Asyncssh

Latest version: v2.19.0


Page 5 of 16

2.4.1

Not secure
--------------------------

* Fixed SCP server to send back an exit status when closing the SSH
channel, since the OpenSSH scp client returns this status to the
shell which executed it. Thanks go to girtsf for catching this.

* Fixed listeners created by forward_local_port(), forward_local_path(),
and forward_socks() to automatically close when the SSH connection
closes, unblocking any wait_closed() calls which are in progress.
Thanks go to rmawatson for catching this.

* Fixed a potential exception that could trigger when the SSH
connection is closed while authentication is in progress.

* Fixed tunnel connect code to properly clean up an implicitly created
tunnel when a failure occurs in trying to open a connection over
that tunnel.

2.4.0

Not secure
---------------------------

* Added support for accessing keys through a PKCS11 provider, allowing
keys on PIV security tokens to be used directly by AsyncSSH without
the need to run an SSH agent. X.509 certificates can also be retrieved
from the security token and used with SSH servers which support that.

* Added support for using Ed25519 and Ed448 keys in X.509 certificates,
and the corresponding SSH certificate and signature algorithms.
Certificates can use these keys as either subject keys or signing keys,
and certificates can be generated by either AsyncSSH or by OpenSSL
version 1.1.1 or later.

* Added support for feed_data() and feed_eof() methods in SSHReader,
mirroring methods of the same name in asyncio's StreamReader to
improve interoperability between the two APIs. Thanks go to Mikhail
Terekhov for suggesting this and providing an example implementation.

* Updated unit tests to test interoperability with OpenSSL 1.1.1 when
reading and writing Ed25519 and Ed448 public and private key files.
Previously, due to lack of support in OpenSSL, AsyncSSH could only
test against OpenSSH, and only in OpenSSH key formats. With OpenSSL
1.1.1, testing is now also done using PKCS8 format.

* Fixed config file parser to properly ignore all comment lines, even
if the lines contain unbalanced quotes.

* Removed a note about the lack of a timeout parameter in the AsyncSSH
connect() method, now that it supports a login_timeout argument.
Thanks go to Tomasz Drożdż for catching this.

2.3.0

Not secure
---------------------------

* Added initial support for reading configuration from OpenSSH-compatible
config files, when present. Both client and server configuration files
are supported, but not all config options are supported. See the
AsyncSSH documentation for the latest list of what client and server
options are supported, as well as what match conditions and percent
substitutions are understood.

* Added support for the concept of only a subset of supported algorithms
being enabled by default, and for the ability to use wildcards when
specifying algorithm names. Also, OpenSSH's syntax of prefixing the
list with '^', '+', or '-' is supported for incrementally adjusting
the list of algorithms starting from the default set.

* Added support for specifying a preferred list of client authentication
methods, in order of preference. Previously, the order of preference
was hard-coded into AsyncSSH.

* Added the ability to use AsyncSSH's "password" argument on servers
which are using keyboard-interactive authentication to prompt for a
"passcode". Previously, this was only supported when the prompt was
for a "password".

* Added support for providing separate lists of private keys and
certificates, rather than requiring them to be specified together as
a tuple. When this new option is used, AsyncSSH will automatically
associate the private keys with their corresponding certificates if
matching certificates are present in the list.

* Added support for the "known_hosts" argument to accept a list of known
host files, rather than just a single file. Known hosts can also be
specified using the GlobalKnownHostsFile and UserKnownHostsFile config
file options, each of which can take multiple filenames.

* Added new "request_tty" option to provide finer-grained control over
whether AsyncSSH will request a TTY when opening new sessions. The
default is to still tie this to whether a "term_type" is specified,
but now that can be overridden. Supported options of "yes", "no",
"force", and "auto" match the values supported by OpenSSH.

* Added new "rdns_lookup" option to control whether the server does a
reverse DNS lookup of client addresses to allow matching of clients based
on hostname in authorized keys and config files. When this option
is disabled (the default), matches can only be based on client IP.

* Added new "send_env" argument when opening a session to forward local
environment variables using their existing values, augmenting the
"env" argument that lets you specify remote environment variables to
set and their corresponding values.

* Added new "tcp_keepalive" option to control whether TCP-level
keepalives are enabled or not on SSH connections. Previously, TCP
keepalives were enabled unconditionally and this is still the default,
but the new option provides a way to disable them.

* Added support for sending and parsing client EXT_INFO messages, and
for sending the "global-requests-ok" option in these messages when
AsyncSSH is acting as a client.

* Added support for '~' home directory expansion when specifying
arguments which contain filenames.

* Added support for time intervals and byte counts to optionally be
specified as string values with units, allowing for values such as
"1.5h" or "1h30m" instead of having to specify that as 5400 seconds.
Similarly, a byte count of "1g" can be passed to indicate 1 gigabyte,
rather than specifying 1073741824 bytes.

* Enhanced logging to report lists of sent and received algorithms when
no matching algorithm is found. Thanks go to Jeremy Schulman for
suggesting this.

* Fixed an interoperability issue with PKIXSSH when attempting to use
X.509 certificates with a signature algorithm of "x509v3-rsa2048-sha256".

* Fixed an issue with some links not working in the ReadTheDocs sidebar.
Thanks go to Christoph Giese for reporting this issue.

* Fixed keepalive handler to avoid leaking a timer object in some cases.
Thanks go to Tom van Neerijnen for reporting this issue.
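
The '^', '+' and '-' prefixes and wildcards from the 2.3.0 entry on algorithm lists, worked through as a stand-alone function. This is an added example that follows the behaviour documented in OpenSSH's ssh_config(5), not AsyncSSH's own code; `adjust_algs` and the sample lists are constructed for illustration and are not AsyncSSH's real defaults.

```python
from fnmatch import fnmatchcase

# Constructed sample lists (real key exchange names, illustrative ordering).
SUPPORTED = ['curve25519-sha256', 'ecdh-sha2-nistp256',
             'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1',
             'diffie-hellman-group1-sha1']
DEFAULT = SUPPORTED[:4]   # group1-sha1 is supported but not enabled by default


def adjust_algs(spec, default, supported):
    """Apply an OpenSSH-style algorithm spec to a default list.

    spec      -- comma-separated names or wildcard patterns, optionally
                 prefixed with '^' (prepend), '+' (append) or '-' (remove)
    default   -- algorithms enabled by default, in preference order
    supported -- every algorithm available, enabled by default or not
    Negated ('!') patterns are not handled in this sketch.
    """
    mode = spec[0] if spec[:1] in ('^', '+', '-') else ''
    patterns = [p for p in spec[len(mode):].split(',') if p]

    if mode == '-':
        # Removal only ever shrinks the default set.
        return [a for a in default
                if not any(fnmatchcase(a, p) for p in patterns)]

    matched = []
    for p in patterns:
        hits = [a for a in supported if fnmatchcase(a, p)]
        if not hits:
            # Assumption of this example: an unmatched name is an error,
            # so a typo cannot silently leave the list unchanged.
            raise ValueError(f'no supported algorithm matches {p!r}')
        matched += [a for a in hits if a not in matched]

    if mode == '+':   # keep default order, add the extras at the end
        return default + [a for a in matched if a not in default]
    if mode == '^':   # move or add the matches to the head of the list
        return matched + [a for a in default if a not in matched]
    return matched    # no prefix: the spec replaces the default set


if __name__ == '__main__':
    for spec in ('-*-sha1', '+*-sha1', '^diffie-hellman-group14-sha256',
                 'curve25519-*'):
        print(f'{spec:34} -> {adjust_algs(spec, DEFAULT, SUPPORTED)}')
```

Note that a bare list replaces the defaults outright, while `-*-sha1` drops SHA-1 key exchange and leaves the rest of the default order untouched.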

2.2.1

Not secure
---------------------------

* Added optional timeout parameter to SSHClientProcess.wait() and
SSHClientConnection.run() methods.

* Created subclasses for SFTPError exceptions, allowing applications
to more easily have distinct exception handling for different errors.

* Fixed an issue in SFTP parallel I/O related to handling low-level
connection failures. Thanks go to Mikhail Terekhov for reporting
this issue.

* Fixed an issue with SFTP file copy where a local file could sometimes
be left open if an attempt to close a remote file failed.

* Fixed an issue in the handling of boolean return values when
SSHServer.server_requested() returns a coroutine. Thanks go to
Tom van Neerijnen for contributing this fix.

* Fixed an issue with passing tuples to the SFTP copy functions. Thanks
go to Marc Gagné for reporting this and doing the initial analysis.

2.2.0

Not secure
---------------------------

* Added support for U2F/FIDO2 security keys, with the following capabilities:

  * ECDSA (NISTP256) and Ed25519 key algorithms
  * Key generation, including control over the application and user the
    key is associated with and whether touch is required when using the key
  * Certificate generation, both as a key being signed and a CA key
  * Resident keys, allowing security keys to be used on multiple machines
    without any information being stored outside of the key
  * Access to and management of keys loaded in an OpenSSH ssh-agent
  * Support for both user and host keys and certificates
  * Support for "no-touch-required" option in authorized_keys files
  * Support for "no-touch-required" option in OpenSSH certificates
  * Compatibility with security key support added in OpenSSH version 8.2

* Added login timeout client option and limits on the length and number
of banner lines AsyncSSH will accept prior to the SSH version header.

* Improved load_keypairs() to read public key files, confirming that they
are consistent with their associated private key when they are present.

* Fixed issues in the SCP server related to handling filenames with spaces.

* Fixed an issue with resuming reading after readuntil() returns an
incomplete read.

* Fixed a potential issue related to asyncio not reporting sockname/peername
when a connection is closed immediately after it is opened.

* Made SSHConnection a subclass of asyncio.Protocol to please type checkers.

2.1.0

Not secure
---------------------------

* Added support in the SSHProcess redirect mechanism to accept asyncio
StreamReader and StreamWriter objects, allowing asyncio streams to
be plugged in as stdin/stdout/stderr in an SSHProcess.

* Added support for key handlers in the AsyncSSH line editor to trigger
signals being delivered when certain "hot keys" are hit while reading
input.

* Improved cleanup of unreturned connection objects when an error occurs
or the connection request is canceled or times out.

* Improved cleanup of SSH agent client objects to avoid triggering a false
positive warning in Python 3.8.

* Added an example to the documentation for how to create reverse-direction
SSH client and server connections.

* Made check of session objects against None explicit to avoid confusion
on user-defined sessions that implement __len__ or __bool__. Thanks go
to Lars-Dominik Braun for contributing this improvement!
