- [Bug] Servers offering certificate variants of hostkey algorithms
(eg ssh-rsa-cert-v01@openssh.com) could not have their host keys
verified by Paramiko clients, as it only ever considered non-cert key
types for that part of connection handshaking. This has been fixed.
- [Bug] PKey instances’ __eq__ did not have the usual safety guard in
place to ensure they were being compared to another PKey object,
causing occasional spurious BadHostKeyException (among other things).
This has been fixed. Thanks to Shengdun Hua for the original report
/patch and to Christopher Papke for the final version of the fix.
- [Support] Update camelCase method calls against the threading
module to be snake_case; this and related tweaks should fix some
deprecation warnings under Python 3.10. Thanks to Karthikeyan
Singaravelan for the report, @Narendra-Neerukonda for the patch, and
to Thomas Grainger and Jun Omae for patch workshopping.
Signed-off-by: Javier Marcet <javier@marcet.info>
2.10.2:
- [Bug] Fix Python 2 compatibility breakage introduced in 2.10.1.
Spotted by Christian Hammond.
2.10.3:
- [Bug] Switch from module-global to thread-local storage when
recording thread IDs for a logging helper; this should avoid one
flavor of memory leak for long-running processes. Catch & patch via
Richard Kojedzinszky.
- [Bug] Certificate-based pubkey auth was inadvertently broken when
adding SHA2 support; this has been fixed. Reported by Erik Forsberg
and fixed by Jun Omae.
Signed-off-by: Javier Marcet <javier@marcet.info>
2.10.1:
- [Bug]: (CVE-2022-24302) Creation of new private key files using
PKey subclasses was subject to a race condition between file creation
& mode modification, which could be exploited by an attacker with
knowledge of where the Paramiko-using code would write out such
files.
- This has been patched by using os.open and os.fdopen to ensure new
files are opened with the correct mode immediately. We’ve left the
subsequent explicit chmod in place to minimize any possible
disruption, though it may get removed in future backwards-
incompatible updates.
- Thanks to Jan Schejbal for the report & feedback on the solution,
and to Jeremy Katz at Tidelift for coordinating the disclosure.
2.10.0:
- [Feature] Add support for OpenSSH’s Windows agent as a fallback
when Putty/WinPageant isn’t available or functional. Reported by
@benj56 with patches/PRs from @lewgordon and Patrick Spendrin.
- [Feature] Add support for the %C token when parsing SSH config
files. Foundational PR submitted by @jbrand42.
- [Bug] Significantly speed up low-level read/write actions on
SFTPFile objects by using bytearray/memoryview. This is unlikely to
change anything for users of the higher level methods like
SFTPClient.get or SFTPClient.getfo, but users of SFTPClient.open will
likely see orders of magnitude improvements for files larger than a
few megabytes in size.
- Thanks to @jkji for the original report and to Sevastian Tchernov
for the patch.
- [Support] Add six explicitly to install-requires; it snuck into
active use at some point but has only been indicated by transitive
dependency on bcrypt until they somewhat-recently dropped it. This
will be short-lived until we drop Python 2 support. Thanks to
Sondre Lillebø Gundersen for catch & patch.
Signed-off-by: Javier Marcet <javier@marcet.info>
- [Bug]: Enhanced log output when connecting to servers that do not
support server-sig-algs extensions, making the new-as-of-2.9
defaulting to SHA2 pubkey algorithms more obvious when it kicks in.
- [Bug]: Connecting to servers which support server-sig-algs but
which have no overlap between that list and what a Paramiko client
supports, now raise an exception instead of defaulting to
rsa-sha2-512 (since the use of server-sig-algs allows us to know
what the server supports).
Signed-off-by: Javier Marcet <javier@marcet.info>
