- reenable python 313 build
- Update to 3.5.0:
* [Feature] #982: (via #2444, which was a rebase of #2157)
Add support for AES-GCM encryption ciphers (128 and 256 bit variants).
Thanks to Alex Gaynor for the report (& for cryptography review),
Shen Cheng for the original PR, and Chris Mason for the updated PR;
plus as usual to everyone who tested the patches and reported their results!
This functionality has been tested in client mode against OpenSSH 9.0, 9.2,
and 9.6, as well as against a number of proprietary appliance SSH servers.
OBS-URL: https://build.opensuse.org/request/show/1225317
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-paramiko?expand=0&rev=64
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=126
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=125
* Fix a 64-bit-ism in the test suite so the tests don't
encounter a false negative on 32-bit systems.
* Modify a test-harness skiptest check to work with newer
versions of Cryptography.
* Massage our import of the TripleDES cipher to support
Cryptography >=43; this should prevent
CryptographyDeprecationWarning from appearing upon import.
- Remove patches that are not needed anymore since they've
been fixed upstream:
* support-pytest-8.patch
* use-64-bit-maxsize-everywhere.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=123
- Update to 3.4.0: (CVE-2023-48795, bsc#1218168)
* Transport grew a new packetizer_class kwarg for overriding the
packet-handler class used internally.
* Address CVE-2023-48795 (aka the "Terrapin Attack", a vulnerability found
in the SSH protocol re: treatment of packet sequence numbers) as follows:
+ The vulnerability only impacts encrypt-then-MAC digest algorithms in
tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
currently only implements hmac-sha2-(256|512)-etm in tandem with
AES-CBC.
+ As the fix for the vulnerability requires both ends of the connection
to cooperate, the below changes will only take effect when the remote
end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode,
as of this patch version) and configured to use the new
"strict kex" mode.
+ Paramiko will now raise an SSHException subclass (MessageOrderError)
when protocol messages are received in unexpected order. This includes
situations like receiving MSG_DEBUG or MSG_IGNORE during initial key
exchange, which are no longer allowed during strict mode.
+ Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered --
now resets packet sequence numbers. (This should be invisible to users
during normal operation, only causing exceptions if the exploit is
encountered, which will usually result in, again, MessageOrderError.)
+ Sequence number rollover will now raise SSHException if it occurs
during initial key exchange (regardless of strict mode status).
* Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the
original implementation made assumptions based on an OpenSSH
implementation detail.
- Add patch use-64-bit-maxsize-everywhere.patch:
* Use the 64-bit value of sys.maxsize.
OBS-URL: https://build.opensuse.org/request/show/1134140
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-paramiko?expand=0&rev=61
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=118
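The receive-side rules listed in the 3.4.0 entry above (no MSG_IGNORE or MSG_DEBUG during initial key exchange in strict mode, sequence number reset on MSG_NEWKEYS, no rollover during initial key exchange), as an added toy model that is not Paramiko's own code. The class InboundState, the function first_secured_seqno and the message streams are hypothetical and constructed for illustration; the model covers only the cases the entry names.

```python
"""Toy model of inbound packet sequencing under "strict kex" (added example)."""

# SSH message numbers from RFC 4253.
MSG_IGNORE, MSG_DEBUG, MSG_SERVICE_ACCEPT = 2, 4, 6
MSG_KEXINIT, MSG_NEWKEYS, MSG_KEXDH_REPLY = 20, 21, 31


class SSHException(Exception):
    """Stand-in for paramiko.SSHException."""


class MessageOrderError(SSHException):
    """Stand-in for the subclass the changelog names."""


class InboundState:
    """Hypothetical receive-side state; only the rules in the changelog."""

    def __init__(self, strict_kex, seqno=0):
        self.strict_kex = strict_kex
        self.seqno = seqno
        self.initial_kex_done = False

    def receive(self, msg_type):
        """Account for one packet; return the sequence number it used."""
        in_initial_kex = not self.initial_kex_done
        if self.strict_kex and in_initial_kex and msg_type in (MSG_IGNORE, MSG_DEBUG):
            raise MessageOrderError(f"message {msg_type} during initial kex")
        used = self.seqno
        self.seqno = (self.seqno + 1) & 0xFFFFFFFF
        if self.seqno == 0 and in_initial_kex:
            # Applies regardless of strict mode status.
            raise SSHException("sequence number rolled over during initial kex")
        if msg_type == MSG_NEWKEYS:
            self.initial_kex_done = True
            if self.strict_kex:
                self.seqno = 0  # every (re)key restarts the counter
        return used


def first_secured_seqno(stream, strict_kex):
    """Sequence number given to the first packet after MSG_NEWKEYS."""
    state = InboundState(strict_kex)
    after_newkeys = False
    for msg_type in stream:
        used = state.receive(msg_type)
        if after_newkeys:
            return used
        after_newkeys = msg_type == MSG_NEWKEYS
    return None


# Constructed message-type sequences as a client would receive them.
CLEAN = [MSG_KEXINIT, MSG_KEXDH_REPLY, MSG_NEWKEYS, MSG_SERVICE_ACCEPT]
WITH_IGNORE = [MSG_KEXINIT, MSG_IGNORE, MSG_KEXDH_REPLY, MSG_NEWKEYS, MSG_SERVICE_ACCEPT]

if __name__ == "__main__":
    print("legacy, clean:      ", first_secured_seqno(CLEAN, False))
    print("legacy, with IGNORE:", first_secured_seqno(WITH_IGNORE, False))
    print("strict, clean:      ", first_secured_seqno(CLEAN, True))
    try:
        first_secured_seqno(WITH_IGNORE, True)
    except MessageOrderError as exc:
        print("strict, with IGNORE: MessageOrderError:", exc)
```

Without strict mode the first protected packet's counter depends on how many unauthenticated packets preceded it; with strict mode it is always 0, and the extra packet ends the connection instead.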
* [Feature] #1951: Add SSH config token expansion (eg %h, %p) when
* [Support] #2004: (via #2011) Apply unittest skipIf to tests currently
using SHA1 in their critical path, to avoid failures on systems starting
* [Support] #1838: (via #1870/#2028) Update camelCase method calls
against the threading module to be snake_case; this and related tweaks
* [Support] #2038: (via #2039) Recent versions of Cryptography have
deprecated Blowfish algorithm support; in lieu of an easy method for
users to remove it from the list of algorithms Paramiko tries to import
and use, we’ve decided to remove it from our “preferred algorithms” list.
This will both discourage use of a weak algorithm, and avoid warnings.
* [Bug] #2017: OpenSSH 7.7 and older has a bug preventing it from
understanding how to perform SHA2 signature verification for RSA
certificates (specifically certs - not keys), so when we added SHA2
support it broke all clients using RSA certificates with these servers.
This has been fixed in a manner similar to what OpenSSH’s own client
does: a version check is performed and the algorithm used is downgraded
* [Bug] #1933: Align signature verification algorithm with OpenSSH re:
zero-padding signatures which don’t match their nominal size/length. This
shouldn’t affect most users, but will help Paramiko-implemented SSH
- Update to 2.10.3 (bsc#1197279, CVE-2022-24302)
- [Feature] #1846: Add a prefetch keyword argument to
- [Support] #1727: Add missing test suite fixtures directory to
- Set environment to utf-8 to allow tests to pass on Python 2. (bsc#1178341)
* gh#paramiko/paramiko#1655
- update to 2.7.2 (bsc#1166758, bsc#1166758, bsc#1205132)
- update to 2.6.0 (bsc#1200603)
- update to 2.5.0
extend timeout in testsuite to pass on ppc64le
key-decryption passphrases from password-auth passwords.
* Certificate support broke the no-certificate case for Ed25519 keys
OBS-URL: https://build.opensuse.org/request/show/1116019
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-paramiko?expand=0&rev=60
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=116
- Delete paramiko-pr1665-remove-pytest-relaxed.patch
- Add remove-icecream-dep.patch
- Update to 3.1.0:
* [Feature] #2173: Accept single tabs as field separators (in
addition to single spaces) in
<paramiko.hostkeys.HostKeyEntry.from_line> for parity with
OpenSSH’s KnownHosts parser. Patched by Alex Chavkin.
* [Feature] #2013: (solving #2009, plus others) Add an explicit
channel_timeout keyword argument to
paramiko.client.SSHClient.connect, allowing users to configure the
previously-hardcoded default value of 3600 seconds. Thanks to
@VakarisZ and @ilija-lazoroski for the report and patch, with
credit to Mike Salvatore for patch review.
* [Support] #2178: Apply codespell to the codebase, which found a
lot of very old minor spelling mistakes in docstrings. Also
modernize many instances of *largs vs *args and **kwarg vs
**kwargs. Patch courtesy of Yaroslav Halchenko, with review from
Brian Skinn.
- 3.0.0:
* [Bug]: A handful of lower-level classes (notably
paramiko.message.Message and paramiko.pkey.PKey) previously
returned bytes objects from their implementation of __str__, even
under Python 3; and there was never any __bytes__ method.
* These issues have been fixed by renaming __str__ to __bytes__ and
relying on Python’s default “stringification returns the output of
__repr__” behavior re: any real attempts to str() such objects.
* [Bug] #2165: Streamline some redundant (and costly) byte
conversion calls in the packetizer and the core SFTP module. This
should lead to some SFTP speedups at the very least. Thanks to
Alex Gaynor for the patch.
* [Bug] #2110: Remove some unnecessary __repr__ calls when handling
bytes-vs-str conversions. This was apparently doing a lot of
unintentional data processing, which adds up in some use cases –
such as SFTP transfers, which may now be significantly faster.
Kudos to Shuhua Zhong for catch & patch.
* [Support]: Drop support for Python versions less than 3.6,
including Python 2. So long and thanks for all the fish!
* [Support]: Remove the now irrelevant paramiko.py3compat module.
* [Support]: paramiko.common.asbytes has been moved to
paramiko.util.asbytes.
* [Support]: PKey.__cmp__ has been removed. Ordering-oriented
comparison of key files is unlikely to have ever made sense (the
old implementation attempted to order by the hashes of the key
material) and so we have not bothered setting up __lt__ and
friends at this time. The class continues to have its original
__eq__ untouched.
* [Support]: The behavior of private key classes’ (ie anything
inheriting from PKey) private key writing methods used to perform
a manual, extra chmod call after writing. This hasn’t been
strictly necessary since the mid 2.x release line (when key
writing started giving the mode argument to os.open), and has now
been removed entirely.
* This should only be observable if you were mocking Paramiko’s
system calls during your own testing, or similar.
* [Support] #732: (also re: #630) SSHConfig used to straight-up
delete the proxycommand key from config lookup results when the
source config said ProxyCommand none. This has been altered to
preserve the key and give it the Python value None, thus making
the Python representation more in line with the source config
file.
* [Support]: paramiko.util.retry_on_signal (and any internal uses of
same, and also any internal retries of EINTR on eg socket
operations) has been removed. As of Python 3.5, per PEP 475, this
functionality (and retrying EINTR generally) is now part of the
standard library.
OBS-URL: https://build.opensuse.org/request/show/1086711
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-paramiko?expand=0&rev=58
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=112
- Update to 2.12.0
* [Feature] #2125: (also re: #2054) Add a transport_factory kwarg
to SSHClient.connect for advanced users to gain more control
over early Transport setup and manipulation. Thanks to Noah
Pederson for the patch.
- Release 2.11.1
* [Bug]: bug:1637 (via #1599) Raise SSHException explicitly when
blank private key data is loaded, instead of the natural result
of IndexError. This should help more bits of Paramiko or
Paramiko-adjacent codebases to correctly handle this class of
error. Credit: Nicholas Dietz.
* [Bug] #1822: (via, and relating to, far too many other issues
to mention here) Update SSHClient so it explicitly closes its
wrapped socket object upon encountering socket errors at
connection time. This should help somewhat with certain classes
of memory leaks, resource warnings, and/or errors (though we
hasten to remind everyone that Client and Transport have their
own .close() methods for use in non-error situations!). Patch
courtesy of @YoavCohen.
- Rename and refresh:
- paramiko-pr1655-remove-pytest-relaxed.patch
+ paramiko-pr1665-remove-pytest-relaxed.patch
* gh#paramiko/paramiko#1665
OBS-URL: https://build.opensuse.org/request/show/1036973
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=107
- update to 2.10.4:
* Servers offering certificate variants of hostkey algorithms (eg
ssh-rsa-cert-v01@openssh.com) could not have their host keys verified by
Paramiko clients, as it only ever considered non-cert key types for that
part of connection handshaking. This has been fixed.
* PKey instances’ __eq__ did not have the usual safety guard in place to
ensure they were being compared to another PKey object, causing occasional
spurious BadHostKeyException (among other things). This has been fixed.
* Update camelCase method calls against the threading module to be snake_case;
this and related tweaks should fix some deprecation warnings under Python 3.10.
OBS-URL: https://build.opensuse.org/request/show/973836
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-paramiko?expand=0&rev=54
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=103
- Update to 2.8.0
- [Feature] #1846: Add a prefetch keyword argument to
SFTPClient.get/SFTPClient.getfo so users who need to skip SFTP
prefetching are able to conditionally turn it off.
- [Bug] #1462: (via #1882) Newer server-side key exchange
algorithms not intended to use SHA1 (diffie-hellman-group14-sha256,
diffie-hellman-group16-sha512) were incorrectly using SHA1 after all,
due to a bug causing them to ignore the hash_algo class attribute.
This has been corrected.
- [Support] #1722: Remove leading whitespace from OpenSSH RSA test
suite static key fixture, to conform better to spec.
- [Support] #1727: Add missing test suite fixtures directory to
MANIFEST.in, reinstating the ability to run Paramiko’s tests from
an sdist tarball.
- [Support]: Update our CI to catch issues with sdist generation,
installation and testing.
- [Support]: Administrivia overhaul, including but not limited to:
- Migrate CI to CircleCI
- Primary dev branch is now main (renamed)
- Many README edits for clarity, modernization etc; including
a bunch more (and consistent) status badges & unification with
main project site index
- PyPI page much more fleshed out (long_description is now filled
in with the README; sidebar links expanded; etc)
- flake8, pytest configs split out of setup.cfg into their own files
- Invoke/invocations (used by maintainers/contributors) upgraded
to modern versions
- Skip python2 to fix build errors for Leap.
- Rebase paramiko-pr1655-remove-pytest-relaxed.patch.
OBS-URL: https://build.opensuse.org/request/show/924852
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=98
- drop configs.tar.gz
* Add missing test suite fixtures directory to MANIFEST.in
* Remove leading whitespace from OpenSSH RSA test suite static key fixture,
* Fix incorrect string formatting causing unhelpful error message annotation
when using Kerberos/GSSAPI.
* Fix incorrectly swapped order of p and q numbers when loading
OpenSSH-format RSA private keys.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=92
- drop relaxed.patch and 1311.patch
* add a new keyword argument to SSHClient.connect <paramiko.client.SSHClient.connect>
and paramiko.transport.Transport -> disabled_algorithms
* Fix Ed25519 key handling so certain key comment lengths don't cause
SSHException("Invalid key")
* Add backwards-compatible support for the gssapi
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=88
- dropped 1379.patch
- refreshed patches:
paramiko-test_extend_timeout.patch
relaxed.patch
1311.patch
* Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com,
hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange
algorithms (group14, using SHA256; and group16, using SHA512).
* Add support for Curve25519 key exchange.
* Raise Cryptography dependency requirement to version 2.5
* Add support for the modern (as of Python 3.3) import location of MutableMapping
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=86