Mina Sshd Versions

Apache MINA sshd is a comprehensive Java library for client- and server-side SSH.

sshd-2.12.1

2 months ago

Introduced in 2.12.1

Bug Fixes

  • GH-458 Singleton thread pool for kex message handler flushing
  • SSHD-1338 Restore binary compatibility with 2.9.2

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.12.0...sshd-2.12.1

sshd-2.12.0

3 months ago

Introduced in 2.12.0

Bug Fixes

  • GH-428/GH-392 SCP client fails silently when error signalled due to missing file or lacking permissions
  • GH-434 Ignore unknown key types from agent or in OpenSSH host keys extension

New Features

Behavioral changes and enhancements

New ScpTransferEventListener callback method

Following GH-428/GH-392, a new handleReceiveCommandAckInfo method has been added to enable users to inspect acknowledgements of a receive-related command. The user is free to inspect the command that was attempted as well as the response code and decide how to handle it, including even throwing an exception on an OK status (if this makes sense for whatever reason). The default implementation checks for an ERROR code and throws an exception if one is found.

OpenSSH protocol extension: strict key exchange

GH-445 implements an extension to the SSH protocol introduced in OpenSSH 9.6. This "strict key exchange" extension hardens the SSH key exchange against the "Terrapin attack" (CVE-2023-48795). The extension is active if both parties announce their support for it at the start of the initial key exchange. If only one party announces support, it is not activated to ensure compatibility with SSH implementations that do not implement it. Apache MINA sshd clients and servers always announce their support for strict key exchange.
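
The activation rule described above, as an added example that is not Apache MINA sshd code: it reads the kex_algorithms name-list from each side's initial SSH_MSG_KEXINIT and reports strict key exchange as active only when both markers are present. The marker names come from the OpenSSH PROTOCOL document; the class name, helper names and sample payloads are constructed for this illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class StrictKexCheck {
    // Marker names defined by the OpenSSH strict KEX extension (OpenSSH PROTOCOL document).
    static final String CLIENT_MARKER = "kex-strict-c-v00@openssh.com";
    static final String SERVER_MARKER = "kex-strict-s-v00@openssh.com";

    // Returns kex_algorithms, the first name-list in an SSH_MSG_KEXINIT payload (RFC 4253, 7.1).
    static List<String> kexAlgorithms(byte[] payload) {
        if (payload.length < 21 || payload[0] != 20) { // type byte + 16-byte cookie + uint32 length
            throw new IllegalArgumentException("not an SSH_MSG_KEXINIT payload");
        }
        ByteBuffer buf = ByteBuffer.wrap(payload, 17, payload.length - 17);
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) {
            throw new IllegalArgumentException("kex_algorithms length exceeds payload");
        }
        byte[] names = new byte[len];
        buf.get(names);
        return Arrays.asList(new String(names, StandardCharsets.US_ASCII).split(","));
    }

    // Strict KEX is active only if BOTH initial KEXINIT messages carry their marker.
    static boolean strictKexActive(byte[] clientKexInit, byte[] serverKexInit) {
        return kexAlgorithms(clientKexInit).contains(CLIENT_MARKER)
                && kexAlgorithms(serverKexInit).contains(SERVER_MARKER);
    }

    // Constructed sample: a KEXINIT truncated after kex_algorithms, with an all-zero cookie.
    static byte[] sampleKexInit(String... algorithms) {
        byte[] names = String.join(",", algorithms).getBytes(StandardCharsets.US_ASCII);
        return ByteBuffer.allocate(21 + names.length)
                .put((byte) 20).put(new byte[16]).putInt(names.length).put(names).array();
    }

    public static void main(String[] args) {
        byte[] client = sampleKexInit("curve25519-sha256", CLIENT_MARKER);
        byte[] hardenedServer = sampleKexInit("curve25519-sha256", SERVER_MARKER);
        byte[] legacyServer = sampleKexInit("curve25519-sha256");
        System.out.println("both announce support: " + strictKexActive(client, hardenedServer));
        System.out.println("server does not:       " + strictKexActive(client, legacyServer));
    }
}
```

Because a one-sided announcement leaves the extension inactive, upgrading only the client or only the server does not harden the connection; a check like this on captured KEXINIT messages shows which peers still need the update.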

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.11.0...sshd-2.12.0

sshd-2.11.0

6 months ago

Introduced in 2.11.0

This new minor release provides a bunch of bug fixes and enhancements. This release is available for download from the Apache MINA SSHD website.

Bug Fixes

  • GH-328 Added configurable timeout(s) to DefaultSftpClient
  • GH-370 Also compare file keys in ModifiableFileWatcher.
  • GH-371 Fix channel pool in SftpFileSystem.
  • GH-383 Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
  • GH-384 Use correct lock modes for SFTP FileChannel.lock().
  • GH-388 ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
  • GH-398 SftpInputStreamAsync: fix reporting EOF on zero-length reads.
  • GH-403 Work-around a bug in WS_FTP <= 12.9 SFTP clients.
  • GH-407 (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
  • GH-410 Fix a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
  • GH-414 Fix error handling while flushing queued packets at end of KEX.
  • GH-420 Fix wrong log level on closing an Nio2Session.
  • SSHD-789 Fix detection of Android O/S from system properties.
  • SSHD-1259 Consider all applicable host keys from the known_hosts files.
  • SSHD-1310 SftpFileSystem: do not close user session.
  • SSHD-1327 ChannelAsyncOutputStream: remove write future when done.
  • SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.

New Features

Behavioral changes and enhancements

SFTP file handle size

Previous versions of Apache MINA sshd used SFTP file handles that were twice as large as configured via SftpModuleProperties.FILE_HANDLE_SIZE. The reason for this was that the file handle bytes were stringified, representing each byte as two hex characters. This stringified file handle was then sent over the wire. If SftpModuleProperties.FILE_HANDLE_SIZE was configured as 16, the actual file handle size was thus 32 bytes.

This has been fixed in this version.

Additionally, the default setting for the size of file handles has been changed from 16 to 4 bytes. OpenSSH also uses 4-byte SFTP file handles. Using the same size not only means that there is a little more space left in SSH packets for actual data transfer, it also completely avoids the WS_FTP bug mentioned in GH-403.

Potential compatibility issues

KeepAliveHandler global request handler moved from server to common global requests package

This handler was previously available only on the server side; it is now also available for the client (see SSHD-1330). This should be fully backward compatible since most servers do not send this request. However, if users have somehow added this handler to the client side independently, the code should be re-examined and the independent handler either removed or made to replace the global one.

Server-side SFTP file handle encoding

The aforementioned fix for the size of SFTP file handles has the potential to have undesired effects on existing server-side code that assumed that such SFTP file handles contained only printable characters. This is no longer the case. For historical reasons, Apache MINA sshd stores these SFTP file handles as Java Strings, and it's not possible to change this without breaking a lot of APIs. So this was kept, but the strings are now encoded as ISO-8859-1 and may contain arbitrary characters in the range from 0 to 255. This change should be transparent as SFTP file handles are supposed to be opaque, but there is one caveat:

If you have implemented your own server and have subclassed SftpSubsystem or if you install an SftpEventListener that stores or logs raw SFTP file handles, your code may need to be adapted. There is a new method String Handle.safe(String rawHandle) that can be used to convert an SFTP file handle to a printable string.

Otherwise the change is transparent to server implementors and to SFTP clients. (On the client side, Apache MINA sshd already used byte[] to represent SFTP file handles.)
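
The file handle size and encoding changes described above, as an added example using only the JDK (not Apache MINA sshd code): it contrasts the old hex-stringified form with the ISO-8859-1 string form and shows why raw handles should not be logged or re-encoded as-is. The printable() helper is hypothetical and is not the implementation of Handle.safe(); the sample handle bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class SftpHandleEncoding {
    // Behaviour before 2.11.0 as described above: every handle byte becomes two hex characters.
    static String hexStringified(byte[] handle) {
        StringBuilder sb = new StringBuilder(handle.length * 2);
        for (byte b : handle) {
            sb.append(String.format("%02x", b & 0xFF));
        }
        return sb.toString();
    }

    // Representation since 2.11.0: one char per byte; ISO-8859-1 maps 0..255 losslessly.
    static String rawHandleString(byte[] handle) {
        return new String(handle, StandardCharsets.ISO_8859_1);
    }

    // Hypothetical log-safe rendering for this example; NOT the implementation of Handle.safe().
    static String printable(String rawHandle) {
        StringBuilder sb = new StringBuilder();
        for (char c : rawHandle.toCharArray()) {
            if (c >= 0x20 && c < 0x7F && c != '\\') {
                sb.append(c);
            } else {
                sb.append(String.format("\\x%02x", (int) c));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed 4-byte handle: NUL, line feed, a byte above 0x7F, and 'A'.
        byte[] handle = {0x00, 0x0A, (byte) 0x9B, 0x41};
        String raw = rawHandleString(handle);

        System.out.println("hex-stringified wire size: " + hexStringified(handle).length());
        System.out.println("raw wire size:             " + raw.length());
        // Converting back with the same charset restores the bytes; UTF-8 would not.
        System.out.println("ISO-8859-1 round trip ok:  "
                + Arrays.equals(handle, raw.getBytes(StandardCharsets.ISO_8859_1)));
        System.out.println("UTF-8 round trip ok:       "
                + Arrays.equals(handle, raw.getBytes(StandardCharsets.UTF_8)));
        // The raw string contains NUL and a line feed, so log a printable form instead.
        System.out.println("log-safe handle:           " + printable(raw));
    }
}
```

Server-side code that writes raw handles to logs or persists them through a UTF-8 encoder is the code that needs adapting; in Apache MINA sshd itself, use Handle.safe(String rawHandle) for the printable form.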

Major Code Re-factoring

As part of the fix for GH-371 the channel pool in SftpFileSystem was rewritten completely. Previous code also used ThreadLocals to store SftpClients, which could cause memory leaks.

These ThreadLocals have been removed, and the channel pool has been rewritten to function similarly to a Java ThreadPool: the pool has a maximum size; it has an expiration duration after which an idle channel is removed and closed, and it has a "core size" of channels to keep even if they are idle. If a channel is closed for any reason it is evicted from the pool.

Properties to configure these pool parameters have been added to SftpModuleProperties.

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.10.0...sshd-2.11.0

sshd-2.9.3

6 months ago

Apache Mina SSHD 2.9.3 is a bug fix release. This release is available for download from the Apache MINA SSHD website.

What's Changed

  • CVE-2023-35887 / SSHD-1324 Rooted file system can leak information
  • Fix reproducible builds issue
  • Support building with Maven 3.9.x

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.9.2...sshd-2.9.3