Radssh

Features
- New module for host key handling and validation, closer to the functionality of OpenSSH. Significantly improved performance when operating with very large known_hosts files.
- Now relies on standard OpenSSH config file settings for options related to connection, host key validation, and user authentiction. Many, but not all options are supported.

Connection Options Supported

Hostname, Port, LogLevel, ConnectTimeout, Ciphers, KexAlgorithms, Macs, ProxyCommand, LocalCommand, PermitLocalCommand

Hostkey Validation Options Supported

GlobalKnownHostsFile, UserKnownHostsFile, StrictHostKeyChecking, HostKeyAlias, HostKeyAlgorithms, HashKnownHosts, CheckHostIP

User Authentication Options Supported

User, PreferredAuthentications, KbdInteractiveAuthentiction, PasswordAuthentication, PubkeyAuthentication, NumberOfPasswordPrompts, IdentityFile, IdentitiesOnly, BatchMode
- Added support for ECDSA key files for user authentication.
- Now supports for Paramiko version 2.0, and cryptography.io. Installations using Paramiko 1.X can continue to be used along with the unmaintained PyCrypto module.
- Improved support for specifying explicit port and username with URI style formatting (userhost:port).

Issues Fixed
- A missing _plugins_ directory is no longer a fatal runtime error.
- StreamBuffer closing is no longer vulnerable to **Queue.Full** exception.
- Fix thread contention issue when prompting user for passwords and accepting new host keys concurrently.
- Ordered output mode fixed under Python3. [ Fixed in 1.1.1 ]
- Improve behavior when connection is dropped by server during authentication. [ Fixed in 1.1.1 ]

Enhancements
- Reworded user prompt when encountering a restricted command.
- Command result summary explicitly lists return codes and hosts when any host returns a non-zero status.
- Formerly deprecated configuration options are now categorized as "obsolete", since attempts to use them are ignored.
- New "obsolete" configuration options, and their corresponding SSH Config option names:

| Obsolete RadSSH Option | Current SSH Option |
| --- | --- |
| hostkey.verify | StrictHostKeyChecking |
| hostkey.known_hosts | UserKnownHostsFile |
| ssh_identity | IdentityFile |
| ssh_agent | IdentitiesOnly |
- Added new config option **ssh_config** to allow overriding the default location of the user SSH Config file (~/.ssh/config).

Plugin Enhancements
- ***enable** now includes explicit count of hosts when all hosts enabled.
- ***drop** with no arguments will now drop hosts that are not connected/authenticated.
- ***add** now handles URI style (userhost:port) format; lists summary of connections added to cluster.
- Now supports shell alias definitions with escaped single quotes are supported.
- ***result** can include > and >> to save/append to local file [ Added in 1.1.1 ]
- ***history** added to alias plugin, with support for `!nnn` replay of command by history number [ Added in 1.1.1 ]
- ***tty** should no longer be prone to "Resource temporarily unavailable" exceptions. [ Fixed in 1.1.1 ]

API Changes
- hostkey module will be removed in 2.0 release in favor of the new known_hosts module.
- AuthManager will no longer support parameters **include_agent** or **include_userkeys**. Settings are now controlled by the OpenSSH configuration options.

Known Issues
- Paramiko ProxyCommand may not function correctly under Python3 (https://github.com/paramiko/paramiko/issues/673)
- ~~Ability to mix & match hostnames and IP addresses leads to many sorting issues under Python3 (21)~~ [ Fixed in 1.1.1 ]

Additional Notes
- **PyCrypto** identified as an unmaintained module. **Paramiko** 2.0 has transitioned to using **cryptography**. RadSSH usage will prefer to use **cryptography**, but will continue to work with **PyCrypto** and **Paramiko** 1.X. Installations are strongly recommended to upgrade to using **cryptography** (and **Paramiko** 2.0) from **PyCrypto**. When RadSSH is unable to load the preferred **cryptography** module and reverts to using **PyCrypto**, a warning will be issued encouraging users to install **cryptography**.
- **Paramiko** library does not include support for OpenSSH configuration _Match_ blocks, so currently these are not supported for RadSSH configuration options as well.
- Python 2.6 and Python 3.2 will continue to be supported by RadSSH 1.1.0, even though these Python versions are no longer being actively maintained. Future releases of RadSSH may not continue focus or effort on compatibility with these python versions.

Features
- New module for host key handling and validation, closer to the functionality of OpenSSH. Significantly improved performance when operating with very large known_hosts files.
- Now relies on standard OpenSSH config file settings for options related to connection, host key validation, and user authentiction. Many, but not all options are supported.

Connection Options Supported

Hostname, Port, LogLevel, ConnectTimeout, Ciphers, KexAlgorithms, Macs, ProxyCommand, LocalCommand, PermitLocalCommand

Hostkey Validation Options Supported

GlobalKnownHostsFile, UserKnownHostsFile, StrictHostKeyChecking, HostKeyAlias, HostKeyAlgorithms, HashKnownHosts, CheckHostIP

User Authentication Options Supported

User, PreferredAuthentications, KbdInteractiveAuthentiction, PasswordAuthentication, PubkeyAuthentication, NumberOfPasswordPrompts, IdentityFile, IdentitiesOnly, BatchMode
- Added support for ECDSA key files for user authentication.
- Now supports for Paramiko version 2.0, and cryptography.io. Installations using Paramiko 1.X can continue to be used along with the unmaintained PyCrypto module.

Issues Fixed
- A missing _plugins_ directory is no longer a fatal runtime error.
- StreamBuffer closing is no longer vulnerable to **Queue.Full** exception.
- Fix thread contention issue when prompting user for passwords and accepting new host keys concurrently.

Enhancements
- Reworded user prompt when encountering a restricted command.
- Command result summary explicitly lists return codes and hosts when any host returns a non-zero status.
- Formerly deprecated configuration options are now categorized as "obsolete", since attempts to use them are ignored.
- New "obsolete" configuration options, and their corresponding SSH Config option names:

| Obsolete RadSSH Option | Current SSH Option |
| --- | --- |
| hostkey.verify | StrictHostKeyChecking |
| hostkey.known_hosts | UserKnownHostsFile |
| ssh_identity | IdentityFile |
| ssh_agent | IdentitiesOnly |
- Added new config option **ssh_config** to allow overriding the default location of the user SSH Config file (~/.ssh/config).

Plugin Enhancements
- ***enable** now includes explicit count of hosts when all hosts enabled.
- ***drop** with no arguments will now drop hosts that are not connected/authenticated
- Now supports shell alias definitions with escaped single quotes are supported.

API Changes
- hostkey module will be removed in 2.0 release in favor of the new known_hosts module.
- AuthManager will no longer support parameters **include_agent** or **include_userkeys**. Settings are now controlled by the OpenSSH configuration options.

Known Issues
- Paramiko ProxyCommand may not function correctly under Python3 (https://github.com/paramiko/paramiko/issues/673)
- Ability to mix & match hostnames and IP addresses leads to many sorting issues under Python3 (21)

Additional Notes
- **PyCrypto** identified as an unmaintained module. **Paramiko** 2.0 has transitioned to using **cryptography**. RadSSH usage will prefer to use **cryptography**, but will continue to work with **PyCrypto** and **Paramiko** 1.X. Installations are strongly recommended to upgrade to using **cryptography** (and **Paramiko** 2.0) from **PyCrypto**. When RadSSH is unable to load the preferred **cryptography** module and reverts to using **PyCrypto**, a warning will be issued encouraging users to install **cryptography**.
- **Paramiko** library does not include support for OpenSSH configuration _Match_ blocks, so currently these are not supported for RadSSH configuration options as well.
- Python 2.6 and Python 3.2 will continue to be supported by RadSSH 1.1.0, even though these Python versions are no longer being actively maintained. Future releases of RadSSH may not continue focus or effort on compatibility with these python versions.

Issues Fixed
- 15 - Config option (**stalled_job_buffer**) to save off most recent lines of output (per host). Initial **Ctrl-C** interrupt will output to console the recent output from the potentially stalled nodes, which may originally have occurred hundreds or thousands of lines above the current console position.
- 16 - Misuse of catching **AttributeError** when calling plugin `lookup()` function. Now use `hasattr()` call to pre-screen, and if plugin `lookup()` call raises **AttributeError**, it gets logged as with any other exception.
- 17 & 11 - Better detection of remote host "going away". Paramiko keepalive doesn't check for responses, so request packets just wind up getting queued. Implement a keepalive system that can detect lack of responses.

Enhancements
- Better internal handling of byte data versus character data (Unicode). Initial Python3 port effort wound up breaking all handling of output that was not 7-bit clean ASCII. While there may still be gremlins lurking, this should make things a whole lot better for both Python2 and Python3. Override default of **sys.stdout.encoding** with config option **character_encoding**.
- Include per-host connection status in radssh.log file.

Plugin Enhancements
- New plugin: **alias**
Permits local shell aliases to be used within remote clusters. Alias definitions may be sourced from `~/.bash_profile`, `~/.bashrc` or `~/.profile` (sh), on a first-found basis. Also permits **!!** and **!$** to be interpreted.
- New plugin: **tar**
Allows quick collection of logfile or config file directories, using ***tar** (or ***tgz** / ***tbz**) to invoke tar (and compress) on remote nodes with subsequent command line args as the files or directories to gather.
- ***tty** Would report that it was skipping hosts, without actually skipping them.

Release Version 1.0.5 - Fixes and Enhancements

Issues Fixed:
- 12 Confusing Status when starting RadSSH
- 13 Deferred Key Loading breaks when using SSHAgent Keys
- 9 Connections to flaky servers can cause infinite STALLED loop
- 14 ***run** command breaks on servers mounting /tmp with **noexec** option

Enhancements:
- Initial adoption of Python logging module for logging and error reporting. This release drops support for **verbose** and **paramiko_log_level** settings in favor of a unified **loglevel** setting, which can be set to any of the symbolic names defined in the Python logging module (**CRITICAL**, **ERROR**, **WARNING**, **INFO**, **DEBUG**)
- **logdir** setting can now be set to a blank value. This will cause all logging messages to be sent to the console on the stderr stream, as well as disable the command output saving to individual log files.
- Messages about the success or failure of loading plugins is now exclusively handled by logging, and not print statements.
- Better handling of SSH keys for authentication. Better support for recognizing keys that can not be used, and better handling of deferred key loading and passphrase prompting (up to 3 attempts permitted).
- PKCS entries in auth_file are now base64 decoded at load time, rather than at decryption time. Possibly malformed entries are detected earlier.

Plugin Enhancements:
- User configuration settings can be supported by plugin code. Plugin modules with a **settings** dictionary coded for default values will be updated by radish.shell when the plugin is loaded from the RadSSH defaults dictionary, for user settings with names starting with "plugin.<module_name>.".
- ***sftp** plugin module now has user configurable settings for **temp_dir** and **script_exec**, to control where and how script files are placed and run by the ***run** command.

1.0.1 - Minor bug fixes and enhancements.

Issues Addressed:
- 3 - Host lookups with non-standard ports now use same format as OpenSSH.
- 4 - Allow plugin ***commands** to customize the TAB completion. Change ***run** and ***sftp** to resolve first argument from **local** filesystem path instead of remote filesystem.
- 5 - Better handling of auth-none and auth-keyboard-interactive options from remote hosts
- 7 - Include stderr output when considering ***grep**, ***match**, and ***nomatch**.
- 8 - Improve features for genders plugin, but also remove it from core distribution since it has additional dependencies that should be optional. Still included with source distribution.