| Age | Commit message (Collapse) | Author | Files | Lines |
|
Release 2.12.0 (10 Aug 2022)
----------------------------
* Added top-level functions run_client() and run_server() which allow
you to begin running an SSH client or server on an already-connected
socket. This capability is also available via a new "sock" argument
in the existing connect(), connect_reverse(), get_server_host_key(),
and get_server_auth_methods() functions.
* Added "sock" argument to listen() and listen_reverse() functions
which takes an already-bound listening socket instead of a host
and port to bind a new socket to.
* Added support for forwarding break, signal, and terminal size updates
when redirection of stdin is set up between two SSHProcess instances.
* Added support for sntrup761x25519-sha512@openssh.com post-quantum
key exchange algorithm. For this to be available, the Open Quantum
Safe (liboqs) dynamic library must be installed.
* Added "sig_alg" argument to set a signature algorithm when creating
OpenSSH certificates, allowing a choice between ssh-rsa, rsa-sha2-256,
and rsa-sha2-512 for certificates signed by RSA keys.
* Added new read_parallel() method in SFTPClientFile which allows
parallel reads to be performed from a remote file, delivering
incremental results as these reads complete. Previously, large
reads would automatically be parallelized, but a result was only
returned after all reads completed.
* Added definition of __all__ for public symbols in AsyncSSH to make
pyright autocompletion work better. Thanks go to Nicolas Riebesel
for providing this change.
* Updated SFTP and SCP glob and copy functions to use scandir() instead
of listdir() to improve efficiency.
* Updated default for "ignore_encrypted" client connection option to
ignore encrypted keys specified in an OpenSSH config file when no
passphrase is provided, similar to what was previosuly done for
keys with default names.
* Fixed an issue when using an SSH agent with RSA keys and an X.509
certificate while requesting SHA-2 signatures.
* Fixed an issue with use of expanduser() in unit tests on newer versions
of Python. Thanks go to Georg Sauthoff for providing an initial version
of this fix.
* Fixed an issue with fallback to a Pageant agent not working properly
on Windows when no agent_path or SSH_AUTH_SOCK was set.
* Fixed improper escaping in readuntil(), causing certain punctuation in
separator to not match properly. Thanks go to Github user MazokuMaxy
for reporting this issue.
* Fixed the connection close handler to properly mark channels as fully
closed when the peer unexpected closes the connection, allowing
exceptions to fire if an application continues to try and use
the channel. Thanks go to Taha Jahangir for reporting this issue and
suggesting a possible fix.
* Eliminated unit testing against OpenSSH for tests involving DSA and
RSA keys using SHA-1 signatures, since this support is being dropped
in some distributions of OpenSSH. These tests are still performed, but
using only AsyncSSH code. Thanks go to Ken Dreyer and Georg Sauthoff
for reporting this issue and helping me to reproduce it.
|
|
Release 2.11.0 (4 Jun 2022)
---------------------------
* Made a number of improvements in SFTP glob support, with thanks to
Github user LuckyDams for all the help working out these changes!
* Added a new glob_sftpname() method which returns glob matches
together with attribute information, avoiding the need for a
caller to make separate calls to stat() on the returned results.
* Switched from listdir() to scandir() to reduce the number of
stat() operations required while finding matches.
* Added code to remove duplicates when glob() is called with
multiple patterns that match the same path.
* Added a cache of directory listing and stat results to improve
performance when matching patterns with overlapping paths.
* Fixed an "index out of range" bug in recursive glob matching
and aligned it better with results reeturned by UNIX shells.
* Changed matching to ignore inaccessible or non-existent paths
in a glob pattern, to allow accessible paths to be fully
explored before returning an error. The error handler will now
be called only if a pattern results in no matches, or if a more
serious error occurs while scanning.
* Changed SFTP makedirs() method to work better cases where parts of
requested path already exist but don't allow read access. As long as
the entire path can be created, makedirs() will succeed, even if some
directories on the path don't allow their contents to be read. Thanks
go to Peter Rowlands for providing this fix.
* Replaced custom Diffie Hellman implementation in AsyncSSH with the
one in the cryptography package, resulting in an over 10x speedup.
Thanks go to Github user iwanb for suggesting this change.
* Fixed AsyncSSH to re-acquire GSS credentials when performing key
renegotiation to avoid expired credentials on long-lived connections.
Thanks go to Github user PromyLOPh for pointing out this issue and
suggesting a fix.
* Fixed GSS MIC to work properly with GSS key exchange when AsyncSSH
is running as a server. This was previously fixed on the client side,
but a similar fix for the server was missed.
* Changed connection timeout unit tests to work better in environments
where a firewall is present. Thanks go to Stefano Rivera for
reporting this issue.
* Improved unit tests of Windows SSPI GSSAPI module.
* Improved speed of unit tests by reducing the number of key generation
calls. RSA key generation in particular has gotten much more expensive
in OpenSSL 3.
|
|
Release 2.9.0 (23 Jan 2022)
---------------------------
* Added mypy-compatible type annotations to all AsyncSSH modules, and a
"py.typed" file to signal that annotations are now available for this
package.
* Added experimental support for SFTP versions 4-6. While AsyncSSH still
defaults to only advertising version 3 when acting as both a client and
a server, applications can explicitly enable support for later versions,
which will be used if both ends of the connection agree. Not all features
are fully supported, but a number of useful enhancements are now
available, including as users and groups specified by name, higher
resolution timestamps, and more granular error reporting.
* Updated documentation to make it clear that keys from a PKCS11 provider
or ssh-agent will be used even when client_keys is specified, unless
those sources are explicitly disabled.
* Improved handling of task cancellation in AsyncSSH to avoid triggering
an error of "Future exception was never retrieved". Thanks go to Krzysztof
Kotlenga for reporting this issue and providing test code to reliably
reproduce it.
* Changed implementation of OpenSSH keepalive handler to improve
interoperability with servers which don't expect a "success" response
when this message is sent.
Release 2.8.1 (8 Nov 2021)
--------------------------
* Fixed a regression in handling of the passphrase argument used to
decrypt private keys.
Release 2.8.0 (3 Nov 2021)
--------------------------
* Added new connect_timeout option to set a timeout which includes the
time taken to open an outbound TCP connection, allowing connections
to be aborted without waiting for the default socket connect timeout.
The existing login_timeout option only applies after the TCP connection
was established, so it could not be used for this. The support for the
ConnectTimeout config file option has also been updated to use this new
capability, making it more consistent with OpenSSH's behavior.
* Added the ability to use the passphrase argument specified in a connect
call to be used to decrypt keys used to connect to bastion hosts.
Previously, this argument was only applied when making a connection
to the main host and encrypted keys could only be used when they
were loaded separately.
* Updated AsyncSSH's "Record" class to make it more IDE-friendly when
it comes to things like auto-completion. This class is used as a base
class for SSHCompletedProcess and various SFTP attribute classes.
Thanks go to Github user zentarim for suggesting this improvement.
* Fixed a potential uncaught exception when handling forwarded connections
which are immediately closed by a peer.
|
|
Release 2.4.2
Fixed a potential race condition when receiving EOF right after a channel is opened.
Fixed a couple of issues related to the error_handler and progress_handler callbacks in AsyncSSH SFTP/SCP.
Fixed a couple of issues related to using pathlib objects with AsyncSSH SCP.
Release 2.4.1
Fixed SCP server to send back an exit status when closing the SSH channel, since the OpenSSH scp client returns this status to the shell which executed it.
Fixed listeners created by forward_local_port(), forward_local_path(), and forward_socks() to automatically close when the SSH connection closes, unblocking any wait_closed() calls which are in progress.
Fixed a potential exception that could trigger when the SSH connection is closed while authentication is in progress.
Fixed tunnel connect code to properly clean up an implicitly created tunnel when a failure occurs in trying to open a connection over that tunnel.
Release 2.4.0
Added support for accessing keys through a PKCS#11 provider, allowing keys on PIV security tokens to be used directly by AsyncSSH without the need to run an SSH agent. X.509 certificates can also be retrieved from the security token and used with SSH servers which support that.
Added support for using Ed25519 and Ed448 keys in X.509 certificates, and the corresponding SSH certificate and signature algorithms. Certificates can use these keys as either subject keys or signing keys, and certificates can be generated by either AsyncSSH or by OpenSSL version 1.1.1 or later.
Added support for feed_data() and feed_eof() methods in SSHReader, mirroring methods of the same name in asyncio’s StreamReader to improve interoperability between the two APIs.
Updated unit tests to test interoperability with OpenSSL 1.1.1 when reading and writing Ed25519 and Ed448 public and private key files. Previously, due to lack of support in OpenSSL, AsyncSSH could only test against OpenSSH, and only in OpenSSH key formats. With OpenSSL 1.1.1, testing is now also done using PKCS#8 format.
Fixed config file parser to properly ignore all comment lines, even if the lines contain unbalanced quotes.
Removed a note about the lack of a timeout parameter in the AsyncSSH connect() method, now that it supports a login_timeout argument.
|
|
Release 2.3.0
Added initial support for reading configuration from OpenSSH-compatible config files, when present. Both client and server configuration files are supported, but not all config options are supported. See the AsyncSSH documentation for the latest list of what client and server options are supported, as well as what match conditions and percent substitutions are understood.
Added support for the concept of only a subset of supported algorithms being enabled by default, and for the ability to use wildcards when specifying algorithm names. Also, OpenSSH’s syntax of prefixing the list with ‘^’, ‘+’, or ‘-‘ is supported for incrementally adjusting the list of algorithms starting from the default set.
Added support for specifying a preferred list of client authentication methods, in order of preference. Previously, the order of preference was hard-coded into AsyncSSH.
Added the ability to use AsyncSSH’s “password” argument on servers which are using keyboard-interactive authentication to prompt for a “passcode”. Previously, this was only supported when the prompt was for a “password”.
Added support for providing separate lists of private keys and certificates, rather than requiring them to be specifying together as a tuple. When this new option is used, AsyncSSH will automatically associate the private keys with their corresponding certificates if matching certificates are present in the list.
Added support for the “known_hosts” argument to accept a list of known host files, rather than just a single file. Known hosts can also be specified using the GlobalKnownHostFile and UserKnownHostFile config file options, each of which can take multiple filenames.
Added new “request_tty” option to provide finer grained control over whether AsyncSSH will request a TTY when opening new sessions. The default is to still tie this to whether a “term_type” is specified, but now that can be overridden. Supported options of “yes”, “no”, “force”, and “auto” match the values supported by OpenSSH.
Added new “rdns_lookup” option to control whether the server does a reverse DNS of client addresses to allow matching of clients based on hostname in authorized keys and config files. When this option is disabled (the default), matches can only be based on client IP.
Added new “send_env” argument when opening a session to forward local environment variables using their existing values, augmenting the “env” argument that lets you specify remote environment variables to set and their corresponding values.
Added new “tcp_keepalive” option to control whether TCP-level keepalives are enabled or not on SSH connections. Previously, TCP keepalives were enabled unconditionally and this is still the default, but the new option provides a way to disable them.
Added support for sending and parsing client EXT_INFO messages, and for sending the “global-requests-ok” option in these messages when AsyncSSH is acting as a client.
Added support for expansion of ‘~’ home directory expansion when specifying arguments which contain filenames.
Added support for time intervals and byte counts to optionally be specified as string values with units, allowing for values such as “1.5h” or “1h30m” instead of having to specify that as 5400 seconds. Similarly, a byte count of “1g” can be passed to indicate 1 gigabyte, rather than specifying 1073741824 bytes.
Enhanced logging to report lists of sent and received algorithms when no matching algorithm is found. Thanks go to Jeremy Schulman for suggesting this.
Fixed an interoperability issue with PKIXSSH when attempting to use X.509 certificates with a signature algorithm of “x509v3-rsa2048-sha256”.
Fixed an issue with some links not working in the ReadTheDocs sidebar. Thanks go to Christoph Giese for reporting this issue.
Fixed keepalive handler to avoid leaking a timer object in some cases. Thanks go to Tom van Neerijnen for reporting this issue.
|
|
Release 2.2.0
Added support for U2F/FIDO2 security keys, with the following capabilities:
ECDSA (NISTP256) and Ed25519 key algorithms
Key generation, including control over the application and user the key is associated with and whether touch is required when using the key
Certificate generation, both as a key being signed and a CA key
Resident keys, allowing security keys to be used on multiple machines without any information being stored outside of the key
Access to and management of keys loaded in an OpenSSH ssh-agent
Support for both user and host keys and certificates
Support for “no-touch-required” option in authorized_keys files
Support for “no-touch-required” option in OpenSSH certificates
Compatibility with security key support added in OpenSSH version 8.2
Added login timeout client option and limits on the length and number of banner lines AsyncSSH will accept prior to the SSH version header.
Improved load_keypairs() to read public key files, confirming that they are consistent with their associated private key when they are present.
Fixed issues in the SCP server related to handling filenames with spaces.
Fixed an issue with resuming reading after readuntil() returns an incomplete read.
Fixed a potential issue related to asyncio not reporting sockname/peername when a connection is closed immediately after it is opened.
Made SSHConnection a subclass of asyncio.Protocol to please type checkers.
|
|
Release 1.18.0:
Added support for GSSAPI ECDH and Edwards DH key exchange algorithms.
Fixed gssapi-with-mic authentication to work with GSS key exchanges, in cases where gssapi-keyex is not supported.
Made connect_ssh and connect_reverse_ssh methods into async context managers, simplifying the syntax needed to use them to create tunneled SSH connections.
Fixed a couple of issues with known hosts matching on tunneled SSH connections.
Improved flexibility of key/certificate parser automatic format detection to properly recognize PEM even when other arbitrary text is present at the beginning of the file. With this change, the parser can also now handle mixing of multiple key formats in a single file.
Added support for OpenSSL “TRUSTED” PEM certificates. For now, no enforcement is done of the additional trust restrictions, but such certificates can be loaded and used by AsyncSSH without converting them back to regular PEM format.
Fixed some additional SFTP and SCP issues related to parsing of Windows paths with drive letters and paths with multiple colons.
Made AsyncSSH tolerant of a client which sends multiple service requests for the “ssh-userauth” service. This is needed by the Paramiko client when it tries more than one form of authentication on a connection.
|
|
1.16.0:
Added support for Ed448 host/client keys and certificates and rewrote Ed25519 support to use the PyCA implementation, reducing the dependency on libnacl and libsodium to only be needed to support the chacha20-poly1305 cipher.
Added support for PKCS-8 format Ed25519 and Ed448 private and public keys (in addition to the OpenSSH format previously supported).
Added support for multiple delimiters in SSHReader’s readuntil() function, causing it to return data as soon as any of the specified delimiters are matched.
Added the ability to register custom key handlers in the line editor which can modify the input line, extending the built-in editing functionality.
Added SSHSubprocessProtocol and SSHSubprocessTransport classes to provide compatibility with asyncio.SubprocessProtocol and asyncio.SubprocessTransport. Code which is designed to call BaseEventLoop.subprocess_shell() or BaseEventLoop.subprocess_exec() can be easily adapted to work against a remote process by calling SSHClientConnection.create_subprocess().
Added support for sending keepalive messages when the SSH connection is idle, with an option to automatically disconnect the connection if the remote system doesn’t respond to these keepalives.
Changed AsyncSSH to ignore errors when loading unsupported key types from the default file locations.
Changed the reuse_port option to only be available on Python releases which support it (3.4.4 and later).
Fixed an issue where MSG_IGNORE packets could sometimes be sent between MSG_NEWKEYS and MSG_EXT_INFO, which caused some SSH implementations to fail to properly parse the MSG_EXT_INFO.
Fixed a couple of errors in the handling of disconnects occurring prior to authentication completing.
Renamed “session_encoding” and “session_errors” arguments in asyncssh.create_server() to “encoding” and “errors”, to match the names used for these arguments in other AsyncSSH APIs. The old names are still supported for now, but they are marked as deprecated and will be removed in a future release.
|
|
Release 1.13.2:
Added support for accessing client host keys via the OpenSSH ssh-keysign program when doing host-based authentication. If ssh-keysign is present and enabled on the system, an AsyncSSH based SSH client can use host-based authentication without access to the host private keys.
Added support for using pathlib path objects when reading and writing private and public keys and certificates.
Added support for auth_completed() callback in the SSHServer class which runs when authentication completes successfully on each new connection.
Fixed host-based authentication unit tests to mock out calls to getnameinfo() to avoid failures on systems with restricted network functionality.
|
|
Release 1.13.1:
Added client and server support for host-based SSH authentication. If enabled, this will allow all users from a given host to be authenticated by a shared host key, rather than each user needing their own key. This should only be used with hosts which are trusted to keep their host keys secure and provide accurate client usernames.
Added support for RSA key exchange algorithms (rsa2048-sha256 and rsa1024-sha1) available in PuTTY and some mobile SSH clients.
Added support for the SECP256K1 elliptic curve for ECDSA keys and ECDH key exchange. This curve is supported by the Bitvise SSH client and server.
Added debug logging of the algorithms listed in a received kexinit message.
|
|
Release 1.13.0:
Added support for dynamic port forwarding via SOCKS, where AsyncSSH will open a listener which understands SOCKS connect requests and for each request open a TCP/IP tunnel over SSH to the requested host and port.
Added support in SSHProcess for I/O redirection to file objects that implement read(), write(), and close() functions as coroutines, such as the “aiofiles” package. In such cases, AsyncSSH will automaically detect that it needs to make async calls to these methods when it performs I/O.
Added support for using pathlib objects in SSHProcess I/O redirection.
Added multiple improvements to pattern matching support in the SFTPClient glob(), mget(), mput(), and mcopy() methods. AsyncSSH now allows you to use ‘**’ in a pattern to do a recursive directory search, allows character ranges in square brackets in a pattern, and allows a trailing slash in a pattern to be specified to request that only directories matching the pattern should be returned.
Fixed an issue with calling readline() and readuntil() with a timeout, where partial data received before the timeout was sometimes discarded. Any partial data which was received when a timeout occurs will now be left in the input buffer, so it is still available to future read() calls.
Fixed a race condition where trying to restart a read() after a timeout could sometimes raise an exception about multiple simultaneous reads.
Changed readuntil() in SSHReader to raise IncompleteReadError if the receive window fills up before a delimiter match is found. This also applies to readline(), which will return a partial line without a newline at the end when this occurs. To support longer lines, a caller can call readuntil() or readline() as many times as they’d like, appending the data returned to the previous partial data until a delimiter is found or some maximum size is exceeded. Since the default window size is 2 MBytes, though, it’s very unlikely this will be needed in most applications.
Reworked the crypto support in AsyncSSH to separate packet encryption and decryption into its own module and simplified the directory structure of the asyncssh.crypto package, eliminating a pyca subdirectory that was created back when AsyncSSH used a mix of PyCA and PyCrypto.
|
|
Release 1.11.1:
Switched to using PBKDF2 implementation provided by PyCA, replacing a much slower pure-Python implementation used in earlier releases.
Improved support for file-like objects in process I/O redirection, properly handling objects which don’t support fileno() and allowing both text and binary file objects based on whether they have an ‘encoding’ member.
Changed PEM parser to be forgiving of trailing blank lines.
Updated documentation to note lack of support in OpenSSH for send_signal(), terminate(), and kill() channel requests.
Updated unit tests to work better with OpenSSH 7.6.
Updated Travis CI config to test with more recent Python versions.
|
|
AsyncSSH is a Python package which provides an asynchronous client and server
implementation of the SSHv2 protocol on top of the Python 3.4+ asyncio
framework.
|