Asyncssh

----------------------------

* Implemented "strict kex" support and other countermeasures to
protect against the Terrapin Attack described in `CVE-2023-48795
<https://github.com/advisories/GHSA-hfmc-7525-mj55>`_. Thanks once
again go to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk for
identifying and reporting this vulnerability and providing detailed
analysis and suggestions about proposed fixes.

* Fixed config parser to properly an optional equals delimiter in all
config arguments. Thanks go to Fawaz Orabi for reporting this issue.

* Fixed TCP send error handling to avoid race condition when receiving
incoming disconnect message.

* Improved type signature in SSHConnection async context manager. Thanks
go to Pieter-Jan Briers for providing this.

---------------------------

* Hardened AsyncSSH state machine against potential message
injection attacks, described in more detail in `CVE-2023-46445
<https://github.com/advisories/GHSA-cfc2-wr2v-gxm5>`_ and `CVE-2023-46446
<https://github.com/advisories/GHSA-c35q-ffpf-5qpm>`_. Thanks go to
Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk for identifying
and reporting these vulnerabilities and providing detailed analysis
and suggestions about the proposed fixes.

* Added support for passing in a regex in readuntil in SSHReader,
contributed by Oded Engel.

* Added support for get_addresses() and get_port() methods on
SSHAcceptor. Thanks go to Allison Karlitskaya for suggesting
this feature.

* Fixed an issue with AsyncFileWriter potentially writing data
out of order. Thanks go to Chan Chun Wai for reporting this
issue and providing code to reproduce it.

* Updated testing to include Python 3.12.

* Updated readthedocs integration to use YAML config file.

----------------------------

* Added support for a new accept_handler argument when setting up
local port forwarding, allowing the client host and port to be
validated and/or logged for each new forwarded connection. An
accept handler can also be returned from the server_requested
function to provide this functionality when acting as a server.
Thanks go to GitHub user zgxkbtl for suggesting this feature.

* Added an option to disable expensive RSA private key checks when
using OpenSSL 3.x. Functions that read private keys have been
modified to include a new unsafe_skip_rsa_key_validation argument
which can be used to avoid these additional checks, if you are
loading keys from a trusted source.

* Added host information into AsyncSSH exceptions when host key
validation fails, and a few other improvements related to X.509
certificate validation errors. Thanks go to Peter Moore for
suggesting this and providing an example.

* Fixed a regression which prevented keys loaded into an SSH agent
with a certificate from working correctly beginning in AsyncSSH
after version 2.5.0. Thanks go to GitHub user htol for reporting
this issue and suggesting the commit which caused the problem.

* Fixed an issue which was triggering an internal exception when
shutting down server sessions with the line editor enabled which
could cause some output to be lost on exit, especially when running
on Windows. Thanks go to GitHub user jerrbe for reporting this issue.

* Fixed an issue in a unit test seen in Python 3.12 beta. Thanks go
to Georg Sauthoff for providing this fix.

* Fixed a documentation error in SSHClientConnectionOptions and
SSHServerConnectionOptions. Thanks go to GitHub user bowenerchen
for reporting this issue.

----------------------------

* Fixed an issue with host-based authentication when using proxy_command,
allowing it to be used if the caller explicitly specifies client_host.
Thanks go to GitHub user yuqingm7 for reporting this issue.

* Improved handling of signature algorithms for OpenSSH certificates
so that RSA SHA-2 signatures will work with both older and newer
versions of OpenSSH.

* Worked around an issue with some Cisco SSH implementations generating
invalid "ignore" packets. Thanks go to Jost Luebbe for reporting and
helping to debug this issue.

* Fixed unit tests to avoid errors when cryptography's version of
OpenSSL disables support for SHA-1 signatures.

* Fixed unit tests to avoid errors when the filesystem enforces that
filenames be valid UTF-8 strings. Thanks go to Robert Schütz and
Martin Weinelt for reporting this issue.

* Added documentation about which config options apply when passing
a string as a tunnel argument.

----------------------------

* Updated type definitions for mypy 1.0.0, removing a dependency on
implicit Optional types, and working around an issue that could
trigger a mypy internal error.

* Updated unit tests to avoid calculation of SHA-1 signatures, which
are no longer allowed in cryptography 39.0.0.

----------------------------

* Updated testing and coverage to drop Python 3.6 and add Python 3.11.
Thanks go to GitHub user hexchain for maintaining the GitHub workflows
supporting this!

* Added new "recv_eof" option to not pass an EOF from a channel to a
redirected target, allowing output from multiple SSH sessions to be
sent and mixed with other direct output to that target. This is meant
to be similar to the existing "send_eof" option which controls whether
EOF on a redirect source is passed through to the SSH channel. Thanks
go to Stuart Reynolds for inspiring this idea.

* Added new methods to make it easy to perform forwarding between TCP
ports and UNIX domain sockets. Thanks go to Alex Rogozhnikov for
suggesting this use case.

* Added a workaround for a problem seen on a Huawei SFTP server where
it sends an invalid combination of file attribute flags. In cases where
the flags are otherwise valid and the right amount of attribute data is
available, AsyncSSH will ignore the invalid flags and proceed.

* Fixed an issue with copying files to SFTP servers that don't support
random access I/O. The potential to trigger this failyre goes back
several releases, but a change in AsyncSSH 2.12 made out-of-order writes
much more likely. This fix returns AsyncSSH to its previous behavior
where out-of-order writes are unlikely even when taking advantage of
parallel reads. Thanks go to Patrik Lindgren and Stefan Walkner for
reporting this issue and helping to identify the source of the problem.

* Fixed an issue when requesting remote port forwarding on a dynamically
allocated port. Thanks go to Daniel Shimon for reporting this and
proposing a fix.

* Fixed an issue where readexactly could block indefinitely when a signal
is delivered in the stream before the requested number of bytes are
available. Thanks go to Artem Bezborodko for reporting this and
providing a fix.

* Fixed an interoperability issue with OpenSSH when using SSH certificates
with RSA keys with a SHA-2 signature. Thanks go to Łukasz Siudut for
reporting this.

* Fixed an issue with handling "None" in ProxyCommand, GlobalKnownHostsFile,
and UserKnownHostsFile config file options. Thanks go to GitHub user
dtrifiro for reporting this issue and suggesting a fix.