summaryrefslogtreecommitdiffhomepage
path: root/sites/www/changelog.rst
diff options
context:
space:
mode:
Diffstat (limited to 'sites/www/changelog.rst')
-rw-r--r--sites/www/changelog.rst91
1 files changed, 77 insertions, 14 deletions
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index d924d1af..31320c91 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,24 +2,14 @@
Changelog
=========
-- :support:`1292 backported` Backport changes from :issue:`979` (added in
- Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards
- compatibility. This allows these older versions to use newer Cryptography
- sign/verify APIs when available, without requiring them (as is the case with
- Paramiko 2.3+).
-
- Practically speaking, this change prevents spamming of
- ``CryptographyDeprecationWarning`` notices which pop up in the above scenario
- (older Paramiko, newer Cryptography).
-
- .. note::
- This is a no-op for Paramiko 2.3+, which have required newer Cryptography
- releases since they were released.
-
- :support:`1291 backported` Backport pytest support and application of the
``black`` code formatter (both of which previously only existed in the 2.4
branch and above) to everything 2.0 and newer. This makes back/forward
porting bugfixes significantly easier.
+- :support:`1262 backported` Add ``*.pub`` files to the MANIFEST so distributed
+ source packages contain some necessary test assets. Credit: Alexander
+ Kapshuna.
+- :release:`2.3.2 <2018-03-12>`
- :release:`2.2.3 <2018-03-12>`
- :release:`2.1.5 <2018-03-12>`
- :release:`2.0.8 <2018-03-12>`
@@ -37,6 +27,13 @@ Changelog
``async``) so that we're compatible with the upcoming Python 3.7 release
(where ``async`` is a new keyword.) Thanks to ``@vEpiphyte`` for the report.
- :support:`- backported` Include LICENSE file in wheel archives.
+- :release:`2.3.1 <2017-09-22>`
+- :bug:`1071` Certificate support broke the no-certificate case for Ed25519
+ keys (symptom is an ``AttributeError`` about ``public_blob``.) This went
+ uncaught due to cert autoload behavior (i.e. our test suite never actually
+ ran the no-cert case, because the cert existed!) Both issues have been fixed.
+ Thanks to John Hu for the report.
+- :release:`2.3.0 <2017-09-18>`
- :release:`2.2.2 <2017-09-18>`
- :release:`2.1.4 <2017-09-18>`
- :release:`2.0.7 <2017-09-18>`
@@ -46,6 +43,10 @@ Changelog
a ``gss-kex``-authed `~paramiko.transport.Transport` would cause a MIC
failure and terminate the connection. Thanks to Sebastian Deiß and Anselm
Kruis for the patch.
+- :feature:`1063` Add a ``gss_trust_dns`` option to ``Client`` and
+ ``Transport`` to allow explicitly setting whether or not DNS canonicalization
+ should occur when using GSSAPI. Thanks to Richard E. Silverman for the report
+ & Sebastian Deiß for initial patchset.
- :bug:`1061` Clean up GSSAPI authentication procedures so they do not prevent
normal fallback to other authentication methods on failure. (In other words,
presence of GSSAPI functionality on a target server precluded use of _any_
@@ -63,6 +64,68 @@ Changelog
consider a different type to be a "Missing" host key. This fixes a common
case where an ECDSA key is in known_hosts and the server also has an RSA host
key. Thanks to Pierce Lopez.
+- :support:`979` Update how we use `Cryptography <https://cryptography.io>`_'s
+ signature/verification methods so we aren't relying on a deprecated API.
+ Thanks to Paul Kehrer for the patch.
+
+ .. warning::
+ This bumps the minimum Cryptography version from 1.1 to 1.5. Such an
+ upgrade should be backwards compatible and easy to do. See `their changelog
+ <https://cryptography.io/en/latest/changelog/>`_ for additional details.
+- :support:`-` Ed25519 keys never got proper API documentation support; this
+ has been fixed.
+- :feature:`1026` Update `~paramiko.ed25519key.Ed25519Key` so its constructor
+ offers the same ``file_obj`` parameter as its sibling key classes. Credit:
+ Michal Kuffa.
+- :feature:`1013` Added pre-authentication banner support for the server
+ interface (`ServerInterface.get_banner
+ <paramiko.server.ServerInterface.get_banner>` plus related support in
+ ``Transport/AuthHandler``.) Patch courtesy of Dennis Kaarsemaker.
+- :bug:`60 major` (via :issue:`1037`) Paramiko originally defaulted to zlib
+ compression level 9 (when one connects with ``compression=True``; it defaults
+ to off.) This has been found to be quite wasteful and tends to cause much
+ longer transfers in most cases, than is necessary.
+
+ OpenSSH defaults to compression level 6, which is a much more reasonable
+ setting (nearly identical compression characteristics but noticeably,
+ sometimes significantly, faster transmission); Paramiko now uses this value
+ instead.
+
+ Thanks to Damien Dubé for the report and ``@DrNeutron`` for investigating &
+ submitting the patch.
+- :support:`-` Display exception type and message when logging auth-rejection
+ messages (ones reading ``Auth rejected: unsupported or mangled public key``);
+ previously this error case had a bare except and did not display exactly why
+ the key failed. It will now append info such as ``KeyError:
+ 'some-unknown-type-string'`` or similar.
+- :feature:`1042` (also partially :issue:`531`) Implement basic client-side
+ certificate authentication (as per the OpenSSH vendor extension.)
+
+ The core implementation is `PKey.load_certificate
+ <paramiko.pkey.PKey.load_certificate>` and its corresponding ``.public_blob``
+ attribute on key objects, which is honored in the auth and transport modules.
+ Additionally, `SSHClient.connect <paramiko.client.SSHClient.connect>` will
+ now automatically load certificate data alongside private key data when one
+ has appropriately-named cert files (e.g. ``id_rsa-cert.pub``) - see its
+ docstring for details.
+
+ Thanks to Jason Rigby for a first draft (:issue:`531`) and to Paul Kapp for
+ the second draft, upon which the current functionality has been based (with
+ modifications.)
+
+ .. note::
+ This support is client-focused; Paramiko-driven server code is capable of
+ handling cert-bearing pubkey auth packets, *but* it does not interpret any
+ cert-specific fields, so the end result is functionally identical to a
+ vanilla pubkey auth process (and thus requires e.g. prepopulated
+ authorized-keys data.) We expect full server-side cert support to follow
+ later.
+
+- :support:`1041` Modify logic around explicit disconnect
+ messages, and unknown-channel situations, so that they rely on centralized
+ shutdown code instead of running their own. This is at worst removing some
+ unnecessary code, and may help with some situations where Paramiko hangs at
+ the end of a session. Thanks to Paul Kapp for the patch.
- :support:`1012` (via :issue:`1016`) Enhance documentation around the new
`SFTP.posix_rename <paramiko.sftp_client.SFTPClient.posix_rename>` method so
it's referenced in the 'standard' ``rename`` method for increased visibility.