Asyncssh

---------------------------

* Hardened AsyncSSH state machine against potential message
injection attacks, described in more detail in `CVE-2023-46445
<https://github.com/advisories/GHSA-cfc2-wr2v-gxm5>`_ and `CVE-2023-46446
<https://github.com/advisories/GHSA-c35q-ffpf-5qpm>`_. Thanks go to
Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk for identifying
and reporting these vulnerabilities and providing detailed analysis
and suggestions about the proposed fixes.

* Added support for passing in a regex in readuntil in SSHReader,
contributed by Oded Engel.

* Added support for get_addresses() and get_port() methods on
SSHAcceptor. Thanks go to Allison Karlitskaya for suggesting
this feature.

* Fixed an issue with AsyncFileWriter potentially writing data
out of order. Thanks go to Chan Chun Wai for reporting this
issue and providing code to reproduce it.

* Updated testing to include Python 3.12.

* Updated readthedocs integration to use YAML config file.

----------------------------

* Added support for a new accept_handler argument when setting up
local port forwarding, allowing the client host and port to be
validated and/or logged for each new forwarded connection. An
accept handler can also be returned from the server_requested
function to provide this functionality when acting as a server.
Thanks go to GitHub user zgxkbtl for suggesting this feature.

* Added an option to disable expensive RSA private key checks when
using OpenSSL 3.x. Functions that read private keys have been
modified to include a new unsafe_skip_rsa_key_validation argument
which can be used to avoid these additional checks, if you are
loading keys from a trusted source.

* Added host information into AsyncSSH exceptions when host key
validation fails, and a few other improvements related to X.509
certificate validation errors. Thanks go to Peter Moore for
suggesting this and providing an example.

* Fixed a regression which prevented keys loaded into an SSH agent
with a certificate from working correctly beginning in AsyncSSH
after version 2.5.0. Thanks go to GitHub user htol for reporting
this issue and suggesting the commit which caused the problem.

* Fixed an issue which was triggering an internal exception when
shutting down server sessions with the line editor enabled which
could cause some output to be lost on exit, especially when running
on Windows. Thanks go to GitHub user jerrbe for reporting this issue.

* Fixed an issue in a unit test seen in Python 3.12 beta. Thanks go
to Georg Sauthoff for providing this fix.

* Fixed a documentation error in SSHClientConnectionOptions and
SSHServerConnectionOptions. Thanks go to GitHub user bowenerchen
for reporting this issue.

----------------------------

* Fixed an issue with host-based authentication when using proxy_command,
allowing it to be used if the caller explicitly specifies client_host.
Thanks go to GitHub user yuqingm7 for reporting this issue.

* Improved handling of signature algorithms for OpenSSH certificates
so that RSA SHA-2 signatures will work with both older and newer
versions of OpenSSH.

* Worked around an issue with some Cisco SSH implementations generating
invalid "ignore" packets. Thanks go to Jost Luebbe for reporting and
helping to debug this issue.

* Fixed unit tests to avoid errors when cryptography's version of
OpenSSL disables support for SHA-1 signatures.

* Fixed unit tests to avoid errors when the filesystem enforces that
filenames be valid UTF-8 strings. Thanks go to Robert Schütz and
Martin Weinelt for reporting this issue.

* Added documentation about which config options apply when passing
a string as a tunnel argument.

----------------------------

* Updated type definitions for mypy 1.0.0, removing a dependency on
implicit Optional types, and working around an issue that could
trigger a mypy internal error.

* Updated unit tests to avoid calculation of SHA-1 signatures, which
are no longer allowed in cryptography 39.0.0.

----------------------------

* Updated testing and coverage to drop Python 3.6 and add Python 3.11.
Thanks go to GitHub user hexchain for maintaining the GitHub workflows
supporting this!

* Added new "recv_eof" option to not pass an EOF from a channel to a
redirected target, allowing output from multiple SSH sessions to be
sent and mixed with other direct output to that target. This is meant
to be similar to the existing "send_eof" option which controls whether
EOF on a redirect source is passed through to the SSH channel. Thanks
go to Stuart Reynolds for inspiring this idea.

* Added new methods to make it easy to perform forwarding between TCP
ports and UNIX domain sockets. Thanks go to Alex Rogozhnikov for
suggesting this use case.

* Added a workaround for a problem seen on a Huawei SFTP server where
it sends an invalid combination of file attribute flags. In cases where
the flags are otherwise valid and the right amount of attribute data is
available, AsyncSSH will ignore the invalid flags and proceed.

* Fixed an issue with copying files to SFTP servers that don't support
random access I/O. The potential to trigger this failyre goes back
several releases, but a change in AsyncSSH 2.12 made out-of-order writes
much more likely. This fix returns AsyncSSH to its previous behavior
where out-of-order writes are unlikely even when taking advantage of
parallel reads. Thanks go to Patrik Lindgren and Stefan Walkner for
reporting this issue and helping to identify the source of the problem.

* Fixed an issue when requesting remote port forwarding on a dynamically
allocated port. Thanks go to Daniel Shimon for reporting this and
proposing a fix.

* Fixed an issue where readexactly could block indefinitely when a signal
is delivered in the stream before the requested number of bytes are
available. Thanks go to Artem Bezborodko for reporting this and
providing a fix.

* Fixed an interoperability issue with OpenSSH when using SSH certificates
with RSA keys with a SHA-2 signature. Thanks go to Łukasz Siudut for
reporting this.

* Fixed an issue with handling "None" in ProxyCommand, GlobalKnownHostsFile,
and UserKnownHostsFile config file options. Thanks go to GitHub user
dtrifiro for reporting this issue and suggesting a fix.

----------------------------

* Added top-level functions run_client() and run_server() which allow
you to begin running an SSH client or server on an already-connected
socket. This capability is also available via a new "sock" argument
in the existing connect(), connect_reverse(), get_server_host_key(),
and get_server_auth_methods() functions.

* Added "sock" argument to listen() and listen_reverse() functions
which takes an already-bound listening socket instead of a host
and port to bind a new socket to.

* Added support for forwarding break, signal, and terminal size updates
when redirection of stdin is set up between two SSHProcess instances.

* Added support for sntrup761x25519-sha512openssh.com post-quantum
key exchange algorithm. For this to be available, the Open Quantum
Safe (liboqs) dynamic library must be installed.

* Added "sig_alg" argument to set a signature algorithm when creating
OpenSSH certificates, allowing a choice between ssh-rsa, rsa-sha2-256,
and rsa-sha2-512 for certificates signed by RSA keys.

* Added new read_parallel() method in SFTPClientFile which allows
parallel reads to be performed from a remote file, delivering
incremental results as these reads complete. Previously, large
reads would automatically be parallelized, but a result was only
returned after all reads completed.

* Added definition of __all__ for public symbols in AsyncSSH to make
pyright autocompletion work better. Thanks go to Nicolas Riebesel
for providing this change.

* Updated SFTP and SCP glob and copy functions to use scandir() instead
of listdir() to improve efficiency.

* Updated default for "ignore_encrypted" client connection option to
ignore encrypted keys specified in an OpenSSH config file when no
passphrase is provided, similar to what was previously done for
keys with default names.

* Fixed an issue when using an SSH agent with RSA keys and an X.509
certificate while requesting SHA-2 signatures.

* Fixed an issue with use of expanduser() in unit tests on newer versions
of Python. Thanks go to Georg Sauthoff for providing an initial version
of this fix.

* Fixed an issue with fallback to a Pageant agent not working properly
on Windows when no agent_path or SSH_AUTH_SOCK was set.

* Fixed improper escaping in readuntil(), causing certain punctuation in
separator to not match properly. Thanks go to Github user MazokuMaxy
for reporting this issue.

* Fixed the connection close handler to properly mark channels as fully
closed when the peer unexpected closes the connection, allowing
exceptions to fire if an application continues to try and use
the channel. Thanks go to Taha Jahangir for reporting this issue and
suggesting a possible fix.

* Eliminated unit testing against OpenSSH for tests involving DSA and
RSA keys using SHA-1 signatures, since this support is being dropped
in some distributions of OpenSSH. These tests are still performed, but
using only AsyncSSH code. Thanks go to Ken Dreyer and Georg Sauthoff
for reporting this issue and helping me to reproduce it.