Asyncssh

Latest version: v2.19.0

Page 1 of 16

2.19.0
----------------------------

* Added support for WebAuthN authentication with U2F security keys,
allowing non-admin Windows users to use these keys for authentication.
Previously, authentication with U2F keys worked on Windows, but only
for admin users.

* Added support for hostname canonicalization, compatible with the
configuration parameters used in OpenSSH, as well as support for the
"canonical" and "final" match keywords and negation support for
match. Thanks go to GitHub user commonism who suggested this and
provided a proposed implementation for negation.

* Added client and server support for SFTP copy-data extension and
a new SFTP remote_copy() function which allows data to be moved
between two remote files without downloading and re-uploading the
data. Thanks go to Ali Khosravi for suggesting this addition.

* Moved project metadata from setup.py to pyproject.toml. Thanks go to
Marc Mueller for contributing this.

* Updated SSH connection to keep strong references to outstanding
tasks, to avoid potential issues with the garbage collector while
the connection is active. Thanks go to GitHub user Birnendampf for
pointing out this potential issue and suggesting a simple fix.

* Fixed some issues with block_size argument in SFTP copy functions.
Thanks go to Krzysztof Kotlenga for finding and reporting these issues.

* Fixed an import error when fido2 package wasn't available. Thanks go
to GitHub user commonism for reporting this issue.

2.18.0
----------------------------

* Added support for post-quantum ML-KEM key exchange algorithms,
interoperable with OpenSSH 9.9.

* Added support for the OpenSSH "limits" extension, allowing the
client to query server limits such as the maximum supported read
and write sizes. The client will automatically default to the reported
maximum size on servers that support this extension.

* Added more ways to specify environment variables via the `env` option.
Sequences of either 'key=value' strings or (key, value) tuples are now
supported, in addition to a dict.

* Added support for getting/setting environment variables as byte strings
on platforms which support it. Previously, only Unicode strings were
accepted and they were always encoded on the wire using UTF-8.

* Added support for non-TCP sockets (such as a socketpair) as the `sock`
parameter in connect calls. Thanks go to Christian Wendt for reporting
this problem and proposing a fix.

* Changed compression to be disabled by default to avoid it becoming a
performance bottleneck on high-bandwidth connections. This now also
matches the OpenSSH default.

* Improved speed of parallelized SFTP reads when read-ahead goes beyond
the end of the file. Thanks go to Maximilian Knespel for reporting
this issue and providing performance measurements on the code before
and after the change.

* Improved cancellation handling during SCP transfers.

* Improved support for selecting the currently available security key
when the application lists multiple keys to try. Thanks go to GitHub
user zanda8893 for reporting the issue and helping to work out the
details of the problem.

* Improved handling of reverse DNS failures in host-based authentication.
Thanks go to GitHub user xBiggs for suggesting this change.

* Improved debug logging of byte strings with non-printable characters.

* Switched to using an executor on GSSAPI calls to avoid blocking the
event loop.

* Fixed handling of "UserKnownHostsFile none" in config files. This
previously caused it to use the default known hosts, rather than
disabling known host checking.

* Fixed a runtime warning about not awaiting a coroutine in unit tests.

* Fixed a unit test failure on Windows when calling abort on a transport.

* Fixed a problem where a "MAC verification failed" error was sometimes
sent on connection close.

* Fixed SSHClientProcess code to not raise a runtime exception when
waiting more than once for a process to finish. Thanks go to GitHub
user starflows for reporting this issue.

* Handled an error when attempting to import older versions of pyOpenSSL.
Thanks go to Maximilian Knespel for reporting this issue and testing
the fix.

* Updated simple_server example code to switch from crypt to bcrypt,
since crypt has been removed in Python 3.13. Thanks go to Colin
Watson for providing this update.

2.17.0
---------------------------

* Added support for specifying a per-connection credential store for GSSAPI
authentication. Thanks go to GitHub user zarganum for suggesting this
feature and proposing a detailed design.

* Fixed a regression introduced in AsyncSSH 2.15.0 which could cause
connections to be closed with an uncaught exception when a session
on the connection was closed. Thanks go to Wilson Conley for being
the first to help reproduce this issue, and others who also helped
to confirm the fix.

* Added a workaround where getaddrinfo() on some systems may return duplicate
entries, causing bind() to fail when opening a listener. Thanks go to
Colin Watson for reporting this issue and suggesting a fix.

* Relaxed padding length check on OpenSSH private keys to provide better
compatibility with keys generated by PuTTYgen.

* Improved documentation on SSHClient and SSHServer classes to explain
when they are created and their relationship to the SSHClientConnection
and SSHServerConnection classes.

* Updated examples to use Python 3.7 and made some minor improvements.

2.16.0
----------------------------

* Added client and server support for the OpenSSH "hostkeys" extension.
When using known_hosts, clients can provide a handler which will be
called with the changes between the keys currently trusted in the
client's known hosts and those available on the server. On the server
side, an application can choose whether or not to enable the sending
of this host key information. Thanks go to Matthijs Kooijman for
getting me to take another look at how this might be supported.

* Related to the above, AsyncSSH now allows the configuration of multiple
server host keys of the same type when the send_server_host_keys option
is enabled. Only the first key of each type will be used in the SSH
handshake, but the others can appear in the list of supported host keys
for clients to begin trusting, allowing for smoother key rotation.

* Fixed logging and typing issues in SFTP high-level copy functions.
A mix of bytes, str, and PurePath entries are now supported in places
where a list of file paths is allowed, and the type signatures have
been updated to reflect that the functions accept either a single
path or a list of paths. Thanks go to GitHub user eyalgolan1337 for
reporting these issues.

* Improved typing on SFTP listdir() function. Thanks go to Tim Stumbaugh
for contributing this change.

* Reworked the config file parser to improve on a previous fix related
to handling key/value pairs with an equals delimiter.

* Improved handling of ciphers deprecated in cryptography 43.0.0.
Thanks go to Guillaume Mulocher for reporting this issue.

* Improved support for use of Windows pathnames in ProxyCommand.
Thanks go to GitHub user chipolux for reporting this issue and
investigating the existing OpenSSH parsing behavior.

2.15.0
---------------------------

* Added experimental support for tunneling of TUN/TAP network interfaces
on Linux and macOS, allowing for either automatic packet forwarding or
explicit reading and writing of packets sent through the tunnel by the
application. Both callback and stream APIs are available.

* Added support for forwarding terminal size and terminal size changes
when stdin on an SSHServerProcess is redirected to a local TTY.

* Added support for multiple tunnel/ProxyJump hosts. Thanks go to Adam
Martin for suggesting this enhancement and proposing a solution.

* Added support for OpenSSH lsetstat SFTP extension to set attributes
on symbolic links on platforms which support that and use it to
improve symlink handling in the SFTP get, put, and copy methods.
In addition, a follow_symlinks option has been added on various
SFTPClient methods which get and set these attributes. Thanks go to
GitHub user eyalgolan1337 for reporting this issue.

* Added support for password and passphrase arguments to be a callable
or awaitable, called when performing authentication or loading
encrypted private keys. Thanks go to GitHub user goblin for
suggesting this enhancement.

* Added support for proper flow control when using AsyncFileWriter or
StreamWriter classes to do SSH process redirection. Thanks go to Benjy
Wiener for reporting this issue and providing feedback on the fix.

* Added is_closed() method to SSHClientConnection/SSHServerConnection to
return whether the associated network connection is closed or not.

* Added support for setting and matching tags in OpenSSH config files.

* Added an example of using "await" in addition to "async with" when
opening a new SSHClientConnection. Thanks go to Michael Davis for
suggesting this added documentation.

* Improved handling of CancelledError in SCP, avoiding an issue where
AsyncSSH could sometimes get stuck waiting for the channel to close.
Thanks go to Max Orlov for reporting the problem and providing code
to reproduce it.

* Fixed a regression from 2.14.1 related to rekeying an SSH connection
when there's activity on the connection in the middle of rekeying.
Thanks go to GitHub user eyalgolan1337 for helping to narrow down
this problem and test the fix.

* Fixed a problem with process redirection when a close is received
without a preceding EOF. Thanks go to GitHub user xuoguoto who helped
to provide sample scripts and ran tests to help track this down.

* Fixed the processing of paths in SFTP client symlink requests. Thanks
go to André Glüpker for reporting the problem and providing test code
to demonstrate it.

* Fixed an OpenSSH config file parsing issue. Thanks go to Siddh Raman
Pant for reporting this issue.

* Worked around a bug in a user auth banner generated by the cryptlib
library. Thanks go to GitHub user mmayomoar for reporting this issue
and suggesting a fix.

2.14.2
----------------------------

* Implemented "strict kex" support and other countermeasures to
protect against the Terrapin Attack described in `CVE-2023-48795
<https://github.com/advisories/GHSA-hfmc-7525-mj55>`_. Thanks once
again go to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk for
identifying and reporting this vulnerability and providing detailed
analysis and suggestions about proposed fixes.

* Fixed config parser to properly handle an optional equals delimiter in all
config arguments. Thanks go to Fawaz Orabi for reporting this issue.

* Fixed TCP send error handling to avoid race condition when receiving
incoming disconnect message.

* Improved type signature in SSHConnection async context manager. Thanks
go to Pieter-Jan Briers for providing this.
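
As an added example (not code from AsyncSSH or from this changelog), the check below parses a peer's SSH_MSG_KEXINIT payload and reports whether it advertises the "strict kex" marker that the 2.14.2 entry refers to, along with any offered cipher modes named in the CVE-2023-48795 description. The marker names and the RFC 4253 message layout are standard; the function names and the sample message builder are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Pseudo-algorithms a peer adds to its kex list to signal strict kex support.
STRICT_MARKERS = {"kex-strict-c-v00@openssh.com", "kex-strict-s-v00@openssh.com"}
# The ten name-lists of KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload: bytes) -> dict:
    """Split an SSH_MSG_KEXINIT payload into its algorithm name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + size].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += size
    return lists

def terrapin_exposure(lists: dict) -> dict:
    """Report strict kex support and offered modes named in CVE-2023-48795."""
    macs = lists["mac_c2s"] + lists["mac_s2c"]
    etm = any(m.endswith("-etm@openssh.com") for m in macs)
    affected = {c for c in lists["enc_c2s"] + lists["enc_s2c"]
                if c == "chacha20-poly1305@openssh.com"
                or (etm and c.endswith("-cbc"))}
    # Strict kex only takes effect when both client and server advertise it.
    return {"strict_kex": bool(STRICT_MARKERS & set(lists["kex"])),
            "affected_modes": sorted(affected)}

def build_kexinit(kex, enc, mac) -> bytes:
    """Build a constructed sample KEXINIT payload for offline testing."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # all-zero cookie (sample)
    for names in (kex, ["ssh-ed25519"], enc, enc, mac, mac,
                  ["none"], ["none"], [], []):
        body += name_list(names)
    return body + b"\x00" + struct.pack(">I", 0)  # no guess packet, reserved
```

A peer that reports `strict_kex` as false while offering any `affected_modes` is a candidate for upgrade or for removing those modes from its configuration.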
