PaulHowarth/Blog/2021-12-24

Friday 24th December 2021

Fedora Project

  • Updated perl-DateTime to 1.55 in Rawhide:

    • Another documentation fix release; this fixes some mistakes, fixes some broken links, and removes all references to the long-dead datetime.perl.org site

  • Updated python-paramiko to 2.9.0 in Rawhide:

    • Add support for SHA-2 variants of RSA key verification algorithms (as described in RFC 8332) as well as limited SSH extension negotiation (RFC 8308) (GH#1326, GH#1643, GH#1644, GH#1925)

    • How SSH servers/clients decide when and how to use this functionality can be complicated; Paramiko's support is as follows:
      • Client verification of server host key during key exchange will now prefer rsa-sha2-512, rsa-sha2-256, and legacy ssh-rsa algorithms, in that order, instead of just ssh-rsa

      • Note that the preference order of other algorithm families such as ed25519 and ecdsa has not changed; for example, those two groups are still preferred over RSA

      • Server mode will now offer all 3 RSA algorithms for host key verification during key exchange, similar to client mode, if it has been configured with an RSA host key
      • Client mode key exchange now sends the ext-info-c flag, signalling support for MSG_EXT_INFO, and support for parsing the latter (specifically, its server-sig-algs flag) has been added

      • Client mode, when performing public key authentication with an RSA key or cert, will act as follows:
        • In all cases, the list of algorithms to consider is based on the new preferred_pubkeys list and disabled_algorithms; this list, like with host keys, prefers SHA2-512, SHA2-256 and SHA1, in that order

        • When the server does not send server-sig-algs, Paramiko will attempt the first algorithm in the above list; clients connecting to legacy servers should thus use disabled_algorithms to turn off SHA2

        • When the server does send server-sig-algs, the first algorithm supported by both ends is used, or if there is none, it falls back to the previous behaviour

      • SSH agent support grew the ability to specify algorithm flags when requesting private key signatures; this is now used to forward SHA2 algorithms when appropriate

      • Server mode is now capable of pubkey auth involving SHA-2 signatures from clients, provided one's server implementation actually provides for doing so; this includes basic support for sending MSG_EXT_INFO (containing server-sig-algs only) to clients advertising ext-info-c in their key exchange list

    • In order to implement the above, the following API additions were made:
      • 'PKey.sign_ssh_data' (paramiko.pkey.PKey): Grew an extra, optional 'algorithm' keyword argument (defaulting to 'None' for most subclasses, and to "ssh-rsa" for 'paramiko.rsakey.RSAKey')

      • A new 'paramiko.ssh_exception.SSHException' subclass was added, 'paramiko.ssh_exception.IncompatiblePeer', and is raised in all spots where key exchange aborts due to algorithmic incompatibility; like all other exceptions in that module, it inherits from 'SSHException', and as nothing else was changed about the raising (i.e. the attributes and message text are the same) this change is backwards compatible

      • 'paramiko.transport.Transport' grew a '_preferred_pubkeys' attribute and matching 'preferred_pubkeys' property to match the other, kex-focused, such members; this allows client pubkey authentication to honour the 'disabled_algorithms' feature

  • Branched and built perl-Class-Load (0.25) for EPEL-9

  • Branched and built perl-Class-Load-XS (0.10) for EPEL-9

  • Branched and built perl-Module-CPANTS-Analyse (1.01) for EPEL-9

  • Branched and built perl-Test-Kwalitee (1.28) for EPEL-9
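
The client-side RSA signature algorithm selection described in the python-paramiko 2.9.0 notes above can be modelled in a few lines. This is an added example, not Paramiko's own code: the function names are hypothetical, the sample server-sig-algs values are constructed, and "previous behaviour" is assumed to mean signing with legacy ssh-rsa.

```python
# Added illustration: a model of the selection rules in the release notes,
# not Paramiko source code. All function names here are hypothetical.

# Preference order given in the notes: SHA2-512, SHA2-256, then SHA1.
PREFERRED_RSA_PUBKEYS = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")
LEGACY_ALGORITHM = "ssh-rsa"  # assumption: the pre-2.9.0 "previous behaviour"


def candidate_algorithms(disabled_algorithms=None):
    """Preferred list minus the 'pubkeys' entries of disabled_algorithms."""
    disabled = set((disabled_algorithms or {}).get("pubkeys", ()))
    return [alg for alg in PREFERRED_RSA_PUBKEYS if alg not in disabled]


def parse_server_sig_algs(value):
    """RFC 8308 sends server-sig-algs as a comma-separated name-list."""
    if value is None:
        return None  # the server sent no server-sig-algs extension
    text = value.decode("ascii") if isinstance(value, bytes) else value
    return [name for name in text.split(",") if name]


def choose_rsa_signature_algorithm(server_sig_algs=None, disabled_algorithms=None):
    """Return (algorithm, reason) for client RSA public key authentication."""
    candidates = candidate_algorithms(disabled_algorithms)
    if not candidates:
        # Choice made for this example; the notes do not cover this case.
        raise ValueError("every RSA signature algorithm is disabled")
    offered = parse_server_sig_algs(server_sig_algs)
    if offered is None:
        return candidates[0], "no server-sig-algs: first preferred algorithm"
    for alg in candidates:
        if alg in offered:
            return alg, "first algorithm supported by both ends"
    return LEGACY_ALGORITHM, "no common algorithm: previous behaviour"


if __name__ == "__main__":
    # Constructed inputs: a modern server, a legacy server, and the same
    # legacy server with SHA2 turned off as the notes recommend.
    sha2_off = {"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]}
    cases = [
        (b"ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", None),
        (None, None),
        (None, sha2_off),
    ]
    for sig_algs, disabled in cases:
        print(sig_algs, disabled, choose_rsa_signature_algorithm(sig_algs, disabled))
```

The second case shows why a legacy server that never sends server-sig-algs is offered rsa-sha2-512 first; with Paramiko itself, the third case corresponds to passing disabled_algorithms={"pubkeys": ["rsa-sha2-512", "rsa-sha2-256"]} to SSHClient.connect or Transport.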

Local Packages

  • Updated perl-DateTime to 1.55 as per the Fedora version

