-rw-r--r-- | paramiko/transport.py | 5 | ||||
-rw-r--r-- | sites/www/changelog.rst | 5 |
2 files changed, 9 insertions, 1 deletions
diff --git a/paramiko/transport.py b/paramiko/transport.py
index 9f00f198..1fddb7e4 100644
--- a/paramiko/transport.py
+++ b/paramiko/transport.py
@@ -125,10 +125,13 @@ class Transport(threading.Thread, ClosingContextManager):
 'hmac-sha1',
 )
 _preferred_keys = (
+ 'ecdsa-sha2-nistp256',
+ 'ecdsa-sha2-nistp384',
+ 'ecdsa-sha2-nistp521',
 'ssh-ed25519',
 'ssh-rsa',
 'ssh-dss',
- ) + tuple(ECDSAKey.supported_key_format_identifiers())
+ )
 _preferred_kex = (
 'diffie-hellman-group1-sha1',
 'diffie-hellman-group14-sha1',
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 70126c27..fb99e49b 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,11 @@
 Changelog
 =========
 
+* :bug:`900` (via :issue:`911`) Prefer newer ``ecdsa-sha2-nistp`` keys over RSA
+ and DSA keys during host key selection. This improves compatibility with
+ OpenSSH, both in terms of general behavior, and also re: ability to properly
+ leverage OpenSSH-modified ``known_hosts`` files. Credit: ``@kasdoe`` for
+ original report/PR and Pierce Lopez for the second draft.
 * :bug:`794` (via :issue:`981`) Prior support for ``ecdsa-sha2-nistp(384|521)``
 algorithms didn't fully extend to covering host keys, preventing connection
 to hosts which only offer these key types and no others. This is now fixed. |
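Review bot: The three `ecdsa-sha2-nistp*` names added at the head of `_preferred_keys` are hard-coded, so the tuple no longer follows `ECDSAKey.supported_key_format_identifiers()`, and the new ordering carries a trust consequence that the code does not state. A server holding both RSA and ECDSA host keys will presumably now present its ECDSA key, which a client that pinned only the RSA key has never verified; whether anything reorders this list from `known_hosts` before negotiation is not visible in this hunk. I would add a comment above the tuple such as `# Host-key negotiation order, most preferred first; keep in sync with ECDSAKey.supported_key_format_identifiers()`, so the next edit to either place is made deliberately. The `Transport` class body starts and ends outside the hunk.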