Merge branch '2.0'

4 files changed, 31 insertions, 16 deletions

diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py
index d435603d..e4f74310 100644
--- a/paramiko/ecdsakey.py
+++ b/paramiko/ecdsakey.py
@@ -258,7 +258,7 @@ class ECDSAKey(PKey):
             key = serialization.load_der_private_key(
                 data, password=None, backend=default_backend()
             )
-        except ValueError as e:
+        except (ValueError, AssertionError) as e:
             raise SSHException(str(e))
 
         self.signing_key = key
diff --git a/paramiko/proxy.py b/paramiko/proxy.py
index d3ae436f..059ba83e 100644
--- a/paramiko/proxy.py
+++ b/paramiko/proxy.py
@@ -21,7 +21,6 @@ from datetime import datetime
 import os
 from shlex import split as shlsplit
 import signal
-from subprocess import Popen, PIPE
 from select import select
 import socket
 import time
@@ -49,6 +48,9 @@ class ProxyCommand(ClosingContextManager):
         :param str command_line:
             the command that should be executed and used as the proxy.
         """
+        # NOTE: subprocess import done lazily so platforms without it (e.g.
+        # GAE) can still import us during overall Paramiko load.
+        from subprocess import Popen, PIPE
         self.cmd = shlsplit(command_line)
         self.process = Popen(self.cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE,
                              bufsize=0)
diff --git a/paramiko/transport.py b/paramiko/transport.py
index b52d3158..71d5109e 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -229,6 +229,7 @@ class Transport (threading.Thread, ClosingContextManager):
     }
 
     _modulus_pack = None
+    _active_check_timeout = 0.1
 
     def __init__(self,
                  sock,
@@ -316,7 +317,7 @@ class Transport (threading.Thread, ClosingContextManager):
             # we set the timeout so we can check self.active periodically to
             # see if we should bail.  socket.timeout exception is never
             # propagated.
-            self.sock.settimeout(0.1)
+            self.sock.settimeout(self._active_check_timeout)
         except AttributeError:
             pass
 
@@ -1428,20 +1429,18 @@ class Transport (threading.Thread, ClosingContextManager):
 
     def auth_gssapi_keyex(self, username):
         """
-        Authenticate to the Server with GSS-API / SSPI if GSS-API Key Exchange
-        was the used key exchange method.
+        Authenticate to the server with GSS-API/SSPI if GSS-API kex is in use.
 
-        :param str username: The username to authenticate as
-        :param str gss_host: The target host
-        :param bool gss_deleg_creds: Delegate credentials or not
-        :return: list of auth types permissible for the next stage of
-                 authentication (normally empty)
-        :rtype: list
-        :raise BadAuthenticationType: if GSS-API Key Exchange was not performed
-                                      (and no event was passed in)
-        :raise AuthenticationException: if the authentication failed (and no
-            event was passed in)
-        :raise SSHException: if there was a network error
+        :param str username: The username to authenticate as.
+        :returns:
+            a `list` of auth types permissible for the next stage of
+            authentication (normally empty)
+        :raises BadAuthenticationType:
+            if GSS-API Key Exchange was not performed (and no event was passed
+            in)
+        :raises AuthenticationException:
+            if the authentication failed (and no event was passed in)
+        :raises SSHException: if there was a network error
         """
         if (not self.active) or (not self.initial_kex_done):
             # we should never try to authenticate unless we're on a secure link
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 49ddd848..f739c9fa 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,20 @@
 Changelog
 =========
 
+* :bug:`742` (also re: :issue:`559`) Catch ``AssertionError`` thrown by
+  Cryptography when attempting to load bad ECDSA keys, turning it into an
+  ``SSHException``. This moves the behavior in line with other "bad keys"
+  situations, re: Paramiko's main auth loop. Thanks to MengHuan Yu for the
+  patch.
+* :bug:`334` Make the ``subprocess`` import in ``proxy.py`` lazy so users on
+  platforms without it (such as Google App Engine) can import Paramiko
+  successfully. (Relatedly, make it easier to tweak an active socket check
+  timeout  [in `Transport <paramko.transport.Transport>`] which was previously
+  hardcoded.) Credit: Shinya Okano.
+* :support:`854 backported` Fix incorrect docstring/param-list for
+  `Transport.auth_gssapi_keyex
+  <paramiko.transport.Transport.auth_gssapi_keyex>` so it matches the real
+  signature. Caught by ``@Score_Under``.
 * :bug:`681` Fix a Python3-specific bug re: the handling of read buffers when
   using ``ProxyCommand``. Thanks to Paul Kapp for catch & patch.
 * :feature:`398` Add an ``environment`` dict argument to `Client.exec_command