>
- Fix wrong invocation of xmvn-subst
-------------------------------------------------------------------
Thu Oct 17 07:53:50 UTC 2024 - Anton Shvetz <shvetz.anton@gmail.com>
- Updated to upstream version 2.14.0
- Changes in version 2.14.0
* Bug Fixes
+ GH-524 Performance improvements
+ GH-533 Fix multi-step authentication
+ GH-582 Fix filtering in NamedFactory
+ GH-587 Prevent NullPointerExceptionon closed channel in
NettyIoSession
+ GH-590 Better support for FIPS
+ GH-597 Pass on Charset in
ClientSession.executeRemoteCommand()
* New Features
+ New utility methods SftpClient.put(Path localFile, String
remoteFileName) and SftpClient.put(InputStream in, String
remoteFileName) facilitate SFTP file uploading.
* GH-590 Better support for FIPS
Besides fixing a bug with bc-fips (the RandomGenerator class
exists in normal Bouncy Castle, but not in the FIPS version,
but Apache MINA sshd referenced it even if only bc-fips was
present), support was improved for running in an environment
restricted by FIPS.
There is a new system property
org.apache.sshd.security.fipsEnabled. If set to true, a number
of crypto-algorithms not approved by FIPS 140 are disabled:
+ key exchange methods sntrup761x25519-sha512,
sntrup761x25519-sha512@openssh.com, curve25519-sha256,
curve25519-sha256@libssh.org, curve448-sha512.
+ the chacha20-poly1305 cipher.
+ the bcrypt KDF used in encrypted private key files in
OpenSSH format.
+ all ed25519 keys and signatures.
Additionally, the new "SunJCEWrapper" SecurityProviderRegistrar
(see below) and the EdDSASecurityProviderRegistrar are
disabled, and the BouncyCastleScurityProviderRegistrar looks
only for the "BCFIPS" security provider, not for the normal
"BC" provider.
If the system property is not set to true, FIPS mode can be
enabled programmatically by calling SecurityUtils.setFipsMode()
before any other call to Apache MINA sshd.
* Potential compatibility issues
+ New security provider registrar
There is a new SecurityProviderRegistrar that is registered
by default if there is a SunJCE security provider. It uses
the AES and HmacSHA* implementations from SunJCE even if
Bouncy Castle is also registered. SunJCE has native
implementations, whereas Bouncy Castle may not.
The new registrar has the name "SunJCEWrapper" and can be
configured like any other registrar. It can be disabled via
the system property
org.apache.sshd.security.provider.SunJCEWrapper.enabled=false.
It is also disabled in FIPS mode (see above).
+ GH-582 Fix filtering in NamedFactory
The methods NamedFactory.setupBuiltinFactories(boolean
ignoreUnsupported, ...) and
NamedFactory.setupTransformedFactories(boolean
ignoreUnsupported, ...) had a bug that gave the
"ignoreUnsupported" parameter actually the meaning of
"include unsupported".
This was fixed in this release, but existing code calling
these or one of the following methods:
~ BaseBuilder.setUpDefaultMacs(boolean ignoreUnsupported)
~ BaseBuilder.setUpDefaultCiphers(boolean ignoreUnsupported)
~ ClientBuilder.setUpDefaultCompressionFactories(boolean
ignoreUnsupported)
~ ClientBuilder.setUpDefaultKeyExchanges(boolean
ignoreUnsupported)
~ ClientBuilder.setUpDefaultSignatureFactories(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultCompressionFactories(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultKeyExchanges(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultSignatureFactories(boolean
ignoreUnsupported)
~ any of the methods starting with
SshConfigFileReader.configure
~ SshClientConfigFileReader.configure(...)
~ SshServerConfigFileReader.configure(...)
should be reviewed:
~ if the method is called with parameter value true, the
result will no longer include unsupported algorithms.
Formerly it wrongly did.
~ if the method is called with parameter value false, the
result may include unsupported algorithms. Formerly it
did not.
So if existing code used parameter value false to ensure it
never got unsupported algorithms, change it to true.
* Major Code Re-factoring
+ JDK requirements
~ GH-536 The project now requires JDK 17 at build time, while
the target runtime still remains unchanged to support JDK
8.
- Changes in version 2.13.2
* What's Changed
+ GH-525: Fix sntrup761x25519-sha512 by @tomaswolf in #528
- Changes in version 2.13.1
* What's changed
+ This release does not contain any code changes. It is solely
to rectify the issue that the 2.13.0 release encountered
during the release process, where the source jars were not
created.
- Changes in version 2.13.0
* What's changed
+ GH-318: Handle cascaded proxy jumps by @tomaswolf in #512
+ GH-427: Read initial ACK on channel open prior to direct
stream upload & close streams prior to exit code handling by
@TerraNibble in #464
+ GH-455: ensure BaseCipher.update() fulfills the contract by
@tomaswolf in #463
+ GH-470: Synchronize not thread safe
java.security.KeyPairGenerator.generateKe… by
@zakharovsergey1000 in #467
+ GH-476: Fix Android detection false negative by @wh0
+ GH-475: Switch uses of JSch library to the
com.github.mwiede:jsch fork by @Alex-Vol-Amz
+ GH-472: change client start condition in sshd-spring-sftp by
@alwaystom
+ GH-489: sftp readdir: determine file type from longname by
@tomaswolf in #491
+ GH-486: Add missing U2F {ed25519,ecdsa}-sk public key
equality methods by @lf-
+ SSHD-1237 Handle keep-alive channel requests by @tomaswolf in
#492
+ GH-494: Nio2Session improvements by @evgeny-pasynkov
+ GH-468: Handle excess data in SFTP read requests by
@tomaswolf in #495
+ GH-498: Implement the "sntrup761x25519-sha512@openssh.com"
KEX method by @tomaswolf
+ GH-500: SftpFileSystemProvider: close SftpClient on exception
by @tomaswolf in #501
+ GH-504: Pass reason to sessionNegotiationEnd by @duco-lw in
#505
+ GH-461: Fix heartbeats with wantReply=true by @tomaswolf in
#507
+ GH-493: Fix arcfour128 and arcfour256 ciphers (regression in
2.2.0)
+ GH-509: SFTP v[456] client: validate attribute flags
+ GH-510: Fix class name in BuiltinIoServiceFactoryFactories
(regression in 2.6.0)
* New Features
+ sntrup761x25519-sha512@openssh.com Key Exchange
The key exchange method sntrup761x25519-sha512@openssh.com is
now available if the Bouncy Castle library is available.
This uses a post-quantum key encapsulation method (KEM) to
make key exchange future-proof against quantum attacks.
More information can be found in IETF Memo Secure Shell (SSH)
Key Exchange Method Using Hybrid Streamlined NTRU Prime
sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512.
+ Behavioral changes and enhancements
~ GH-318 Handle cascaded proxy jumps
Proxy jumps can be configured via host configuration
entries in two ways. First, proxies can be chained directly
by specifiying several proxies in one ProxyJump directive:
Host target
Hostname somewhere.example.org
User some_user
IdentityFile ~/.ssh/some_id
ProxyJump jumphost2, jumphost1
Host jumphost1
Hostname jumphost1@example.org
User jumphost1_user
IdentityFile ~/.ssh/id_jumphost1
Host jumphost2
Hostname jumphost2@example.org
User jumphost2_user
IdentityFile ~/.ssh/id_jumphost2
Connecting to server target will first connect to
jumphost1, then tunnel through to jumphost2, and finally
tunnel to target. So the full connection will be
client→jumphost1→jumphost2→target.
Such proxy jump chains were already supported in Apache
MINA SSHD.
Newly, Apache MINA SSHD also supports cascading proxy
jumps, so a configuration like
Host target
Hostname somewhere.example.org
User some_user
IdentityFile ~/.ssh/some_id
ProxyJump jumphost2
Host jumphost1
Hostname jumphost1@example.org
User jumphost1_user
IdentityFile ~/.ssh/id_jumphost1
Host jumphost2
Hostname jumphost2@example.org
ProxyJump jumphost1
User jumphost2_user
IdentityFile ~/.ssh/id_jumphost2
also works now, and produces the same connection
client→jumphost1→jumphost2→target.
It is possible to mis-configure such proxy jump cascades to
have loops. (For instance, if host jumphost1 in the above
example had a ProxyJump jumphost2 directive.) To catch such
misconfigurations, Apache MINA SSHD imposes an upper limit
on the total number of proxy jumps in a connection. An
exception is thrown if there are more than
CoreModuleProperties.MAX_PROXY_JUMPS proxy jumps in a
connection. The default value of this property is 10. Most
real uses of proxy jumps will have one or maybe two proxy
jumps only.
~ GH-461 Fix heartbeats with wantReply=true
The client-side heartbeat mechanism has been updated. Such
heartbeats are configured via the
CoreModuleProperties.HEARTBEAT_INTERVAL property. If this
interval is > 0, heartbeats are sent to the server.
Previously these heartbeats could also be configured with a
CoreModuleProperties.HEARTBEAT_REPLY_WAIT timeout. If the
timeout was <= 0, the client would just send heartbeat
requests without expecting any answers. If the timeout was
> 0, the client would send requests with a flag indicating
that the server should reply. The client would then wait
for the specified duration for the reply and would
terminate the connection if none was received.
This mechanism could cause trouble if the timeout was
fairly long and the server was slow to respond. A timeout
longer than the interval could also delay subsequent
heartbeats.
The CoreModuleProperties.HEARTBEAT_REPLY_WAIT property is
now deprecated.
There is a new configuration property
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX instead. It
defines a limit for the number of heartbeats sent without
receiving a reply before a session is terminated. If the
value is <= 0, the client still sends heartbeats without
expecting any reply. If the value is > 0, the client will
request a reply from the server for each heartbeat message,
and it will terminate the connection if the number of
unanswered heartbeats reaches
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.
This new way to configure heartbeats aligns with the
OpenSSH configuration options ServerAliveInterval and
ServerAliveCountMax.
For compatibility with older configurations that explicitly
define CoreModuleProperties.HEARTBEAT_REPLY_WAIT, the new
code maps this to the new configuration (but only if
CoreModuleProperties.HEARTBEAT_INTERVAL > 0 and the new
property CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX has
not been set) by setting
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX to
= CoreModuleProperties.HEARTBEAT_REPLY_WAIT <= 0:
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX = 0
= otherwise: (CoreModuleProperties.HEARTBEAT_REPLY_WAIT /
CoreModuleProperties.HEARTBEAT_INTERVAL) + 1.
~ GH-468 SFTP: validate length of data received: must not be
more than requested
SFTP read operations now check the amount of data they get
back. If it's more than requested an exception is thrown.
SFTP servers must never return more data than the client
requested, but it appears that there are some that do so.
If property SftpModuleProperties.TOLERATE_EXCESS_DATA is
set to true, a warning is logged and such excess data is
silently discarded.
* Potential compatibility issues
+ AES-CBC ciphers removed from server's defaults
The AES-CBC ciphers aes128-cbc, aes192-cbc, and aes256-cbc
have been removed from the default list of cipher algorithms
that a server proposes in the key exchange. OpenSSH has
removed these cipher algorithms from the server proposal in
2014, and has removed them from the client proposal in 2017.
The cipher implementations still exist but they are not
enabled by default. Existing code that explicitly sets the
cipher factories is unaffected. Code that relies on the
default settings will newly create a server that does not
support the CBC-mode ciphers. To enable the CBC-mode ciphers,
one can use for instance
SshServer server = ServerBuilder.builder()
...
.cipherFactories(BuiltinFactory.setUpFactories(false,
BaseBuilder.DEFAULT_CIPHERS_PREFERENCES));
...
.build();
For the SSH client, the CBC ciphers are still enabled by
default to facilitate connecting to legacy servers. We plan
to remove the CBC ciphers from the client's defaults in the
next release.
- Changes in version 2.12.1
* Bug Fixes
+ GH-458 Singleton thread pool for kex message handler flushing
+ SSHD-1338 Restore binary compatibility with 2.9.2
* What's Changed
+ Fix link by @swiedenfeld in #454
+ SSHD-1338 Restore binary compatibility with 2.9.2 by @gnodet
in #456
+ Use a singleton threadpool for kex message handler flushing
by @FliegenKLATSCH in #459
- Enable module: sshd-openpgp
-------------------------------------------------------------------
Thu Oct 17 01:00:02 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Add an "extras" flavour to build without cycles all modules we
can
- Build also a standalone apache-sshd application
- Removed patch:
* 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
+ use tomcat-jni instead and build the module
- Added patches:
* file-name-mapping.patch
+ Do not add version to the assembled artifacts
* password-no-echo.patch
+ Do not echo on the console the password
-------------------------------------------------------------------
Tue Feb 20 11:07:06 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %patch -P N instead of deprecated %patchN.
-------------------------------------------------------------------
Fri Jan 19 22:17:57 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Updated to upstream version 2.12.0
- Changes in version 2.11.0
* Bug Fixes
+ GH-328 Added configurable timeout(s) to DefaultSftpClient
+ GH-370 Also compare file keys in ModifiableFileWatcher.
+ GH-371 Fix channel pool in SftpFileSystem.
+ GH-383 Use correct default OpenOptions in
SftpFileSystemProvider.newFileChannel().
+ GH-384 Use correct lock modes for SFTP FileChannel.lock().
+ GH-388 ScpClient: support issuing commands to a server that
uses a non-UTF-8 locale.
+ GH-398 SftpInputStreamAsync: fix reporting EOF on zero-length
reads.
+ GH-403 Work-around a bug in WS_FTP <= 12.9 SFTP clients.
+ GH-407 (Regression in 2.10.0) SFTP performance fix: override
FilterOutputStream.write(byte[], int, int).
+ GH-410 Fix a race condition to ensure SSH_MSG_CHANNEL_EOF is
always sent before SSH_MSG_CHANNEL_CLOSE.
+ GH-414 Fix error handling while flushing queued packets at end
of KEX.
+ GH-420 Fix wrong log level on closing an Nio2Session.
+ SSHD-789 Fix detection of Android O/S from system properties.
+ SSHD-1259 Consider all applicable host keys from the
known_hosts files.
+ SSHD-1310 SftpFileSystem: do not close user session.
+ SSHD-1327 ChannelAsyncOutputStream: remove write future when
done.
+ SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile
file names in HostConfigEntry.
* New Features
+ SSHD-1330 Use KeepAliveHandler global request instance in
client as well
+ GH-356 Publish snapshot maven artifacts to the Apache
Snapshots maven repository.
+ Bundle sshd-contrib has support classes for the HAProxy
protocol V2.
- Changes in version 2.12.0
* Bug Fixes
+ GH-428/GH-392 SCP client fails silently when error signalled
due to missing file or lacking permissions
+ GH-434 Ignore unknown key types from agent or in OpenSSH host
keys extension
* New Features
+ GH-429 Support GIT protocol-v2
+ GH-445 OpenSSH "strict key exchange" protocol extension
(CVE-2023-48795, bsc#1218189 mitigation)
- Modified patch:
* apache-sshd-javadoc.patch
+ rediff to changed context and drop integrated hunks
-------------------------------------------------------------------
Wed Oct 11 09:03:24 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstrem version 2.10.0
* Bug
+ SSHD-1295: Connection attempt not canceled when a connection
timeout occurs
+ SSHD-1316: Possible OOM in ChannelPipedInputStream
+ SSHD-1319: SftpRemotePathChannel.transferFrom(...) ignores
position argument
+ SSHD-1324: Rooted file system can leak informations
+ SSHD-1326: Failed to establish an SSH connection because the
server identifier exceeds the int range
* Improvement
+ SSHD-1315: Password in clear in SSHD server's logs
- Modified patch:
* 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
+ rediff to changed context
-------------------------------------------------------------------
Fri Feb 10 07:26:34 UTC 2023 - Fridrich Strba <fstrba@suse.com>
- Clean-up the spec a bit
-------------------------------------------------------------------
Wed Nov 16 11:36:21 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 2.9.2 (bsc#1205463, CVE-2022-45047)
- Changes in version 2.8.0
* Bug
+ Wrong server key algorithm choose
+ Expiration of OpenSshCertificates needs to compare timestamps
as unsigned long
+ SFTP Get downloads empty file from servers which supports EOF
indication after data
+ skip() doesn't work properly in SftpInputStreamAsync
+ OpenMode and CopyMode is not honored as expected in
version > 4 of SFTP api
+ SftpTransferTest sometimes hangs (failure during rekeying)
+ Race condition in KEX
+ Fix the ciphers supported documentation
+ Update tarLongFileMode to use POSIX
+ WinsCP transfer failure to Apache SSHD Server
+ Pubkey auth: keys from ssh-agent are used even if
HostConfigEntry.isIdentitiesOnly() is true
+ Support RSA SHA2 signatures via SSH agent
+ NOTICE: wrong copyright year range
+ Wrong creationTime in writeAttrs for SFTP
+ sshd-netty logs all traffic on INFO level
* New Feature
+ Add support for chacha20-poly1305@openssh.com
+ Parsing of ~/.ssh/config Host patterns fails with extra
whitespace
+ Support generating OpenSSH client certificates
* Improvement
+ Add support for curve25519-sha256@libssh.org key exchange
+ OpenSSH certificates: check certificate type
+ OpenSSHCertificatesTest: certificates expire in 2030
+ Display IdleTimeOut in more user-friendly format
+ sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in
ChannelAsyncOutputStream constructor configurable from
outside using variable/config file
+ Intercepting the server exception message from server in SSHD
client
+ Implement RFC 8332 server-sig-algs on the server
+ Slow performance listing huge number of files on Apache SSHD
server
+ SFTP: too many LSTAT calls
+ Support key constraints when adding a key to an SSH agent
+ Add SFTP server side file custom attributes hook
* Task
+ Make sure the project is built using a <release>1.8</release>
* Question
+ UserInteraction Problem
- Changes of vesion 2.9.0
* Bug
+ Deadlock on disconnection at the end of key-exchange
+ Remote port forwarding mode does not handle EOF properly
+ Public key authentication: wrong signature algorithm used
(ed25519 key with ssh-rsa signature)
+ Client fails window adjust above Integer.MAX_VALUE
+ class loader fails to load
org.apache.sshd.common.cipher.BaseGCMCipher
+ Shell is not getting closed if the command has already closed
the OutputStream it is using.
+ Sometimes async write listener is not called
+ Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to
SocketTimeoutException
+ different host key algorithm used on rekey than used for the
initial connection
+ OpenSSH certificate is not properly encoded when critical
options are included
+ TCP/IP remote port forwarding with wildcard IP addresses
doesn't work with OpenSSH
+ UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from
an agent
* New Feature
+ Add support for Argon2 encrypted PUTTY key files
+ Add support for merged inverted output and error streams of
remote process
* Improvement
+ Add support for "limits@openssh.com" SFTP extension
+ Support host-based pubkey authentication in the client
+ Send environment variable and open subsystem at the same time
for SSH session
- Changes of version 2.9.1
* Bug
+ ClientSession.auth().verify() is terminated with timeout
+ 2.9.0 release broken on Java 8
+ Infinite loop in
org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
+ Deadlock during session exit
+ Race condition is logged in ChannelAsyncOutputStream
- Changes of version 2.9.2
* Bug
+ SFTP worker threads got stuck while processing PUT methods
against one specific SFTP server
+ Use the maximum packet size of the communication partner
+ ExplicitPortForwardingTracker does not unbind auto-allocated
one
+ Default SshClient FD leak because Selector not closed
+ Reading again from exhausted ChannelExec#getInvertedOut()
throws IOException instead of returning -1
+ Keeping error streams and input streams separate after
ChannelExec#setRedirectErrorStream(true) is called
+ Nio2Session.shutdownOutput() should wait for writes in
progress
* Test
+ Research intermittent failure in unit tests using various I/O
service factories
- Modified patch:
* 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
+ rediff to changed context
- Removed patches:
* 0002-Fix-manifest-generation.patch
+ not needed any more in this version
* apache-sshd-2.7.0-java8.patch
+ not needed since the Java 8 compatibility is handled by the
--release option
- Added patch:
* apache-sshd-javadoc.patch
+ Fix different warnings in javadoc generation
-------------------------------------------------------------------
Fri Jul 30 08:13:19 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to version 2.7.0
- Changes in version 2.5.0
* Major code re-factoring
+ Reception of an SSH_MSG_UNIMPLEMENTED response to a
SSH_MSG_GLOBAL_REQUEST is translated internally into same code
flow as if an SSH_MSH_REQUEST_FAILURE has been received - see
SSHD-968.
+ Server SFTP subsystem internal code dealing with the local
files has been delegated to the SftpFileSystemAccessor in
order to allow easier hooking into the SFTP subsystem.
- Resolving a local file path for an SFTP remote one
- Reading/Writing a file's attribute(s)
- Creating files links
- Copying / Renaming / Deleting files
+ SftpVersionSelector is now consulted when client sends initial
command (as well as when session is re-negotiated)
+ ScpCommandFactory is also a ShellFactory that can be used to
provide a minimalistic shell that is good enough for WinSCP.
+ Rework SFTP streams so that the client asks and receives as
much data as possible - see SSHD-979.
* Minor code helpers
+ Handling of debug/ignore/unimplemented messages has been split
into handleXXX and doInvokeXXXMsgHandler methods where the
former validate the messages and deal with the idle timeout,
and the latter execute the actual invcation.
+ Added overloaded methods that accept a java.time.Duration
specifier for timeout value.
+ The argument representing the SFTP subsystem in invocations to
SftpFileSystemAccessor has been enhanced to expose as much of
the available functionality as possible.
* Behavioral changes and enhancements
+ SSHD-964 - Send SSH_MSG_CHANNEL_EOF when tunnel channel being
closed.
+ SSHD-967 - Extra bytes written when
SftpRemotePathChannel#transferTo is used.
+ SSHD-968 - Interpret SSH_MSG_UNIMPLEMENTED response to a
heartbeat request as a liveness indicator
+ SSHD-970 - transferTo function of SftpRemotePathChannel will
loop if count parameter is greater than file size
+ SSHD-972 - Add support for peers using OpenSSH "security key"
key types
+ SSHD-977 - Apply consistent logging policy to caught
exceptions
+ SSHD-660 - Added support for server-side signed certificate
keys
+ SSHD-984 - Utility method to export KeyPair in OpenSSH format
+ SSHD-992 - Provide more hooks into the SFTP server subsystem
via SftpFileSystemAccessor
+ SSHD-997 - Fixed OpenSSH private key decoders for RSA and
Ed25519
+ SSHD-998 - Take into account SFTP version preference when
establishing initial channel
+ SSHD-989 - Read correctly ECDSA key pair from PKCS8 encoded
data
+ SSHD-1009 - Provide a minimalistic shell for supporting WinSCP
SCP mode.
- Changes in version 2.5.1
* Behavioral changes and enhancements
+ SSHD-1022 NPE in SftpOutputStreamAsync#flush() if no data
written in between.
- Changes in version 2.6.0
* Major code re-factoring
+ SshServerMain uses by default an ECDSA key instead of an RSA
one. This can be overridden either by -key-type / -key-size or
-key-file command line option.
+ SSHD-1034 Rename org.apache.sshd.common.ForwardingFilter to
Forwarder.
+ SSHD-1035 Move property definitions to common locations.
+ SSHD-1038 Refactor packages from a module into a cleaner
hierarchy.
+ SSHD-1080 Rework the PacketWriter to split according to the
various semantics
+ SSHD-1084 Revert the usage of asynchronous streams when
forwarding ports.
* Minor code helpers
+ SSHD-1004 Using a more constant time MAC validation to
minimize timing side channel information leak.
+ SSHD-1030 Added a NoneFileSystemFactory implementation
+ SSHD-1042 Added more callbacks to SftpEventListener
+ SSHD-1040 Make server key available after KEX completed.
+ SSHD-1060 Do not store logger level in fields.
+ SSHD-1064 Fixed ClientSession#executeRemoteCommand handling
of STDERR in case of exception to behave according to its
documentation
+ SSHD-1076 Break down ClientUserAuthService#auth method into
several to allow for flexible override
+ SSHD-1077 Added command line option to request specific SFTP
version in SftpCommandMain
+ SSHD-1079 Experimental async mode on the local port forwarder
+ SSHD-1086 Added SFTP aware directory scanning helper classes
+ SSHD-1089 Added wrappers for one-time single session usage of
SFTP/SCP clients
+ Propagate SCP file transfer ACK data to ScpTransferListener
before validating it.
* Behavioral changes and enhancements
+ SSHD-506 Added support for AES-GCM ciphers.
+ SSHD-954 Improve validation of DH public key values.
+ SSHD-1004 Deprecate DES, RC4 and Blowfish ciphers from default
setup.
+ SSHD-1004 Deprecate SHA-1 based key exchanges and signatures
from default setup.
+ SSHD-1004 Deprecate MD5-based and truncated HMAC algorithms
from default setup.
+ SSHD-1005 Added support for SCP remote-to-remote file transfer
+ SSHD-1020 SSH connections getting closed abruptly with timeout
exceptions.
+ SSHD-1026 Improve build reproductibility.
+ SSHD-1028 Fix SSH_MSG_DISCONNECT: Too many concurrent
connections.
+ SSHD-1032 Fix possible ArrayIndexOutOfBoundsException in
ChannelAsyncOutputStream.
+ SSHD-1033 Fix simultaneous usage of dynamic and local port
forwarding.
+ SSHD-1039 Fix support for some basic options in ssh/sshd cli.
+ SSHD-1047 Support for SSH jumps.
+ SSHD-1048 Wrap instead of rethrow IOException in Future.
+ SSHD-1050 Fixed race condition in AuthFuture if exception
caught before authentication started.
+ SSHD-1053 Fixed handling of certified keys authentication.
+ SSHD-1056 Added support for SCP remote-to-remote directory
transfer - including '-3' option of SCP command CLI.
+ SSHD-1057 Added capability to select a ShellFactory based on
the current session + use it for "WinSCP"
+ SSHD-1058 Improve exception logging strategy.
+ SSHD-1059 Do not send heartbeat if KEX state not DONE
+ SSHD-1063 Fixed known-hosts file server key verifier matching
of same host with different ports
+ SSHD-1066 Allow multiple binding to local port tunnel on
different addresses
+ SSHD-1070 OutOfMemoryError when use async port forwarding
+ SSHD-1100 Updated used moduli for DH group KEX
+ SSHD-1102 Provide filter support for SftpDirectoryStream
+ SSHD-1104 Take into account possible key type aliases when
using public key authentication
+ SSHD-1107 Allow configuration of minimum DH group exchange key
size via property or programmatically
+ SSHD-1108 Increased minimum default DH group exchange key size
to 2048 (but support 1024)
- Changes in version 2.7.0
* Major code re-factoring
+ SSHD-1133 Re-factored locations and names of ServerSession and
server-side ChannelSession related classes
+ Moved some helper methods and classes to more natural
locations
* Minor code helpers
+ SSHD-525 Added support for "posix-rename@openssh.com" SFTP
extension
+ SSHD-1083 Relaxed required Nio2Connector/Acceptor required
constructor arguments
+ SSHD-1085 Added CliLogger + more verbosity on SshClientMain
+ SSHD-1109 Route tests JUL logging via SLF4JBridgeHandler
+ SSHD-1109 Provide full slf4j logger capabilities to CliLogger
and use it in all CLI classes
+ SSHD-1110 Replace Class#newInstance() calls with
Class#getDefaultConstructor().newInstance()
+ SSHD-1111 Fixed SshClientCliSupport compression option
detection
+ SSHD-1116 Provide SessionContext argument to
HostKeyIdentityProvider#loadHostKeys
+ SSHD-1116 Provide SessionContext argument to
PasswordIdentityProvider#loadPasswords
+ SSHD-1116 Provide SessionContext argument to
AuthenticationIdentitiesProvider#loadIdentities
+ SSHD-1125 Added option to require immediate close of channel
in command ExitCallback invocation
+ SSHD-1127 Consolidated SftpSubsystem support implementations
into SftpSubsystemConfigurator
+ SSHD-1148 Generate a unique thread name for each SftpSubsystem
instance
* Behavioral changes and enhancements
+ SSHD-1085 Added more notifications related to channel state
change for detecting channel closing or closed earlier.
+ SSHD-1091 Renamed sshd-contrib top-level package in order to
align naming convention.
+ SSHD-1097 Added more SessionListener callbacks related to the
initial version and key exchange
+ SSHD-1097 Added more capability to send peer identification
via ReservedSessionMessagesHandler
+ SSHD-1097 Implemented endless tarpit example in sshd-contrib
+ SSHD-1109 Replace log4j with logback as the slf4j logger
implementation for tests
+ SSHD-1114 Added callbacks for client-side password
authentication progress
+ SSHD-1114 Added callbacks for client-side public key
authentication progress
+ SSHD-1114 Added callbacks for client-side host-based
authentication progress
+ SSHD-1114 Added capability for interactive password
authentication participation via UserInteraction
+ SSHD-1114 Added capability for interactive key based
authentication participation via UserInteraction
+ SSHD-1123 Add option to chunk data in ChannelAsyncOutputStream
if window size is smaller than packet size
+ SSHD-1125 Added mechanism to throttle pending write requests
in BufferedIoOutputStream
+ SSHD-1127 Added capability to register a custom receiver for
SFTP STDERR channel raw or stream data
+ SSHD-1132 Added SFTP client-side support for
'filename-charset' extension
+ SSHD-1132 Added SFTP client-side support for
'filename-translation-control' extension
+ SSHD-1132 Added SFTP servder-side support for non-UTF8
encoding of returned file names
+ SSHD-1133 Added capability to specify a custom charset for
parsing incoming commands to the ScpShell
+ SSHD-1133 Added capability to specify a custom charset for
returning environment variables related data from the ScpShell
+ SSHD-1133 Added capability to specify a custom charset for
handling the SCP protocol textual commands and responses
+ SSHD-1136 Use configuration property to decide whether to
allow fallback to DH group exchange using SHA-1 if no suitable
primes found for SHA-256
+ SSHD-1137 Added capability to override LinkOption(s) when
accessing a file/folder via SFTP
+ SSHD-1147 SftpInputStreamAsync: get file size before SSH_FXP_OPEN
- Modified patches:
* 0001-Avoid-optional-dependency-on-native-tomcat-APR-libra.patch
* apache-sshd-2.4.0-java8.patch -> apache-sshd-2.7.0-java8.patch
+ rediff to changed context
- Added patch:
* 0002-Fix-manifest-generation.patch
+ do not import self
-------------------------------------------------------------------
Thu Jul 16 21:58:44 UTC 2020 - Fridrich Strba <fstrba@suse.com>
- Added patch:
* apache-sshd-2.4.0-java8.patch
+ restore Java 8 compatibility of bytecode generated by Java 9+
-------------------------------------------------------------------
Mon Jun 29 11:32:37 UTC 2020 - Fridrich Strba <fstrba@suse.com>
- Initial packaging of apache-sshd 2.4.0
View Git Blame Copy Permalink