-
Modify protocol message handling such that Transport does not respond to MSG_UNIMPLEMENTED with its own MSG_UNIMPLEMENTED message. This behavior probably didn't cause any outright errors, but it doesn't seem to conform to the RFCs and could cause (non-infinite) feedback loops in some scenarios (usually those involving Paramiko on both ends).
1283 (1.17+)
Fix exploit (CVE pending) in Paramiko's server mode (not client mode) where hostile clients could trick the server into thinking they were authenticated without actually submitting valid authentication.
Specifically, steps have been taken to start separating client and server related message types in the message handling tables within Transport and AuthHandler; this work is not complete but enough has been performed to close off this particular exploit (which was the only obvious such exploit for this particular channel).
Thanks to Daniel Hoffman for the detailed report.
1292 backported
Backport changes from 979 (added in Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards compatibility. This allows these older versions to use newer Cryptography sign/verify APIs when available, without requiring them (as is the case with Paramiko 2.3+).
Practically speaking, this change prevents spamming of CryptographyDeprecationWarning notices which pop up in the above scenario (older Paramiko, newer Cryptography).
Note: This is a no-op for Paramiko 2.3+, which have required newer Cryptography releases since they were released.
1291 backported
Backport pytest support and application of the black code formatter (both of which previously only existed in the 2.4 branch and above) to everything 2.0 and newer. This makes back/forward porting bugfixes significantly easier.
2.0.8 <2018-03-12>
1.18.5 <2018-03-12>
1.17.6 <2018-03-12>
1175 (1.17+)
Fix a security flaw (CVE-2018-7750) in Paramiko's server mode (emphasis on server mode; this does not impact client use!) where authentication status was not checked before processing channel-open and other requests typically only sent after authenticating. Big thanks to Matthijs Kooijman for the report.
1108 (1.17+)
Rename a private method keyword argument (which was named async) so that we're compatible with the upcoming Python 3.7 release (where async is a new keyword.) Thanks to @vEpiphyte for the report.
- backported
Include LICENSE file in wheel archives.
2.0.7 <2017-09-18>
1.18.4 <2017-09-18>
1061
Clean up GSSAPI authentication procedures so they do not prevent normal fallback to other authentication methods on failure. (In other words, presence of GSSAPI functionality on a target server precluded use of any other auth type if the user was unable to pass GSSAPI auth.) Patch via Anselm Kruis.
1060
Fix key exchange (kex) algorithm list for GSSAPI authentication; previously, the list used solely out-of-date algorithms, and now contains newer ones listed preferentially before the old. Credit: Anselm Kruis.
945 (1.18+)
(backport of 910 and re: 865) SSHClient now requests the type of host key it has (e.g. from known_hosts) and does not consider a different type to be a "Missing" host key. This fixes a common case where an ECDSA key is in known_hosts and the server also has an RSA host key. Thanks to Pierce Lopez.
1055 (1.17+)
(also 1056, 1057, 1058, 1059) Fix up host-key checking in our GSSAPI support, which was previously using an incorrect API call. Thanks to Anselm Kruis for the patches.
2.0.6 <2017-06-09>
1.18.3 <2017-06-09>
1.17.5 <2017-06-09>
906 (1.18+)
Clean up a handful of outdated imports and related tweaks. Thanks to Pierce Lopez.
984
Enhance default cipher preference order such that aes(192|256)-cbc are preferred over blowfish-cbc. Thanks to Alex Gaynor.
971 (1.17+)
Allow any type implementing the buffer API to be used with BufferedFile <paramiko.file.BufferedFile>, Channel <paramiko.channel.Channel>, and SFTPFile <paramiko.sftp_file.SFTPFile>. This resolves a regression introduced in 1.13 with the Python 3 porting changes, when using types such as memoryview. Credit: Martin Packman.
741
(also 809, 772; all via 912) Writing encrypted/password-protected private key files was silently broken since 2.0 due to an incorrect API call; this has been fixed.
Includes a directly related fix, namely adding the ability to read AES-256-CBC ciphered private keys (which is now what we tend to write out as it is Cryptography's default private key cipher.)
Thanks to @virlos for the original report, Chris Harris and @ibuler for initial draft PRs, and @jhgorrell for the final patch.
956 (1.17+)
Switch code coverage service from coveralls.io to codecov.io (& then disable the latter's auto-comments.) Thanks to Nikolai Røed Kristiansen for the patch.
983
Move sha1 above the now-arguably-broken md5 in the list of preferred MAC algorithms, as an incremental security improvement for users whose target systems offer both. Credit: Pierce Lopez.
667
The RC4/arcfour family of ciphers has been broken since version 2.0; but since the algorithm is now known to be completely insecure, we are opting to remove support outright instead of fixing it. Thanks to Alex Gaynor for catch & patch.
- backported
A big formatting pass to clean up an enormous number of invalid Sphinx reference links, discovered by switching to a modern, rigorous nitpicking doc-building mode.
900
(via 911) Prefer newer ecdsa-sha2-nistp keys over RSA and DSA keys during host key selection. This improves compatibility with OpenSSH, both in terms of general behavior, and also re: ability to properly leverage OpenSSH-modified known_hosts files. Credit: @kasdoe for original report/PR and Pierce Lopez for the second draft.
794
(via 981) Prior support for ecdsa-sha2-nistp(384|521) algorithms didn't fully extend to covering host keys, preventing connection to hosts which only offer these key types and no others. This is now fixed. Thanks to @ncoult and @kasdoe for reports and Pierce Lopez for the patch.
974 backported
Overhaul the codebase to be PEP-8, etc, compliant (i.e. passes the maintainer's preferred flake8 configuration) and add a flake8 step to the Travis config. Big thanks to Dorian Pula!
949 (1.17+)
SSHClient and Transport could cause a memory leak if there's a connection problem or protocol error, even if Transport.close() is called. Thanks Kyle Agronick for the discovery and investigation, and Pierce Lopez for assistance.
683 (1.17+)
Make util.log_to_file append instead of replace. Thanks to @vlcinsky for the report.
2.0.5 <2017-02-20>
1.18.2 <2017-02-20>
1.17.4 <2017-02-20>
853 (1.17+)
Tweak how RSAKey.__str__ <paramiko.rsakey.RSAKey> behaves so it doesn't cause TypeError under Python 3. Thanks to Francisco Couzo for the report.
862 (1.17+)
(via 863) Avoid test suite exceptions on platforms lacking errno.ETIME (which seems to be some FreeBSD and some Windows environments.) Thanks to Sofian Brabez.
44 (1.17+)
(via 891) SSHClient <paramiko.client.SSHClient> now gives its internal Transport <paramiko.transport.Transport> a handle on itself, preventing garbage collection of the client until the session is closed. Without this, some code which returns stream or transport objects without the client that generated them, would result in premature session closure when the client was GCd. Credit: @w31rd0 for original report, Omer Anson for the patch.
713 (<2.0)
(via 714 and 889) Don't pass initialization vectors to PyCrypto when dealing with counter-mode ciphers; newer PyCrypto versions throw an exception otherwise (older ones simply ignored this parameter altogether). Thanks to @jmh045000 for report & patches.
895 (1.17+)
Fix a bug in server-mode concerning multiple interactive auth steps (which were incorrectly responded to). Thanks to Dennis Kaarsemaker for catch & patch.
866 backported (1.17+)
(also 838) Remove an old test-related file we don't support, and add PyPy to Travis-CI config. Thanks to Pierce Lopez for the final patch and Pedro Rodrigues for an earlier edition.
2.0.4 <2016-12-12>
1.18.1 <2016-12-12>
859 (1.18+)
(via 860) A tweak to the original patch implementing 398 was not fully applied, causing calls to ~paramiko.client.SSHClient.invoke_shell to fail with AttributeError. This has been fixed. Patch credit: Kirk Byers.
-
Accidentally merged the new features from 1.18.0 into the 2.0.x bugfix-only branch. This included merging a bug in one of those new features (breaking ~paramiko.client.SSHClient.invoke_shell with an AttributeError.) The offending code has been stripped out of the 2.0.x line (but of course, remains in 2.1.x and above.)
2.0.3 <2016-12-09>
1.18.0 <2016-12-09>
1.17.3 <2016-12-09>
802 (1.17+)
(via 804) Update our vendored Windows API module to address errors of the form AttributeError: 'module' object has no attribute 'c_ssize_t'. Credit to Jason R. Coombs.
824 (1.17+)
Fix the implementation of PKey.write_private_key_file (this method is only publicly defined on subclasses; the fix was in the private real implementation) so it passes the correct params to open(). This bug apparently went unnoticed and unfixed for 12 entire years. Congrats to John Villalovos for noticing & submitting the patch!
801 backported (1.17+)
Skip a Unix-only test when on Windows; thanks to Gabi Davar.
792 backported (1.17+)
Minor updates to the README and demos; thanks to Alan Yee.
780 (1.18+)
(also 779, and may help users affected by 520) Add an optional timeout parameter to Transport.start_client <paramiko.transport.Transport.start_client> (and feed it the value of the configured connection timeout when used within SSHClient <paramiko.client.SSHClient>.) This helps prevent situations where network connectivity isn't timing out, but the remote server is otherwise unable to service the connection in a timely manner. Credit to @sanseihappa.
742
(also re: 559) Catch AssertionError thrown by Cryptography when attempting to load bad ECDSA keys, turning it into an SSHException. This moves the behavior in line with other "bad keys" situations, re: Paramiko's main auth loop. Thanks to MengHuan Yu for the patch.
789 (1.17+)
Add a missing .closed attribute (plus ._closed because reasons) to ProxyCommand <paramiko.proxy.ProxyCommand> so the earlier partial fix for 520 works in situations where one is gatewaying via ProxyCommand.
334 (1.17+)
Make the subprocess import in proxy.py lazy so users on platforms without it (such as Google App Engine) can import Paramiko successfully. (Relatedly, make it easier to tweak an active socket check timeout [in Transport <paramiko.transport.Transport>] which was previously hardcoded.) Credit: Shinya Okano.
854 backported (1.17+)
Fix incorrect docstring/param-list for Transport.auth_gssapi_keyex <paramiko.transport.Transport.auth_gssapi_keyex> so it matches the real signature. Caught by @Score_Under.
681 (1.17+)
Fix a Python3-specific bug re: the handling of read buffers when using ProxyCommand. Thanks to Paul Kapp for catch & patch.
819 backported (>=1.15,<2.0)
Document how lacking gmp headers at install time can cause a significant performance hit if you build PyCrypto from source. (Most system-distributed packages already have this enabled.)
2.0.2 <2016-07-25>
1.17.2 <2016-07-25>
1.16.3 <2016-07-25>
673 (1.16+)
(via 681) Fix protocol banner read errors (SSHException) which would occasionally pop up when using ProxyCommand gatewaying. Thanks to @Depado for the initial report and Paul Kapp for the fix.
774 (1.16+)
Add a _closed private attribute to ~paramiko.channel.Channel objects so that they continue functioning when used as proxy sockets under Python 3 (e.g. as direct-tcpip gateways for other Paramiko connections.)
758 (1.16+)
Apply type definitions to _winapi module from jaraco.windows 3.6.1. This should address issues on Windows platforms that often result in errors like ArgumentError: [...] int too long to convert. Thanks to @swohlerLL for the report and Jason R. Coombs for the patch.
2.0.1 <2016-06-21>
1.17.1 <2016-06-21>
1.16.2 <2016-06-21>
520 (1.16+)
(Partial fix) Fix at least one instance of race condition driven threading hangs at end of the Python interpreter session. (Includes a docs update as well - always make sure to .close() your clients!)
537 (1.16+)
Fix a bug in BufferedPipe.set_event <paramiko.buffered_pipe.BufferedPipe.set_event> which could cause deadlocks/hangs when one uses select.select against ~paramiko.channel.Channel objects (or otherwise calls Channel.fileno <paramiko.channel.Channel.fileno> after the channel has closed). Thanks to Przemysław Strzelczak for the report & reproduction case, and to Krzysztof Rusek for the fix.
2.0.0 <2016-04-28>
1.17.0 <2016-04-28>
1.16.1 <2016-04-28>
1.15.5 <2016-04-28>
731
(working off the earlier 611) Add support for 384- and 512-bit elliptic curve groups in ECDSA key types (aka ecdsa-sha2-nistp384/ecdsa-sha2-nistp521). Thanks to Michiel Tiller and @CrazyCasta for the patches.
670
Due to an earlier bugfix, less-specific Host blocks' ProxyCommand values were overriding ProxyCommand none in more-specific Host blocks. This has been fixed in a backwards compatible manner (i.e. ProxyCommand none continues to appear as a total lack of any proxycommand key in parsed config structures). Thanks to Pat Brisbin for the catch.
676
(via 677) Fix a backwards incompatibility issue that cropped up in SFTPFile.prefetch <paramiko.sftp_file.SFTPFile.prefetch> re: the erroneously non-optional file_size parameter. Should only affect users who manually call prefetch. Thanks to @stevevanhooser for catch & patch.
394
Replace PyCrypto with the Python Cryptographic Authority (PyCA) 'Cryptography' library suite. This improves security, installability, and performance; adds PyPy support; and much more.
There aren't enough ways to thank Alex Gaynor for all of his work on this, and then his patience while the maintainer let his PR grow moss for a year and change. Paul Kehrer came in with an assist, and I think I saw Olle Lundberg, @techtonik and @johnthagen supplying backup as well. Thanks to all!
Warning: This is a backwards incompatible change.
However, it should only affect installation requirements; no API changes are intended or expected. Please report any such breakages as bugs.
See our updated installation docs <installing> for details on what is now required to install Paramiko; many/most users should be able to simply pip install -U paramiko (especially if you upgrade to pip 8).
577
(via 578; should also fix 718, 560) Fix stalled/hung SFTP downloads by cleaning up some threading lock issues. Thanks to Stephen C. Pope for the patch.
716
Fix a Python 3 compatibility issue when handling two-factor authentication. Thanks to Mateusz Kowalski for the catch & original patch.
729 backported (>=1.15,<2.0)
Clean up setup.py to always use setuptools; not doing so was a historical artifact from bygone days. Thanks to Alex Gaynor.
649 major (==1.17)
Update the module in charge of handling SSH moduli so it's consistent with OpenSSH behavior re: prime number selection. Thanks to Damien Tournoud for catch & patch.
617
(aka fabric/fabric#1429; via 679; related: 678, 685, 615 & 616) Fix up ~paramiko.ssh_exception.NoValidConnectionsError so it pickles correctly, and fix a related Python 3 compatibility issue. Thanks to Rebecca Schlussel for the report & Marius Gedminas for the patch.
613
(via 619) Update to jaraco.windows 3.4.1 to fix some errors related to ctypes on Windows platforms. Credit to Jason R. Coombs.
621 backported (>=1.15,<2.0)
Annotate some public attributes on ~paramiko.channel.Channel such as .closed. Thanks to Sergey Vasilyev for the report.
632
Fix logic bug in the SFTP client's callback-calling functionality; previously there was a chance the given callback would fire twice at the end of a transfer. Thanks to @ab9-er for catch & original patch.
612 backported (>=1.15,<2.0)
Identify & work around a race condition in the test for handshake timeouts, which was causing frequent test failures for a subset of contributors as well as Travis-CI (usually, but not always, limited to Python 3.5). Props to Ed Kellett for assistance during some of the troubleshooting.
697 backported (>=1.15,<2.0)
Remove whitespace in our setup.py's install_requires as it triggers occasional bugs in some versions of setuptools. Thanks to Justin Lecher for catch & original patch.
499
Strip trailing/leading whitespace from lines when parsing SSH config files - this brings things in line with OpenSSH behavior. Thanks to Alfredo Esteban for the original report and Nick Pillitteri for the patch.
652
Fix behavior of gssapi-with-mic auth requests so they fail gracefully (allowing followup via other auth methods) instead of raising an exception. Patch courtesy of @jamercee.
588 (==1.17)
Add missing file-like object methods for ~paramiko.file.BufferedFile and ~paramiko.sftp_file.SFTPFile. Thanks to Adam Meily for the patch.
636 backported (>=1.15,<2.0)
Clean up and enhance the README (and rename it to README.rst from just README). Thanks to @LucasRMehl.
1.16.0 <2015-11-04>
194 major
(also 562, 530, 576) Streamline use of stat when downloading SFTP files via SFTPClient.get <paramiko.sftp_client.SFTPClient.get>; this avoids triggering bugs in some off-spec SFTP servers such as IBM Sterling. Thanks to @muraleee for the initial report and to Torkil Gustavsen for the patch.
467
(also 139, 412) Fully enable two-factor authentication (e.g. when a server requires AuthenticationMethods pubkey,keyboard-interactive). Thanks to @perryjrandall for the patch and to @nevins-b and Matt Robenolt for additional support.
502 major
Fix 'exec' requests in server mode to use get_string instead of get_text to avoid UnicodeDecodeError on non-UTF-8 input. Thanks to Anselm Kruis for the patch & discussion.
401
Fix line number reporting in log output regarding invalid known_hosts line entries. Thanks to Dylan Thacker-Smith for catch & patch.
525 backported
Update the vendored Windows API addon to a more recent edition. Also fixes 193, 488, 498. Thanks to Jason Coombs.
1.15.4 <2015-11-02>
1.14.3 <2015-11-02>
1.13.4 <2015-11-02>
366
Fix ~paramiko.sftp_attr.SFTPAttributes so its string representation doesn't raise exceptions on empty/initialized instances. Patch by Ulrich Petri.
359
Use correct attribute name when trying to use Python 3's int.bit_length method; prior to fix, the Python 2 custom fallback implementation was always used, even on Python 3. Thanks to Alex Gaynor.
594 backported
Correct some post-Python3-port docstrings to specify bytes type instead of str. Credit to @redixin.
565
Don't explode with IndexError when reading private key files lacking an -----END <type> PRIVATE KEY----- footer. Patch courtesy of Prasanna Santhanam.
604
Add support for the aes192-ctr and aes192-cbc ciphers. Thanks to Michiel Tiller for noticing it was as easy as tweaking some key sizes :D
356
(also 596, 365, 341, 164, 581, and a bunch of other duplicates besides) Add support for SHA-2 based key exchange (kex) algorithm diffie-hellman-group-exchange-sha256 and (H)MAC algorithms hmac-sha2-256 and hmac-sha2-512.
This change includes tweaks to debug-level logging regarding algorithm-selection handshakes; the old all-in-one log line is now multiple easier-to-read, printed-at-handshake-time log lines.
Thanks to the many people who submitted patches for this functionality and/or assisted in testing those patches. That list includes but is not limited to, and in no particular order: Matthias Witte, Dag Wieers, Ash Berlin, Etienne Perot, Gert van Dijk, @GuyShaanan, Aaron Bieber, @cyphase, and Eric Brown.
1.15.3 <2015-10-02>
554 backported
Fix inaccuracies in the docstring for the ECDSA key class. Thanks to Jared Hance for the patch.
516 backported
Document ~paramiko.agent.AgentRequestHandler. Thanks to @toejough for report & suggestions.
496 (1.15+)
Fix a handful of small but critical bugs in Paramiko's GSSAPI support (note: this includes switching from PyCrypto's Random to os.urandom). Thanks to Anselm Kruis for catch & patch.
491
(combines 62 and 439) Implement timeout functionality to address hangs from dropped network connections and/or failed handshakes. Credit to @vazir and @dacut for the original patches and to Olle Lundberg for reimplementation.
490
Skip invalid/unparseable lines in known_hosts files, instead of raising ~paramiko.ssh_exception.SSHException. This brings Paramiko's behavior more in line with OpenSSH, which silently ignores such input. Catch & patch courtesy of Martin Topholm.
404
Print details when displaying ~paramiko.ssh_exception.BadHostKeyException objects (expected vs received data) instead of just "hey shit broke". Patch credit: Loic Dachary.
469
(also 488, 461 and like a dozen others) Fix a typo introduced in the 1.15 release which broke WinPageant support. Thanks to everyone who submitted patches, and to Steve Cohen who was the lucky winner of the cherry-pick lottery.
353
(via 482) Fix a bug introduced in the Python 3 port which caused OverflowError (and other symptoms) in SFTP functionality. Thanks to @dboreham for leading the troubleshooting charge, and to Scott Maxwell for the final patch.
582
Fix some old setup.py related helper code which was breaking bdist_dumb on Mac OS X. Thanks to Peter Odding for the patch.
22 major
Try harder to connect to multiple network families (e.g. IPv4 vs IPv6) in case of connection issues; this helps with problems such as hosts which resolve both IPv4 and IPv6 addresses but are only listening on IPv4. Thanks to Dries Desmet for original report and Torsten Landschoff for the foundational patchset.
402
Check to see if an SSH agent is actually present before trying to forward it to the remote end. This replaces what was usually a useless TypeError with a human-readable ~paramiko.ssh_exception.AuthenticationException. Credit to Ken Jordan for the fix and Yvan Marques for original report.
1.15.2 <2014-12-19>
1.14.2 <2014-12-19>
1.13.3 <2014-12-19>
413
(also 414, 420, 454) Be significantly smarter about polling & timing behavior when running proxy commands, to avoid unnecessary (often 100%!) CPU usage. Major thanks to Jason Dunsmore for report & initial patchset and to Chris Adams & John Morrissey for followup improvements.
455
Tweak packet size handling to conform better to the OpenSSH RFCs; this helps address issues with interactive program cursors. Courtesy of Jeff Quast.
428
Fix an issue in ~paramiko.file.BufferedFile (primarily used in the SFTP modules) concerning incorrect behavior by ~paramiko.file.BufferedFile.readlines on files whose size exceeds the buffer size. Thanks to @achapp for catch & patch.
415
Fix ssh_config parsing to correctly interpret ProxyCommand none as the lack of a proxy command, instead of as a literal command string of "none". Thanks to Richard Spiers for the catch & Sean Johnson for the fix.
431 backported
Replace handrolled ssh_config parsing code with use of the shlex module. Thanks to Yan Kalchevskiy.
422 backported
Clean up some unused imports. Courtesy of Olle Lundberg.
421 backported
Modernize threading calls to use newer API. Thanks to Olle Lundberg.
419 backported
Modernize a bunch of the codebase internals to leverage decorators. Props to @beckjake for realizing we're no longer on Python 2.2 :D
266
Change numbering of ~paramiko.transport.Transport channels to start at 0 instead of 1 for better compatibility with OpenSSH & certain server implementations which break on 1-indexed channels. Thanks to @egroeper for catch & patch.
459
Tighten up agent connection closure behavior to avoid spurious ResourceWarning display in some situations. Thanks to @tkrapp for the catch.
429
Server-level debug message logging was overlooked during the Python 3 compatibility update; Python 3 clients attempting to log SSH debug packets encountered type errors. This is now fixed. Thanks to @mjmaenpaa for the catch.
320
Update our win_pageant module to be Python 3 compatible. Thanks to @sherbang and @adamkerz for the patches.
1.15.1 <2014-09-22>
399
SSH agent forwarding (potentially other functionality as well) would hang due to incorrect values passed into the new window size arguments for ~paramiko.transport.Transport (thanks to a botched merge). This has been corrected. Thanks to Dylan Thacker-Smith for the report & patch.
167
Add ~paramiko.config.SSHConfig.get_hostnames for easier introspection of a loaded SSH config file or object. Courtesy of Søren Løvborg.
1.15.0 <2014-09-18>
393
Replace internal use of PyCrypto's SHA.new with the stdlib's hashlib.sha1. Thanks to Alex Gaynor.
267
(also 250, 241, 228) Add GSS-API / SSPI (e.g. Kerberos) key exchange and authentication support (installation docs here <gssapi>). Mega thanks to Sebastian Deiß, with assist by Torsten Landschoff.
Note: Unix users should be aware that the python-gssapi library (a requirement for using this functionality) only appears to support Python 2.7 and up at this time.
346 major
Fix an issue in private key files' encryption salts that could cause tracebacks and file corruption if keys were re-encrypted. Credit to Xavier Nunn.
362
Allow users to control the SSH banner timeout. Thanks to Cory Benfield.
372
Update default window & packet sizes to more closely adhere to the pertinent RFC; also expose these settings in the public API so they may be overridden by client code. This should address some general speed issues such as 175. Big thanks to Olle Lundberg for the update.
373 major
Attempt to fix a handful of issues (such as 354) related to infinite loops and threading deadlocks. Thanks to Olle Lundberg as well as a handful of community members who provided advice & feedback via IRC.
374
(also 375) Old code cleanup courtesy of Olle Lundberg.
377
Factor ~paramiko.channel.Channel openness sanity check into a decorator. Thanks to Olle Lundberg for original patch.
298 major
Don't perform point validation on ECDSA keys in known_hosts files, since a) this can cause significant slowdown when such keys exist, and b) known_hosts files are implicitly trustworthy. Thanks to Kieran Spear for catch & patch.
Note: This change bumps up the version requirement for the ecdsa library to 0.11.
234 major
Lower logging levels for a few overly-noisy log messages about secure channels. Thanks to David Pursehouse for noticing & contributing the fix.
218
Add support for ECDSA private keys on the client side. Thanks to @aszlig for the patch.
335 major
Fix ECDSA key generation (generation of brand new ECDSA keys was broken previously). Thanks to @solarw for catch & patch.
184
Support quoted values in SSH config file parsing. Credit to Yan Kalchevskiy.
131
Add a ~paramiko.sftp_client.SFTPClient.listdir_iter method to ~paramiko.sftp_client.SFTPClient allowing for more efficient, async/generator based file listings. Thanks to John Begeman.
378 backported
Minor code cleanup in the SSH config module courtesy of Olle Lundberg.
249 backported
Consolidate version information into one spot. Thanks to Gabi Davar for the reminder.
1.14.1 <2014-08-25>
1.13.2 <2014-08-25>
376
Be less aggressive about expanding variables in ssh_config files, which results in a speedup of SSH config parsing. Credit to Olle Lundberg.
324 backported
A bevy of documentation typo fixes, courtesy of Roy Wellington.
312
paramiko.transport.Transport had a bug in its __repr__ which surfaces during errors encountered within its __init__, causing problematic tracebacks in such situations. Thanks to Simon Percivall for catch & patch.
272
Fix a bug where known_hosts parsing hashed the input hostname as well as the hostnames from the known_hosts file, on every comparison. Thanks to @sigmunau for final patch and @ostacey for the original report.
239
Add Windows-style CRLF support to SSH config file parsing. Props to Christopher Swenson.
229 backported
Fix a couple of incorrectly-copied docstrings' .. versionadded:: RST directives. Thanks to Aarni Koskela for the catch.
169 backported
Minor refactor of paramiko.sftp_client.SFTPClient.put thanks to Abhinav Upadhyay.
285
(also 352) Update our Python 3 b() compatibility shim to handle buffer objects correctly; this fixes a frequently reported issue affecting many users, including users of the bzr software suite. Thanks to @basictheprogram for the initial report, Jelmer Vernooij for the fix and Andrew Starr-Bochicchio & Jeremy T. Bouse (among others) for discussion & feedback.
371
Add Travis support & docs update for Python 3.4. Thanks to Olle Lundberg.
1.14.0 <2014-05-07>
1.13.1 <2014-05-07>
1.12.4 <2014-05-07>
1.11.6 <2014-05-07>
-
paramiko.file.BufferedFile.read incorrectly returned text strings after the Python 3 migration, despite bytes being more appropriate for file contents (which may be binary or of an unknown encoding.) This has been addressed.
Note: paramiko.file.BufferedFile.readline continues to return strings, not bytes, as "lines" only make sense for textual data. It assumes UTF-8 by default.
This should fix this issue raised on the Obnam mailing list. Thanks to Antoine Brenner for the patch.
-
Added self.args for exception classes. Used for unpickling. Related to (Fabric #986, Fabric #714). Thanks to Alex Plugaru.
-
Fix logging error in sftp_client for filenames containing the '%' character. Thanks to Antoine Brenner.
308
Fix regression in dsskey.py that caused sporadic signature verification failures. Thanks to Chris Rose.
299
Use deterministic signatures for ECDSA keys for improved security. Thanks to Alex Gaynor.
297
Replace PyCrypto's Random with os.urandom for improved speed and security. Thanks again to Alex.
295
Swap out a bunch of PyCrypto hash functions with use of hashlib. Thanks to Alex Gaynor.
290
(also 292) Add support for building universal (Python 2+3 compatible) wheel files during the release process. Courtesy of Alex Gaynor.
284
Add Python language trove identifiers to setup.py. Thanks to Alex Gaynor for catch & patch.
235
Improve string type testing in a handful of spots (e.g. s/if type(x) is str/if isinstance(x, basestring)/g.) Thanks to @ksamuel for the report.
1.13.0 <2014-03-13>
1.12.3 <2014-03-13>
1.11.5 <2014-03-13>
1.10.7 <2014-03-13>
16
Python 3 support! Our test suite passes under Python 3, and it (& Fabric's test suite) continues to pass under Python 2. Python 2.5 is no longer supported with this change!
The merged code was built on many contributors' efforts, both code & feedback. In no particular order, we thank Daniel Goertzen, Ivan Kolodyazhny, Tomi Pieviläinen, Jason R. Coombs, Jan N. Schulze, @Lazik, Dorian Pula, Scott Maxwell, Tshepang Lekhonkhobe, Aaron Meurer, and Dave Halter.
256 backported
Convert API documentation to Sphinx, yielding a new API docs website to replace the old Epydoc one. Thanks to Olle Lundberg for the initial conversion work.
-
Use constant-time hash comparison operations where possible, to protect against timing-based attacks. Thanks to Alex Gaynor for the patch.
1.12.2 <2014-02-14>
1.11.4 <2014-02-14>
1.10.6 <2014-02-14>
58
Allow client code to access the stored SSH server banner via Transport.get_banner <paramiko.transport.Transport.get_banner>. Thanks to @Jhoanor for the patch.
252
(Fabric #1020) Enhanced the implementation of ProxyCommand to avoid a deadlock/hang condition that frequently occurs at Transport shutdown time. Thanks to Mateusz Kobos, Matthijs van der Vleuten and Guillaume Zitta for the original reports and to Marius Gedminas for helping test nontrivial use cases.
268
Fix some missed renames of ProxyCommand related error classes. Thanks to Marius Gedminas for catch & patch.
34
(PR 35) Fix SFTP prefetching incompatibility with some SFTP servers regarding request/response ordering. Thanks to Richard Kettlewell.
193
(and its attendant PRs 230 & 253) Fix SSH agent problems present on Windows. Thanks to David Hobbs for initial report and to Aarni Koskela & Olle Lundberg for the patches.
1.12.1 <2014-01-08>
1.11.3 <2014-01-08>
1.10.5 <2014-01-08>
225 (1.12+)
Note ecdsa requirement in README. Thanks to Amaury Rodriguez for the catch.
176
Fix AttributeError bugs in known_hosts file (re)loading. Thanks to Nathan Scowcroft for the patch & Martin Blumenstingl for the initial test case.
1.12.0 <2013-09-27>
1.11.2 <2013-09-27>
1.10.4 <2013-09-27>
152
Add tentative support for ECDSA keys. This adds the ecdsa module as a new dependency of Paramiko. The module is available at warner/python-ecdsa on GitHub and ecdsa on PyPI.
- Note that you might still run into problems with key negotiation -- Paramiko picks the first key that the server offers, which might not be what you have in your known_hosts file.
- Mega thanks to Ethan Glasser-Camp for the patch.
136
Add server-side support for the SSH protocol's 'env' command. Thanks to Benjamin Pollack for the patch.
156 (1.11+)
Fix potential deadlock condition when using Channel objects as sockets (e.g. when using SSH gatewaying). Thanks to Steven Noonan and Frank Arnold for catch & patch.
179
Fix a missing variable causing errors when an ssh_config file has a non-default AddressFamily set. Thanks to Ed Marshall & Tomaz Muraus for catch & patch.
200
Fix an exception-causing typo in demo_simple.py. Thanks to Alex Buchanan for catch & Dave Foster for patch.
199
Typo fix in the license header cross-project. Thanks to Armin Ronacher for catch & patch.
1.11.1 <2013-09-20>
1.10.3 <2013-09-20>
162
Clean up HMAC module import to avoid deadlocks in certain uses of SSHClient. Thanks to Gernot Hillier for the catch & suggested fix.
36
Fix the port-forwarding demo to avoid file descriptor errors. Thanks to Jonathan Halcrow for catch & patch.
168
Update config handling to properly handle multiple 'localforward' and 'remoteforward' keys. Thanks to Emre Yılmaz for the patch.
1.11.0 <2013-07-26>
1.10.2 <2013-07-26>
98 major
On Windows, when interacting with the PuTTY Pageant, Paramiko now creates the shared memory map with explicit Security Attributes of the user, which is the same technique employed by the canonical PuTTY library to avoid permissions issues when Paramiko is running under a different UAC context than the PuTTY Pageant process. Thanks to Jason R. Coombs for the patch.
100
Remove use of PyWin32 in win_pageant module. Module was already dependent on ctypes for constructing appropriate structures and had ctypes implementations of all functionality. Thanks to Jason R. Coombs for the patch.
87 major
Ensure updates to known_hosts files account for any updates to said files after Paramiko initially read them. (Includes related fix to guard against duplicate entries during subsequent known_hosts loads.) Thanks to @sunweaver for the contribution.
153
(also 67) Warn on parse failure when reading known_hosts file. Thanks to @glasserc for patch.
146
Indentation fixes for readability. Thanks to Abhinav Upadhyay for catch & patch.
1.10.1 <2013-04-05>
142
(Fabric #811) SFTP put of empty file will still return the attributes of the put file. Thanks to Jason R. Coombs for the patch.
154
(Fabric #876) Forwarded SSH agent connections left stale local pipes lying around, which could cause local (and sometimes remote or network) resource starvation when running many agent-using remote commands. Thanks to Kevin Tegtmeier for catch & patch.
1.10.0 <2013-03-01>
66
Batch SFTP writes to help speed up file transfers. Thanks to Olle Lundberg for the patch.
133 major
Fix handling of window-change events to be on-spec and not attempt to wait for a response from the remote sshd; this fixes problems with less common targets such as some Cisco devices. Thanks to Phillip Heller for catch & patch.
93
Overhaul SSH config parsing to be in line with man ssh_config (& the behavior of ssh itself), including addition of parameter expansion within config values. Thanks to Olle Lundberg for the patch.
110
Honor SSH config AddressFamily setting when looking up local host's FQDN. Thanks to John Hensley for the patch.
128
Defer FQDN resolution until needed, when parsing SSH config files. Thanks to Parantapa Bhattacharya for catch & patch.
102 major
Forego random padding for packets when running under *-ctr ciphers. This corrects some slowdowns on platforms where random byte generation is inefficient (e.g. Windows). Thanks to @warthog618 for catch & patch, and Michael van der Kolff for code/technique review.
127
Turn SFTPFile into a context manager. Thanks to Michael Williamson for the patch.
116
Limit Message.get_bytes to an upper bound of 1MB to protect against potential DoS vectors. Thanks to @mvschaik for catch & patch.
115
Add convenience get_pty kwarg to Client.exec_command so users not manually controlling a channel object can still toggle PTY creation. Thanks to Michael van der Kolff for the patch.
71
Add SFTPClient.putfo and .getfo methods to allow direct uploading/downloading of file-like objects. Thanks to Eric Buehl for the patch.
113
Add timeout parameter to SSHClient.exec_command for easier setting of the command's internal channel object's timeout. Thanks to Cernov Vladimir for the patch.
94
Remove duplication of SSH port constant. Thanks to Olle Lundberg for the catch.
80
Expose the internal "is closed" property of the file transfer class BufferedFile as .closed, better conforming to Python's file interface. Thanks to @smunaut and James Hiscock for catch & patch.