pkgsrc-Changes archive


CVS commit: pkgsrc/security/py-paramiko



Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Jul 18 15:54:43 UTC 2023

Modified Files:
        pkgsrc/security/py-paramiko: Makefile PLIST distinfo

Log Message:
py-paramiko: updated to 3.2.0

3.2.0 2023-05-25
[Feature]: PKey grew a new .fingerprint property which emits a fingerprint string matching the SHA256+Base64 values printed by various OpenSSH tooling (eg ssh-add -l, ssh -v). This is intended to help troubleshoot Paramiko-vs-OpenSSH behavior and will eventually replace the venerable get_fingerprint method.

[Feature]: PKey grew a new .algorithm_name property which displays the key algorithm; this is typically derived from the value of get_name. For example, ED25519 keys have a get_name of ssh-ed25519 (the SSH protocol key type field value), and now have an algorithm_name of ED25519.

[Feature]: PKey now offers convenience “meta-constructors”, static methods that simplify the process of instantiating the correct subclass for a given key input.

For example, PKey.from_path can load a file path without knowing a priori what type of key it is (thanks to some handy methods within our cryptography dependency). Going forwards, we expect this to be the primary method of loading keys by user code that runs on “human time” (i.e. where some minor efficiencies are worth the convenience).

In addition, PKey.from_type_string now exists, and is being used in some internals to load ssh-agent keys.

As part of these changes, PKey and friends grew an identifiers classmethod; this is inspired by the supported_key_format_identifiers classmethod (which now refers to the new method). This also includes adding a .name attribute to most key classes (which will eventually replace .get_name()).

[Feature]: Enhanced AgentKey with new attributes, such as:

- Added a comment attribute (and constructor argument); Agent.get_keys() now uses this kwarg to store any comment field sent over by the agent. The original version of the agent feature inexplicably did not store the comment anywhere.
- Agent-derived keys now attempt to instantiate a copy of the appropriate key class for access to other algorithm-specific members (eg key size). This is available as the .inner_key attribute.

Note: This functionality is now in use in Fabric’s new --list-agent-keys feature, as well as in Paramiko’s debug logging.

[Feature]: Users of SSHClient can now configure the authentication logic Paramiko uses when connecting to servers; this functionality is intended for advanced users and higher-level libraries such as Fabric. See auth_strategy for details.

Fabric’s co-temporal release includes a proof-of-concept use of this feature, implementing an auth flow much closer to that of the OpenSSH client (versus Paramiko’s legacy behavior). It is strongly recommended that if this interests you, investigate replacing any direct use of SSHClient with Fabric’s Connection.

Warning: This feature is EXPERIMENTAL; please see its docs for details.

[Feature]: Implement _fields() on AgentKey so that it may be compared (via ==) with other PKey instances.

[Bug]: AgentKey had a dangling Python 3 incompatible __str__ method returning bytes. This method has been removed, allowing the superclass’ (PKey) method to run instead.

[Bug]: Since its inception, Paramiko has (for reasons lost to time) implemented authentication as a side effect of handling affirmative replies to MSG_SERVICE_REQUEST protocol messages. What this means is Paramiko makes one such request before every MSG_USERAUTH_REQUEST, i.e. every auth attempt.

OpenSSH doesn’t care if clients send multiple service requests, but other server implementations are often stricter in what they accept after an initial service request (due to the RFCs not being clear). This can result in odd behavior when a user doesn’t authenticate successfully on the very first try (for example, when the right key for a target host is the third in one’s ssh-agent).

This version of Paramiko now contains an opt-in Transport subclass, ServiceRequestingTransport, which more-correctly implements service request handling in the Transport, and uses an auth-handler subclass internally which has been similarly adapted. Users wanting to try this new experimental code path may hand this class to SSHClient.connect as its transport_factory kwarg.

Warning: This feature is EXPERIMENTAL and its code may be subject to change.

In addition:
- minor backwards incompatible changes exist in the new code paths, most notably the removal of the (inconsistently applied and rarely used) event arguments to the auth_xxx methods.
- GSSAPI support has only been partially implemented, and is untested.

Note: Some minor backwards-compatible changes were made to the existing Transport and AuthHandler classes to facilitate the new code. For example, Transport._handler_table and AuthHandler._client_handler_table are now properties instead of raw attributes.

[Bug]: The server-sig-algs and RSA-SHA2 features added around Paramiko 2.9 or so, had the annoying side effect of not working with servers that don’t support either of those feature sets, requiring use of disabled_algorithms to forcibly disable the SHA2 algorithms on Paramiko’s end.

The experimental ServiceRequestingTransport (noted in its own entry in this changelog) includes a fix for this issue, specifically by falling back to the same algorithm as the in-use pubkey if it’s in the algorithm list (leaving the “first algorithm in said list” as an absolute final fallback).

[Bug]: Fixed a very sneaky bug found at the apparently rarely-traveled intersection of RSA-SHA2 keys, certificates, SSH agents, and stricter-than-OpenSSH server targets. This manifested as yet another “well, if we turn off SHA2 at one end or another, everything works again” problem, for example with version 12 of the Teleport server endpoint.

This has been fixed; Paramiko tweaked multiple aspects of how it requests agent signatures, and the agent appears to do the right thing now.
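
The fingerprint format named in the first [Feature] entry, as an added example that is not part of the commit message or of Paramiko's code: "SHA256:" followed by the unpadded Base64 of the SHA-256 digest of the public key blob, shown beside the legacy colon-separated MD5 form. It uses only the Python standard library; the sample key is constructed and every function name is hypothetical.

```python
import base64
import hashlib


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def read_key_type(blob: bytes) -> str:
    """Return the key type field that opens an SSH public key blob."""
    length = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or not 0 < length <= len(blob) - 4:
        raise ValueError("malformed key type field")
    return blob[4:4 + length].decode("ascii")


def parse_public_key_line(line: str) -> tuple[str, bytes, str]:
    """Split an authorized_keys-style line into (type, blob, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    # The type written outside the Base64 is only a label; the blob decides.
    if read_key_type(blob) != fields[0]:
        raise ValueError("declared key type does not match blob")
    return fields[0], blob, fields[2] if len(fields) == 3 else ""


def sha256_fingerprint(blob: bytes) -> str:
    """'SHA256:' + Base64 of SHA-256(blob) with the '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy form: MD5(blob) as colon-separated hex pairs."""
    hexed = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return ":".join(hexed[i:i + 2] for i in range(0, 32, 2))


# Constructed sample: an ssh-ed25519 blob around a dummy 32-byte value, not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " demo@constructed"

if __name__ == "__main__":
    key_type, blob, comment = parse_public_key_line(SAMPLE_LINE)
    print(key_type, comment, sha256_fingerprint(blob), md5_fingerprint(blob))
```
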


To generate a diff of this commit:
cvs rdiff -u -r1.48 -r1.49 pkgsrc/security/py-paramiko/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/security/py-paramiko/PLIST
cvs rdiff -u -r1.31 -r1.32 pkgsrc/security/py-paramiko/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/py-paramiko/Makefile
diff -u pkgsrc/security/py-paramiko/Makefile:1.48 pkgsrc/security/py-paramiko/Makefile:1.49
--- pkgsrc/security/py-paramiko/Makefile:1.48   Mon Nov 14 09:28:16 2022
+++ pkgsrc/security/py-paramiko/Makefile        Tue Jul 18 15:54:43 2023
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.48 2022/11/14 09:28:16 adam Exp $
+# $NetBSD: Makefile,v 1.49 2023/07/18 15:54:43 adam Exp $
 
-DISTNAME=      paramiko-2.12.0
+DISTNAME=      paramiko-3.2.0
 PKGNAME=       ${PYPKGPREFIX}-${DISTNAME}
 CATEGORIES=    security python
 MASTER_SITES=  ${MASTER_SITE_PYPI:=p/paramiko/}
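Review bot: the DISTNAME line jumps a major version, from paramiko-2.12.0 to paramiko-3.2.0, but the log message reproduces only the 3.2.0 changelog entry. The changes in the releases skipped between those two are not recorded, so a reader judging the effect on dependent packages has nothing to go on. Suggest summarising the incompatible changes from the skipped releases in the log, or pointing at the upstream changelog.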
@@ -10,15 +10,18 @@ HOMEPAGE=   https://www.paramiko.org/
 COMMENT=       SSH2 protocol library
 LICENSE=       gnu-lgpl-v2.1
 
-DEPENDS+=      ${PYPKGPREFIX}-bcrypt>=3.1.3:../../security/py-bcrypt
-DEPENDS+=      ${PYPKGPREFIX}-nacl>=1.0.1:../../security/py-nacl
-DEPENDS+=      ${PYPKGPREFIX}-six-[0-9]*:../../lang/py-six
+DEPENDS+=      ${PYPKGPREFIX}-bcrypt>=3.2:../../security/py-bcrypt
+DEPENDS+=      ${PYPKGPREFIX}-nacl>=1.5:../../security/py-nacl
+TEST_DEPENDS+= ${PYPKGPREFIX}-icecream-[0-9]*:../../misc/py-icecream
+TEST_DEPENDS+= ${PYPKGPREFIX}-invoke>=2.0:../../sysutils/py-invoke
 TEST_DEPENDS+= ${PYPKGPREFIX}-mock>=2.0.0:../../devel/py-mock
 TEST_DEPENDS+= ${PYPKGPREFIX}-test>=4.4.2:../../devel/py-test
 TEST_DEPENDS+= ${PYPKGPREFIX}-test-relaxed>=1.1.5:../../devel/py-test-relaxed
 TEST_DEPENDS+= ${PYPKGPREFIX}-test-xdist>=1.28.0:../../devel/py-test-xdist
 
-PYTHON_VERSIONS_INCOMPATIBLE=  27 # py-bcrypt
+USE_LANGUAGES= # none
+
+PYTHON_VERSIONS_INCOMPATIBLE=  27
 
 do-test:
        cd ${WRKSRC} && ${SETENV} ${TEST_ENV} pytest-${PYVERSSUFFIX} tests
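Review bot: the DEPENDS changes in this hunk (py-bcrypt floor raised to 3.2, py-nacl floor raised to 1.5, py-six dropped) are not mentioned in the log message, and the PYTHON_VERSIONS_INCOMPATIBLE line loses its "# py-bcrypt" comment without a replacement reason. Suggest stating in the log where the new version floors come from, and keeping a short comment on why 27 is still excluded so the restriction is not removed by mistake later.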

Index: pkgsrc/security/py-paramiko/PLIST
diff -u pkgsrc/security/py-paramiko/PLIST:1.18 pkgsrc/security/py-paramiko/PLIST:1.19
--- pkgsrc/security/py-paramiko/PLIST:1.18      Thu May  5 17:59:35 2022
+++ pkgsrc/security/py-paramiko/PLIST   Tue Jul 18 15:54:43 2023
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.18 2022/05/05 17:59:35 adam Exp $
+@comment $NetBSD: PLIST,v 1.19 2023/07/18 15:54:43 adam Exp $
 ${PYSITELIB}/${EGG_INFODIR}/PKG-INFO
 ${PYSITELIB}/${EGG_INFODIR}/SOURCES.txt
 ${PYSITELIB}/${EGG_INFODIR}/dependency_links.txt
@@ -19,6 +19,9 @@ ${PYSITELIB}/paramiko/agent.pyo
 ${PYSITELIB}/paramiko/auth_handler.py
 ${PYSITELIB}/paramiko/auth_handler.pyc
 ${PYSITELIB}/paramiko/auth_handler.pyo
+${PYSITELIB}/paramiko/auth_strategy.py
+${PYSITELIB}/paramiko/auth_strategy.pyc
+${PYSITELIB}/paramiko/auth_strategy.pyo
 ${PYSITELIB}/paramiko/ber.py
 ${PYSITELIB}/paramiko/ber.pyc
 ${PYSITELIB}/paramiko/ber.pyo
@@ -94,9 +97,6 @@ ${PYSITELIB}/paramiko/primes.pyo
 ${PYSITELIB}/paramiko/proxy.py
 ${PYSITELIB}/paramiko/proxy.pyc
 ${PYSITELIB}/paramiko/proxy.pyo
-${PYSITELIB}/paramiko/py3compat.py
-${PYSITELIB}/paramiko/py3compat.pyc
-${PYSITELIB}/paramiko/py3compat.pyo
 ${PYSITELIB}/paramiko/rsakey.py
 ${PYSITELIB}/paramiko/rsakey.pyc
 ${PYSITELIB}/paramiko/rsakey.pyo
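Review bot: the removal of paramiko/py3compat.py (with its .pyc and .pyo) is not mentioned anywhere in the log message. Any package that imports paramiko.py3compat will fail at import time after this update, so it is worth checking the packages that depend on py-paramiko and noting the removal in the log.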

Index: pkgsrc/security/py-paramiko/distinfo
diff -u pkgsrc/security/py-paramiko/distinfo:1.31 pkgsrc/security/py-paramiko/distinfo:1.32
--- pkgsrc/security/py-paramiko/distinfo:1.31   Mon Nov 14 09:28:16 2022
+++ pkgsrc/security/py-paramiko/distinfo        Tue Jul 18 15:54:43 2023
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.31 2022/11/14 09:28:16 adam Exp $
+$NetBSD: distinfo,v 1.32 2023/07/18 15:54:43 adam Exp $
 
-BLAKE2s (paramiko-2.12.0.tar.gz) = 9043d48ee89caf26b93491154419a98156687e9e72edd38938ea0dcafcc38a51
-SHA512 (paramiko-2.12.0.tar.gz) = 2d51d4fb7a4011cbbe67f78ca5a8cb2e316562dff314c07827af7d701c64fd6a42edb8d358d701aa95f3ae1326277a23e264fcf6bdbc4c9491f81320143f3671
-Size (paramiko-2.12.0.tar.gz) = 1076369 bytes
+BLAKE2s (paramiko-3.2.0.tar.gz) = ec76b2040e44b63cd14735fd9826690e1c43c2359fd44d09b7810130375f7616
+SHA512 (paramiko-3.2.0.tar.gz) = c1ec9607415d143c9cb29e44938514abb1434be814d53ac60948b0b52f426a760f549ba533961e050655df184278f526f5b7762def2b68f1ee2f575fdea15366
+Size (paramiko-3.2.0.tar.gz) = 1258331 bytes
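Review bot: the new BLAKE2s and SHA512 lines for paramiko-3.2.0.tar.gz are the only integrity record for the tarball, and the commit does not say how the download was checked before the digests were generated. Suggest comparing the fetched file against a digest published by upstream before regenerating distinfo, and saying so in the log.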


