Releases: apache/mina-sshd
Apache MINA SSHD 3.0.0-M3
This is the third milestone pre-release on the way to a new major version Apache MINA SSHD 3.0.0.
Like regular releases it is available in Maven Central and in the Apache repositories; the Apache source release is also at the usual location.
See the change notes for what has changed with respect to version 2.
This third milestone fixes two bugs in 3.0.0-M2 and brings the improvements done in the current main 2.x version into 3.0.
Version 3 of Apache MINA SSHD is not API compatible with version 2. API comparison reports and a (very high-level and tentative) roadmap are available on the 3.0.0 development website.
This pre-release has passed all our quality and regression tests, just like any other release. We encourage interested parties to try this pre-release. Be aware that APIs might change in future milestone pre-releases.
Full Changelog since 3.0.0-M2: sshd-3.0.0-M2...sshd-3.0.0-M3
Apache MINA SSHD 2.17.1
This patch release fixes the broken Maven deployment of 2.17.0. (The root POM was missing.)
There were no code changes, only a pom update to work around a tooling bug that caused the problem with 2.17.0:
- GH-875 Use Apache Parent POM 36
For the real changes since version 2.16.0 see the 2.17.0 change notes.
Apache MINA SSHD 2.17.0
Warning: the publication of this release to Maven Central somehow went wrong; it is missing the root POM.
Use the 2.17.1 release instead.
See the change log.
New Contributors
- @JannuMies made their first contribution in #832
- @bemoty made their first contribution in #843
- @chrjohn made their first contribution in #849
- @denyshorman made their first contribution in #870
Full Changelog: sshd-2.16.0...sshd-2.17.0
Apache MINA SSHD 3.0.0-M2
This is the second milestone pre-release on the way to a new major version Apache MINA SSHD 3.0.0.
Like regular releases it is available in Maven Central and in the Apache repositories; the Apache source release is also at the usual location.
See the change notes for what has changed with respect to version 2.
The focus in this milestone was on the use of cryptography. Bundles sshd-common and sshd-osgi have become multi-release JARs. Apache MINA SSHD 3.0.0-M2 now supports
- On Java11+: using Java's built-in ChaCha20 cipher for the chacha20-poly1305@openssh.com SSH cipher, which brings a huge speed-up.
- On Java15+: using Java's built-in ed25519 private/public key implementation instead of Bouncy Castle or net.i2p.crypto:eddsa.
- On Java24+: using Java's built-in ML-KEM post-quantum key exchange method instead of Bouncy Castle.
Version 3 of Apache MINA SSHD is not API compatible with version 2. API comparison reports and a (very high-level and tentative) roadmap are available on the 3.0.0 development website.
This pre-release has passed all our quality and regression tests, just like any other release. We encourage interested parties to try this pre-release. Be aware that APIs might change in future milestone pre-releases.
Full Changelog since 3.0.0-M1: sshd-3.0.0-M1...sshd-3.0.0-M2
Apache MINA SSHD 3.0.0-M1
This is a first milestone pre-release on the way to a new major version Apache MINA SSHD 3.0.0.
Like regular releases it is available in Maven Central and in the Apache repositories; the Apache source release is also at the usual location.
See the change notes for what has changed with respect to version 2. In short, we have refactored the implementation of the SSH transport layer, which then enabled providing support for client-side proxies. In doing so we've technically broken a lot of APIs, but the impact on existing code bases using the library should be small in practice. API comparison reports and a (very high-level and tentative) roadmap are available on the 3.0.0 development website.
This pre-release has passed all our quality and regression tests, just like any other release. We encourage interested early adopters to try this pre-release. Be aware that APIs might change in future milestone pre-releases.
Full Changelog: sshd-2.16.0...sshd-3.0.0-M1
Apache MINA SSHD 2.16.0
What's Changed
- bugfix: fix cert auth failed bug by @liuziyu1226 in #660
- GH-664: Skip MAC negotiation if an AEAD cipher was negotiated by @tomaswolf in #666
- GH-663: Fix a race in IoSession creation by @tomaswolf in #667
- Also test sshd-mina using mina-core 2.2.4 by @tomaswolf in #681
- ScpShell fixes; SFTP append mode for buggy servers by @tomaswolf in #696
- fix sources.jar Reproducible Builds issue by @hboutemy in #695
- GH-700: Fix race in AbstractCloseable.doCloseImmediately() by @tomaswolf in #702
- GH-705: Make ChannelToPortHandler accessible to user code by @tomaswolf in #707
- GH-709: Handle keep-alive channel messages sent by an old OpenSSH server by @tomaswolf in #710
- GH-727: supply default port for proxyJump if no HostConfigEntry by @tomaswolf in #730
- GH-733: Fix SftpRemotePathChannel.transferTo by @tomaswolf in #734
- [GH-725] Added commandTimeoutMillis in executeRemoteCommand by @raajeive in #726
- GH-774: Fix WritePendingException by @tomaswolf in #775
- #771 Avoid NoClassDefFoundError: net/i2p/crypto/eddsa/EdDSAPublicKey by @rde-infologic in #773
- [GH-516] Fix filesystem-id parsing in getFileSystem(URI) by @ago1024 in #766
- GH-754: Don't close DefaultForwarder on bind error by @tomaswolf in #776
- Close repository after usage in GitPackCommand by @kwin in #794
- Trigger ClientChannelEvent.Timeout and ClientSessionEvent.TIMEOUT independently to host's program cycle times by @fersaru in #790
New Contributors
- @liuziyu1226 made their first contribution in #660
- @raajeive made their first contribution in #726
- @rde-infologic made their first contribution in #773
- @ago1024 made their first contribution in #766
- @kwin made their first contribution in #794
- @fersaru made their first contribution in #790
Full Changelog: sshd-2.15.0...sshd-2.16.0
Apache MINA SSHD 2.15.0
What's Changed
- GH-618: Fix reading an OpenSshCertificate from a Buffer by @tomaswolf in #619
- Add interface to configure details of JGit's pack implementation by @JohnnyJayJay in #617
- ML-KEM key exchanges using Bouncy Castle 1.79 by @tomaswolf in #629
- GH-628: Fix reading directories with trailing blanks in the name by @tomaswolf in #630
- GH-626: Enable Streaming.Async for ChannelDirectTcpip by @tomaswolf in #631
- Sftp server ‘ls’ command timeout by @Main-Tomi in #634
- GH-636: Handle unknown key types in known_hosts by @tomaswolf in #638
- GH-643: provide interfaces for caching file attributes on paths by @tomaswolf in #645
- Bouncy Castle EdDSA / Ed25519 Support by @ianjoneill in #639
- Abstract revoked key handling in KnownHostsServerKeyVerifier by @joeljohansson99 in #653
New Contributors
- @JohnnyJayJay made their first contribution in #617
- @Main-Tomi made their first contribution in #634
- @ianjoneill made their first contribution in #639
- @joeljohansson99 made their first contribution in #653
Full Changelog: sshd-2.14.0...sshd-2.15.0
SSHD 2.14.0
Full Changelog: sshd-2.13.2...sshd-2.14.0
Bug Fixes
- GH-524 Performance improvements
- GH-533 Fix multi-step authentication
- GH-582 Fix filtering in NamedFactory
- GH-587 Prevent NullPointerException on closed channel in NettyIoSession
- GH-590 Better support for FIPS
- GH-597 Pass on Charset in ClientSession.executeRemoteCommand()
New Features
- New utility methods SftpClient.put(Path localFile, String remoteFileName) and SftpClient.put(InputStream in, String remoteFileName) facilitate SFTP file uploading.
GH-590 Better support for FIPS
Besides fixing a bug with bc-fips (the RandomGenerator class exists in normal Bouncy Castle
but not in the FIPS version, yet Apache MINA sshd referenced it even if only bc-fips was present),
support was improved for running in an environment restricted by FIPS.
There is a new system property org.apache.sshd.security.fipsEnabled. If set to true, a number
of crypto-algorithms not approved by FIPS 140 are disabled:
- key exchange methods sntrup761x25519-sha512, sntrup761x25519-sha512@openssh.com, curve25519-sha256, curve25519-sha256@libssh.org, curve448-sha512.
- the chacha20-poly1305 cipher.
- the bcrypt KDF used in encrypted private key files in OpenSSH format.
- all ed25519 keys and signatures.
Additionally, the new "SunJCEWrapper" SecurityProviderRegistrar (see below) and the
EdDSASecurityProviderRegistrar are disabled, and the BouncyCastleSecurityProviderRegistrar
looks only for the "BCFIPS" security provider, not for the normal "BC" provider.
If the system property is not set to true, FIPS mode can be enabled programmatically
by calling SecurityUtils.setFipsMode() before any other call to Apache MINA sshd.
Potential compatibility issues
New security provider registrar
There is a new SecurityProviderRegistrar that is registered by default
if there is a SunJCE security provider. It uses the AES and
HmacSHA* implementations from SunJCE even if Bouncy Castle is also
registered. SunJCE has native implementations, whereas Bouncy Castle
may not.
The new registrar has the name "SunJCEWrapper" and can be configured
like any other registrar. It can be disabled via the system property
org.apache.sshd.security.provider.SunJCEWrapper.enabled=false. It is also
disabled in FIPS mode (see above).
GH-582 Fix filtering in NamedFactory
The methods NamedFactory.setupBuiltinFactories(boolean ignoreUnsupported, ...) and
NamedFactory.setupTransformedFactories(boolean ignoreUnsupported, ...) had a bug that
actually gave the "ignoreUnsupported" parameter the meaning of "include unsupported".
This was fixed in this release, but existing code calling these or one of the following methods:
- BaseBuilder.setUpDefaultMacs(boolean ignoreUnsupported)
- BaseBuilder.setUpDefaultCiphers(boolean ignoreUnsupported)
- ClientBuilder.setUpDefaultCompressionFactories(boolean ignoreUnsupported)
- ClientBuilder.setUpDefaultKeyExchanges(boolean ignoreUnsupported)
- ClientBuilder.setUpDefaultSignatureFactories(boolean ignoreUnsupported)
- ServerBuilder.setUpDefaultCompressionFactories(boolean ignoreUnsupported)
- ServerBuilder.setUpDefaultKeyExchanges(boolean ignoreUnsupported)
- ServerBuilder.setUpDefaultSignatureFactories(boolean ignoreUnsupported)
- any of the methods starting with SshConfigFileReader.configure
- SshClientConfigFileReader.configure(...)
- SshServerConfigFileReader.configure(...)
should be reviewed:
- if the method is called with parameter value true, the result will no longer include unsupported algorithms. Formerly it wrongly did.
- if the method is called with parameter value false, the result may include unsupported algorithms. Formerly it did not.
So if existing code used parameter value false to ensure it never got unsupported algorithms, change it to true.
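An added example, not code from the Apache MINA SSHD project: a client that builds its algorithm lists with ignoreUnsupported=true and then checks the cipher list itself, so that a mix-up of the flag's meaning across the 2.14.0 upgrade fails at start-up instead of during negotiation. The class name and the example.fips system property are hypothetical; it assumes Apache MINA SSHD 2.14.0 or later on the classpath.

```java
import java.util.List;

import org.apache.sshd.client.ClientBuilder;
import org.apache.sshd.client.SshClient;
import org.apache.sshd.common.BaseBuilder;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.cipher.BuiltinCiphers;
import org.apache.sshd.common.cipher.Cipher;
import org.apache.sshd.common.util.security.SecurityUtils;

// Hypothetical class name; added example, not project code.
public class SupportedAlgorithmsCheck {

    // Fail closed if the list offers a cipher this runtime cannot instantiate.
    // Non-built-in (custom) ciphers are rejected too, since they cannot be checked here.
    static void requireSupported(List<NamedFactory<Cipher>> ciphers) {
        for (NamedFactory<Cipher> factory : ciphers) {
            BuiltinCiphers builtin = BuiltinCiphers.fromFactoryName(factory.getName());
            if (builtin == null || !builtin.isSupported()) {
                throw new IllegalStateException("Unsupported cipher offered: " + factory.getName());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // "example.fips" is a made-up switch for this example. As the notes say,
        // setFipsMode() has to come before any other Apache MINA sshd call.
        if (Boolean.getBoolean("example.fips")) {
            SecurityUtils.setFipsMode();
        }

        // From 2.14.0 on, true means "leave unsupported algorithms out".
        List<NamedFactory<Cipher>> ciphers = BaseBuilder.setUpDefaultCiphers(true);
        requireSupported(ciphers);

        try (SshClient client = SshClient.setUpDefaultClient()) {
            client.setCipherFactories(ciphers);
            client.setMacFactories(BaseBuilder.setUpDefaultMacs(true));
            client.setKeyExchangeFactories(ClientBuilder.setUpDefaultKeyExchanges(true));
            client.setSignatureFactories(ClientBuilder.setUpDefaultSignatureFactories(true));
            // Print what this client will offer, for review.
            ciphers.forEach(factory -> System.out.println(factory.getName()));
        }
    }
}
```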
Major Code Re-factoring
JDK requirements
- GH-536 The project now requires JDK 17 at build time, while the target runtime still remains unchanged to support JDK 8.
SSHD 2.13.2
What's Changed
- GH-525: Fix sntrup761x25519-sha512 by @tomaswolf in #528
Full Changelog: sshd-2.13.1...sshd-2.13.2
SSHD 2.13.1
What's changed
This release does not contain any code changes. It is solely to rectify the issue that the 2.13.0 release encountered during the release process, where the source jars were not created.
Full Changelog: sshd-2.13.0...sshd-2.13.1
The 2.13.0 release notes are available at https://github.com/apache/mina-sshd/releases/tag/sshd-2.13.0