asyncssh 2.21.0__tar.gz → 2.22.0__tar.gz

{asyncssh-2.21.0 → asyncssh-2.22.0}/.github/workflows/run_tests.yml

@@ -1,27 +1,20 @@
 name: Run tests
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   run-tests:
     name: Run tests
+    permissions:
+      contents: read
+      actions: write
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        python-version: ["3.8", "3.9", "3.10", "3.11", "3.12", "3.13"]
-        include:
-          - os: macos-latest
-            python-version: "3.10"
-            openssl-version: "3"
-          - os: macos-latest
-            python-version: "3.11"
-            openssl-version: "3"
-          - os: macos-latest
-            python-version: "3.12"
-            openssl-version: "3"
-          - os: macos-latest
-            python-version: "3.13"
-            openssl-version: "3"
+        python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
 
     runs-on: ${{ matrix.os }}
     env:
@@ -50,6 +43,19 @@ jobs:
             asyncssh/setup.py
             asyncssh/tox.ini
 
+      - name: Fix modules path for OpenSSL on Windows
+        if: ${{ runner.os == 'Windows' }}
+        shell: pwsh
+        run: |
+          $openssl_path = ((Get-Command openssl).Path | Split-Path -Parent)
+          echo "OPENSSL_MODULES=$openssl_path" >> $env:GITHUB_ENV
+
+      - name: Verify legacy provider can be enabled in OpenSSL on Windows
+        if: ${{ runner.os == 'Windows' }}
+        shell: pwsh
+        run: |
+          openssl list -provider default -provider legacy -providers
+
       - name: Set up ccache for liboqs (Linux)
         uses: hendrikmuhs/ccache-action@v1.2
         if: ${{ runner.os == 'Linux' }}
@@ -60,15 +66,11 @@ jobs:
         if: ${{ runner.os == 'Linux' }}
         run: |
           sudo apt update
-          sudo apt install -y --no-install-recommends libnettle8 libsodium-dev libssl-dev libkrb5-dev ssh cmake ninja-build
+          sudo apt install -y --no-install-recommends libnettle8 libssl-dev libkrb5-dev ssh cmake ninja-build
 
       - name: Install macOS dependencies
         if: ${{ runner.os == 'macOS' }}
-        run: brew install nettle liboqs libsodium openssl
-
-      - name: Provide OpenSSL 3
-        if: ${{ runner.os == 'macOS' && matrix.openssl-version == '3' }}
-        run: echo "/usr/local/opt/openssl@3/bin" >> $GITHUB_PATH
+        run: brew install nettle liboqs
 
       - name: Install nettle (Windows)
         if: ${{ runner.os == 'Windows' }}
@@ -124,6 +126,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: run-tests
     if: ${{ always() }}
+    permissions:
+      actions: write
     steps:
       - name: Merge coverage
         uses: actions/upload-artifact/merge@v4
@@ -137,6 +141,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: merge-coverage
     if: ${{ always() }}
+    permissions:
+      contents: read
+      actions: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-python@v5

{asyncssh-2.21.0/asyncssh.egg-info → asyncssh-2.22.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: asyncssh
-Version: 2.21.0
+Version: 2.22.0
 Summary: AsyncSSH: Asynchronous SSHv2 client and server library
 Author-email: Ron Frederick <ronf@timeheart.net>
 License: EPL-2.0 OR GPL-2.0-or-later
@@ -14,17 +14,16 @@ Classifier: Intended Audience :: Developers
 Classifier: License :: OSI Approved
 Classifier: Operating System :: MacOS :: MacOS X
 Classifier: Operating System :: POSIX
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Topic :: Internet
 Classifier: Topic :: Security :: Cryptography
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: Topic :: System :: Networking
-Requires-Python: >=3.6
+Requires-Python: >=3.10
 Description-Content-Type: text/x-rst
 License-File: LICENSE
 Requires-Dist: cryptography>=39.0
@@ -32,7 +31,7 @@ Requires-Dist: typing_extensions>=4.0.0
 Provides-Extra: bcrypt
 Requires-Dist: bcrypt>=3.1.3; extra == "bcrypt"
 Provides-Extra: fido2
-Requires-Dist: fido2>=0.9.2; extra == "fido2"
+Requires-Dist: fido2>=2; extra == "fido2"
 Provides-Extra: gssapi
 Requires-Dist: gssapi>=1.2.0; extra == "gssapi"
 Provides-Extra: libnacl
@@ -58,7 +57,7 @@ AsyncSSH: Asynchronous SSH for Python
 =====================================
 
 AsyncSSH is a Python package which provides an asynchronous client and
-server implementation of the SSHv2 protocol on top of the Python 3.6+
+server implementation of the SSHv2 protocol on top of the Python 3.10+
 asyncio framework.
 
 .. code:: python
@@ -148,7 +147,7 @@ License
 
 This package is released under the following terms:
 
-  Copyright (c) 2013-2024 by Ron Frederick <ronf@timeheart.net> and others.
+  Copyright (c) 2013-2025 by Ron Frederick <ronf@timeheart.net> and others.
 
   This program and the accompanying materials are made available under
   the terms of the Eclipse Public License v2.0 which accompanies this
@@ -173,8 +172,8 @@ Prerequisites
 
 To use AsyncSSH 2.0 or later, you need the following:
 
-* Python 3.6 or later
-* cryptography (PyCA) 3.1 or later
+* Python 3.10 or later
+* cryptography (PyCA) 39.0 or later
 
 Installation
 ------------
@@ -207,12 +206,6 @@ functionality:
   if you want support for the OpenSSH post-quantum key exchange
   algorithms based on ML-KEM and SNTRUP.
 
-* Install libsodium from https://github.com/jedisct1/libsodium
-  and libnacl from https://pypi.python.org/pypi/libnacl if you have
-  a version of OpenSSL older than 1.1.1b installed and you want
-  support for Curve25519 key exchange, Ed25519 keys and certificates,
-  or the Chacha20-Poly1305 cipher.
-
 * Install libnettle from http://www.lysator.liu.se/~nisse/nettle/
   if you want support for UMAC cryptographic hashes.
 
@@ -229,28 +222,26 @@ easy to install any or all of these dependencies:
   | bcrypt
   | fido2
   | gssapi
-  | libnacl
   | pkcs11
   | pyOpenSSL
   | pywin32
 
-For example, to install bcrypt, fido2, gssapi, libnacl, pkcs11, and
-pyOpenSSL on UNIX, you can run:
+For example, to install bcrypt, fido2, gssapi, pkcs11, and pyOpenSSL
+on UNIX, you can run:
 
   ::
 
-    pip install 'asyncssh[bcrypt,fido2,gssapi,libnacl,pkcs11,pyOpenSSL]'
+    pip install 'asyncssh[bcrypt,fido2,gssapi,pkcs11,pyOpenSSL]'
 
-To install bcrypt, fido2, libnacl, pkcs11, pyOpenSSL, and pywin32 on
-Windows, you can run:
+To install bcrypt, fido2, pkcs11, pyOpenSSL, and pywin32 on Windows,
+you can run:
 
   ::
 
-    pip install 'asyncssh[bcrypt,fido2,libnacl,pkcs11,pyOpenSSL,pywin32]'
+    pip install 'asyncssh[bcrypt,fido2,pkcs11,pyOpenSSL,pywin32]'
 
-Note that you will still need to manually install the libsodium library
-listed above for libnacl to work correctly and/or libnettle for UMAC
-support. Unfortunately, since liboqs, libsodium, and libnettle are not
+Note that you will still need to manually install the libnettle library
+for UMAC support. Unfortunately, since liboqs and libnettle are not
 Python packages, they cannot be directly installed using pip.
 
 Installing the development branch

{asyncssh-2.21.0 → asyncssh-2.22.0}/README.rst

@@ -11,7 +11,7 @@ AsyncSSH: Asynchronous SSH for Python
 =====================================
 
 AsyncSSH is a Python package which provides an asynchronous client and
-server implementation of the SSHv2 protocol on top of the Python 3.6+
+server implementation of the SSHv2 protocol on top of the Python 3.10+
 asyncio framework.
 
 .. code:: python
@@ -101,7 +101,7 @@ License
 
 This package is released under the following terms:
 
-  Copyright (c) 2013-2024 by Ron Frederick <ronf@timeheart.net> and others.
+  Copyright (c) 2013-2025 by Ron Frederick <ronf@timeheart.net> and others.
 
   This program and the accompanying materials are made available under
   the terms of the Eclipse Public License v2.0 which accompanies this
@@ -126,8 +126,8 @@ Prerequisites
 
 To use AsyncSSH 2.0 or later, you need the following:
 
-* Python 3.6 or later
-* cryptography (PyCA) 3.1 or later
+* Python 3.10 or later
+* cryptography (PyCA) 39.0 or later
 
 Installation
 ------------
@@ -160,12 +160,6 @@ functionality:
   if you want support for the OpenSSH post-quantum key exchange
   algorithms based on ML-KEM and SNTRUP.
 
-* Install libsodium from https://github.com/jedisct1/libsodium
-  and libnacl from https://pypi.python.org/pypi/libnacl if you have
-  a version of OpenSSL older than 1.1.1b installed and you want
-  support for Curve25519 key exchange, Ed25519 keys and certificates,
-  or the Chacha20-Poly1305 cipher.
-
 * Install libnettle from http://www.lysator.liu.se/~nisse/nettle/
   if you want support for UMAC cryptographic hashes.
 
@@ -182,28 +176,26 @@ easy to install any or all of these dependencies:
   | bcrypt
   | fido2
   | gssapi
-  | libnacl
   | pkcs11
   | pyOpenSSL
   | pywin32
 
-For example, to install bcrypt, fido2, gssapi, libnacl, pkcs11, and
-pyOpenSSL on UNIX, you can run:
+For example, to install bcrypt, fido2, gssapi, pkcs11, and pyOpenSSL
+on UNIX, you can run:
 
   ::
 
-    pip install 'asyncssh[bcrypt,fido2,gssapi,libnacl,pkcs11,pyOpenSSL]'
+    pip install 'asyncssh[bcrypt,fido2,gssapi,pkcs11,pyOpenSSL]'
 
-To install bcrypt, fido2, libnacl, pkcs11, pyOpenSSL, and pywin32 on
-Windows, you can run:
+To install bcrypt, fido2, pkcs11, pyOpenSSL, and pywin32 on Windows,
+you can run:
 
   ::
 
-    pip install 'asyncssh[bcrypt,fido2,libnacl,pkcs11,pyOpenSSL,pywin32]'
+    pip install 'asyncssh[bcrypt,fido2,pkcs11,pyOpenSSL,pywin32]'
 
-Note that you will still need to manually install the libsodium library
-listed above for libnacl to work correctly and/or libnettle for UMAC
-support. Unfortunately, since liboqs, libsodium, and libnettle are not
+Note that you will still need to manually install the libnettle library
+for UMAC support. Unfortunately, since liboqs and libnettle are not
 Python packages, they cannot be directly installed using pip.
 
 Installing the development branch

{asyncssh-2.21.0 → asyncssh-2.22.0}/asyncssh/channel.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2013-2024 by Ron Frederick <ronf@timeheart.net> and others.
+# Copyright (c) 2013-2025 by Ron Frederick <ronf@timeheart.net> and others.
 #
 # This program and the accompanying materials are made available under
 # the terms of the Eclipse Public License v2.0 which accompanies this
@@ -1125,10 +1125,12 @@ class SSHClientChannel(SSHChannel, Generic[AnyStr]):
     _read_datatypes = {EXTENDED_DATA_STDERR}
 
     def __init__(self, conn: 'SSHClientConnection',
-                 loop: asyncio.AbstractEventLoop, encoding: Optional[str],
-                 errors: str, window: int, max_pktsize: int):
+                 loop: asyncio.AbstractEventLoop, utf8_decode_errors: str,
+                 encoding: Optional[str], errors: str, window: int,
+                 max_pktsize: int):
         super().__init__(conn, loop, encoding, errors, window, max_pktsize)
 
+        self._utf8_decode_errors = utf8_decode_errors
         self._exit_status: Optional[int] = None
         self._exit_signal: Optional[_ExitSignal] = None
 
@@ -1299,7 +1301,7 @@ class SSHClientChannel(SSHChannel, Generic[AnyStr]):
 
         try:
             signal = signal_bytes.decode('ascii')
-            msg = msg_bytes.decode('utf-8')
+            msg = msg_bytes.decode('utf-8', self._utf8_decode_errors)
             lang = lang_bytes.decode('ascii')
         except UnicodeDecodeError:
             raise ProtocolError('Invalid exit signal request') from None

{asyncssh-2.21.0 → asyncssh-2.22.0}/asyncssh/client.py

@@ -1,4 +1,4 @@
-# Copyright (c) 2013-2024 by Ron Frederick <ronf@timeheart.net> and others.
+# Copyright (c) 2013-2025 by Ron Frederick <ronf@timeheart.net> and others.
 #
 # This program and the accompanying materials are made available under
 # the terms of the Eclipse Public License v2.0 which accompanies this

{asyncssh-2.21.0 → asyncssh-2.22.0}/asyncssh/config.py

@@ -146,7 +146,7 @@ class SSHConfig:
             else:
                 path = self._default_path
 
-            paths = list(path.glob(pattern))
+            paths = list(p for p in path.glob(pattern) if p.is_file())
 
             if not paths:
                 logger.debug1(f'Config pattern "{pattern}" matched no files')

{asyncssh-2.21.0 → asyncssh-2.22.0}/asyncssh/connection.py

@@ -877,6 +877,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         self._peer_addr = ''
         self._peer_port = 0
         self._tcp_keepalive = options.tcp_keepalive
+        self._utf8_decode_errors = options.utf8_decode_errors
         self._owner: Optional[Union[SSHClient, SSHServer]] = None
         self._extra: Dict[str, object] = {}
 
@@ -1042,6 +1043,11 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
 
         return self._logger
 
+    def _decode_utf8(self, msg_bytes) -> str:
+        """Decode UTF-8 bytes, honoring utf8_decode_errors setting"""
+
+        return msg_bytes.decode('utf-8', self._utf8_decode_errors)
+
     def _cleanup(self, exc: Optional[Exception]) -> None:
         """Clean up this connection"""
 
@@ -1550,8 +1556,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
 
         self._inpbuf = self._inpbuf[idx+1:]
 
-        if (version.startswith(b'SSH-2.0-') or
-                (self.is_client() and version.startswith(b'SSH-1.99-'))):
+        if version.startswith(b'SSH-2.0-') or version.startswith(b'SSH-1.99-'):
             if len(version) > _MAX_VERSION_LINE_LEN:
                 self._force_close(ProtocolError('Version too long'))
 
@@ -2194,7 +2199,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         packet.check_end()
 
         try:
-            reason = reason_bytes.decode('utf-8')
+            reason = self._decode_utf8(reason_bytes)
             lang = lang_bytes.decode('ascii')
         except UnicodeDecodeError:
             raise ProtocolError('Invalid disconnect message') from None
@@ -2237,7 +2242,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         packet.check_end()
 
         try:
-            msg = msg_bytes.decode('utf-8')
+            msg = self._decode_utf8(msg_bytes)
             lang = lang_bytes.decode('ascii')
         except UnicodeDecodeError:
             raise ProtocolError('Invalid debug message') from None
@@ -2639,7 +2644,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         packet.check_end()
 
         try:
-            msg = msg_bytes.decode('utf-8')
+            msg = self._decode_utf8(msg_bytes)
             lang = lang_bytes.decode('ascii')
         except UnicodeDecodeError:
             raise ProtocolError('Invalid userauth banner') from None
@@ -2756,7 +2761,7 @@ class SSHConnection(SSHPacketHandler, asyncio.Protocol):
         packet.check_end()
 
         try:
-            reason = reason_bytes.decode('utf-8')
+            reason = self._decode_utf8(reason_bytes)
             lang = lang_bytes.decode('ascii')
         except UnicodeDecodeError:
             raise ProtocolError('Invalid channel open failure') from None
@@ -4169,7 +4174,7 @@ class SSHClientConnection(SSHConnection):
     async def create_session(self, session_factory: SSHClientSessionFactory,
                              command: DefTuple[Optional[str]] = (), *,
                              subsystem: DefTuple[Optional[str]]= (),
-                             env: DefTuple[Env] = (),
+                             env: DefTuple[Optional[Env]] = (),
                              send_env: DefTuple[Optional[EnvSeq]] = (),
                              request_pty: DefTuple[Union[bool, str]] = (),
                              term_type: DefTuple[Optional[str]] = (),
@@ -4374,8 +4379,8 @@ class SSHClientConnection(SSHConnection):
         window: int
         max_pktsize: int
 
-        chan = SSHClientChannel(self, self._loop, encoding, errors,
-                                window, max_pktsize)
+        chan = SSHClientChannel(self, self._loop, self._utf8_decode_errors,
+                                encoding, errors, window, max_pktsize)
 
         session = await chan.create(session_factory, command, subsystem,
                                     new_env, request_pty, term_type, term_size,
@@ -5687,7 +5692,7 @@ class SSHClientConnection(SSHConnection):
         return cast(SSHForwarder, peer)
 
     @async_context_manager
-    async def start_sftp_client(self, env: DefTuple[Env] = (),
+    async def start_sftp_client(self, env: DefTuple[Optional[Env]] = (),
                                 send_env: DefTuple[Optional[EnvSeq]] = (),
                                 path_encoding: Optional[str] = 'utf-8',
                                 path_errors = 'strict',
@@ -5746,9 +5751,9 @@ class SSHClientConnection(SSHConnection):
                                                     env=env, send_env=send_env,
                                                     encoding=None)
 
-        return await start_sftp_client(self, self._loop, reader, writer,
-                                       path_encoding, path_errors,
-                                       sftp_version)
+        return await start_sftp_client(self, self._loop,
+                                       self._utf8_decode_errors, reader, writer,
+                                       path_encoding, path_errors, sftp_version)
 
 
 class SSHServerConnection(SSHConnection):
@@ -7279,6 +7284,7 @@ class SSHConnectionOptions(Options, Generic[_Options]):
     family: int
     local_addr: HostPort
     tcp_keepalive: bool
+    utf8_decode_errors: str
     canonicalize_hostname: Union[bool, str]
     canonical_domains: Sequence[str]
     canonicalize_fallback_local: bool
@@ -7324,6 +7330,7 @@ class SSHConnectionOptions(Options, Generic[_Options]):
                 passphrase: Optional[BytesOrStr],
                 proxy_command: DefTuple[_ProxyCommand], family: DefTuple[int],
                 local_addr: DefTuple[HostPort], tcp_keepalive: DefTuple[bool],
+                utf8_decode_errors: str,
                 canonicalize_hostname: DefTuple[Union[bool, str]],
                 canonical_domains: DefTuple[Sequence[str]],
                 canonicalize_fallback_local: DefTuple[bool],
@@ -7388,6 +7395,8 @@ class SSHConnectionOptions(Options, Generic[_Options]):
         self.tcp_keepalive = cast(bool, tcp_keepalive if tcp_keepalive != ()
             else config.get('TCPKeepAlive', True))
 
+        self.utf8_decode_errors = utf8_decode_errors
+
         self.canonicalize_hostname = \
             cast(Union[bool, str], canonicalize_hostname
                  if canonicalize_hostname != ()
@@ -7813,6 +7822,13 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
        :param tcp_keepalive: (optional)
            Whether or not to enable keepalive probes at the TCP level to
            detect broken connections, defaulting to `True`.
+       :param utf8_decode_errors: (optional)
+           Error handling strategy to apply when UTF-8 decode errors
+           occur in SSH protocol messages, defaulting to 'strict'
+           which shuts down the connection with a ProtocolError.
+           Choosing other strategies can allow the message parsing
+           to proceed with invalid bytes in the message being removed
+           or replaced.
        :param canonicalize_hostname: (optional)
            Whether or not to enable hostname canonicalization, defaulting
            to `False`, in which case hostnames are passed as-is to the
@@ -7985,6 +8001,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
        :type keepalive_interval: *see* :ref:`SpecifyingTimeIntervals`
        :type keepalive_count_max: `int`
        :type tcp_keepalive: `bool`
+       :type utf8_decode_errors: `str`
        :type canonicalize_hostname: `bool` or `'always'`
        :type canonical_domains: `list` of `str`
        :type canonicalize_fallback_local: `bool`
@@ -8042,7 +8059,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
     pkcs11_pin: Optional[str]
     command: Optional[str]
     subsystem: Optional[str]
-    env: Env
+    env: Optional[Env]
     send_env: Optional[EnvSeq]
     request_pty: _RequestPTY
     term_type: Optional[str]
@@ -8070,6 +8087,7 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
                 family: DefTuple[int] = (),
                 local_addr: DefTuple[HostPort] = (),
                 tcp_keepalive: DefTuple[bool] = (),
+                utf8_decode_errors: str = 'strict',
                 canonicalize_hostname: DefTuple[Union[bool, str]] = (),
                 canonical_domains: DefTuple[Sequence[str]] = (),
                 canonicalize_fallback_local: DefTuple[bool] = (),
@@ -8115,7 +8133,8 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
                 pkcs11_provider: DefTuple[Optional[str]] = (),
                 pkcs11_pin: Optional[str] = None,
                 command: DefTuple[Optional[str]] = (),
-                subsystem: Optional[str] = None, env: DefTuple[Env] = (),
+                subsystem: Optional[str] = None,
+                env: DefTuple[Optional[Env]] = (),
                 send_env: DefTuple[Optional[EnvSeq]] = (),
                 request_pty: DefTuple[_RequestPTY] = (),
                 term_type: Optional[str] = None,
@@ -8180,10 +8199,11 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
 
         super().prepare(config, client_factory or SSHClient, client_version,
                         host, port, tunnel, passphrase, proxy_command, family,
-                        local_addr, tcp_keepalive, canonicalize_hostname,
-                        canonical_domains, canonicalize_fallback_local,
-                        canonicalize_max_dots, canonicalize_permitted_cnames,
-                        kex_algs, encryption_algs, mac_algs, compression_algs,
+                        local_addr, tcp_keepalive, utf8_decode_errors,
+                        canonicalize_hostname, canonical_domains,
+                        canonicalize_fallback_local, canonicalize_max_dots,
+                        canonicalize_permitted_cnames, kex_algs,
+                        encryption_algs, mac_algs, compression_algs,
                         signature_algs, host_based_auth, public_key_auth,
                         kbdint_auth, password_auth, x509_trusted_certs,
                         x509_trusted_cert_paths, x509_purposes, rekey_bytes,
@@ -8354,7 +8374,8 @@ class SSHClientConnectionOptions(SSHConnectionOptions):
 
         self.subsystem = subsystem
 
-        self.env = cast(Env, env if env != () else config.get('SetEnv'))
+        self.env = cast(Optional[Env], env if env != () else
+            config.get('SetEnv'))
 
         self.send_env = cast(Optional[EnvSeq], send_env if send_env != () else
             config.get('SendEnv'))
@@ -8635,6 +8656,13 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
        :param tcp_keepalive: (optional)
            Whether or not to enable keepalive probes at the TCP level to
            detect broken connections, defaulting to `True`.
+       :param utf8_decode_errors: (optional)
+           Error handling strategy to apply when UTF-8 decode errors
+           occur in SSH protocol messages, defaulting to 'strict'
+           which shuts down the connection with a ProtocolError.
+           Choosing other strategies can allow the message parsing
+           to proceed with invalid bytes in the message being removed
+           or replaced.
        :param canonicalize_hostname: (optional)
            Whether or not to enable hostname canonicalization, defaulting
            to `False`, in which case hostnames are passed as-is to the
@@ -8731,6 +8759,7 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
        :type keepalive_interval: *see* :ref:`SpecifyingTimeIntervals`
        :type keepalive_count_max: `int`
        :type tcp_keepalive: `bool`
+       :type utf8_decode_errors: `str`
        :type canonicalize_hostname: `bool` or `'always'`
        :type canonical_domains: `list` of `str`
        :type canonicalize_fallback_local: `bool`
@@ -8789,6 +8818,7 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
                 family: DefTuple[int] = (),
                 local_addr: DefTuple[HostPort] = (),
                 tcp_keepalive: DefTuple[bool] = (),
+                utf8_decode_errors: str = 'strict',
                 canonicalize_hostname: DefTuple[Union[bool, str]] = (),
                 canonical_domains: DefTuple[Sequence[str]] = (),
                 canonicalize_fallback_local: DefTuple[bool] = (),
@@ -8864,10 +8894,11 @@ class SSHServerConnectionOptions(SSHConnectionOptions):
 
         super().prepare(config, server_factory or SSHServer, server_version,
                         host, port, tunnel, passphrase, proxy_command, family,
-                        local_addr, tcp_keepalive, canonicalize_hostname,
-                        canonical_domains, canonicalize_fallback_local,
-                        canonicalize_max_dots, canonicalize_permitted_cnames,
-                        kex_algs, encryption_algs, mac_algs, compression_algs,
+                        local_addr, tcp_keepalive, utf8_decode_errors,
+                        canonicalize_hostname, canonical_domains,
+                        canonicalize_fallback_local, canonicalize_max_dots,
+                        canonicalize_permitted_cnames, kex_algs,
+                        encryption_algs, mac_algs, compression_algs,
                         signature_algs, host_based_auth, public_key_auth,
                         kbdint_auth, password_auth, x509_trusted_certs,
                         x509_trusted_cert_paths, x509_purposes,

{asyncssh-2.21.0 → asyncssh-2.22.0}/asyncssh/crypto/__init__.py

@@ -62,11 +62,11 @@ __all__ = [
     'BasicCipher', 'ChachaCipher', 'CryptoKey', 'Curve25519DH', 'Curve448DH',
     'DH', 'DSAPrivateKey', 'DSAPublicKey', 'ECDH', 'ECDSAPrivateKey',
     'ECDSAPublicKey', 'EdDSAPrivateKey', 'EdDSAPublicKey', 'GCMCipher', 'PQDH',
-    'PyCAKey', 'RSAPrivateKey', 'RSAPublicKey', 'chacha_available',
-    'curve25519_available', 'curve448_available', 'X509Certificate',
-    'X509Name', 'X509NamePattern', 'ed25519_available', 'ed448_available',
-    'generate_x509_certificate', 'get_cipher_params', 'import_x509_certificate',
-    'lookup_ec_curve_by_params', 'mlkem_available', 'pbkdf2_hmac',
-    'register_cipher', 'sntrup_available', 'umac32', 'umac64', 'umac96',
-    'umac128'
+    'PyCAKey', 'RSAPrivateKey', 'RSAPublicKey', 'X509Certificate',
+    'X509Name', 'X509NamePattern', 'chacha_available', 'curve25519_available',
+    'curve448_available', 'ed25519_available', 'ed448_available',
+    'generate_x509_certificate', 'get_cipher_params',
+    'import_x509_certificate', 'lookup_ec_curve_by_params', 'mlkem_available',
+    'pbkdf2_hmac', 'register_cipher', 'sntrup_available', 'umac32', 'umac64',
+    'umac96', 'umac128'
 ]