- Changes in version 2.14.0
* Bug Fixes
+ GH-524 Performance improvements
+ GH-533 Fix multi-step authentication
+ GH-582 Fix filtering in NamedFactory
+ GH-587 Prevent NullPointerException on closed channel in
NettyIoSession
+ GH-590 Better support for FIPS
+ GH-597 Pass on Charset in
ClientSession.executeRemoteCommand()
* New Features
+ New utility methods SftpClient.put(Path localFile, String
remoteFileName) and SftpClient.put(InputStream in, String
remoteFileName) facilitate SFTP file uploading.
+ GH-590 Better support for FIPS
Besides fixing a bug with bc-fips (Apache MINA sshd referenced
the RandomGenerator class, which exists in normal Bouncy Castle
but not in the FIPS version, even when only bc-fips was
present), support was improved for running in an environment
restricted by FIPS.
There is a new system property
org.apache.sshd.security.fipsEnabled. If set to true, a number
of crypto-algorithms not approved by FIPS 140 are disabled:
~ key exchange methods sntrup761x25519-sha512,
sntrup761x25519-sha512@openssh.com, curve25519-sha256,
curve25519-sha256@libssh.org, curve448-sha512.
~ the chacha20-poly1305 cipher.
~ the bcrypt KDF used in encrypted private key files in
OpenSSH format.
~ all ed25519 keys and signatures.
Additionally, the new "SunJCEWrapper" SecurityProviderRegistrar
(see below) and the EdDSASecurityProviderRegistrar are
disabled, and the BouncyCastleSecurityProviderRegistrar looks
only for the "BCFIPS" security provider, not for the normal
"BC" provider.
If the system property is not set to true, FIPS mode can be
enabled programmatically by calling SecurityUtils.setFipsMode()
before any other call to Apache MINA sshd.
* Potential compatibility issues
+ New security provider registrar
There is a new SecurityProviderRegistrar that is registered
by default if a SunJCE security provider is present. It uses
the AES and HmacSHA* implementations from SunJCE even if
Bouncy Castle is also registered: the JDK's implementations
are backed by HotSpot intrinsics (for instance AES-NI) where
the CPU supports them, whereas Bouncy Castle's pure-Java
implementations may not be.
The new registrar has the name "SunJCEWrapper" and can be
configured like any other registrar. It can be disabled via
the system property
org.apache.sshd.security.provider.SunJCEWrapper.enabled=false.
It is also disabled in FIPS mode (see above).
+ GH-582 Fix filtering in NamedFactory
The methods NamedFactory.setupBuiltinFactories(boolean
ignoreUnsupported, ...) and
NamedFactory.setupTransformedFactories(boolean
ignoreUnsupported, ...) had a bug that inverted the meaning of
the "ignoreUnsupported" parameter: passing true effectively
meant "include unsupported".
This was fixed in this release, but existing code calling
these or one of the following methods:
~ BaseBuilder.setUpDefaultMacs(boolean ignoreUnsupported)
~ BaseBuilder.setUpDefaultCiphers(boolean ignoreUnsupported)
~ ClientBuilder.setUpDefaultCompressionFactories(boolean
ignoreUnsupported)
~ ClientBuilder.setUpDefaultKeyExchanges(boolean
ignoreUnsupported)
~ ClientBuilder.setUpDefaultSignatureFactories(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultCompressionFactories(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultKeyExchanges(boolean
ignoreUnsupported)
~ ServerBuilder.setUpDefaultSignatureFactories(boolean
ignoreUnsupported)
~ any of the methods starting with
SshConfigFileReader.configure
~ SshClientConfigFileReader.configure(...)
~ SshServerConfigFileReader.configure(...)
should be reviewed:
~ if the method is called with parameter value true, the
result will no longer include unsupported algorithms.
Formerly it wrongly did.
~ if the method is called with parameter value false, the
result may include unsupported algorithms. Formerly it
did not.
So if existing code used parameter value false to ensure it
never got unsupported algorithms, change it to true.
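The following is an added illustration, not code from Apache MINA sshd or from these release notes. It puts the GH-590 and GH-582 notes together: it enables FIPS mode in code (the equivalent of setting the system property) and then checks, using ignoreUnsupported=true with its corrected 2.14.0 meaning, that the client's default key exchange, cipher and signature lists are free of the algorithms listed under GH-590. Assumed and not stated on this page: the package paths in the imports, NamedResource.getNameList(...) as the way to collect algorithm names, and that the disabled chacha20 cipher is registered under a name starting with chacha20-poly1305.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.apache.sshd.client.ClientBuilder;
import org.apache.sshd.common.BaseBuilder;
import org.apache.sshd.common.NamedResource;
import org.apache.sshd.common.util.security.SecurityUtils;

/**
 * Added example (not part of Apache MINA sshd): switch on FIPS mode
 * programmatically and verify that the default algorithm lists really
 * leave out the algorithms the 2.14.0 notes say are disabled.
 * Written against JDK 8 APIs, since that is still the runtime target.
 */
public final class FipsModeCheck {

    // Names taken from the release notes. Assumption: the builtin cipher
    // name starts with "chacha20-poly1305" (OpenSSH's "@openssh.com" variant).
    private static final List<String> FORBIDDEN = Arrays.asList(
            "sntrup761x25519-sha512", "sntrup761x25519-sha512@openssh.com",
            "curve25519-sha256", "curve25519-sha256@libssh.org",
            "curve448-sha512", "chacha20-poly1305", "ssh-ed25519");

    /**
     * Returns the names among the current client defaults that should not
     * be there in FIPS mode; empty means the filtering worked.
     */
    public static List<String> nonFipsDefaults() {
        List<String> names = new ArrayList<>();
        // After GH-582, "true" means what the parameter says: algorithms that
        // are unsupported (here: disabled by FIPS mode) are left out.
        names.addAll(NamedResource.getNameList(ClientBuilder.setUpDefaultKeyExchanges(true)));
        names.addAll(NamedResource.getNameList(BaseBuilder.setUpDefaultCiphers(true)));
        names.addAll(NamedResource.getNameList(ClientBuilder.setUpDefaultSignatureFactories(true)));
        return names.stream()
                .filter(n -> FORBIDDEN.stream().anyMatch(n::startsWith))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Same effect as -Dorg.apache.sshd.security.fipsEnabled=true. It must
        // precede every other Apache MINA sshd call, so it is the first thing
        // in main; nothing above touches sshd classes apart from loading them.
        if (!Boolean.getBoolean("org.apache.sshd.security.fipsEnabled")) {
            SecurityUtils.setFipsMode();
        }
        List<String> bad = nonFipsDefaults();
        if (!bad.isEmpty()) {
            System.err.println("FIPS mode requested, but defaults still offer: " + bad);
            System.exit(1);
        }
        System.out.println("FIPS filtering OK; KEX defaults: "
                + NamedResource.getNameList(ClientBuilder.setUpDefaultKeyExchanges(true)));
    }
}
```

Run this once at startup in a FIPS-restricted deployment: a non-zero exit means either FIPS mode was enabled too late (after some sshd class had already initialised its factory lists) or a caller still passes false where, since GH-582, true is needed to exclude unsupported algorithms.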
* Major Code Re-factoring
+ JDK requirements
~ GH-536 The project now requires JDK 17 at build time, while
the target runtime still remains unchanged to support JDK
8.
- Changes in version 2.13.2
* What's Changed
+ GH-525: Fix sntrup761x25519-sha512 by @tomaswolf in #528
- Changes in version 2.13.1
* What's changed
+ This release does not contain any code changes. It is solely
to rectify the issue that the 2.13.0 release encountered
during the release process, where the source jars were not
created.
- Changes in version 2.13.0
* What's changed
+ GH-318: Handle cascaded proxy jumps by @tomaswolf in #512
+ GH-427: Read initial ACK on channel open prior to direct
stream upload & close streams prior to exit code handling by
@TerraNibble in #464
+ GH-455: ensure BaseCipher.update() fulfills the contract by
@tomaswolf in #463
+ GH-470: Synchronize not thread safe
java.security.KeyPairGenerator.generateKe… by
@zakharovsergey1000 in #467
+ GH-476: Fix Android detection false negative by @wh0
+ GH-475: Switch uses of JSch library to the
com.github.mwiede:jsch fork by @Alex-Vol-Amz
+ GH-472: change client start condition in sshd-spring-sftp by
@alwaystom
+ GH-489: sftp readdir: determine file type from longname by
@tomaswolf in #491
+ GH-486: Add missing U2F {ed25519,ecdsa}-sk public key
equality methods by @lf-
+ SSHD-1237 Handle keep-alive channel requests by @tomaswolf in
#492
+ GH-494: Nio2Session improvements by @evgeny-pasynkov
+ GH-468: Handle excess data in SFTP read requests by
@tomaswolf in #495
+ GH-498: Implement the "sntrup761x25519-sha512@openssh.com"
KEX method by @tomaswolf
+ GH-500: SftpFileSystemProvider: close SftpClient on exception
by @tomaswolf in #501
+ GH-504: Pass reason to sessionNegotiationEnd by @duco-lw in
#505
+ GH-461: Fix heartbeats with wantReply=true by @tomaswolf in
#507
+ GH-493: Fix arcfour128 and arcfour256 ciphers (regression in
2.2.0)
+ GH-509: SFTP v[456] client: validate attribute flags
+ GH-510: Fix class name in BuiltinIoServiceFactoryFactories
(regression in 2.6.0)
* New Features
+ sntrup761x25519-sha512@openssh.com Key Exchange
The key exchange method sntrup761x25519-sha512@openssh.com is
now available if the Bouncy Castle library is available.
It combines the post-quantum key encapsulation method (KEM)
sntrup761 with a classic X25519 exchange; the shared secret
stays secure as long as either component holds, which protects
recorded sessions against a future quantum adversary.
More information can be found in the IETF memo Secure Shell (SSH)
Key Exchange Method Using Hybrid Streamlined NTRU Prime
sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512.
+ Behavioral changes and enhancements
~ GH-318 Handle cascaded proxy jumps
Proxy jumps can be configured via host configuration
entries in two ways. First, proxies can be chained directly
by specifying several proxies in one ProxyJump directive,
listed in the order in which they are visited (as in OpenSSH):
  Host target
    Hostname somewhere.example.org
    User some_user
    IdentityFile ~/.ssh/some_id
    ProxyJump jumphost1, jumphost2
  Host jumphost1
    Hostname jumphost1@example.org
    User jumphost1_user
    IdentityFile ~/.ssh/id_jumphost1
  Host jumphost2
    Hostname jumphost2@example.org
    User jumphost2_user
    IdentityFile ~/.ssh/id_jumphost2
Connecting to server target will first connect to
jumphost1, then tunnel through to jumphost2, and finally
tunnel to target. So the full connection will be
client→jumphost1→jumphost2→target.
Such proxy jump chains were already supported in Apache
MINA SSHD.
Newly, Apache MINA SSHD also supports cascading proxy
jumps, so a configuration like
  Host target
    Hostname somewhere.example.org
    User some_user
    IdentityFile ~/.ssh/some_id
    ProxyJump jumphost2
  Host jumphost1
    Hostname jumphost1@example.org
    User jumphost1_user
    IdentityFile ~/.ssh/id_jumphost1
  Host jumphost2
    Hostname jumphost2@example.org
    ProxyJump jumphost1
    User jumphost2_user
    IdentityFile ~/.ssh/id_jumphost2
also works now, and produces the same connection
client→jumphost1→jumphost2→target.
It is possible to mis-configure such proxy jump cascades to
have loops. (For instance, if host jumphost1 in the above
example had a ProxyJump jumphost2 directive.) To catch such
misconfigurations, Apache MINA SSHD imposes an upper limit
on the total number of proxy jumps in a connection. An
exception is thrown if there are more than
CoreModuleProperties.MAX_PROXY_JUMPS proxy jumps in a
connection. The default value of this property is 10. Most
real uses of proxy jumps will have one or maybe two proxy
jumps only.
~ GH-461 Fix heartbeats with wantReply=true
The client-side heartbeat mechanism has been updated. Such
heartbeats are configured via the
CoreModuleProperties.HEARTBEAT_INTERVAL property. If this
interval is > 0, heartbeats are sent to the server.
Previously these heartbeats could also be configured with a
CoreModuleProperties.HEARTBEAT_REPLY_WAIT timeout. If the
timeout was <= 0, the client would just send heartbeat
requests without expecting any answers. If the timeout was
> 0, the client would send requests with a flag indicating
that the server should reply. The client would then wait
for the specified duration for the reply and would
terminate the connection if none was received.
This mechanism could cause trouble if the timeout was
fairly long and the server was slow to respond. A timeout
longer than the interval could also delay subsequent
heartbeats.
The CoreModuleProperties.HEARTBEAT_REPLY_WAIT property is
now deprecated.
There is a new configuration property
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX instead. It
defines a limit for the number of heartbeats sent without
receiving a reply before a session is terminated. If the
value is <= 0, the client still sends heartbeats without
expecting any reply. If the value is > 0, the client will
request a reply from the server for each heartbeat message,
and it will terminate the connection if the number of
unanswered heartbeats reaches
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.
This new way to configure heartbeats aligns with the
OpenSSH configuration options ServerAliveInterval and
ServerAliveCountMax.
For compatibility with older configurations that explicitly
define CoreModuleProperties.HEARTBEAT_REPLY_WAIT, the new
code maps this to the new configuration (but only if
CoreModuleProperties.HEARTBEAT_INTERVAL > 0 and the new
property CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX has
not been set) by setting
CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX as follows:
= if CoreModuleProperties.HEARTBEAT_REPLY_WAIT <= 0:
  CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX = 0
= otherwise:
  CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX =
  (CoreModuleProperties.HEARTBEAT_REPLY_WAIT /
  CoreModuleProperties.HEARTBEAT_INTERVAL) + 1.
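As an added example (not part of the release notes or of the project), here is the heartbeat configuration described above expressed in code, alongside the compatibility mapping written out as a function so that its effect on an existing HEARTBEAT_REPLY_WAIT setting can be reviewed. It assumes that CoreModuleProperties lives in org.apache.sshd.core, that HEARTBEAT_INTERVAL is a Duration-valued property and HEARTBEAT_NO_REPLY_MAX an Integer-valued one, and that the division in the mapping is integer division on milliseconds; none of that is spelled out on this page.

```java
import java.time.Duration;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.core.CoreModuleProperties;

/**
 * Added example (not project code): OpenSSH-style keep-alive settings with
 * the properties introduced in 2.13.0.
 */
public final class ClientHeartbeats {

    /** Equivalent of "ServerAliveInterval 15" plus "ServerAliveCountMax 3" in ssh_config. */
    public static void configure(SshClient client, Duration interval, int maxUnanswered) {
        // > 0: heartbeats are sent at this interval on every session of this client.
        CoreModuleProperties.HEARTBEAT_INTERVAL.set(client, interval);
        // > 0: each heartbeat requests a reply and the session is closed once
        // maxUnanswered heartbeats in a row got none; <= 0: fire-and-forget.
        CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.set(client, maxUnanswered);
    }

    /**
     * The mapping the library applies to a legacy HEARTBEAT_REPLY_WAIT, as given
     * in the release notes. Assumption: integer division on milliseconds.
     */
    public static int legacyNoReplyMax(Duration replyWait, Duration interval) {
        if (replyWait == null || replyWait.isZero() || replyWait.isNegative()) {
            return 0; // "no reply expected" stays "no reply expected"
        }
        return (int) (replyWait.toMillis() / interval.toMillis()) + 1;
    }

    public static void main(String[] args) throws Exception {
        SshClient client = SshClient.setUpDefaultClient();
        configure(client, Duration.ofSeconds(15), 3);

        // A legacy REPLY_WAIT of 60 s with a 15 s interval becomes a budget of
        // 60/15 + 1 = 5 unanswered heartbeats, instead of a single reply that
        // arrives later than 60 s tearing the session down.
        System.out.println("legacy 60s/15s -> " + legacyNoReplyMax(Duration.ofSeconds(60), Duration.ofSeconds(15)));

        client.start();
        try {
            // client.connect(user, host, port) ... as usual; the heartbeat settings
            // apply to every session this client creates.
        } finally {
            client.stop();
        }
    }
}
```

When migrating, compare legacyNoReplyMax(...) for your old values against what you actually want: the old timeout expressed how long one reply could be late, the new count expresses how many consecutive heartbeats may go unanswered, and the two are not the same policy.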
~ GH-468 SFTP: validate length of data received: must not be
more than requested
SFTP read operations now check the amount of data they get
back. If it is more than requested, an exception is thrown.
SFTP servers must never return more data than the client
requested, but it appears that some do.
If the property SftpModuleProperties.TOLERATE_EXCESS_DATA is
set to true, a warning is logged and the excess data is
discarded instead of failing the read.
* Potential compatibility issues
+ AES-CBC ciphers removed from server's defaults
The AES-CBC ciphers aes128-cbc, aes192-cbc, and aes256-cbc
have been removed from the default list of cipher algorithms
that a server proposes in the key exchange. OpenSSH removed
these ciphers from its server proposal in 2014 and from its
client proposal in 2017.
The cipher implementations still exist but they are not
enabled by default. Existing code that explicitly sets the
cipher factories is unaffected. Code that relies on the
default settings will newly create a server that does not
support the CBC-mode ciphers. To enable the CBC-mode ciphers,
one can use for instance
  SshServer server = ServerBuilder.builder()
      ...
      .cipherFactories(BuiltinFactory.setUpFactories(false,
          BaseBuilder.DEFAULT_CIPHERS_PREFERENCES))
      ...
      .build();
For the SSH client, the CBC ciphers are still enabled by
default to facilitate connecting to legacy servers. We plan
to remove the CBC ciphers from the client's defaults in the
next release.
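Since the client still proposes aes*-cbc by default and the project intends to drop them, a client can opt out already. The following added example (not project code and not from these notes) builds such a client from BaseBuilder.DEFAULT_CIPHERS_PREFERENCES minus every cipher whose name ends in -cbc. It assumes the package paths shown in the imports and that BuiltinCiphers.getName() returns the SSH algorithm name (for instance aes128-cbc); it passes ignoreUnsupported=true with the corrected meaning that 2.14.0 (GH-582) gives that parameter.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.sshd.client.ClientBuilder;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.BaseBuilder;
import org.apache.sshd.common.BuiltinFactory;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.NamedResource;
import org.apache.sshd.common.cipher.BuiltinCiphers;
import org.apache.sshd.common.cipher.Cipher;

/**
 * Added example (not project code): a client whose cipher proposal mirrors
 * the 2.13.0 server defaults, i.e. without the CBC-mode ciphers.
 */
public final class NoCbcClient {

    /** Drops every cipher whose SSH algorithm name ends in "-cbc" from a preference list. */
    public static List<BuiltinCiphers> withoutCbc(List<BuiltinCiphers> preferred) {
        return preferred.stream()
                .filter(c -> !c.getName().endsWith("-cbc"))
                .collect(Collectors.toList());
    }

    public static SshClient build() {
        // true = leave out ciphers this JVM cannot provide. That is the corrected
        // 2.14.0 (GH-582) meaning; on 2.13.x the parameter was inverted.
        List<NamedFactory<Cipher>> ciphers = BuiltinFactory.setUpFactories(
                true, withoutCbc(BaseBuilder.DEFAULT_CIPHERS_PREFERENCES));
        return ClientBuilder.builder()
                .cipherFactories(ciphers)
                .build();
    }

    public static void main(String[] args) throws Exception {
        SshClient client = build();
        System.out.println("client cipher proposal: "
                + NamedResource.getNameList(client.getCipherFactories()));
        client.start();
        try {
            // client.connect(...) as usual. A legacy CBC-only server now fails the
            // key exchange instead of being silently negotiated down to aes*-cbc.
        } finally {
            client.stop();
        }
    }
}
```

Log the negotiated cipher when rolling this out: the failure mode is a KEX error against servers that only speak CBC, which is the behaviour the next release's defaults will produce anyway.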
- Changes in version 2.12.1
* Bug Fixes
+ GH-458 Singleton thread pool for kex message handler flushing
+ SSHD-1338 Restore binary compatibility with 2.9.2
* What's Changed
+ Fix link by @swiedenfeld in #454
+ SSHD-1338 Restore binary compatibility with 2.9.2 by @gnodet
in #456
+ Use a singleton threadpool for kex message handler flushing
by @FliegenKLATSCH in #459
- Enable module: sshd-openpgp
OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-sshd?expand=0&rev=37