Bug Fixes
- GH-743 Ensure the Java
ServiceLoaderuse a singletonSftpFileSystemProvider - GH-879 Close SSH channel gracefully on exception in port forwarding
- Improve handling of repository paths in
sshd-git.
New Features
- GH-892 Align handling certificates without principals with OpenSSH 10.3
Wildcard principals in host certificates are handled now.
- Putty keys with non-ASCII passphrases
The passphrase needs to be converted to a byte sequence to compute a decryption key for an encrypted private key. This
conversion depends on the character encoding. Putty on Windows uses the ANSI codepage set when the key was generated.
Apache MINA SSHD now tries multiple encodings in sequence: UTF-8, then the OS encoding, and finally ISO-8859-1 as a
last-chance fallback.
Potential Compatibility Issues
- GH-892 Align handling certificates without principals with OpenSSH 10.3
OpenSSH 10.3 changed the way such certificates are handled; see the OpenSSH 10.3 release notes.
In Apache MINA SSHD, there is a new flag CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS (by default false)
that can be set on an SshClient or SshServer or also on a Session directly. If the value is false, certificates
without principals are rejected as in OpenSSH 10.3; if it is true, such certificates are considered to match any
user or host name as in OpenSSH < 10.3.
Set the flag on an SshClient or ClientSession to determine the handling of host certificates. Set it on an
SshServer or ServerSession to govern the handling of user certificates.