2.4.1:
[Bug] Ed25519 auth key decryption raised an unexpected exception when given a unicode password string (typical in python 3). Report by Theodor van Nahl and fix by Pierce Lopez.
[Bug] Add newer key classes for Ed25519 and ECDSA to paramiko.__all__ so that code introspecting that attribute, or using from paramiko import * (such as some IDEs) sees them. Thanks to @patriksevallius for the patch.
[Bug] Fix a security flaw (CVE-2018-7750) in Paramiko’s server mode (emphasis on server mode; this does not impact client use!) where authentication status was not checked before processing channel-open and other requests typically only sent after authenticating. Big thanks to Matthijs Kooijman for the report.
2.4.0:
[Feature]: Add a new passphrase kwarg to SSHClient.connect so users may disambiguate key-decryption passphrases from password-auth passwords. (This is a backwards compatible change; password will still pull double duty as a passphrase when passphrase is not given.)
[Support]: Drop Python 2.6 and Python 3.3 support; now only 2.7 and 3.4+ are supported. If you’re unable to upgrade from 2.6 or 3.3, please stick to the Paramiko 2.3.x (or below) release lines.
[Support]: Include LICENSE file in wheel archives.
[Support]: Updated the test suite & related docs/metadata/config to be compatible with pytest instead of using the old, custom, crufty unittest-based test.py.
This includes marking known-slow tests (mostly the SFTP ones) so they can be filtered out by inv test’s default behavior; as well as other minor tweaks to test collection and/or display (for example, GSSAPI tests are collected, but skipped, instead of not even being collected by default as in test.py.)
[Support]: Update tearDown of client test suite to avoid hangs due to eternally blocking accept() calls on the internal server thread (which can occur when test code raises an exception before actually connecting to the server.)
2.3.1:
[Bug] 1071: Certificate support broke the no-certificate case for Ed25519 keys (symptom is an AttributeError about public_blob.) This went uncaught due to cert autoload behavior (i.e. our test suite never actually ran the no-cert case, because the cert existed!) Both issues have been fixed. Thanks to John Hu for the report.
Pkgsrc changes:
Adapt PLIST.
Upstream changes:
1.18.2 2017-02-20
[Bug] #895: Fix a bug in server-mode concerning multiple interactive
auth steps (which were incorrectly responded to). Thanks to Dennis
Kaarsemaker for catch & patch.
[Bug] #713: (via #714 and #889) Don't pass initialization vectors
to PyCrypto when dealing with counter-mode ciphers; newer PyCrypto
versions throw an exception otherwise (older ones simply ignored
this parameter altogether). Thanks to @jmh045000 for report &
patches.
[Bug] #44: (via #891) SSHClient now gives its internal Transport
a handle on itself, preventing garbage collection of the client
until the session is closed. Without this, some code which returns
stream or transport objects without the client that generated
them, would result in premature session closure when the client
was GCd. Credit: @w31rd0 for original report, Omer Anson for the
patch.
[Bug] #862: (via #863) Avoid test suite exceptions on platforms
lacking errno.ETIME (which seems to be some FreeBSD and some
Windows environments.) Thanks to Sofian Brabez.
[Bug] #853: Tweak how RSAKey.__str__ behaves so it doesn't
cause TypeError under Python 3. Thanks to Francisco Couzo for
the report.
[Support] #866: (also #838) Remove an old test-related file we
don't support, and add PyPy to Travis-CI config. Thanks to
Pierce Lopez for the final patch and Pedro Rodrigues for an
earlier edition.
1.18.1 2016-12-12
[Bug] #859: (via #860) A tweak to the original patch implementing
#398 was not fully applied, causing calls to invoke_shell to
fail with AttributeError. This has been fixed. Patch credit:
Kirk Byers.
1.18.0 2016-12-09
[Feature] #398: Add an environment dict argument to
Client.exec_command (plus the lower level Channel.update_environment
and Channel.set_environment_variable methods) which implements
the env SSH message type. This means the remote shell environment
can be set without the use of VARNAME=value shell tricks,
provided the server's AcceptEnv lists the variables you need
to set. Thanks to Philip Lorenz for the pull request.
[Feature] #780: (also #779, and may help users affected by
#520) Add an optional timeout parameter to Transport.start_client
(and feed it the value of the configured connection timeout
when used within SSHClient.) This helps prevent situations
where network connectivity isn't timing out, but the remote
server is otherwise unable to service the connection in a timely
manner. Credit to @sanseihappa.
[Support] #819: Document how lacking gmp headers at install
time can cause a significant performance hit if you build
PyCrypto from source. (Most system-distributed packages already
have this enabled.)
[Support] #854: Fix incorrect docstring/param-list for
Transport.auth_gssapi_keyex so it matches the real signature.
Caught by @Score_Under.
[Support] #792: Minor updates to the README and demos; thanks to Alan Yee.
[Support] #801: Skip a Unix-only test when on Windows; thanks to Gabi Davar.
For pre-1.18.0 changes, see
http://www.paramiko.org/changelog.html
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
is not, from what I can tell by building and using (also from the repo),
broken under py3x. Therefore, dependencies marked as broken under py3x due to
paramiko will be unmarked (unless they are broken for lack of py3x support).
From sites/www/changelog.rst:
:support:`554 backported` Fix inaccuracies in the docstring for the ECDSA key class. Thanks to Jared Hance for the patch.
:support:`516 backported` Document ~paramiko.agent.AgentRequestHandler. Thanks to @toejough for report & suggestions.
:bug:`496` Fix a handful of small but critical bugs in Paramiko's GSSAPI support (note: this includes switching from PyCrypto's Random to os.urandom). Thanks to Anselm Kruis for catch & patch.
:bug:`491` (combines :issue:`62` and :issue:`439`) Implement timeout functionality to address hangs from dropped network connections and/or failed handshakes. Credit to @vazir and @dacut for the original patches and to Olle Lundberg for reimplementation.
:bug:`490` Skip invalid/unparseable lines in known_hosts files, instead of raising ~paramiko.ssh_exception.SSHException. This brings Paramiko's behavior more in line with OpenSSH, which silently ignores such input. Catch & patch courtesy of Martin Topholm.
:bug:`404` Print details when displaying ~paramiko.ssh_exception.BadHostKeyException objects (expected vs received data) instead of just "hey shit broke". Patch credit: Loic Dachary.
:bug:`469` (also :issue:`488`, :issue:`461` and like a dozen others) Fix a typo introduced in the 1.15 release which broke WinPageant support. Thanks to everyone who submitted patches, and to Steve Cohen who was the lucky winner of the cherry-pick lottery.
:bug:`353` (via :issue:`482`) Fix a bug introduced in the Python 3 port which caused OverflowError (and other symptoms) in SFTP functionality. Thanks to @dboreham for leading the troubleshooting charge, and to Scott Maxwell for the final patch.
:support:`582` Fix some old setup.py related helper code which was breaking bdist_dumb on Mac OS X. Thanks to Peter Odding for the patch.
:bug:`22 major` Try harder to connect to multiple network families (e.g. IPv4 vs IPv6) in case of connection issues; this helps with problems such as hosts which resolve both IPv4 and IPv6 addresses but are only listening on IPv4. Thanks to Dries Desmet for original report and Torsten Landschoff for the foundational patchset.
:bug:`402` Check to see if an SSH agent is actually present before trying to forward it to the remote end. This replaces what was usually a useless TypeError with a human-readable ~paramiko.ssh_exception.AuthenticationException. Credit to Ken Jordan for the fix and Yvan Marques for original report.
Upstream changes:
-----------------
:release:`1.14.0 <2014-05-07>`
------------------------------
:bug:`-` paramiko.file.BufferedFile.read incorrectly returned text
strings after the Python 3 migration, despite bytes being more
appropriate for file contents
(which may be binary or of an unknown encoding.) This has been addressed.
Note
paramiko.file.BufferedFile.readline continues to return strings,
not bytes, as "lines" only make sense for textual data.
It assumes UTF-8 by default.
This should fix this issue raised on the Obnam mailing list.
Thanks to Antoine Brenner for the patch.
:bug:`-` Added self.args for exception classes. Used for unpickling.
Related to (Fabric #986, Fabric #714). Thanks to Alex Plugaru.
:bug:`-` Fix logging error in sftp_client for filenames containing
the '%' character. Thanks to Antoine Brenner.
:bug:`308` Fix regression in dsskey.py that caused sporadic
signature verification failures. Thanks to Chris Rose.
:support:`299` Use deterministic signatures for ECDSA keys for
improved security. Thanks to Alex Gaynor.
:support:`297` Replace PyCrypto's Random with os.urandom for
improved speed and security. Thanks again to Alex.
:support:`295` Swap out a bunch of PyCrypto hash functions with use of
hashlib. Thanks to Alex Gaynor.
:support:`290` (also :issue:`292`) Add support for building universal
(Python 2+3 compatible) wheel files during the release process.
Courtesy of Alex Gaynor.
:support:`284` Add Python language trove identifiers to setup.py.
Thanks to Alex Gaynor for catch & patch.
:bug:`235` Improve string type testing in a handful of spots
(e.g. s/if type(x) is str/if isinstance(x, basestring)/g.)
Thanks to @ksamuel for the report.
:release:`1.13.0 <2014-03-13>`
------------------------------
:feature:`16` Python 3 support! Our test suite passes under Python 3,
and it (& Fabric's test suite) continues to pass under Python 2.
Python 2.5 is no longer supported with this change!
The merged code was built on many contributors' efforts, both code &
feedback. In no particular order, we thank Daniel Goertzen, Ivan
Kolodyazhny, Tomi Pieviläinen, Jason R. Coombs, Jan N. Schulze,
@Lazik, Dorian Pula, Scott Maxwell, Tshepang Lekhonkhobe, Aaron Meurer,
and Dave Halter.
:support:`256 backported` Convert API documentation to Sphinx, yielding
a new API docs website to replace the old Epydoc one.
Thanks to Olle Lundberg for the initial conversion work.
:bug:`-` Use constant-time hash comparison operations where possible,
to protect against timing-based attacks. Thanks to Alex Gaynor for the patch.
:release:`1.12.2 <2014-02-14>`
------------------------------
:feature:`58` Allow client code to access the stored SSH server banner via
Transport.get_banner <paramiko.transport.Transport.get_banner>.
Thanks to @Jhoanor for the patch.
:bug:`252` (Fabric #1020) Enhanced the implementation of ProxyCommand to
avoid a deadlock/hang condition that frequently occurs at Transport
shutdown time. Thanks to Mateusz Kobos, Matthijs van der Vleuten and
Guillaume Zitta for the original reports and to Marius Gedminas for
helping test nontrivial use cases.
:bug:`268` Fix some missed renames of ProxyCommand related error classes.
Thanks to Marius Gedminas for catch & patch.
:bug:`34` (PR :issue:`35`) Fix SFTP prefetching incompatibility with some
SFTP servers regarding request/response ordering.
Thanks to Richard Kettlewell.
:bug:`193` (and its attendant PRs :issue:`230` & :issue:`253`) Fix SSH
agent problems present on Windows. Thanks to David Hobbs for initial
report and to Aarni Koskela & Olle Lundberg for the patches.
:release:`1.12.1 <2014-01-08>`
------------------------------
:bug:`225 (1.12+)` Note ecdsa requirement in README. Thanks to Amaury
Rodriguez for the catch.
:bug:`176` Fix AttributeError bugs in known_hosts file (re)loading.
Thanks to Nathan Scowcroft for the patch & Martin Blumenstingl for the
initial test case.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
pkgsrc changes:
---------------
- Depends on security/py-ecdsa
- FETCH_USING=curl to deal with PyPI's https only website.
upstream changes:
-----------------
v1.12.0 (27th Sep 2013)
-----------------------
* #152: Add tentative support for ECDSA keys. *This adds the ecdsa
module as a new dependency of Paramiko.* The module is available at
[warner/python-ecdsa on Github](https://github.com/warner/python-ecdsa) and
[ecdsa on PyPI](https://pypi.python.org/pypi/ecdsa).
* Note that you might still run into problems with key negotiation --
Paramiko picks the first key that the server offers, which might not be
what you have in your known_hosts file.
* Mega thanks to Ethan Glasser-Camp for the patch.
* #136: Add server-side support for the SSH protocol's 'env' command. Thanks to
Benjamin Pollack for the patch.
v1.11.2 (27th Sep 2013)
-----------------------
* #156: Fix potential deadlock condition when using Channel objects as sockets
(e.g. when using SSH gatewaying). Thanks to Steven Noonan and Frank Arnold
for catch & patch.
* #179: Fix a missing variable causing errors when an ssh_config file has a
non-default AddressFamily set. Thanks to Ed Marshall & Tomaz Muraus for catch
& patch.
* #200: Fix an exception-causing typo in `demo_simple.py`. Thanks to Alex
Buchanan for catch & Dave Foster for patch.
* #199: Typo fix in the license header cross-project. Thanks to Armin Ronacher
for catch & patch.
pkgsrc changes:
---------------
FETCH_USING= curl, as PyPi moved to https.
Upstream changes:
-----------------
v1.11.0 (26th Jul 2013)
-----------------------
* #98: On Windows, when interacting with the PuTTY Pageant, Paramiko now
creates the shared memory map with explicit Security Attributes of the user,
which is the same technique employed by the canonical PuTTY library to avoid
permissions issues when Paramiko is running under a different UAC context
than the PuTTY Pageant process. Thanks to Jason R. Coombs for the patch.
* #100: Remove use of PyWin32 in `win_pageant` module. Module was already
dependent on ctypes for constructing appropriate structures and had ctypes
implementations of all functionality. Thanks to Jason R. Coombs for the
patch.
* #87: Ensure updates to `known_hosts` files account for any updates to said
files after Paramiko initially read them. (Includes related fix to guard
against duplicate entries during subsequent `known_hosts` loads.) Thanks to
`@sunweaver` for the contribution.
v1.10.2 (26th Jul 2013)
-----------------------
* #153, #67: Warn on parse failure when reading known_hosts file. Thanks to
`@glasserc` for patch.
* #146: Indentation fixes for readability. Thanks to Abhinav Upadhyay for catch
& patch.
Upstream appears to have no changelog or NEWS; the included README is
about changes in 1.8.0. Browsing github makes this look like minor
features and bugfixes.
Fix a tyop in DESCR.
Upstream changes:
-----------------
v1.9.0 (6th Nov 2012)
---------------------
* #97 (with a little #93): Improve config parsing of `ProxyCommand` directives
and provide a wrapper class to allow subprocess-driven proxy commands to be
used as `sock=` arguments for `SSHClient.connect`.
* #77: Allow `SSHClient.connect()` to take an explicit `sock` parameter
overriding creation of an internal, implicit socket object.
* Thanks in no particular order to Erwin Bolwidt, Oskari Saarenmaa, Steven
Noonan, Vladimir Lazarenko, Lincoln de Sousa, Valentino Volonghi, Olle
Lundberg, and Github user `@acrish` for the various and sundry patches
leading to the above changes.
v1.8.1 (6th Nov 2012)
---------------------
* #90: Ensure that callbacks handed to `SFTPClient.get()` always fire at least
once, even for zero-length files downloaded. Thanks to Github user `@enB` for
the catch.
* #85: Paramiko's test suite overrides
`unittest.TestCase.assertTrue/assertFalse` to provide these modern assertions
to Python 2.2/2.3, which lacked them. However on newer Pythons such as 2.7,
this now causes deprecation warnings. The overrides have been patched to only
execute when necessary. Thanks to `@Arfrever` for catch & patch.
v1.8.0 (3rd Oct 2012)
---------------------
* #17 ('ssh' 28): Fix spurious `NoneType has no attribute 'error'` and similar
exceptions that crop up on interpreter exit.
* 'ssh' 32: Raise a more useful error explaining which `known_hosts` key line was
problematic, when encountering `binascii` issues decoding known host keys.
Thanks to `@thomasvs` for catch & patch.
* 'ssh' 33: Bring `ssh_config` parsing more in line with OpenSSH spec, re: order of
setting overrides by `Host` specifiers. Specifically, the overrides now go by
file order instead of automatically sorting by `Host` value length. In
addition, the first value found per config key (e.g. `Port`, `User` etc)
wins, instead of the last. Thanks to Jan Brauer for the contribution.
* 'ssh' 36: Support new server two-factor authentication option
(`RequiredAuthentications2`), at least re: combining key-based & password
auth. Thanks to Github user `bninja`.
* 'ssh' 11: When raising an exception for hosts not listed in
`known_hosts` (when `RejectPolicy` is in effect) the exception message was
confusing/vague. This has been improved somewhat. Thanks to Cal Leeming for
highlighting the issue.
* 'ssh' 40: Fixed up & expanded EINTR signal handling. Thanks to Douglas Turk.
* 'ssh' 15: Implemented parameter substitution in SSHConfig, matching the
implementation of `ssh_config(5)`. Thanks to Olle Lundberg for the patch.
* 'ssh' 24: Switch some internal type checking to use `isinstance` to help prevent
problems with client libraries using subclasses of builtin types. Thanks to
Alex Morega for the patch.
* Fabric #562: Agent forwarding would error out (with `Authentication response
too long`) or freeze, when more than one remote connection to the local agent
was active at the same time. This has been fixed. Thanks to Steven McDonald
for assisting in troubleshooting/patching, and to GitHub user `@lynxis` for
providing the final version of the patch.
* 'ssh' 5: Moved a `fcntl` import closer to where it's used to help avoid
`ImportError` problems on Windows platforms. Thanks to Jason Coombs for the
catch + suggested fix.
* 'ssh' 4: Updated implementation of WinPageant integration to work on 64-bit
Windows. Thanks again to Jason Coombs for the patch.
* Added an IO loop sleep() call to avoid needless CPU usage when agent
forwarding is in use.
* Handful of internal tweaks to version number storage.
* Updated `setup.py` with `==dev` install URL for `pip` users.
* Updated `setup.py` to account for packaging problems in PyCrypto 2.4.0
* Added an extra `atfork()` call to help prevent spurious RNG errors when
running under high parallel (multiprocess) load.
* Merge PR #28: https://github.com/paramiko/paramiko/pull/28 which adds a
ssh-keygen like demo module. (Sofian Brabez)
v1.7.7.2 16may12
----------------
* Merge pull request #63: https://github.com/paramiko/paramiko/pull/63 which
fixes exceptions that occur when re-keying over fast connections. (Dwayne
Litzenberger)
distfile anymore. Add DIST_SUBDIR to force re-download of the tarball, which
content has been modified.
While here, switch DEPENDS to py-crypto instead of py-amkCrypto.
Bump PKG_REVISION.
pkgsrc changes:
- patches/patch-aa no longer required
- Added LICENSE
Changelog:
ARC4 & CTR support, IP6 support, and various bug fixes (incl. an important
Windows random number generation fix)
- assume that Python 2.4 and 2.5 are compatible and allow checking for
fallout.
- remove PYTHON_VERSIONS_COMPATIBLE that are obsoleted by the 2.3+
default. Modify the others to deal with the removals.
Changes:
Update to version 1.7.1. Changes:
v1.7.1 (Amy) 10jun07
--------------------
* windows SSH agent support can use the 'ctypes' module now if 'win32all' is
not available [patch from alexander belchenko]
* SFTPClient.listdir_attr() now preserves the 'longname' field [patch from
wesley augur]
* SFTPClient.get_channel() API added
* SSHClient constructor takes an optional 'timeout' parameter [patch from
james bardin]
v1.7 (zubat) 18feb07
--------------------
* added x11 channel support (patch from david guerizec)
* added reverse port forwarding support
* (bug 75370) raise an exception when contacting a broken SFTP server
* (bug 80295) SSHClient shouldn't expand the user directory twice when reading
RSA/DSS keys
* (bug 82383) typo in DSS key in SSHClient
* (bug 83523) python 2.5 warning when encoding a file's modification time
* if connecting to an SSH agent fails, silently fallback instead of raising
an exception
v1.6.4 (yanma) 19nov06
----------------------
* fix setup.py on osx (oops!)
* (bug 69330) check for the existence of RSA/DSA keys before trying to open
them in SFTPClient
* (bug 69222) catch EAGAIN in socket code to workaround a bug in recent
Linux 2.6 kernels
* (bug 70398) improve dict emulation in HostKeys objects
* try harder to make sure all worker threads are joined on Transport.close()
v1.6.3 (xatu) 14oct06
---------------------
* fixed bug where HostKeys.__setitem__ wouldn't always do the right thing
* fixed bug in SFTPClient.chdir and SFTPAttributes.__str__ [patch from
mike barber]
* try harder not to raise EOFError from within SFTPClient
* fixed bug where a thread waiting in accept() could block forever if the
transport dies [patch from mike looijmans]
v1.6.2 (weedle) 16aug06
-----------------------
* added support for "old" group-exchange server mode, for compatibility
with the windows putty client
* fixed some more interactions with SFTP file readv() and prefetch()
* when saving the known_hosts file, preserve the original order [patch from
warren young]
* fix a couple of broken lines when exporting classes (bug 55946)
v1.6.1 (vulpix) 10jul06
-----------------------
* more unit tests fixed for windows/cygwin (thanks to alexander belchenko)
* a couple of fixes related to exceptions leaking out of SFTPClient
* added ability to set items in HostKeys via __setitem__
* HostKeys now retains order and has a save() method
* added PKey.write_private_key and PKey.from_private_key
v1.6 (umbreon) 10may06
----------------------
* pageant support on Windows thanks to john arbash meinel and todd whiteman
* fixed unit tests to work under windows and cygwin (thanks to alexander
belchenko for debugging)
* various bugfixes/tweaks to SFTP file prefetch
* added SSHClient for a higher-level API
* SFTP readv() now yields results as it gets them
* several APIs changed to throw an exception instead of "False" on failure