summaryrefslogtreecommitdiff
path: root/sites/www/changelog.rst
blob: 87c5faf2c9f24079df30ec9b47cb91d908fb8010 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
=========
Changelog
=========

- :bug:`1822` (via, and relating to, far too many other issues to mention here)
  Update `~paramiko.client.SSHClient` so it explicitly closes its wrapped
  socket object upon encountering socket errors at connection time. This should
  help somewhat with certain classes of memory leaks, resource warnings, and/or
  errors (though we hasten to remind everyone that Client and Transport have
  their own ``.close()`` methods for use in non-error situations!). Patch
  courtesy of ``@YoavCohen``.
- bug:`1637` (via :issue:`1599`) Raise `SSHException` explicitly when blank
  private key data is loaded, instead of the natural result of ``IndexError``.
  This should help more bits of Paramiko or Paramiko-adjacent codebases to
  correctly handle this class of error. Credit: Nicholas Dietz.
- :release:`2.11.0 <2022-05-16>`
- :release:`2.10.5 <2022-05-16>`
- :release:`2.9.5 <2022-05-16>`
- :bug:`1933` Align signature verification algorithm with OpenSSH re:
  zero-padding signatures which don't match their nominal size/length. This
  shouldn't affect most users, but will help Paramiko-implemented SSH servers
  handle poorly behaved clients such as PuTTY. Thanks to Jun Omae for catch &
  patch.
- :bug:`2017` OpenSSH 7.7 and older has a bug preventing it from understanding
  how to perform SHA2 signature verification for RSA certificates (specifically
  certs - not keys), so when we added SHA2 support it broke all clients using
  RSA certificates with these servers. This has been fixed in a manner similar
  to what OpenSSH's own client does: a version check is performed and the
  algorithm used is downgraded if needed. Reported by Adarsh Chauhan, with fix
  suggested by Jun Omae.
- :support:`2038` (via :issue:`2039`) Recent versions of Cryptography have
  deprecated Blowfish algorithm support; in lieu of an easy method for users to
  remove it from the list of algorithms Paramiko tries to import and use, we've
  decided to remove it from our "preferred algorithms" list. This will both
  discourage use of a weak algorithm, and avoid warnings. Credit for
  report/patch goes to Mike Roest.
- :bug:`2008` (via :issue:`2010`) Windows-native SSH agent support as merged in
  2.10 could encounter ``Errno 22`` ``OSError`` exceptions in some scenarios
  (eg server not cleanly closing a relevant named pipe). This has been worked
  around and should be less problematic. Reported by Danilo Campana Fuchs and
  patched by Jun Omae.
- :release:`2.10.4 <2022-04-25>`
- :release:`2.9.4 <2022-04-25>`
- :support:`1838 backported` (via :issue:`1870`/:issue:`2028`) Update
  ``camelCase`` method calls against the ``threading`` module to be
  ``snake_case``; this and related tweaks should fix some deprecation warnings
  under Python 3.10. Thanks to Karthikeyan Singaravelan for the report,
  ``@Narendra-Neerukonda`` for the patch, and to Thomas Grainger and Jun Omae
  for patch workshopping.
- :feature:`1951` Add SSH config token expansion (eg ``%h``, ``%p``) when
  parsing ``ProxyJump`` directives. Patch courtesy of Bruno Inec.
- :bug:`1964` (via :issue:`2024` as also reported in :issue:`2023`)
  `~paramiko.pkey.PKey` instances' ``__eq__`` did not have the usual safety
  guard in place to ensure they were being compared to another ``PKey`` object,
  causing occasional spurious ``BadHostKeyException`` (among other things).
  This has been fixed. Thanks to Shengdun Hua for the original report/patch and
  to Christopher Papke for the final version of the fix.
- :support:`2004` (via :issue:`2011`) Apply unittest ``skipIf`` to tests
  currently using SHA1 in their critical path, to avoid failures on systems
  starting to disable SHA1 outright in their crypto backends (eg RHEL 9).
  Report & patch via Paul Howarth.
- :bug:`2035` Servers offering certificate variants of hostkey algorithms (eg
  ``ssh-rsa-cert-v01@openssh.com``) could not have their host keys verified by
  Paramiko clients, as it only ever considered non-cert key types for that part
  of connection handshaking. This has been fixed.
- :release:`2.10.3 <2022-03-18>`
- :release:`2.9.3 <2022-03-18>`
- :bug:`1963` (via :issue:`1977`) Certificate-based pubkey auth was
  inadvertently broken when adding SHA2 support; this has been fixed. Reported
  by Erik Forsberg and fixed by Jun Omae.
- :bug:`2002` (via :issue:`2003`) Switch from module-global to thread-local
  storage when recording thread IDs for a logging helper; this should avoid one
  flavor of memory leak for long-running processes. Catch & patch via Richard
  Kojedzinszky.
- :release:`2.10.2 <2022-03-14>`
- :bug:`2001` Fix Python 2 compatibility breakage introduced in 2.10.1. Spotted
  by Christian Hammond.

  .. warning::
      This is almost certainly the last time we will fix Python 2 related
      errors! Please see `the roadmap
      <https://bitprophet.org/projects/#roadmap>`_.

- :release:`2.10.1 <2022-03-11>`
- :bug:`-` (`CVE-2022-24302
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24302>`_) Creation
  of new private key files using `~paramiko.pkey.PKey` subclasses was subject
  to a race condition between file creation & mode modification, which could be
  exploited by an attacker with knowledge of where the Paramiko-using code
  would write out such files.

  This has been patched by using `os.open` and `os.fdopen` to ensure new files
  are opened with the correct mode immediately. We've left the subsequent
  explicit ``chmod`` in place to minimize any possible disruption, though it
  may get removed in future backwards-incompatible updates.

  Thanks to Jan Schejbal for the report & feedback on the solution, and to
  Jeremy Katz at Tidelift for coordinating the disclosure.
- :release:`2.10.0 <2022-03-11>`
- :feature:`1976` Add support for the ``%C`` token when parsing SSH config
  files. Foundational PR submitted by ``@jbrand42``.
- :feature:`1509` (via :issue:`1868`, :issue:`1837`) Add support for OpenSSH's
  Windows agent as a fallback when Putty/WinPageant isn't available or
  functional. Reported by ``@benj56`` with patches/PRs from ``@lewgordon`` and
  Patrick Spendrin.
- :bug:`892 major` Significantly speed up low-level read/write actions on
  `~paramiko.sftp_file.SFTPFile` objects by using `bytearray`/`memoryview`.
  This is unlikely to change anything for users of the higher level methods
  like `SFTPClient.get <paramiko.sftp_client.SFTPClient.get>` or
  `SFTPClient.getfo <paramiko.sftp_client.SFTPClient.getfo>`, but users of
  `SFTPClient.open <paramiko.sftp_client.SFTPClient.open>` will likely see
  orders of magnitude improvements for files larger than a few megabytes in
  size.

  Thanks to ``@jkji`` for the original report and to Sevastian Tchernov for the
  patch.
- :support:`1985` Add ``six`` explicitly to install-requires; it snuck into
  active use at some point but has only been indicated by transitive dependency
  on ``bcrypt`` until they somewhat-recently dropped it. This will be
  short-lived until we `drop Python 2
  support <https://bitprophet.org/projects/#roadmap>`_. Thanks to Sondre
  Lillebø Gundersen for catch & patch.
- :release:`2.9.2 <2022-01-08>`
- :bug:`-` Connecting to servers which support ``server-sig-algs`` but which
  have no overlap between that list and what a Paramiko client supports, now
  raise an exception instead of defaulting to ``rsa-sha2-512`` (since the use
  of ``server-sig-algs`` allows us to know what the server supports).
- :bug:`-` Enhanced log output when connecting to servers that do not support
  ``server-sig-algs`` extensions, making the new-as-of-2.9 defaulting to SHA2
  pubkey algorithms more obvious when it kicks in.
- :release:`2.9.1 <2021-12-24>`
- :bug:`1955` Server-side support for ``rsa-sha2-256`` and ``ssh-rsa`` wasn't
  fully operable after 2.9.0's release (signatures for RSA pubkeys were always
  run through ``rsa-sha2-512`` instead). Report and early stab at a fix
  courtesy of Jun Omae.
- :release:`2.9.0 <2021-12-23>`
- :feature:`1643` (also :issue:`1925`, :issue:`1644`, :issue:`1326`) Add
  support for SHA-2 variants of RSA key verification algorithms (as described
  in :rfc:`8332`) as well as limited SSH extension negotiation (:rfc:`8308`).

  .. warning::
    This change is slightly backwards incompatible, insofar as action is
    required if your target systems do not support either RSA2 or the
    ``server-sig-algs`` protocol extension.

    Specifically, you need to specify ``disabled_algorithms={'keys':
    ['rsa-sha2-256', 'rsa-sha2-512']}`` in either `SSHClient
    <paramiko.client.SSHClient.__init__>` or `Transport
    <paramiko.transport.Transport.__init__>`. See below for details on why.

  How SSH servers/clients decide when and how to use this functionality can be
  complicated; Paramiko's support is as follows:

  - Client verification of server host key during key exchange will now prefer
    ``rsa-sha2-512``, ``rsa-sha2-256``, and legacy ``ssh-rsa`` algorithms, in
    that order, instead of just ``ssh-rsa``.

      - Note that the preference order of other algorithm families such as
        ``ed25519`` and ``ecdsa`` has not changed; for example, those two
        groups are still preferred over RSA.

  - Server mode will now offer all 3 RSA algorithms for host key verification
    during key exchange, similar to client mode, if it has been configured with
    an RSA host key.
  - Client mode key exchange now sends the ``ext-info-c`` flag signaling
    support for ``MSG_EXT_INFO``, and support for parsing the latter
    (specifically, its ``server-sig-algs`` flag) has been added.
  - Client mode, when performing public key authentication with an RSA key or
    cert, will act as follows:

    - In all cases, the list of algorithms to consider is based on the new
      ``preferred_pubkeys`` list (see below) and ``disabled_algorithms``
      (specifically, its ``pubkeys`` key); this list, like with host keys,
      prefers SHA2-512, SHA2-256 and SHA1, in that order.
    - When the server does not send ``server-sig-algs``, Paramiko will attempt
      the first algorithm in the above list. Clients connecting to legacy
      servers should thus use ``disabled_algorithms`` to turn off SHA2.
    - When the server does send ``server-sig-algs``, the first algorithm
      supported by both ends is used, or if there is none, it falls back to the
      previous behavior.

  - SSH agent support grew the ability to specify algorithm flags when
    requesting private key signatures; this is now used to forward SHA2
    algorithms when appropriate.
  - Server mode is now capable of pubkey auth involving SHA-2 signatures from
    clients, provided one's server implementation actually provides for doing
    so.

    - This includes basic support for sending ``MSG_EXT_INFO`` (containing
      ``server-sig-algs`` only) to clients advertising ``ext-info-c`` in their
      key exchange list.

  In order to implement the above, the following API additions were made:

  - `PKey.sign_ssh_data <paramiko.pkey.PKey>`: Grew an extra, optional
    ``algorithm`` keyword argument (defaulting to ``None`` for most subclasses,
    and to ``"ssh-rsa"`` for `~paramiko.rsakey.RSAKey`).
  - A new `~paramiko.ssh_exception.SSHException` subclass was added,
    `~paramiko.ssh_exception.IncompatiblePeer`, and is raised in all spots
    where key exchange aborts due to algorithmic incompatibility.

    - Like all other exceptions in that module, it inherits from
      ``SSHException``, and as we did not change anything else about the
      raising (i.e. the attributes and message text are the same) this change
      is backwards compatible.

  - `~paramiko.transport.Transport` grew a ``_preferred_pubkeys`` attribute and
    matching ``preferred_pubkeys`` property to match the other, kex-focused,
    such members. This allows client pubkey authentication to honor the
    ``disabled_algorithms`` feature.

  Thanks to Krisztián Kovács for the report and an early stab at a patch, as
  well as the numerous users who submitted feedback on the issue, including but
  not limited to: Christopher Rabotin, Sam Bull, and Manfred Kaiser.

- :release:`2.8.1 <2021-11-28>`
- :bug:`985` (via :issue:`992`) Fix listdir failure when server uses a locale.
  Now on Python 2.7 `SFTPAttributes <paramiko.sftp_attr.SFTPAttributes>` will
  decode abbreviated month names correctly rather than raise
  ``UnicodeDecodeError```. Patch courtesy of Martin Packman.
- :bug:`1024` Deleting items from `~paramiko.hostkeys.HostKeys` would
  incorrectly raise `KeyError` even for valid keys, due to a logic bug. This
  has been fixed. Report & patch credit: Jia Zhang.
- :bug:`1257` (also :issue:`1266`) Update RSA and ECDSA key decoding
  subroutines to correctly catch exception types thrown by modern
  versions of Cryptography (specifically ``TypeError`` and
  its internal ``UnsupportedAlgorithm``). These exception classes will now
  become `~paramiko.ssh_exception.SSHException` instances instead of bubbling
  up. Thanks to Ignat Semenov for the report and ``@tylergarcianet`` for an
  early patch.
- :bug:`-` (also :issue:`908`) Update `~paramiko.pkey.PKey` and subclasses to
  compare (``__eq__``) via direct field/attribute comparison instead of hashing
  (while retaining the existing behavior of ``__hash__`` via a slight
  refactor). Big thanks to Josh Snyder and Jun Omae for the reports, and to
  Josh Snyder for reproduction details & patch.

  .. warning::
    This fixes a security flaw! If you are running Paramiko on 32-bit systems
    with low entropy (such as any 32-bit Python 2, or a 32-bit Python 3 which
    is running with ``PYTHONHASHSEED=0``) it is possible for an attacker to
    craft a new keypair from an exfiltrated public key, which Paramiko would
    consider equal to the original key.

    This could enable attacks such as, but not limited to, the following:

    - Paramiko server processes would incorrectly authenticate the attacker
      (using their generated private key) as if they were the victim. We see
      this as the most plausible attack using this flaw.
    - Paramiko client processes would incorrectly validate a connected server
      (when host key verification is enabled) while subjected
      to a man-in-the-middle attack. This impacts more users than the
      server-side version, but also carries higher requirements for the
      attacker, namely successful DNS poisoning or other MITM techniques.

- :release:`2.8.0 <2021-10-09>`
- :support:`-` Administrivia overhaul, including but not limited to:

  - Migrate CI to CircleCI
  - Primary dev branch is now ``main`` (renamed)
  - Many README edits for clarity, modernization etc; including a bunch more
    (and consistent) status badges & unification with main project site index
  - PyPI page much more fleshed out (long_description is now filled in with the
    README; sidebar links expanded; etc)
  - flake8, pytest configs split out of setup.cfg into their own files
  - Invoke/invocations (used by maintainers/contributors) upgraded to modern
    versions

- :bug:`1462 major` (via :issue:`1882`) Newer server-side key exchange
  algorithms not intended to use SHA1 (``diffie-hellman-group14-sha256``,
  ``diffie-hellman-group16-sha512``) were incorrectly using SHA1 after all, due
  to a bug causing them to ignore the ``hash_algo`` class attribute. This has
  been corrected. Big thanks to ``@miverson`` for the report and to Benno Rice
  for the patch.
- :feature:`1846` Add a ``prefetch`` keyword argument to `SFTPClient.get <paramiko.sftp_client.SFTPClient.get>`/`SFTPClient.getfo <paramiko.sftp_client.SFTPClient.getfo>`
  so users who need to skip SFTP prefetching are able to conditionally turn it
  off. Thanks to Github user ``@h3ll0r`` for the PR.
- :release:`2.7.2 <2020-08-30>`
- :support:`- backported` Update our CI to catch issues with sdist generation,
  installation and testing.
- :support:`1727 backported` Add missing test suite fixtures directory to
  MANIFEST.in, reinstating the ability to run Paramiko's tests from an sdist
  tarball. Thanks to Sandro Tosi for reporting the issue and to Blazej Michalik
  for the PR.
- :support:`1722 backported` Remove leading whitespace from OpenSSH RSA test
  suite static key fixture, to conform better to spec. Credit: Alex Gaynor.
- :bug:`-` Fix incorrect string formatting causing unhelpful error message
  annotation when using Kerberos/GSSAPI. (Thanks, newer version of flake8!)
- :bug:`1723` Fix incorrectly swapped order of ``p`` and ``q`` numbers when
  loading OpenSSH-format RSA private keys. At minimum this should address a
  slowdown when using such keys, and it also means Paramiko works with
  Cryptography 3.1 and above (which complains strenuously when this problem
  appears). Thanks to Alex Gaynor for the patch.
- :release:`2.7.1 <2019-12-09>`
- :bug:`1567` The new-style private key format (added in 2.7) suffered from an
  unpadding bug which had been fixed earlier for Ed25519 (as that key type has
  always used the newer format). That fix has been refactored and applied to
  the base key class, courtesy of Pierce Lopez.
- :bug:`1565` (via :issue:`1566`) Fix a bug in support for ECDSA keys under the
  newly supported OpenSSH key format. Thanks to Pierce Lopez for the patch.
- :release:`2.7.0 <2019-12-03>`
- :feature:`602` (via :issue:`1343`, :issue:`1313`, :issue:`618`) Implement
  support for OpenSSH 6.5-style private key files (typically denoted as having
  ``BEGIN OPENSSH PRIVATE KEY`` headers instead of PEM format's ``BEGIN RSA
  PRIVATE KEY`` or similar). If you were getting any sort of weird auth error
  from "modern" keys generated on newer operating system releases (such as
  macOS Mojave), this is the first update to try.

  Major thanks to everyone who contributed or tested versions of the patch,
  including but not limited to: Kevin Abel, Michiel Tiller, Pierce Lopez, and
  Jared Hobbs.
- :bug:`- major` ``ssh_config`` :ref:`token expansion <TOKENS>` used a
  different method of determining the local username (``$USER`` env var),
  compared to what the (much older) client connection code does
  (``getpass.getuser``, which includes ``$USER`` but may check other variables
  first, and is generally much more comprehensive). Both modules now use
  ``getpass.getuser``.
- :feature:`-` A couple of outright `~paramiko.config.SSHConfig` parse errors
  were previously represented as vanilla ``Exception`` instances; as part of
  recent feature work a more specific exception class,
  `~paramiko.ssh_exception.ConfigParseError`, has been created. It is now also
  used in those older spots, which is naturally backwards compatible.
- :feature:`717` Implement support for the ``Match`` keyword in ``ssh_config``
  files. Previously, this keyword was simply ignored & keywords inside such
  blocks were treated as if they were part of the previous block. Thanks to
  Michael Leinartas for the initial patchset.

  .. note::
    This feature adds a new :doc:`optional install dependency </installing>`,
    `Invoke <https://www.pyinvoke.org>`_, for managing ``Match exec``
    subprocesses.

- :support:`-` Additional :doc:`installation </installing>` ``extras_require``
  "flavors" (``ed25519``, ``invoke``, and ``all``) have been added to
  our packaging metadata; see the install docs for details.
- :bug:`- major` Paramiko's use of ``subprocess`` for ``ProxyCommand`` support
  is conditionally imported to prevent issues on limited interpreter platforms
  like Google Compute Engine. However, any resulting ``ImportError`` was lost
  instead of preserved for raising (in the rare cases where a user tried
  leveraging ``ProxyCommand`` in such an environment). This has been fixed.
- :bug:`- major` Perform deduplication of ``IdentityFile`` contents during
  ``ssh_config`` parsing; previously, if your config would result in the same
  value being encountered more than once, ``IdentityFile`` would contain that
  many copies of the same string.
- :feature:`897` Implement most 'canonical hostname' ``ssh_config``
  functionality (``CanonicalizeHostname``, ``CanonicalDomains``,
  ``CanonicalizeFallbackLocal``, and ``CanonicalizeMaxDots``;
  ``CanonicalizePermittedCNAMEs`` has **not** yet been implemented). All were
  previously silently ignored. Reported by Michael Leinartas.
- :support:`-` Explicitly document :ref:`which ssh_config features we
  currently support <ssh-config-support>`. Previously users just had to guess,
  which is simply no good.
- :feature:`-` Add new convenience classmethod constructors to
  `~paramiko.config.SSHConfig`: `~paramiko.config.SSHConfig.from_text`,
  `~paramiko.config.SSHConfig.from_file`, and
  `~paramiko.config.SSHConfig.from_path`. No more annoying two-step process!
- :release:`2.6.0 <2019-06-23>`
- :feature:`1463` Add a new keyword argument to `SSHClient.connect
  <paramiko.client.SSHClient.connect>` and `~paramiko.transport.Transport`,
  ``disabled_algorithms``, which allows selectively disabling one or more
  kex/key/cipher/etc algorithms. This can be useful when disabling algorithms
  your target server (or client) does not support cleanly, or to work around
  unpatched bugs in Paramiko's own implementation thereof.
- :release:`2.5.1 <2019-06-23>`
- :release:`2.4.3 <2019-06-23>`
- :bug:`1306` (via :issue:`1400`) Fix Ed25519 key handling so certain key
  comment lengths don't cause ``SSHException("Invalid key")`` (this was
  technically a bug in how padding, or lack thereof, is
  calculated/interpreted). Thanks to ``@parke`` for the bug report & Pierce
  Lopez for the patch.
- :support:`1440` (with initial fixes via :issue:`1460`) Tweak many exception
  classes so their string representations are more human-friendly; this also
  includes incidental changes to some ``super()`` calls.

  The definitions of exceptions' ``__init__`` methods have *not* changed, nor
  have any log messages been altered, so this should be backwards compatible
  for everything except the actual exceptions' ``__str__()`` outputs.

  Thanks to Fabian Büchler for original report & Pierce Lopez for the
  foundational patch.
- :support:`1311` (for :issue:`584`, replacing :issue:`1166`) Add
  backwards-compatible support for the ``gssapi`` GSSAPI library, as the
  previous backend (``python-gssapi``) has since become defunct. This change
  also includes tests for the GSSAPI functionality.

  Big thanks to Anselm Kruis for the patch and to Sebastian Deiß (author of our
  initial GSSAPI functionality) for review.

  .. note::
     This feature also adds ``setup.py`` 'extras' support for installing
     Paramiko as ``paramiko[gssapi]``, which pulls in the optional
     dependencies you had to get by hand previously.

  .. note::
    To be very clear, this patch **does not** remove support for the older
    ``python-gssapi`` library. We *may* remove that support in a later release,
    but for now, either library will work. Please upgrade to ``gssapi`` when
    you can, however, as ``python-gssapi`` is no longer maintained upstream.

- :bug:`322 major` `SSHClient.exec_command
  <paramiko.client.SSHClient.exec_command>` previously returned a naive
  `~paramiko.channel.ChannelFile` object for its ``stdin`` value; such objects
  don't know to properly shut down the remote end's stdin when they
  ``.close()``. This lead to issues (such as hangs) when running remote
  commands that read from stdin.

  A new subclass, `~paramiko.channel.ChannelStdinFile`, has been created which
  closes remote stdin when it itself is closed.
  `~paramiko.client.SSHClient.exec_command` has been updated to use that class
  for its ``stdin`` return value.

  Thanks to Brandon Rhodes for the report & steps to reproduce.
- :release:`2.5.0 <2019-06-09>`
- :feature:`1233` (also :issue:`1229`, :issue:`1332`) Add support for
  encrypt-then-MAC (ETM) schemes (``hmac-sha2-256-etm@openssh.com``,
  ``hmac-sha2-512-etm@openssh.com``) and two newer Diffie-Hellman group key
  exchange algorithms (``group14``, using SHA256; and ``group16``, using
  SHA512). Patch courtesy of Edgar Sousa.
- :feature:`532` (via :issue:`1384` and :issue:`1258`) Add support for
  Curve25519 key exchange (aka ``curve25519-sha256@libssh.org``). Thanks to
  Alex Gaynor and Dan Fuhry for supplying patches.
- :support:`1379` (also :issue:`1369`) Raise Cryptography dependency
  requirement to version 2.5 (from 1.5) and update some deprecated uses of its
  API.

  This removes a bunch of warnings of the style
  ``CryptographyDeprecationWarning: encode_point has been deprecated on
  EllipticCurvePublicNumbers and will be removed in a future version. Please
  use EllipticCurvePublicKey.public_bytes to obtain both compressed and
  uncompressed point encoding`` and similar, which users who had eventually
  upgraded to Cryptography 2.x would encounter.

  .. warning::
    This change is backwards incompatible **if** you are unable to upgrade your
    version of Cryptography. Please see `Cryptography's own changelog
    <https://cryptography.io/en/latest/changelog/>`_ for details on what may
    change when you upgrade; for the most part the only changes involved
    dropping older Python versions (such as 2.6, 3.3, or some PyPy editions)
    which Paramiko itself has already dropped.

- :support:`1378 backported` Add support for the modern (as of Python 3.3)
  import location of ``MutableMapping`` (used in host key management) to avoid
  the old location becoming deprecated in Python 3.8. Thanks to Josh Karpel for
  catch & patch.
- :release:`2.4.2 <2018-09-18>`
- :release:`2.3.3 <2018-09-18>`
- :release:`2.2.4 <2018-09-18>`
- :release:`2.1.6 <2018-09-18>`
- :release:`2.0.9 <2018-09-18>`
- :bug:`-` Modify protocol message handling such that ``Transport`` does not
  respond to ``MSG_UNIMPLEMENTED`` with its own ``MSG_UNIMPLEMENTED``. This
  behavior probably didn't cause any outright errors, but it doesn't seem to
  conform to the RFCs and could cause (non-infinite) feedback loops in some
  scenarios (usually those involving Paramiko on both ends).
- :bug:`1283` Fix exploit (CVE-2018-1000805) in Paramiko's server mode (**not**
  client mode) where hostile clients could trick the server into thinking they
  were authenticated without actually submitting valid authentication.

  Specifically, steps have been taken to start separating client and server
  related message types in the message handling tables within ``Transport`` and
  ``AuthHandler``; this work is not complete but enough has been performed to
  close off this particular exploit (which was the only obvious such exploit
  for this particular channel).

  Thanks to Daniel Hoffman for the detailed report.
- :support:`1292 backported (<2.4)` Backport changes from :issue:`979` (added
  in Paramiko
  2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards
  compatibility. This allows these older versions to use newer Cryptography
  sign/verify APIs when available, without requiring them (as is the case with
  Paramiko 2.3+).

  Practically speaking, this change prevents spamming of
  ``CryptographyDeprecationWarning`` notices which pop up in the above scenario
  (older Paramiko, newer Cryptography).

  .. note::
    This is a no-op for Paramiko 2.3+, which have required newer Cryptography
    releases since they were released.

- :support:`1291 backported (<2.4)` Backport pytest support and application of
  the ``black`` code formatter (both of which previously only existed in the
  2.4 branch and above) to everything 2.0 and newer. This makes back/forward
  porting bugfixes significantly easier.
- :support:`1262 backported` Add ``*.pub`` files to the MANIFEST so distributed
  source packages contain some necessary test assets. Credit: Alexander
  Kapshuna.
- :feature:`1212` Updated `SSHConfig.lookup <paramiko.config.SSHConfig.lookup>`
  so it returns a new, type-casting-friendly dict subclass
  (`~paramiko.config.SSHConfigDict`) in lieu of dict literals. This ought to be
  backwards compatible, and allows an easier way to check boolean or int type
  ``ssh_config`` values. Thanks to Chris Rose for the patch.
- :support:`1191` Update our install docs with (somewhat) recently added
  additional dependencies; we previously only required Cryptography, but the
  docs never got updated after we incurred ``bcrypt`` and ``pynacl``
  requirements for Ed25519 key support.

  Additionally, ``pyasn1`` was never actually hard-required; it was necessary
  during a development branch, and is used by the optional GSSAPI support, but
  is not required for regular installation. Thus, it has been removed from our
  ``setup.py`` and its imports in the GSSAPI code made optional.

  Credit to ``@stevenwinfield`` for highlighting the outdated install docs.
- :release:`2.4.1 <2018-03-12>`
- :release:`2.3.2 <2018-03-12>`
- :release:`2.2.3 <2018-03-12>`
- :release:`2.1.5 <2018-03-12>`
- :release:`2.0.8 <2018-03-12>`
- :release:`1.18.5 <2018-03-12>`
- :release:`1.17.6 <2018-03-12>`
- :bug:`1175 (1.17+)` Fix a security flaw (CVE-2018-7750) in Paramiko's server
  mode (emphasis on **server** mode; this does **not** impact *client* use!)
  where authentication status was not checked before processing channel-open
  and other requests typically only sent after authenticating. Big thanks to
  Matthijs Kooijman for the report.
- :bug:`1168` Add newer key classes for Ed25519 and ECDSA to
  ``paramiko.__all__`` so that code introspecting that attribute, or using
  ``from paramiko import *`` (such as some IDEs) sees them. Thanks to
  ``@patriksevallius`` for the patch.
- :bug:`1039` Ed25519 auth key decryption raised an unexpected exception when
  given a unicode password string (typical in python 3). Report by Theodor van
  Nahl and fix by Pierce Lopez.
- :release:`2.4.0 <2017-11-14>`
- :feature:`-` Add a new ``passphrase`` kwarg to `SSHClient.connect
  <paramiko.client.SSHClient.connect>` so users may disambiguate key-decryption
  passphrases from password-auth passwords. (This is a backwards compatible
  change; ``password`` will still pull double duty as a passphrase when
  ``passphrase`` is not given.)
- :support:`-` Update ``tearDown`` of client test suite to avoid hangs due to
  eternally blocking ``accept()`` calls on the internal server thread (which
  can occur when test code raises an exception before actually connecting to
  the server.)
- :bug:`1108 (1.17+)` Rename a private method keyword argument (which was named
  ``async``) so that we're compatible with the upcoming Python 3.7 release
  (where ``async`` is a new keyword.) Thanks to ``@vEpiphyte`` for the report.
- :support:`1100` Updated the test suite & related docs/metadata/config to be
  compatible with pytest instead of using the old, custom, crufty
  unittest-based ``test.py``.

  This includes marking known-slow tests (mostly the SFTP ones) so they can be
  filtered out by ``inv test``'s default behavior; as well as other minor
  tweaks to test collection and/or display (for example, GSSAPI tests are
  collected, but skipped, instead of not even being collected by default as in
  ``test.py``.)
- :support:`- backported` Include LICENSE file in wheel archives.
- :support:`1070` Drop Python 2.6 and Python 3.3 support; now only 2.7 and 3.4+
  are supported. If you're unable to upgrade from 2.6 or 3.3, please stick to
  the Paramiko 2.3.x (or below) release lines.
- :release:`2.3.1 <2017-09-22>`
- :bug:`1071` Certificate support broke the no-certificate case for Ed25519
  keys (symptom is an ``AttributeError`` about ``public_blob``.) This went
  uncaught due to cert autoload behavior (i.e. our test suite never actually
  ran the no-cert case, because the cert existed!) Both issues have been fixed.
  Thanks to John Hu for the report.
- :release:`2.3.0 <2017-09-18>`
- :release:`2.2.2 <2017-09-18>`
- :release:`2.1.4 <2017-09-18>`
- :release:`2.0.7 <2017-09-18>`
- :release:`1.18.4 <2017-09-18>`
- :bug:`1065` Add rekeying support to GSSAPI connections, which was erroneously
  missing. Without this fix, any attempt to renegotiate the transport keys for
  a ``gss-kex``-authed `~paramiko.transport.Transport` would cause a MIC
  failure and terminate the connection. Thanks to Sebastian Deiß and Anselm
  Kruis for the patch.
- :feature:`1063` Add a ``gss_trust_dns`` option to ``Client`` and
  ``Transport`` to allow explicitly setting whether or not DNS canonicalization
  should occur when using GSSAPI. Thanks to Richard E. Silverman for the report
  & Sebastian Deiß for initial patchset.
- :bug:`1061` Clean up GSSAPI authentication procedures so they do not prevent
  normal fallback to other authentication methods on failure. (In other words,
  presence of GSSAPI functionality on a target server precluded use of _any_
  other auth type if the user was unable to pass GSSAPI auth.) Patch via Anselm
  Kruis.
- :bug:`1060` Fix key exchange (kex) algorithm list for GSSAPI authentication;
  previously, the list used solely out-of-date algorithms, and now contains
  newer ones listed preferentially before the old. Credit: Anselm Kruis.
- :bug:`1055 (1.17+)` (also :issue:`1056`, :issue:`1057`, :issue:`1058`,
  :issue:`1059`) Fix up host-key checking in our GSSAPI support, which was
  previously using an incorrect API call. Thanks to Anselm Kruis for the
  patches.
- :bug:`945 (1.18+)` (backport of :issue:`910` and re: :issue:`865`) SSHClient
  now requests the type of host key it has (e.g. from known_hosts) and does not
  consider a different type to be a "Missing" host key. This fixes a common
  case where an ECDSA key is in known_hosts and the server also has an RSA host
  key. Thanks to Pierce Lopez.
- :support:`979` Update how we use `Cryptography <https://cryptography.io>`_'s
  signature/verification methods so we aren't relying on a deprecated API.
  Thanks to Paul Kehrer for the patch.

  .. warning::
    This bumps the minimum Cryptography version from 1.1 to 1.5. Such an
    upgrade should be backwards compatible and easy to do. See `their changelog
    <https://cryptography.io/en/latest/changelog/>`_ for additional details.
- :support:`-` Ed25519 keys never got proper API documentation support; this
  has been fixed.
- :feature:`1026` Update `~paramiko.ed25519key.Ed25519Key` so its constructor
  offers the same ``file_obj`` parameter as its sibling key classes. Credit:
  Michal Kuffa.
- :feature:`1013` Added pre-authentication banner support for the server
  interface (`ServerInterface.get_banner
  <paramiko.server.ServerInterface.get_banner>` plus related support in
  ``Transport/AuthHandler``.) Patch courtesy of Dennis Kaarsemaker.
- :bug:`60 major` (via :issue:`1037`) Paramiko originally defaulted to zlib
  compression level 9 (when one connects with ``compression=True``; it defaults
  to off.) This has been found to be quite wasteful and tends to cause much
  longer transfers in most cases, than is necessary.

  OpenSSH defaults to compression level 6, which is a much more reasonable
  setting (nearly identical compression characteristics but noticeably,
  sometimes significantly, faster transmission); Paramiko now uses this value
  instead.

  Thanks to Damien Dubé for the report and ``@DrNeutron`` for investigating &
  submitting the patch.
- :support:`-` Display exception type and message when logging auth-rejection
  messages (ones reading ``Auth rejected: unsupported or mangled public key``);
  previously this error case had a bare except and did not display exactly why
  the key failed. It will now append info such as ``KeyError:
  'some-unknown-type-string'`` or similar.
- :feature:`1042` (also partially :issue:`531`) Implement basic client-side
  certificate authentication (as per the OpenSSH vendor extension.)

  The core implementation is `PKey.load_certificate
  <paramiko.pkey.PKey.load_certificate>` and its corresponding ``.public_blob``
  attribute on key objects, which is honored in the auth and transport modules.
  Additionally, `SSHClient.connect <paramiko.client.SSHClient.connect>` will
  now automatically load certificate data alongside private key data when one
  has appropriately-named cert files (e.g. ``id_rsa-cert.pub``) - see its
  docstring for details.

  Thanks to Jason Rigby for a first draft (:issue:`531`) and to Paul Kapp for
  the second draft, upon which the current functionality has been based (with
  modifications.)

  .. note::
    This support is client-focused; Paramiko-driven server code is capable of
    handling cert-bearing pubkey auth packets, *but* it does not interpret any
    cert-specific fields, so the end result is functionally identical to a
    vanilla pubkey auth process (and thus requires e.g. prepopulated
    authorized-keys data.) We expect full server-side cert support to follow
    later.

- :support:`1041` Modify logic around explicit disconnect
  messages, and unknown-channel situations, so that they rely on centralized
  shutdown code instead of running their own. This is at worst removing some
  unnecessary code, and may help with some situations where Paramiko hangs at
  the end of a session. Thanks to Paul Kapp for the patch.
- :support:`1012` (via :issue:`1016`) Enhance documentation around the new
  `SFTP.posix_rename <paramiko.sftp_client.SFTPClient.posix_rename>` method so
  it's referenced in the 'standard' ``rename`` method for increased visibility.
  Thanks to Marius Flage for the report.
- :release:`2.2.1 <2017-06-13>`
- :bug:`993` Ed25519 host keys were not comparable/hashable, causing an
  exception if such a key existed in a ``known_hosts`` file. Thanks to Oleh
  Prypin for the report and Pierce Lopez for the fix.
- :bug:`990` The (added in 2.2.0) ``bcrypt`` dependency should have been on
  version 3.1.3 or greater (was initially set to 3.0.0 or greater.) Thanks to
  Paul Howarth for the report.
- :release:`2.2.0 <2017-06-09>`
- :release:`2.1.3 <2017-06-09>`
- :release:`2.0.6 <2017-06-09>`
- :release:`1.18.3 <2017-06-09>`
- :release:`1.17.5 <2017-06-09>`
- :bug:`865` SSHClient now requests the type of host key it has (e.g. from
  known_hosts) and does not consider a different type to be a "Missing" host
  key. This fixes a common case where an ECDSA key is in known_hosts and the
  server also has an RSA host key. Thanks to Pierce Lopez.
- :support:`906 (1.18+)` Clean up a handful of outdated imports and related
  tweaks. Thanks to Pierce Lopez.
- :bug:`984` Enhance default cipher preference order such that
  ``aes(192|256)-cbc`` are preferred over ``blowfish-cbc``. Thanks to Alex
  Gaynor.
- :bug:`971 (1.17+)` Allow any type implementing the buffer API to be used with
  `BufferedFile <paramiko.file.BufferedFile>`, `Channel
  <paramiko.channel.Channel>`, and `SFTPFile <paramiko.sftp_file.SFTPFile>`.
  This resolves a regression introduced in 1.13 with the Python 3 porting
  changes, when using types such as ``memoryview``. Credit: Martin Packman.
- :bug:`741` (also :issue:`809`, :issue:`772`; all via :issue:`912`) Writing
  encrypted/password-protected private key files was silently broken since 2.0
  due to an incorrect API call; this has been fixed.

  Includes a directly related fix, namely adding the ability to read
  ``AES-256-CBC`` ciphered private keys (which is now what we tend to write out
  as it is Cryptography's default private key cipher.)

  Thanks to ``@virlos`` for the original report, Chris Harris and ``@ibuler``
  for initial draft PRs, and ``@jhgorrell`` for the final patch.
- :feature:`65` (via :issue:`471`) Add support for OpenSSH's SFTP
  ``posix-rename`` protocol extension (section 3.3 of `OpenSSH's protocol
  extension document
  <http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=1.31>`_),
  via a new ``posix_rename`` method in `SFTPClient
  <paramiko.sftp_client.SFTPClient.posix_rename>` and `SFTPServerInterface
  <paramiko.sftp_si.SFTPServerInterface.posix_rename>`. Thanks to Wren Turkal
  for the initial patch & Mika Pflüger for the enhanced, merged PR.
- :feature:`869` Add an ``auth_timeout`` kwarg to `SSHClient.connect
  <paramiko.client.SSHClient.connect>` (default: 30s) to avoid hangs when the
  remote end becomes unresponsive during the authentication step. Credit to
  ``@timsavage``.

  .. note::
    This technically changes behavior, insofar as very slow auth steps >30s
    will now cause timeout exceptions instead of completing. We doubt most
    users will notice; those affected can simply give a higher value to
    ``auth_timeout``.

- :support:`921` Tighten up the ``__hash__`` implementation for various key
  classes; less code is good code. Thanks to Francisco Couzo for the patch.
- :support:`956 backported (1.17+)` Switch code coverage service from
  coveralls.io to codecov.io (& then disable the latter's auto-comments.)
  Thanks to Nikolai Røed Kristiansen for the patch.
- :bug:`983` Move ``sha1`` above the now-arguably-broken ``md5`` in the list of
  preferred MAC algorithms, as an incremental security improvement for users
  whose target systems offer both. Credit: Pierce Lopez.
- :bug:`667` The RC4/arcfour family of ciphers has been broken since version
  2.0; but since the algorithm is now known to be completely insecure, we are
  opting to remove support outright instead of fixing it. Thanks to Alex Gaynor
  for catch & patch.
- :feature:`857` Allow `SSHClient.set_missing_host_key_policy
  <paramiko.client.SSHClient.set_missing_host_key_policy>` to accept policy
  classes _or_ instances, instead of only instances, thus fixing a
  long-standing gotcha for unaware users.
- :feature:`951` Add support for ECDH key exchange (kex), specifically the
  algorithms ``ecdh-sha2-nistp256``, ``ecdh-sha2-nistp384``, and
  ``ecdh-sha2-nistp521``. They now come before the older ``diffie-hellman-*``
  family of kex algorithms in the preferred-kex list. Thanks to Shashank
  Veerapaneni for the patch & Pierce Lopez for a follow-up.
- :support:`- backported` A big formatting pass to clean up an enormous number
  of invalid Sphinx reference links, discovered by switching to a modern,
  rigorous nitpicking doc-building mode.
- :bug:`900` (via :issue:`911`) Prefer newer ``ecdsa-sha2-nistp`` keys over RSA
  and DSA keys during host key selection. This improves compatibility with
  OpenSSH, both in terms of general behavior, and also re: ability to properly
  leverage OpenSSH-modified ``known_hosts`` files. Credit: ``@kasdoe`` for
  original report/PR and Pierce Lopez for the second draft.
- :bug:`794` (via :issue:`981`) Prior support for ``ecdsa-sha2-nistp(384|521)``
  algorithms didn't fully extend to covering host keys, preventing connection
  to hosts which only offer these key types and no others. This is now fixed.
  Thanks to ``@ncoult`` and ``@kasdoe`` for reports and Pierce Lopez for the
  patch.
- :feature:`325` (via :issue:`972`) Add Ed25519 support, for both host keys
  and user authentication. Big thanks to Alex Gaynor for the patch.

  .. note::
    This change adds the ``bcrypt`` and ``pynacl`` Python libraries as
    dependencies. No C-level dependencies beyond those previously required (for
    Cryptography) have been added.

- :support:`974 backported` Overhaul the codebase to be PEP-8, etc, compliant
  (i.e. passes the maintainer's preferred `flake8 <http://flake8.pycqa.org/>`_
  configuration) and add a ``flake8`` step to the Travis config. Big thanks to
  Dorian Pula!
- :bug:`949 (1.17+)` SSHClient and Transport could cause a memory leak if
  there's a connection problem or protocol error, even if ``Transport.close()``
  is called. Thanks Kyle Agronick for the discovery and investigation, and
  Pierce Lopez for assistance.
- :bug:`683 (1.17+)` Make ``util.log_to_file`` append instead of replace.
  Thanks to ``@vlcinsky`` for the report.
- :release:`2.1.2 <2017-02-20>`
- :release:`2.0.5 <2017-02-20>`
- :release:`1.18.2 <2017-02-20>`
- :release:`1.17.4 <2017-02-20>`
- :bug:`853 (1.17+)` Tweak how `RSAKey.__str__ <paramiko.rsakey.RSAKey>`
  behaves so it doesn't cause ``TypeError`` under Python 3. Thanks to Francisco
  Couzo for the report.
- :bug:`862 (1.17+)` (via :issue:`863`) Avoid test suite exceptions on
  platforms lacking ``errno.ETIME`` (which seems to be some FreeBSD and some
  Windows environments.) Thanks to Sofian Brabez.
- :bug:`44 (1.17+)` (via :issue:`891`) `SSHClient <paramiko.client.SSHClient>`
  now gives its internal `Transport <paramiko.transport.Transport>` a handle on
  itself, preventing garbage collection of the client until the session is
  closed. Without this, some code which returns stream or transport objects
  without the client that generated them, would result in premature session
  closure when the client was GCd. Credit: ``@w31rd0`` for original report,
  Omer Anson for the patch.
- :bug:`713 (<2.0)` (via :issue:`714` and :issue:`889`) Don't pass
  initialization vectors to PyCrypto when dealing with counter-mode ciphers;
  newer PyCrypto versions throw an exception otherwise (older ones simply
  ignored this parameter altogether). Thanks to ``@jmh045000`` for report &
  patches.
- :bug:`895 (1.17+)` Fix a bug in server-mode concerning multiple interactive
  auth steps (which were incorrectly responded to). Thanks to Dennis
  Kaarsemaker for catch & patch.
- :support:`866 backported (1.17+)` (also :issue:`838`) Remove an old
  test-related file we don't support, and add PyPy to Travis-CI config. Thanks
  to Pierce Lopez for the final patch and Pedro Rodrigues for an earlier
  edition.
- :release:`2.1.1 <2016-12-12>`
- :release:`2.0.4 <2016-12-12>`
- :release:`1.18.1 <2016-12-12>`
- :bug:`859 (1.18+)` (via :issue:`860`) A tweak to the original patch
  implementing :issue:`398` was not fully applied, causing calls to
  `~paramiko.client.SSHClient.invoke_shell` to fail with ``AttributeError``.
  This has been fixed. Patch credit: Kirk Byers.
- :bug:`-` Accidentally merged the new features from 1.18.0 into the
  2.0.x bugfix-only branch. This included merging a bug in one of those new
  features (breaking `~paramiko.client.SSHClient.invoke_shell` with an
  ``AttributeError``.) The offending code has been stripped out of the 2.0.x
  line (but of course, remains in 2.1.x and above.)
- :bug:`859` (via :issue:`860`) A tweak to the original patch implementing
  :issue:`398` was not fully applied, causing calls to
  `~paramiko.client.SSHClient.invoke_shell` to fail with ``AttributeError``.
  This has been fixed. Patch credit: Kirk Byers.
- :release:`2.1.0 <2016-12-09>`
- :release:`2.0.3 <2016-12-09>`
- :release:`1.18.0 <2016-12-09>`
- :release:`1.17.3 <2016-12-09>`
- :bug:`802 (1.17+)` (via :issue:`804`) Update our vendored Windows API module
  to address errors of the form ``AttributeError: 'module' object has no
  attribute 'c_ssize_t'``. Credit to Jason R. Coombs.
- :bug:`824 (1.17+)` Fix the implementation of ``PKey.write_private_key_file``
  (this method is only publicly defined on subclasses; the fix was in the
  private real implementation) so it passes the correct params to ``open()``.
  This bug apparently went unnoticed and unfixed for 12 entire years. Congrats
  to John Villalovos for noticing & submitting the patch!
- :support:`801 backported (1.17+)` Skip a Unix-only test when on Windows;
  thanks to Gabi Davar.
- :support:`792 backported (1.17+)` Minor updates to the README and demos;
  thanks to Alan Yee.
- :feature:`780 (1.18+)` (also :issue:`779`, and may help users affected by
  :issue:`520`) Add an optional ``timeout`` parameter to
  `Transport.start_client <paramiko.transport.Transport.start_client>` (and
  feed it the value of the configured connection timeout when used within
  `SSHClient <paramiko.client.SSHClient>`.) This helps prevent situations where
  network connectivity isn't timing out, but the remote server is otherwise
  unable to service the connection in a timely manner. Credit to
  ``@sanseihappa``.
- :bug:`742` (also re: :issue:`559`) Catch ``AssertionError`` thrown by
  Cryptography when attempting to load bad ECDSA keys, turning it into an
  ``SSHException``. This moves the behavior in line with other "bad keys"
  situations, re: Paramiko's main auth loop. Thanks to MengHuan Yu for the
  patch.
- :bug:`789 (1.17+)` Add a missing ``.closed`` attribute (plus ``._closed``
  because reasons) to `ProxyCommand <paramiko.proxy.ProxyCommand>` so the
  earlier partial fix for :issue:`520` works in situations where one is
  gatewaying via ``ProxyCommand``.
- :bug:`334 (1.17+)` Make the ``subprocess`` import in ``proxy.py`` lazy so
  users on platforms without it (such as Google App Engine) can import Paramiko
  successfully. (Relatedly, make it easier to tweak an active socket check
  timeout  [in `Transport <paramiko.transport.Transport>`] which was previously
  hardcoded.) Credit: Shinya Okano.
- :support:`854 backported (1.17+)` Fix incorrect docstring/param-list for
  `Transport.auth_gssapi_keyex
  <paramiko.transport.Transport.auth_gssapi_keyex>` so it matches the real
  signature. Caught by ``@Score_Under``.
- :bug:`681 (1.17+)` Fix a Python3-specific bug re: the handling of read
  buffers when using ``ProxyCommand``. Thanks to Paul Kapp for catch & patch.
- :feature:`398 (1.18+)` Add an ``environment`` dict argument to
  `Client.exec_command <paramiko.client.SSHClient.exec_command>` (plus the
  lower level `Channel.update_environment
  <paramiko.channel.Channel.update_environment>` and
  `Channel.set_environment_variable
  <paramiko.channel.Channel.set_environment_variable>` methods) which
  implements the ``env`` SSH message type. This means the remote shell
  environment can be set without the use of ``VARNAME=value`` shell tricks,
  provided the server's ``AcceptEnv`` lists the variables you need to set.
  Thanks to Philip Lorenz for the pull request.
- :support:`819 backported (>=1.15,<2.0)` Document how lacking ``gmp`` headers
  at install time can cause a significant performance hit if you build PyCrypto
  from source. (Most system-distributed packages already have this enabled.)
- :release:`2.0.2 <2016-07-25>`
- :release:`1.17.2 <2016-07-25>`
- :release:`1.16.3 <2016-07-25>`
- :bug:`673 (1.16+)` (via :issue:`681`) Fix protocol banner read errors
  (``SSHException``) which would occasionally pop up when using
  ``ProxyCommand`` gatewaying. Thanks to ``@Depado`` for the initial report and
  Paul Kapp for the fix.
- :bug:`774 (1.16+)` Add a ``_closed`` private attribute to
  `~paramiko.channel.Channel` objects so that they continue functioning when
  used as proxy sockets under Python 3 (e.g. as ``direct-tcpip`` gateways for
  other Paramiko connections.)
- :bug:`758 (1.16+)` Apply type definitions to ``_winapi`` module from
  `jaraco.windows <https://github.com/jaraco/jaraco.windows>`_ 3.6.1. This
  should address issues on Windows platforms that often result in errors like
  ``ArgumentError: [...] int too long to convert``. Thanks to ``@swohlerLL``
  for the report and Jason R. Coombs for the patch.
- :release:`2.0.1 <2016-06-21>`
- :release:`1.17.1 <2016-06-21>`
- :release:`1.16.2 <2016-06-21>`
- :bug:`520 (1.16+)` (Partial fix) Fix at least one instance of race condition
  driven threading hangs at end of the Python interpreter session. (Includes a
  docs update as well - always make sure to ``.close()`` your clients!)
- :bug:`537 (1.16+)` Fix a bug in `BufferedPipe.set_event
  <paramiko.buffered_pipe.BufferedPipe.set_event>` which could cause
  deadlocks/hangs when one uses `select.select` against
  `~paramiko.channel.Channel` objects (or otherwise calls `Channel.fileno
  <paramiko.channel.Channel.fileno>` after the channel has closed). Thanks to
  Przemysław Strzelczak for the report & reproduction case, and to Krzysztof
  Rusek for the fix.
- :release:`2.0.0 <2016-04-28>`
- :release:`1.17.0 <2016-04-28>`
- :release:`1.16.1 <2016-04-28>`
- :release:`1.15.5 <2016-04-28>`
- :feature:`731` (working off the earlier :issue:`611`) Add support for 384-
  and 512-bit elliptic curve groups in ECDSA key types (aka
  ``ecdsa-sha2-nistp384`` / ``ecdsa-sha2-nistp521``). Thanks to Michiel Tiller
  and ``@CrazyCasta`` for the patches.
- :bug:`670` Due to an earlier bugfix, less-specific ``Host`` blocks'
  ``ProxyCommand`` values were overriding ``ProxyCommand none`` in
  more-specific ``Host`` blocks. This has been fixed in a backwards compatible
  manner (i.e. ``ProxyCommand none`` continues to appear as a total lack of any
  ``proxycommand`` key in parsed config structures). Thanks to Pat Brisbin for
  the catch.
- :bug:`676` (via :issue:`677`) Fix a backwards incompatibility issue that
  cropped up in `SFTPFile.prefetch <paramiko.sftp_file.SFTPFile.prefetch>` re:
  the erroneously non-optional ``file_size`` parameter. Should only affect
  users who manually call ``prefetch``. Thanks to ``@stevevanhooser`` for catch
  & patch.
- :feature:`394` Replace PyCrypto with the Python Cryptographic Authority
  (PyCA) 'Cryptography' library suite. This improves security, installability,
  and performance; adds PyPy support; and much more.

  There aren't enough ways to thank Alex Gaynor for all of his work on this,
  and then his patience while the maintainer let his PR grow moss for a year
  and change. Paul Kehrer came in with an assist, and I think I saw Olle
  Lundberg, ``@techtonik`` and ``@johnthagen`` supplying backup as well. Thanks
  to all!

  .. warning::
    **This is a backwards incompatible change.**

    However, **it should only affect installation** requirements; **no API
    changes are intended or expected**. Please report any such breakages as
    bugs.

    See our updated :doc:`installation docs <installing>` for details on what
    is now required to install Paramiko; many/most users should be able to
    simply ``pip install -U paramiko`` (especially if you **upgrade to pip
    8**).

- :bug:`577` (via :issue:`578`; should also fix :issue:`718`, :issue:`560`) Fix
  stalled/hung SFTP downloads by cleaning up some threading lock issues. Thanks
  to Stephen C. Pope for the patch.
- :bug:`716` Fix a Python 3 compatibility issue when handling two-factor
  authentication. Thanks to Mateusz Kowalski for the catch & original patch.
- :support:`729 backported (>=1.15,<2.0)` Clean up ``setup.py`` to always use
  ``setuptools``, not doing so was a historical artifact from bygone days.
  Thanks to Alex Gaynor.
- :bug:`649 major (==1.17)` Update the module in charge of handling SSH moduli
  so it's consistent with OpenSSH behavior re: prime number selection. Thanks
  to Damien Tournoud for catch & patch.
- :bug:`617` (aka `fabric/fabric#1429
  <https://github.com/fabric/fabric/issues/1429>`_; via :issue:`679`; related:
  :issue:`678`, :issue:`685`, :issue:`615` & :issue:`616`) Fix up
  `~paramiko.ssh_exception.NoValidConnectionsError` so it pickles correctly,
  and fix a related Python 3 compatibility issue. Thanks to Rebecca Schlussel
  for the report & Marius Gedminas for the patch.
- :bug:`613` (via :issue:`619`) Update to ``jaraco.windows`` 3.4.1 to fix some
  errors related to ``ctypes`` on Windows platforms. Credit to Jason R. Coombs.
- :support:`621 backported (>=1.15,<2.0)` Annotate some public attributes on
  `~paramiko.channel.Channel` such as ``.closed``. Thanks to Sergey Vasilyev
  for the report.
- :bug:`632` Fix logic bug in the SFTP client's callback-calling functionality;
  previously there was a chance the given callback would fire twice at the end
  of a transfer. Thanks to ``@ab9-er`` for catch & original patch.
- :support:`612 backported (>=1.15,<2.0)` Identify & work around a race
  condition in the test for handshake timeouts, which was causing frequent test
  failures for a subset of contributors as well as Travis-CI (usually, but not
  always, limited to Python 3.5). Props to Ed Kellett for assistance during
  some of the troubleshooting.
- :support:`697 backported (>=1.15,<2.0)` Remove whitespace in our
  ``setup.py``'s ``install_requires`` as it triggers occasional bugs in some
  versions of ``setuptools``. Thanks to Justin Lecher for catch & original
  patch.
- :bug:`499` Strip trailing/leading whitespace from lines when parsing SSH
  config files - this brings things in line with OpenSSH behavior. Thanks to
  Alfredo Esteban for the original report and Nick Pillitteri for the patch.
- :bug:`652` Fix behavior of ``gssapi-with-mic`` auth requests so they fail
  gracefully (allowing followup via other auth methods) instead of raising an
  exception. Patch courtesy of ``@jamercee``.
- :feature:`588 (==1.17)` Add missing file-like object methods for
  `~paramiko.file.BufferedFile` and `~paramiko.sftp_file.SFTPFile`. Thanks to
  Adam Meily for the patch.
- :support:`636 backported (>=1.15,<2.0)` Clean up and enhance the README (and
  rename it to ``README.rst`` from just ``README``). Thanks to ``@LucasRMehl``.
- :release:`1.16.0 <2015-11-04>`
- :bug:`194 major` (also :issue:`562`, :issue:`530`, :issue:`576`) Streamline
  use of ``stat`` when downloading SFTP files via `SFTPClient.get
  <paramiko.sftp_client.SFTPClient.get>`; this avoids triggering bugs in some
  off-spec SFTP servers such as IBM Sterling. Thanks to ``@muraleee`` for the
  initial report and to Torkil Gustavsen for the patch.
- :feature:`467` (also :issue:`139`, :issue:`412`) Fully enable two-factor
  authentication (e.g. when a server requires ``AuthenticationMethods
  pubkey,keyboard-interactive``). Thanks to ``@perryjrandall`` for the patch
  and to ``@nevins-b`` and Matt Robenolt for additional support.
- :bug:`502 major` Fix 'exec' requests in server mode to use ``get_string``
  instead of ``get_text`` to avoid ``UnicodeDecodeError`` on non-UTF-8 input.
  Thanks to Anselm Kruis for the patch & discussion.
- :bug:`401` Fix line number reporting in log output regarding invalid
  ``known_hosts`` line entries. Thanks to Dylan Thacker-Smith for catch &
  patch.
- :support:`525 backported` Update the vendored Windows API addon to a more
  recent edition. Also fixes :issue:`193`, :issue:`488`, :issue:`498`. Thanks
  to Jason Coombs.
- :release:`1.15.4 <2015-11-02>`
- :release:`1.14.3 <2015-11-02>`
- :release:`1.13.4 <2015-11-02>`
- :bug:`366` Fix `~paramiko.sftp_attr.SFTPAttributes` so its string
  representation doesn't raise exceptions on empty/initialized instances. Patch
  by Ulrich Petri.
- :bug:`359` Use correct attribute name when trying to use Python 3's
  ``int.bit_length`` method; prior to fix, the Python 2 custom fallback
  implementation was always used, even on Python 3. Thanks to Alex Gaynor.
- :support:`594 backported` Correct some post-Python3-port docstrings to
  specify ``bytes`` type instead of ``str``. Credit to ``@redixin``.
- :bug:`565` Don't explode with ``IndexError`` when reading private key files
  lacking an ``-----END <type> PRIVATE KEY-----`` footer. Patch courtesy of
  Prasanna Santhanam.
- :feature:`604` Add support for the ``aes192-ctr`` and ``aes192-cbc`` ciphers.
  Thanks to Michiel Tiller for noticing it was as easy as tweaking some key
  sizes :D
- :feature:`356` (also :issue:`596`, :issue:`365`, :issue:`341`, :issue:`164`,
  :issue:`581`, and a bunch of other duplicates besides) Add support for SHA-2
  based key exchange (kex) algorithm ``diffie-hellman-group-exchange-sha256``
  and (H)MAC algorithms ``hmac-sha2-256`` and ``hmac-sha2-512``.

  This change includes tweaks to debug-level logging regarding
  algorithm-selection handshakes; the old all-in-one log line is now multiple
  easier-to-read, printed-at-handshake-time log lines.

  Thanks to the many people who submitted patches for this functionality and/or
  assisted in testing those patches. That list includes but is not limited to,
  and in no particular order: Matthias Witte, Dag Wieers, Ash Berlin, Etienne
  Perot, Gert van Dijk, ``@GuyShaanan``, Aaron Bieber, ``@cyphase``, and Eric
  Brown.
- :release:`1.15.3 <2015-10-02>`
- :support:`554 backported` Fix inaccuracies in the docstring for the ECDSA key
  class. Thanks to Jared Hance for the patch.
- :support:`516 backported` Document `~paramiko.agent.AgentRequestHandler`.
  Thanks to ``@toejough`` for report & suggestions.
- :bug:`496 (1.15+)` Fix a handful of small but critical bugs in Paramiko's
  GSSAPI support (note: this includes switching from PyCrypo's Random to
  `os.urandom`). Thanks to Anselm Kruis for catch & patch.
- :bug:`491` (combines :issue:`62` and :issue:`439`) Implement timeout
  functionality to address hangs from dropped network connections and/or failed
  handshakes. Credit to ``@vazir`` and ``@dacut`` for the original patches and
  to Olle Lundberg for reimplementation.
- :bug:`490` Skip invalid/unparseable lines in ``known_hosts`` files, instead
  of raising `~paramiko.ssh_exception.SSHException`. This brings Paramiko's
  behavior more in line with OpenSSH, which silently ignores such input. Catch
  & patch courtesy of Martin Topholm.
- :bug:`404` Print details when displaying
  `~paramiko.ssh_exception.BadHostKeyException` objects (expected vs received
  data) instead of just "hey shit broke". Patch credit: Loic Dachary.
- :bug:`469` (also :issue:`488`, :issue:`461` and like a dozen others) Fix a
  typo introduced in the 1.15 release which broke WinPageant support. Thanks to
  everyone who submitted patches, and to Steve Cohen who was the lucky winner
  of the cherry-pick lottery.
- :bug:`353` (via :issue:`482`) Fix a bug introduced in the Python 3 port
  which caused ``OverFlowError`` (and other symptoms) in SFTP functionality.
  Thanks to ``@dboreham`` for leading the troubleshooting charge, and to
  Scott Maxwell for the final patch.
- :support:`582` Fix some old ``setup.py`` related helper code which was
  breaking ``bdist_dumb`` on Mac OS X. Thanks to Peter Odding for the patch.
- :bug:`22 major` Try harder to connect to multiple network families (e.g. IPv4
  vs IPv6) in case of connection issues; this helps with problems such as hosts
  which resolve both IPv4 and IPv6 addresses but are only listening on IPv4.
  Thanks to Dries Desmet for original report and Torsten Landschoff for the
  foundational patchset.
- :bug:`402` Check to see if an SSH agent is actually present before trying to
  forward it to the remote end. This replaces what was usually a useless
  ``TypeError`` with a human-readable
  `~paramiko.ssh_exception.AuthenticationException`. Credit to Ken Jordan for
  the fix and Yvan Marques for original report.
- :release:`1.15.2 <2014-12-19>`
- :release:`1.14.2 <2014-12-19>`
- :release:`1.13.3 <2014-12-19>`
- :bug:`413` (also :issue:`414`, :issue:`420`, :issue:`454`) Be significantly
  smarter about polling & timing behavior when running proxy commands, to avoid
  unnecessary (often 100%!) CPU usage. Major thanks to Jason Dunsmore for
  report & initial patchset and to Chris Adams & John Morrissey for followup
  improvements.
- :bug:`455` Tweak packet size handling to conform better to the OpenSSH RFCs;
  this helps address issues with interactive program cursors. Courtesy of Jeff
  Quast.
- :bug:`428` Fix an issue in `~paramiko.file.BufferedFile` (primarily used in
  the SFTP modules) concerning incorrect behavior by
  `~paramiko.file.BufferedFile.readlines` on files whose size exceeds the
  buffer size. Thanks to ``@achapp`` for catch & patch.
- :bug:`415` Fix ``ssh_config`` parsing to correctly interpret ``ProxyCommand
  none`` as the lack of a proxy command, instead of as a literal command string
  of ``"none"``. Thanks to Richard Spiers for the catch & Sean Johnson for the
  fix.
- :support:`431 backported` Replace handrolled ``ssh_config`` parsing code with
  use of the ``shlex`` module. Thanks to Yan Kalchevskiy.
- :support:`422 backported` Clean up some unused imports. Courtesy of Olle
  Lundberg.
- :support:`421 backported` Modernize threading calls to use newer API. Thanks
  to Olle Lundberg.
- :support:`419 backported` Modernize a bunch of the codebase internals to
  leverage decorators. Props to ``@beckjake`` for realizing we're no longer on
  Python 2.2 :D
- :bug:`266` Change numbering of `~paramiko.transport.Transport` channels to
  start at 0 instead of 1 for better compatibility with OpenSSH & certain
  server implementations which break on 1-indexed channels. Thanks to
  ``@egroeper`` for catch & patch.
- :bug:`459` Tighten up agent connection closure behavior to avoid spurious
  ``ResourceWarning`` display in some situations. Thanks to ``@tkrapp`` for the
  catch.
- :bug:`429` Server-level debug message logging was overlooked during the
  Python 3 compatibility update; Python 3 clients attempting to log SSH debug
  packets encountered type errors. This is now fixed. Thanks to ``@mjmaenpaa``
  for the catch.
- :bug:`320` Update our win_pageant module to be Python 3 compatible. Thanks to
  ``@sherbang`` and ``@adamkerz`` for the patches.
- :release:`1.15.1 <2014-09-22>`
- :bug:`399` SSH agent forwarding (potentially other functionality as
  well) would hang due to incorrect values passed into the new window size
  arguments for `~paramiko.transport.Transport` (thanks to a botched merge).
  This has been corrected. Thanks to Dylan Thacker-Smith for the report &
  patch.
- :feature:`167` Add `~paramiko.config.SSHConfig.get_hostnames` for easier
  introspection of a loaded SSH config file or object. Courtesy of Søren
  Løvborg.
- :release:`1.15.0 <2014-09-18>`
- :support:`393` Replace internal use of PyCrypto's ``SHA.new`` with the
  stdlib's ``hashlib.sha1``. Thanks to Alex Gaynor.
- :feature:`267` (also :issue:`250`, :issue:`241`, :issue:`228`) Add GSS-API /
  SSPI (e.g. Kerberos) key exchange and authentication support
  (:ref:`installation docs here <gssapi>`). Mega thanks to Sebastian Deiß, with
  assist by Torsten Landschoff.

  .. note::
      Unix users should be aware that the ``python-gssapi`` library (a
      requirement for using this functionality) only appears to support
      Python 2.7 and up at this time.

- :bug:`346 major` Fix an issue in private key files' encryption salts that
  could cause tracebacks and file corruption if keys were re-encrypted. Credit
  to Xavier Nunn.
- :feature:`362` Allow users to control the SSH banner timeout. Thanks to Cory
  Benfield.
- :feature:`372` Update default window & packet sizes to more closely adhere to
  the pertinent RFC; also expose these settings in the public API so they may
  be overridden by client code. This should address some general speed issues
  such as :issue:`175`. Big thanks to Olle Lundberg for the update.
- :bug:`373 major` Attempt to fix a handful of issues (such as :issue:`354`)
  related to infinite loops and threading deadlocks. Thanks to Olle Lundberg as
  well as a handful of community members who provided advice & feedback via
  IRC.
- :support:`374` (also :issue:`375`) Old code cleanup courtesy of Olle
  Lundberg.
- :support:`377` Factor `~paramiko.channel.Channel` openness sanity check into
  a decorator. Thanks to Olle Lundberg for original patch.
- :bug:`298 major` Don't perform point validation on ECDSA keys in
  ``known_hosts`` files, since a) this can cause significant slowdown when such
  keys exist, and b) ``known_hosts`` files are implicitly trustworthy. Thanks
  to Kieran Spear for catch & patch.

  .. note::
    This change bumps up the version requirement for the ``ecdsa`` library to
    ``0.11``.

- :bug:`234 major` Lower logging levels for a few overly-noisy log messages
  about secure channels. Thanks to David Pursehouse for noticing & contributing
  the fix.
- :feature:`218` Add support for ECDSA private keys on the client side. Thanks
  to ``@aszlig`` for the patch.
- :bug:`335 major` Fix ECDSA key generation (generation of brand new ECDSA keys
  was broken previously). Thanks to ``@solarw`` for catch & patch.
- :feature:`184` Support quoted values in SSH config file parsing. Credit to
  Yan Kalchevskiy.
- :feature:`131` Add a `~paramiko.sftp_client.SFTPClient.listdir_iter` method
  to `~paramiko.sftp_client.SFTPClient` allowing for more efficient,
  async/generator based file listings. Thanks to John Begeman.
- :support:`378 backported` Minor code cleanup in the SSH config module
  courtesy of Olle Lundberg.
- :support:`249 backported` Consolidate version information into one spot.
  Thanks to Gabi Davar for the reminder.
- :release:`1.14.1 <2014-08-25>`
- :release:`1.13.2 <2014-08-25>`
- :bug:`376` Be less aggressive about expanding variables in ``ssh_config``
  files, which results in a speedup of SSH config parsing. Credit to Olle
  Lundberg.
- :support:`324 backported` A bevvy of documentation typo fixes, courtesy of Roy
  Wellington.
- :bug:`312` `paramiko.transport.Transport` had a bug in its ``__repr__`` which
  surfaces during errors encountered within its ``__init__``, causing
  problematic tracebacks in such situations. Thanks to Simon Percivall for
  catch & patch.
- :bug:`272` Fix a bug where ``known_hosts`` parsing hashed the input hostname
  as well as the hostnames from the ``known_hosts`` file, on every comparison.
  Thanks to ``@sigmunau`` for final patch and ``@ostacey`` for the original
  report.
- :bug:`239` Add Windows-style CRLF support to SSH config file parsing. Props
  to Christopher Swenson.
- :support:`229 backported` Fix a couple of incorrectly-copied docstrings' ``..
  versionadded::`` RST directives. Thanks to Aarni Koskela for the catch.
- :support:`169 backported` Minor refactor of
  `paramiko.sftp_client.SFTPClient.put` thanks to Abhinav Upadhyay.
- :bug:`285` (also :issue:`352`) Update our Python 3 ``b()`` compatibility shim
  to handle ``buffer`` objects correctly; this fixes a frequently reported
  issue affecting many users, including users of the ``bzr`` software suite.
  Thanks to ``@basictheprogram`` for the initial report, Jelmer Vernooij for
  the fix and Andrew Starr-Bochicchio & Jeremy T. Bouse (among others) for
  discussion & feedback.
- :support:`371` Add Travis support & docs update for Python 3.4. Thanks to
  Olle Lundberg.
- :release:`1.14.0 <2014-05-07>`
- :release:`1.13.1 <2014-05-07>`
- :release:`1.12.4 <2014-05-07>`
- :release:`1.11.6 <2014-05-07>`
- :bug:`-` `paramiko.file.BufferedFile.read` incorrectly returned text strings
  after the Python 3 migration, despite bytes being more appropriate for file
  contents (which may be binary or of an unknown encoding.) This has been
  addressed.

  .. note::
      `paramiko.file.BufferedFile.readline` continues to return strings, not
      bytes, as "lines" only make sense for textual data. It assumes UTF-8 by
      default.

  This should fix `this issue raised on the Obnam mailing list
  <http://comments.gmane.org/gmane.comp.sysutils.backup.obnam/252>`_.  Thanks
  to Antoine Brenner for the patch.
- :bug:`-` Added self.args for exception classes. Used for unpickling. Related
  to (`Fabric #986 <https://github.com/fabric/fabric/issues/986>`_, `Fabric
  #714 <https://github.com/fabric/fabric/issues/714>`_). Thanks to Alex
  Plugaru.
- :bug:`-` Fix logging error in sftp_client for filenames containing the '%'
  character. Thanks to Antoine Brenner.
- :bug:`308` Fix regression in dsskey.py that caused sporadic signature
  verification failures. Thanks to Chris Rose.
- :support:`299` Use deterministic signatures for ECDSA keys for improved
  security. Thanks to Alex Gaynor.
- :support:`297` Replace PyCrypto's ``Random`` with `os.urandom` for improved
  speed and security. Thanks again to Alex.
- :support:`295` Swap out a bunch of PyCrypto hash functions with use of
  `hashlib`. Thanks to Alex Gaynor.
- :support:`290` (also :issue:`292`) Add support for building universal
  (Python 2+3 compatible) wheel files during the release process. Courtesy of
  Alex Gaynor.
- :support:`284` Add Python language trove identifiers to ``setup.py``. Thanks
  to Alex Gaynor for catch & patch.
- :bug:`235` Improve string type testing in a handful of spots (e.g. ``s/if
  type(x) is str/if isinstance(x, basestring)/g``.) Thanks to ``@ksamuel`` for
  the report.
- :release:`1.13.0 <2014-03-13>`
- :release:`1.12.3 <2014-03-13>`
- :release:`1.11.5 <2014-03-13>`
- :release:`1.10.7 <2014-03-13>`
- :feature:`16` **Python 3 support!** Our test suite passes under Python 3, and
  it (& Fabric's test suite) continues to pass under Python 2. **Python 2.5 is
  no longer supported with this change!**

  The merged code was built on many contributors' efforts, both code &
  feedback. In no particular order, we thank Daniel Goertzen, Ivan Kolodyazhny,
  Tomi Pieviläinen, Jason R. Coombs, Jan N. Schulze, ``@Lazik``, Dorian Pula,
  Scott Maxwell, Tshepang Lekhonkhobe, Aaron Meurer, and Dave Halter.
- :support:`256 backported` Convert API documentation to Sphinx, yielding a new
  API docs website to replace the old Epydoc one. Thanks to Olle Lundberg for
  the initial conversion work.
- :bug:`-` Use constant-time hash comparison operations where possible, to
  protect against `timing-based attacks
  <http://codahale.com/a-lesson-in-timing-attacks/>`_. Thanks to Alex Gaynor
  for the patch.
- :release:`1.12.2 <2014-02-14>`
- :release:`1.11.4 <2014-02-14>`
- :release:`1.10.6 <2014-02-14>`
- :feature:`58` Allow client code to access the stored SSH server banner via
  `Transport.get_banner <paramiko.transport.Transport.get_banner>`. Thanks to
  ``@Jhoanor`` for the patch.
- :bug:`252` (`Fabric #1020 <https://github.com/fabric/fabric/issues/1020>`_)
  Enhanced the implementation of ``ProxyCommand`` to avoid a deadlock/hang
  condition that frequently occurs at ``Transport`` shutdown time. Thanks to
  Mateusz Kobos, Matthijs van der Vleuten and Guillaume Zitta for the original
  reports and to Marius Gedminas for helping test nontrivial use cases.
- :bug:`268` Fix some missed renames of ``ProxyCommand`` related error classes.
  Thanks to Marius Gedminas for catch & patch.
- :bug:`34` (PR :issue:`35`) Fix SFTP prefetching incompatibility with some
  SFTP servers regarding request/response ordering. Thanks to Richard
  Kettlewell.
- :bug:`193` (and its attentant PRs :issue:`230` & :issue:`253`) Fix SSH agent
  problems present on Windows. Thanks to David Hobbs for initial report and to
  Aarni Koskela & Olle Lundberg for the patches.
- :release:`1.12.1 <2014-01-08>`
- :release:`1.11.3 <2014-01-08>`
- :release:`1.10.5 <2014-01-08>`
- :bug:`225 (1.12+)` Note ecdsa requirement in README. Thanks to Amaury
  Rodriguez for the catch.
- :bug:`176` Fix AttributeError bugs in known_hosts file (re)loading. Thanks
  to Nathan Scowcroft for the patch & Martin Blumenstingl for the initial test
  case.
- :release:`1.12.0 <2013-09-27>`
- :release:`1.11.2 <2013-09-27>`
- :release:`1.10.4 <2013-09-27>`
- :feature:`152` Add tentative support for ECDSA keys. **This adds the ecdsa
  module as a new dependency of Paramiko.** The module is available at
  `warner/python-ecdsa on Github <https://github.com/warner/python-ecdsa>`_ and
  `ecdsa on PyPI <https://pypi.python.org/pypi/ecdsa>`_.

    * Note that you might still run into problems with key negotiation --
      Paramiko picks the first key that the server offers, which might not be
      what you have in your known_hosts file.
    * Mega thanks to Ethan Glasser-Camp for the patch.

- :feature:`136` Add server-side support for the SSH protocol's 'env' command.
  Thanks to Benjamin Pollack for the patch.
- :bug:`156 (1.11+)` Fix potential deadlock condition when using Channel
  objects as sockets (e.g. when using SSH gatewaying). Thanks to Steven Noonan
  and Frank Arnold for catch & patch.
- :bug:`179` Fix a missing variable causing errors when an ssh_config file has
  a non-default AddressFamily set. Thanks to Ed Marshall & Tomaz Muraus for
  catch & patch.
- :bug:`200` Fix an exception-causing typo in ``demo_simple.py``. Thanks to Alex
  Buchanan for catch & Dave Foster for patch.
- :bug:`199` Typo fix in the license header cross-project. Thanks to Armin
  Ronacher for catch & patch.
- :release:`1.11.1 <2013-09-20>`
- :release:`1.10.3 <2013-09-20>`
- :bug:`162` Clean up HMAC module import to avoid deadlocks in certain uses of
  SSHClient. Thanks to Gernot Hillier for the catch & suggested fix.
- :bug:`36` Fix the port-forwarding demo to avoid file descriptor errors.
  Thanks to Jonathan Halcrow for catch & patch.
- :bug:`168` Update config handling to properly handle multiple 'localforward'
  and 'remoteforward' keys. Thanks to Emre Yılmaz for the patch.
- :release:`1.11.0 <2013-07-26>`
- :release:`1.10.2 <2013-07-26>`
- :bug:`98 major` On Windows, when interacting with the PuTTY PAgeant, Paramiko
  now creates the shared memory map with explicit Security Attributes of the
  user, which is the same technique employed by the canonical PuTTY library to
  avoid permissions issues when Paramiko is running under a different UAC
  context than the PuTTY Ageant process. Thanks to Jason R. Coombs for the
  patch.
- :support:`100` Remove use of PyWin32 in ``win_pageant`` module. Module was
  already dependent on ctypes for constructing appropriate structures and had
  ctypes implementations of all functionality. Thanks to Jason R. Coombs for
  the patch.
- :bug:`87 major` Ensure updates to ``known_hosts`` files account for any
  updates to said files after Paramiko initially read them. (Includes related
  fix to guard against duplicate entries during subsequent ``known_hosts``
  loads.) Thanks to ``@sunweaver`` for the contribution.
- :bug:`153` (also :issue:`67`) Warn on parse failure when reading known_hosts
  file.  Thanks to ``@glasserc`` for patch.
- :bug:`146` Indentation fixes for readability. Thanks to Abhinav Upadhyay for
  catch & patch.
- :release:`1.10.1 <2013-04-05>`
- :bug:`142` (`Fabric #811 <https://github.com/fabric/fabric/issues/811>`_)
  SFTP put of empty file will still return the attributes of the put file.
  Thanks to Jason R. Coombs for the patch.
- :bug:`154` (`Fabric #876 <https://github.com/fabric/fabric/issues/876>`_)
  Forwarded SSH agent connections left stale local pipes lying around, which
  could cause local (and sometimes remote or network) resource starvation when
  running many agent-using remote commands. Thanks to Kevin Tegtmeier for catch
  & patch.
- :release:`1.10.0 <2013-03-01>`
- :feature:`66` Batch SFTP writes to help speed up file transfers. Thanks to
  Olle Lundberg for the patch.
- :bug:`133 major` Fix handling of window-change events to be on-spec and not
  attempt to wait for a response from the remote sshd; this fixes problems with
  less common targets such as some Cisco devices. Thanks to Phillip Heller for
  catch & patch.
- :feature:`93` Overhaul SSH config parsing to be in line with ``man
  ssh_config`` (& the behavior of ``ssh`` itself), including addition of parameter
  expansion within config values. Thanks to Olle Lundberg for the patch.
- :feature:`110` Honor SSH config ``AddressFamily`` setting when looking up
  local host's FQDN. Thanks to John Hensley for the patch.
- :feature:`128` Defer FQDN resolution until needed, when parsing SSH config
  files.  Thanks to Parantapa Bhattacharya for catch & patch.
- :bug:`102 major` Forego random padding for packets when running under
  ``*-ctr`` ciphers.  This corrects some slowdowns on platforms where random
  byte generation is inefficient (e.g. Windows). Thanks to  ``@warthog618`` for
  catch & patch, and Michael van der Kolff for code/technique review.
- :feature:`127` Turn ``SFTPFile`` into a context manager. Thanks to Michael
  Williamson for the patch.
- :feature:`116` Limit ``Message.get_bytes`` to an upper bound of 1MB to protect
  against potential DoS vectors. Thanks to ``@mvschaik`` for catch & patch.
- :feature:`115` Add convenience ``get_pty`` kwarg to ``Client.exec_command`` so
  users not manually controlling a channel object can still toggle PTY
  creation. Thanks to Michael van der Kolff for the patch.
- :feature:`71` Add ``SFTPClient.putfo`` and ``.getfo`` methods to allow direct
  uploading/downloading of file-like objects. Thanks to Eric Buehl for the
  patch.
- :feature:`113` Add ``timeout`` parameter to ``SSHClient.exec_command`` for
  easier setting of the command's internal channel object's timeout. Thanks to
  Cernov Vladimir for the patch.
- :support:`94` Remove duplication of SSH port constant. Thanks to Olle
  Lundberg for the catch.
- :feature:`80` Expose the internal "is closed" property of the file transfer
  class ``BufferedFile`` as ``.closed``, better conforming to Python's file
  interface.  Thanks to ``@smunaut`` and James Hiscock for catch & patch.