diff options
| author | Jeff Forcier <jeff@bitprophet.org> | 2017-09-05 14:31:12 -0700 |
|---|---|---|
| committer | Jeff Forcier <jeff@bitprophet.org> | 2017-09-05 14:31:12 -0700 |
| commit | 73fcc4959437014a09a831dbd6badae4aede4db8 (patch) | |
| tree | ca14c1809b3a4e699c3bfd51a87bea6ce1a2529e /sites/www | |
| parent | 5a363f62e9ec35bae36fc84002b39e8482a59f34 (diff) | |
| parent | 5fb4bb2cfc415b287f629a398de5447da18a3fb2 (diff) | |
Merge branch 'master' into 1037-int
Diffstat (limited to 'sites/www')
| -rw-r--r-- | sites/www/changelog.rst | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst index c9170dc9..5daa9243 100644 --- a/sites/www/changelog.rst +++ b/sites/www/changelog.rst @@ -5,6 +5,39 @@ Changelog * :bug:`60` Improved the performance of compressed transport by using default zlib compression level (which is 6) rather than the max level of 9 which is very CPU intensive. +* :support:`-` Display exception type and message when logging auth-rejection + messages (ones reading ``Auth rejected: unsupported or mangled public key``); + previously this error case had a bare except and did not display exactly why + the key failed. It will now append info such as ``KeyError: + 'some-unknown-type-string'`` or similar. +* :feature:`1042` (also partially :issue:`531`) Implement basic client-side + certificate authentication (as per the OpenSSH vendor extension.) + + The core implementation is `PKey.load_certificate + <paramiko.pkey.PKey.load_certificate>` and its corresponding ``.public_blob`` + attribute on key objects, which is honored in the auth and transport modules. + Additionally, `SSHClient.connect <paramiko.client.SSHClient.connect>` will + now automatically load certificate data alongside private key data when one + has appropriately-named cert files (e.g. ``id_rsa-cert.pub``) - see its + docstring for details. + + Thanks to Jason Rigby for a first draft (:issue:`531`) and to Paul Kapp for + the second draft, upon which the current functionality has been based (with + modifications.) + + .. note:: + This support is client-focused; Paramiko-driven server code is capable of + handling cert-bearing pubkey auth packets, *but* it does not interpret any + cert-specific fields, so the end result is functionally identical to a + vanilla pubkey auth process (and thus requires e.g. prepopulated + authorized-keys data.) We expect full server-side cert support to follow + later. + +* :support:`1041` Modify logic around explicit disconnect + messages, and unknown-channel situations, so that they rely on centralized + shutdown code instead of running their own. This is at worst removing some + unnecessary code, and may help with some situations where Paramiko hangs at + the end of a session. Thanks to Paul Kapp for the patch. * :support:`1012` (via :issue:`1016`) Enhance documentation around the new `SFTP.posix_rename <paramiko.sftp_client.SFTPClient.posix_rename>` method so it's referenced in the 'standard' ``rename`` method for increased visibility. |