* Transport grew a new packetizer_class kwarg for overriding the
packet-handler class used internally.
* Address CVE-2023-48795 (aka the "Terrapin Attack", a vulnerability found
in the SSH protocol re: treatment of packet sequence numbers) as follows:
+ The vulnerability only impacts encrypt-then-MAC digest algorithms in
tandem with CBC ciphers, and ChaCha20-poly1305; of these, Paramiko
currently only implements hmac-sha2-(256|512)-etm in tandem with
AES-CBC.
+ As the fix for the vulnerability requires both ends of the connection
to cooperate, the below changes will only take effect when the remote
end is OpenSSH >= 9.6 (or equivalent, such as Paramiko in server mode,
as of this patch version) and configured to use the new
"strict kex" mode.
+ Paramiko will now raise an SSHException subclass (MessageOrderError)
when protocol messages are received in unexpected order. This includes
situations like receiving MSG_DEBUG or MSG_IGNORE during initial key
exchange, which are no longer allowed during strict mode.
+ Key (re)negotiation -- i.e. MSG_NEWKEYS, whenever it is encountered --
now resets packet sequence numbers. (This should be invisible to users
during normal operation, only causing exceptions if the exploit is
encountered, which will usually result in, again, MessageOrderError.)
+ Sequence number rollover will now raise SSHException if it occurs
during initial key exchange (regardless of strict mode status).
* Tweak ext-info-(c|s) detection during KEXINIT protocol phase; the
original implementation made assumptions based on an OpenSSH
implementation detail.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=118
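The Terrapin conditions described in the entry above can be checked from the algorithm name-lists each side offers. This is an added example, not Paramiko's or the package's own code. It assumes OpenSSH's strict-kex marker names, constructed sample offers, and a single cipher/MAC list per side instead of one per direction.

```python
# Added example: Terrapin (CVE-2023-48795) exposure from offered SSH algorithms.
STRICT_C = "kex-strict-c-v00@openssh.com"  # client marker in its kex list
STRICT_S = "kex-strict-s-v00@openssh.com"  # server marker in its kex list
CHACHA = "chacha20-poly1305@openssh.com"
ETM_SUFFIX = "-etm@openssh.com"


def negotiate(client_names, server_names):
    """SSH rule: first name in the client's list that the server also offers."""
    return next((n for n in client_names if n in server_names), None)


def affected(cipher, mac):
    """Affected modes: ChaCha20-Poly1305, or a CBC cipher with an ETM MAC."""
    if cipher == CHACHA:
        return True  # AEAD cipher: the negotiated MAC is irrelevant
    return bool(cipher and mac) and cipher.endswith("-cbc") and mac.endswith(ETM_SUFFIX)


def assess(client, server):
    """Report what would be negotiated and whether strict kex protects it."""
    cipher = negotiate(client["ciphers"], server["ciphers"])
    mac = negotiate(client["macs"], server["macs"])
    strict = STRICT_C in client["kex"] and STRICT_S in server["kex"]
    return {"cipher": cipher, "mac": mac, "strict_kex": strict,
            "exposed": affected(cipher, mac) and not strict}


def without_affected(client):
    """Return (disabled_algorithms dict, filtered offer) for peers lacking strict kex.

    The dict uses the "ciphers"/"macs" keys accepted by the disabled_algorithms
    kwarg of SSHClient.connect and Transport.
    """
    drop = {
        "macs": [m for m in client["macs"] if m.endswith(ETM_SUFFIX)],
        "ciphers": [c for c in client["ciphers"] if c == CHACHA],
    }
    offer = dict(client,
                 macs=[m for m in client["macs"] if m not in drop["macs"]],
                 ciphers=[c for c in client["ciphers"] if c not in drop["ciphers"]])
    return {k: v for k, v in drop.items() if v}, offer


# Constructed sample offers (not captured from real hosts).
CLIENT = {"kex": ["curve25519-sha256@libssh.org", STRICT_C],
          "ciphers": ["aes128-ctr", "aes256-cbc"],
          "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]}
LEGACY_SERVER = {"kex": ["curve25519-sha256@libssh.org"],
                 "ciphers": ["aes256-cbc"],
                 "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]}
PATCHED_SERVER = dict(LEGACY_SERVER, kex=LEGACY_SERVER["kex"] + [STRICT_S])

if __name__ == "__main__":
    print("legacy :", assess(CLIENT, LEGACY_SERVER))
    print("patched:", assess(CLIENT, PATCHED_SERVER))
    disabled, offer = without_affected(CLIENT)
    print("disabled_algorithms =", disabled)
    print("legacy, filtered:", assess(offer, LEGACY_SERVER))
```
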
* [Support] #2004: (via #2011) Apply unittest skipIf to tests currently
using SHA1 in their critical path, to avoid failures on systems starting
* [Support] #1838: (via #1870/#2028) Update camelCase method calls
against the threading module to be snake_case; this and related tweaks
* [Support] #2038: (via #2039) Recent versions of Cryptography have
deprecated Blowfish algorithm support; in lieu of an easy method for
users to remove it from the list of algorithms Paramiko tries to import
and use, we’ve decided to remove it from our “preferred algorithms” list.
This will both discourage use of a weak algorithm, and avoid warnings.
* [Bug] #2017: OpenSSH 7.7 and older has a bug preventing it from
understanding how to perform SHA2 signature verification for RSA
certificates (specifically certs - not keys), so when we added SHA2
support it broke all clients using RSA certificates with these servers.
This has been fixed in a manner similar to what OpenSSH’s own client
does: a version check is performed and the algorithm used is downgraded
* [Bug] #1933: Align signature verification algorithm with OpenSSH re:
zero-padding signatures which don’t match their nominal size/length. This
shouldn’t affect most users, but will help Paramiko-implemented SSH
- Update to 2.10.3 (bsc#1197279, CVE-2022-24302)
- [Feature] #1846: Add a prefetch keyword argument to
- [Support] #1727: Add missing test suite fixtures directory to
- Set environment to utf-8 to allow tests to pass on Python 2. (bsc#1178341)
* gh#paramiko/paramiko#1655
- update to 2.7.2 (bsc#1166758, bsc#1166758, bsc#1205132)
- update to 2.6.0 (bsc#1200603)
- update to 2.5.0
extend timeout in testsuite to pass on ppc64le
key-decryption passphrases from password-auth passwords.
* Certificate support broke the no-certificate case for Ed25519 keys
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=116
- Add remove-icecream-dep.patch
- Update to 3.1.0:
* [Feature] #2173: Accept single tabs as field separators (in
addition to single spaces) in
<paramiko.hostkeys.HostKeyEntry.from_line> for parity with
OpenSSH’s KnownHosts parser. Patched by Alex Chavkin.
* [Feature] #2013: (solving #2009, plus others) Add an explicit
channel_timeout keyword argument to
paramiko.client.SSHClient.connect, allowing users to configure the
previously-hardcoded default value of 3600 seconds. Thanks to
@VakarisZ and @ilija-lazoroski for the report and patch, with
credit to Mike Salvatore for patch review.
* [Support] #2178: Apply codespell to the codebase, which found a
lot of very old minor spelling mistakes in docstrings. Also
modernize many instances of *largs vs *args and **kwarg vs
**kwargs. Patch courtesy of Yaroslav Halchenko, with review from
Brian Skinn.
- 3.0.0:
* [Bug]: A handful of lower-level classes (notably
paramiko.message.Message and paramiko.pkey.PKey) previously
returned bytes objects from their implementation of __str__, even
under Python 3; and there was never any __bytes__ method.
* These issues have been fixed by renaming __str__ to __bytes__ and
relying on Python’s default “stringification returns the output of
__repr__” behavior re: any real attempts to str() such objects.
* [Bug] #2165: Streamline some redundant (and costly) byte
conversion calls in the packetizer and the core SFTP module. This
should lead to some SFTP speedups at the very least. Thanks to
Alex Gaynor for the patch.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=112
- Update to 2.12.0
* [Feature] #2125: (also re: #2054) Add a transport_factory kwarg
to SSHClient.connect for advanced users to gain more control
over early Transport setup and manipulation. Thanks to Noah
Pederson for the patch.
- Release 2.11.1
* [Bug]: bug:1637 (via #1599) Raise SSHException explicitly when
blank private key data is loaded, instead of the natural result
of IndexError. This should help more bits of Paramiko or
Paramiko-adjacent codebases to correctly handle this class of
error. Credit: Nicholas Dietz.
* [Bug] #1822: (via, and relating to, far too many other issues
to mention here) Update SSHClient so it explicitly closes its
wrapped socket object upon encountering socket errors at
connection time. This should help somewhat with certain classes
of memory leaks, resource warnings, and/or errors (though we
hasten to remind everyone that Client and Transport have their
own .close() methods for use in non-error situations!). Patch
courtesy of @YoavCohen.
- Rename and refresh:
- paramiko-pr1655-remove-pytest-relaxed.patch
+ paramiko-pr1665-remove-pytest-relaxed.patch
* gh#paramiko/paramiko#1665
OBS-URL: https://build.opensuse.org/request/show/1036973
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=107
* Servers offering certificate variants of hostkey algorithms (eg
ssh-rsa-cert-v01@openssh.com) could not have their host keys verified by
Paramiko clients, as it only ever considered non-cert key types for that
part of connection handshaking. This has been fixed.
* PKey instances’ __eq__ did not have the usual safety guard in place to
ensure they were being compared to another PKey object, causing occasional
spurious BadHostKeyException (among other things). This has been fixed.
* Update camelCase method calls against the threading module to be snake_case;
this and related tweaks should fix some deprecation warnings under Python 3.10.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=103
- Update to 2.8.0
- [Feature] #1846: Add a prefetch keyword argument to
SFTPClient.get/SFTPClient.getfo so users who need to skip SFTP
prefetching are able to conditionally turn it off.
- [Bug] #1462: (via #1882) Newer server-side key exchange
algorithms not intended to use SHA1 (diffie-hellman-group14-sha256,
diffie-hellman-group16-sha512) were incorrectly using SHA1 after all,
due to a bug causing them to ignore the hash_algo class attribute.
This has been corrected.
- [Support] #1722: Remove leading whitespace from OpenSSH RSA test
suite static key fixture, to conform better to spec.
- [Support] #1727: Add missing test suite fixtures directory to
MANIFEST.in, reinstating the ability to run Paramiko’s tests from
an sdist tarball.
- [Support]: Update our CI to catch issues with sdist generation,
installation and testing.
- [Support]: Administrivia overhaul, including but not limited to:
- Migrate CI to CircleCI
- Primary dev branch is now main (renamed)
- Many README edits for clarity, modernization etc; including
a bunch more (and consistent) status badges & unification with
main project site index
- PyPI page much more fleshed out (long_description is now filled
in with the README; sidebar links expanded; etc)
- flake8, pytest configs split out of setup.cfg into their own files
- Invoke/invocations (used by maintainers/contributors) upgraded
to modern versions
- Skip python2 to fix build errors for Leap.
- Rebase paramiko-pr1655-remove-pytest-relaxed.patch.
OBS-URL: https://build.opensuse.org/request/show/924852
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=98
- drop configs.tar.gz
* Add missing test suite fixtures directory to MANIFEST.in
* Remove leading whitespace from OpenSSH RSA test suite static key fixture,
* Fix incorrect string formatting causing unhelpful error message annotation
when using Kerberos/GSSAPI.
* Fix incorrectly swapped order of p and q numbers when loading
OpenSSH-format RSA private keys.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=92
- drop relaxed.patch and 1311.patch
* add a new keyword argument to SSHClient.connect <paramiko.client.SSHClient.connect>
and paramiko.transport.Transport -> disabled_algorithms
* Fix Ed25519 key handling so certain key comment lengths don't cause
SSHException("Invalid key")
* Add backwards-compatible support for the gssapi
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=88
- dropped 1379.patch
- refreshed patches:
paramiko-test_extend_timeout.patch
relaxed.patch
1311.patch
* Add support for encrypt-then-MAC (ETM) schemes (hmac-sha2-256-etm@openssh.com,
hmac-sha2-512-etm@openssh.com) and two newer Diffie-Hellman group key exchange
algorithms (group14, using SHA256; and group16, using SHA512).
* Add support for Curve25519 key exchange.
* Raise Cryptography dependency requirement to version 2.5
* Add support for the modern (as of Python 3.3) import location of MutableMapping
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=86
- update to 2.4.2
- refresh paramiko-test_extend_timeout.patch
* Fix exploit (CVE pending) in Paramiko's server mode (not client mode)
where hostile clients could trick the server into thinking they were
authenticated without actually submitting valid authentication.
* Modify protocol message handling such that Transport does not respond
to MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED
* Updated SSHConfig.lookup <paramiko.config.SSHConfig.lookup> so it returns
a new, type-casting-friendly dict subclass (~paramiko.config.SSHConfigDict)
in lieu of dict literals.
OBS-URL: https://build.opensuse.org/request/show/640130
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=73
* changelog: update for #1039 / #1051
* Screen off dev version of Python from test matrix
* ensure ed25519 password is bytes
* Cut 2.0.8
* Cut 2.3.2
* Initial tests proving CVE-2018-7750 / #1175
* Guess something else added this prior to the merge
* Fixes CVE-2018-7750 / #1175
* Uncaught typo in test suite
* Initial tests proving CVE-2018-7750 / #XXX
* Test proving #1039 / efficacy of #1051
* Changelog closes #1175
* Cut 2.1.5
* Allow overriding test client connect kwargs in Transport test suite
* Cut 2.4.1
* Fixes CVE-2018-7750 / #XXX
* Cut 2.2.3
* flake8
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=70
- update to 2.3.1
+ cert_support.tar.gz - missing test certificates for testsuite
* Certificate support broke the no-certificate case for Ed25519 keys
(symptom is an AttributeError about public_blob.) This went uncaught
due to cert autoload behavior (i.e. our test suite never actually ran
the no-cert case, because the cert existed!) Both issues have been fixed.
* Implement basic client-side certificate authentication
(as per the OpenSSH vendor extension.)
* Added pre-authentication banner support for the server interface
(ServerInterface.get_banner plus related support in Transport/AuthHandler.)
* Update Ed25519Key so its constructor offers the same file_obj parameter
as its sibling key classes.
* Add a gss_trust_dns option to Client and Transport to allow explicitly
setting whether or not DNS canonicalization should occur when using GSSAPI.
* Paramiko originally defaulted to zlib compression level 9
(when one connects with compression=True; it defaults to off.) This has been
found to be quite wasteful and tends to cause much longer transfers in most
cases, than is necessar
* Enhance documentation around the new SFTP.posix_rename method
so it’s referenced in the ‘standard’ rename method for increased visibility.
* Modify logic around explicit disconnect messages, and unknown-channel situations,
so that they rely on centralized shutdown code instead of running their own.
This is at worst removing some unnecessary code, and may help with some
situations where Paramiko hangs at the end of a session.
* Display exception type and message when logging auth-rejection messages
(ones reading Auth rejected: unsupported or mangled public key); previously
this error case had a bare except and did not display exactly why the key
failed.
* Ed25519 keys never got proper API documentation support; this has been fixed.
* Update how we use Cryptography’s signature/verification methods
OBS-URL: https://build.opensuse.org/request/show/531621
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=66
- update to 2.2.1:
* Missed a spot
* Update .travis.yml
* Whitespace
* Having this in a mini-toctree made the nav look funny and is also just unintuitive
* Changelog re #471, re #65
* these are bytes
* changelog: update for #990 and #993
* ecdh kex support
* flake8/whitespace
* Trailing comma
* Add test for posix-rename@openssh.com extension for SFTP client
* Changelog re #921
* Add a note about new Python-level deps to changelog re: Ed25519 support
* Add method for "posix-rename@openssh.com" extension for SFTP client.
* Add IOError in posix-rename@openssh.com test for python 2 support.
* this isn't bytes
* Added an auth_timeout to handle situations where SSH server stops responding during auth.
* small cleanups
* More changelog flimflammery
* Added changelog entry
* python 3 compatibility
* Incorrect comparison, should be <=
* DDD re #857
* Improve __hash__ functions
* Hrm that should always have been an h1
* No idea how this got past all the earlier flake8 work...
* comments
* Fixed test to support python 2.6
* Note ecdh-sha2 preferred-kex placement in changelog entry for #951, re #983
OBS-URL: https://build.opensuse.org/request/show/515893
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=64
- update to 2.1.3
* Make util.log_to_file append instead of replace.
* SSHClient and Transport could cause a memory leak if there’s a connection
problem or protocol error, even if Transport.close() is called.
* Prior support for ecdsa-sha2-nistp(384|521) algorithms didn’t fully extend
to covering host keys, preventing connection to hosts which only offer
these key types and no others. This is now fixed.
* Prefer newer ecdsa-sha2-nistp keys over RSA and DSA keys during host key
selection. This improves compatibility with OpenSSH, both in terms of general
behavior, and also re: ability to properly leverage OpenSSH-modified
known_hosts files.
* The RC4/arcfour family of ciphers has been broken since version 2.0; but since
the algorithm is now known to be completely insecure, we are opting
to remove support outright instead of fixing it.
* Move sha1 above the now-arguably-broken md5 in the list of preferred MAC
algorithms, as an incremental security improvement for users whose target
systems offer both.
* Writing encrypted/password-protected private key files was silently broken
since 2.0 due to an incorrect API call
Includes a directly related fix, namely adding the ability to read AES-256-CBC
ciphered private keys (which is now what we tend to write out as it is
Cryptography’s default private key cipher.)
* Allow any type implementing the buffer API to be used with BufferedFile,
Channel, and SFTPFile. This resolves a regression introduced in 1.13
with the Python 3 porting changes, when using types such as memoryview.
* Enhance default cipher preference order such that aes(192|256)-cbc are preferred
over blowfish-cbc.
* SSHClient now requests the type of host key it has (e.g. from known_hosts)
and does not consider a different type to be a “Missing” host key. This fixes
a common case where an ECDSA key is in known_hosts and the server also has
OBS-URL: https://build.opensuse.org/request/show/502890
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=62
- update to 2.1.2
* Fix a bug in server-mode concerning multiple interactive auth steps
* SSHClient now gives its internal Transport a handle on itself, preventing
garbage collection of the client until the session is closed. Without this,
some code which returns stream or transport objects without the client that
generated them, would result in premature session closure
when the client was GCd
* Avoid test suite exceptions on platforms lacking errno.ETIME
* Tweak how RSAKey.__str__ behaves so it doesn’t cause TypeError under Python 3.
OBS-URL: https://build.opensuse.org/request/show/460370
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=56
- update to 2.1.1
* A tweak to the original patch implementing gh#398 was not fully applied,
causing calls to ~paramiko.client.SSHClient.invoke_shell to fail with
AttributeError. This has been fixed.
* Fix the implementation of PKey.write_private_key_file (this method is only
publicly defined on subclasses; the fix was in the private real
implementation) so it passes the correct params to open()
* Add an optional timeout parameter to Transport.start_client
<paramiko.transport.Transport.start_client> (and feed it the value of the
configured connection timeout when used within SSHClient
<paramiko.client.SSHClient>.)
* Catch AssertionError thrown by Cryptography when attempting to load bad
ECDSA keys, turning it into an SSHException.
* Add a missing .closed attribute (plus ._closed because reasons) to
ProxyCommand <paramiko.proxy.ProxyCommand>
* Make the subprocess import in proxy.py lazy so users on platforms without
it (such as Google App Engine) can import Paramiko successfully
* Fix incorrect docstring/param-list for Transport.auth_gssapi_keyex
<paramiko.transport.Transport.auth_gssapi_keyex> so it matches
the real signature.
* Add an environment dict argument to Client.exec_command
OBS-URL: https://build.opensuse.org/request/show/445578
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=54
- update to 2.0.0:
* Add support for 384- and 512-bit elliptic curve groups in ECDSA
key types (aka ecdsa-sha2-nistp384 / ecdsa-sha2-nistp521).
* Due to an earlier bugfix, less-specific Host blocks' ProxyCommand
values were overriding ProxyCommand none in more-specific Host
blocks. This has been fixed in a backwards compatible manner (i.e.
ProxyCommand none continues to appear as a total lack of any
proxycommand key in parsed config structures).
* Fix a backwards incompatibility issue that cropped up in
SFTPFile.prefetch <~paramiko.sftp_file.prefetch> re: the
erroneously non-optional file_size parameter. Should only affect
users who manually call prefetch.
* Replace PyCrypto with the Python Cryptographic Authority (PyCA)
'Cryptography' library suite. This improves security,
installability, and performance; adds PyPy support; and much more.
* Fix stalled/hung SFTP downloads by cleaning up some threading lock
issues.
* Fix a Python 3 compatibility issue when handling two-factor
authentication.
* Clean up setup.py to always use setuptools, not doing so was a
historical artifact from bygone days.
* Update the module in charge of handling SSH moduli so it's
consistent with OpenSSH behavior re: prime number selection.
* Fix up ~paramiko.ssh_exception.NoValidConnectionsError so it
pickles correctly, and fix a related Python 3 compatibility issue.
* Update to jaraco.windows 3.4.1 to fix some errors related to
ctypes on Windows platforms.
* Annotate some public attributes on ~paramiko.channel.Channel such
as .closed.
* Fix logic bug in the SFTP client's callback-calling functionality;
OBS-URL: https://build.opensuse.org/request/show/394312
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=43
- update to 1.13.1:
* :support:`256 backported` Convert API documentation to Sphinx, yielding a new
API docs website to replace the old Epydoc one.
* :bug:`-` Use constant-time hash comparison operations where possible, to
protect against `timing-based attacks
<http://codahale.com/a-lesson-in-timing-attacks/>`_. Thanks to Alex Gaynor
for the patch.
* :feature:`58` Allow client code to access the stored SSH server banner via
`Transport.get_banner <paramiko.transport.Transport.get_banner>`. Thanks to
``@Jhoanor`` for the patch.
* :bug:`252` (`Fabric #1020 <https://github.com/fabric/fabric/issues/1020>`_)
Enhanced the implementation of ``ProxyCommand`` to avoid a deadlock/hang
condition that frequently occurs at ``Transport`` shutdown time. Thanks to
Mateusz Kobos, Matthijs van der Vleuten and Guillaume Zitta for the original
reports and to Marius Gedminas for helping test nontrivial use cases.
* :bug:`268` Fix some missed renames of ``ProxyCommand`` related error classes.
Thanks to Marius Gedminas for catch & patch.
* :bug:`34` (PR :issue:`35`) Fix SFTP prefetching incompatibility with some
SFTP servers regarding request/response ordering. Thanks to Richard
Kettlewell.
* :bug:`193` (and its attendant PRs :issue:`230` & :issue:`253`) Fix SSH agent
problems present on Windows. Thanks to David Hobbs for initial report and to
Aarni Koskela & Olle Lundberg for the patches.
* :bug:`225 (1.12+)` Note ecdsa requirement in README. Thanks to Amaury
Rodriguez for the catch.
* :bug:`176` Fix AttributeError bugs in known_hosts file (re)loading. Thanks
to Nathan Scowcroft for the patch & Martin Blumenstingl for the initial test
case.
OBS-URL: https://build.opensuse.org/request/show/235923
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-paramiko?expand=0&rev=35