./security/py-paramiko, SSH2 protocol library

Branch: CURRENT, Version: 5.0.0, Package name: py313-paramiko-5.0.0, Maintainer: pkgsrc-users

paramiko is a module for Python 2.2 (or higher) that implements the SSH2
protocol for secure (encrypted and authenticated) connections to remote
machines. Unlike SSL (aka TLS), the SSH2 protocol does not require hierarchical
certificates signed by a powerful central authority. You may know SSH2 as
the protocol that replaced telnet and rsh for secure access to remote shells,
but the protocol also includes the ability to open arbitrary channels to
remote services across the encrypted tunnel (this is how sftp works,
for example).


Required to run:
[devel/py-setuptools] [security/py-cryptography] [security/py-bcrypt] [security/py-nacl] [lang/python37]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 1512.291 KB


CVS history:


   2026-05-24 08:17:51 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-paramiko: updated to 5.0.0

5.0.0

[Feature]: Added a new, optional file_format keyword argument to
PKey.write_private_key and PKey.write_private_key_file to allow writing out
OpenSSH-style private key files in addition to the legacy PEM format.

Warning
While the default format remains PEM in Paramiko 5, future major releases are
likely to change that default to the OpenSSH format. We recommend updating any
key-writing code you have to be explicit now, to insulate yourself from such an
update.

[Bug]: Added a password kwarg to PKey.from_type_string so it can handle
encrypted keys like most other PKey constructors already could.

[Bug]: Fix Ed25519Key’s internals such that it no longer throws AttributeError
during calls to __repr__ when only partly initialized. This isn’t a normal
runtime problem (it only happens inside error handling for fatal errors like
“not a valid private key”) but was perennially complicating test failure
diagnosis and similar scenarios.

[Support]: Removed the demos/ folder; they’ve become too big a support burden
and we’ve wanted to remove them for years.

Users who enjoyed the client-side demos should look at our wrapper library, Fabric.

We suspect the most-used demo was demos/demo-server.py and may consider adding a
variant of it to the actual Python package in future.

[Support]: Renamed PKey.from_path’s passphrase argument to password so it’s
consistent with all the other methods of instantiating PKey objects.

Warning
This change is backwards incompatible if you were using this relatively new
constructor + were doing so to load encrypted keys.

[Support]: Removed support for verifying/signing with RSA keys using SHA-1
hashing. Generally, this means most cases where "ssh-rsa" was used as
an algorithm identifier (as opposed to a key material identifier) will no longer
accept that string as valid, and the relevant code that actually used eg
hashes.SHA1 no longer does.

Warning
This change is backwards incompatible if you are stuck supporting legacy systems
with Paramiko that are unable to use SHA2-based signatures with RSA keys (or
other workarounds, such as switching from RSA keys to Ed25519 ones).

[Support]: Removed support for key exchange using SHA-1, meaning the kex methods
diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and
diffie-hellman-group1-sha1 are now gone. Implementing classes have been
removed/merged/shuffled as required.

Warning
This change is backwards incompatible if you were still supporting old systems
that don’t implement sha256/sha512 DH kex (or ECDH kex).

[Support]: Removed GSSAPI support, as the current (buggy, no longer easily
testable in CI, poorly understood and not used by the core team) implementation
is SHA-1 based and no SHA-256 upgrade appeared to be forthcoming from
contributors.

We don’t like removing functionality, but this feature has been on the rocks
for years and it makes sense to remove it as an insecure support burden. We will
definitely consider merging a SHA256-based replacement in the future if a
high-quality one appears.

Side note: the GSS related constants in paramiko/common.py have been left in
place as they are essentially mapping out known protocol numbers.

Warning
This change is backwards incompatible if you require GSS.

[Support]: Raised the minimum modulus size in
diffie-hellman-group-exchange-sha256 key exchange from 1024 (the original
spec’s minimum) to 2048 (the contemporary minimum according to RFC 9142, and
matching a similar change by OpenSSH ten years ago in 7.2 / 2016).

Warning
This change may be backwards incompatible if you were targeting servers
supporting only this kex method and whose own maximum modulus size for
group-exchange was lower than 2048.

[Support]: The PKey class family tree reorganized the write_private_key and
write_private_key_file methods; with other recent changes, having individual
implementations on the child classes made no sense, so key writing is now
implemented in PKey itself and the included child classes such as ECDSAKey no
longer define their own such methods, instead simply exposing their underlying
cryptographic private key objects as .private_key.
   2025-10-09 09:58:14 by Thomas Klausner | Files touched by this commit (442)
Log message:
*: remove reference to (removed) Python 3.9
   2025-08-22 09:27:47 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
py-paramiko: updated to 4.0.0

4.0.0

[Support] Removed support for the DSA (aka DSS) key algorithm, as it has been
badly outdated and insecure for a decade or more at this point, and was recently
completely removed from OpenSSH as well.

If you were still using DSA out of sheer inertia: we strongly recommend
upgrading to Ed25519 (or maybe ECDSA).

If you were still using DSA because of target hosts you do not control: please
continue using Paramiko 3.x.

[Support]: Administrivia update:

- dropped support for Python <3.9
- migrated packaging metadata and practices to use pyproject.toml
- removed the now-vestigial ed25519 packaging ‘extra’ (support for this
  hasn’t required additional dependencies in a number of releases now, just the
  core ones)
- moved Invoke requirement to core dependencies, and removed paramiko[invoke] from
  extras
- with those two changes, paramiko[all] becomes much less useful, and has itself
  been axed
- removed the very old and wizened setup_helper.py which was only needed on
  ancient (for this century) versions of macOS.
- removed paramiko.__all__, as it was redundant (guessing it dated back to some
  very old Python versions; anyone using import * these days - shame! - should
  still be fine as we never had any ‘private’ members in __all__ and AFAICT
  that was the only reason ever to use it in the first place (as import * skips
  names like _private).
   2025-07-05 13:44:20 by Thomas Klausner | Files touched by this commit (116)
Log message:
*: some more recursive Python restrictions on Python 3.11+

Reported in SmartOS bulk build
   2025-04-14 07:17:12 by Adam Ciarcinski | Files touched by this commit (20) | Package updated
Log message:
Fix PLIST after py-setuptools update; bump depends and revision
   2025-02-18 16:06:06 by Thomas Klausner | Files touched by this commit (1)
Log message:
py-paramiko: bump PKGREVISION for bcrypt rust/non-rust support
   2025-02-18 16:05:41 by Thomas Klausner | Files touched by this commit (1)
Log message:
py-paramiko: Switch to bcrypt versioned dependency.

From Jonathan Perkin <[email protected]>
via drecklypkg commit f68e441dd3510f8f8e3e6dcfeb81f101b5239c3a
   2025-02-04 09:47:28 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
py-paramiko: updated to 3.5.1

3.5.1 2025-02-03
[Bug] 2490: Private key material is now explicitly ‘unpadded’ during
decryption, removing a reliance on some lax OpenSSL behavior & making us
compatible with future Cryptography releases. Patch courtesy of Alex Gaynor.