This is the third milestone pre-release on the way to a new major version Apache MINA SSHD 3.0.0.

Like regular releases it is available in Maven Central and in the Apache repositories; the Apache source release is also at the usual location.

See the change notes for what has changed with respect to version 2.

This third milestone fixes two bugs in 3.0.0-M2 and brings the improvements done in the current main 2.x version into 3.0.

Version 3 of Apache MINA SSHD is not API compatible with version 2. API comparison reports and a (very high-level and tentative) roadmap are available on the 3.0.0 development website.

This pre-release has passed all our quality and regression tests, just like any other release. We encourage interested parties to try this pre-release. Be aware that APIs might change in future milestone pre-releases.

Full Changelog since 3.0.0-M2: https://github.com/apache/mina-sshd/compare/sshd-3.0.0-M2...sshd-3.0.0-M3

This patch release fixes the broken Maven deployment of 2.17.0. (The root pom was missing).

There were no code changes, only a pom update to work around a tooling bug that caused the problem with 2.17.0:

• GH-875 Use Apache Parent POM 36

For the real changes since version 2.16.0 see the 2.17.0 change notes.

See the change log.

• @JannuMies made their first contribution in https://github.com/apache/mina-sshd/pull/832
• @bemoty made their first contribution in https://github.com/apache/mina-sshd/pull/843
• @chrjohn made their first contribution in https://github.com/apache/mina-sshd/pull/849
• @denyshorman made their first contribution in https://github.com/apache/mina-sshd/pull/870

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.16.0...sshd-2.17.0

This is the second milestone pre-release on the way to a new major version Apache MINA SSHD 3.0.0.

Like regular releases it is available in Maven Central and in the Apache repositories; the Apache source release is also at the usual location.

See the change notes for what has changed with respect to version 2.

The focus in this milestone was on the use of cryptography. Bundles sshd-common and sshd-osgi have become multi-release JARs. Apache MINA SSHD 3.0.0-M2 now supports

• On Java11+: using Java's built-in ChaCha20 cipher for the chacha20-poly1305@openssh.com SSH cipher, which bring a hug speed-up.
• On Java15+: using Java's built-in ed25519 private/public key implementation instead on Bouncy Castle or net.i2p.crypto:eddsa.
• On Java24+: using Java's built-in ML-KEM post-quantum key exchange method instead of Bouncy Castle.

Version 3 of Apache MINA SSHD is not API compatible with version 2. API comparison reports and a (very high-level and tentative) roadmap are available on the 3.0.0 development website.

This pre-release has passed all our quality and regression tests, just like any other release. We encourage interested parties to try this pre-release. Be aware that APIs might change in future milestone pre-releases.

Full Changelog since 3.0.0-M1: https://github.com/apache/mina-sshd/compare/sshd-3.0.0-M1...sshd-3.0.0-M2

This is a first milestone pre-release on the way to a new major version Apache MINA SSHD 3.0.0.

Like regular releases it is available in Maven Central and in the Apache repositories; the Apache source release is also at the usual location.

See the change notes for what has changed with respect to version 2. In short, we have refactored the implementation of the SSH transport layer, which then enabled providing support for client-side proxies. In doing so we've technically broken a lot of APIs, but the impact on existing code bases using the library should be small in practice. API comparison reports and a (very high-level and tentative) roadmap are available on the 3.0.0 development website.

This pre-release has passed all our quality and regression tests, just like any other release. We encourage interested early adopters to try this pre-release. Be aware that APIs might change in future milestone pre-releases.

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.16.0...sshd-3.0.0-M1

• bugfix: fix cert auth failed bug by @liuziyu1226 in https://github.com/apache/mina-sshd/pull/660
• GH-664: Skip MAC negotiation if an AEAD cipher was negotiated by @tomaswolf in https://github.com/apache/mina-sshd/pull/666
• GH-663: Fix a race in IoSession creation by @tomaswolf in https://github.com/apache/mina-sshd/pull/667
• Also test sshd-mina using mina-core 2.2.4 by @tomaswolf in https://github.com/apache/mina-sshd/pull/681
• ScpShell fixes; SFTP append mode for buggy servers by @tomaswolf in https://github.com/apache/mina-sshd/pull/696
• fix sources.jar Reproducible Builds issue by @hboutemy in https://github.com/apache/mina-sshd/pull/695
• GH-700: Fix race in AbstractCloseable.doCloseImmediately() by @tomaswolf in https://github.com/apache/mina-sshd/pull/702
• GH-705: Make ChannelToPortHandler accessible to user code by @tomaswolf in https://github.com/apache/mina-sshd/pull/707
• GH-709: Handle keep-alive channel messages sent by an old OpenSSH server by @tomaswolf in https://github.com/apache/mina-sshd/pull/710
• GH-727: supply default port for proxyJump if no HostConfigEntry by @tomaswolf in https://github.com/apache/mina-sshd/pull/730
• GH-733: Fix SftpRemotePathChannel.transferTo by @tomaswolf in https://github.com/apache/mina-sshd/pull/734
• [GH-725] Added commandTimeoutMillis in executeRemoteCommand by @raajeive in https://github.com/apache/mina-sshd/pull/726
• GH-774: Fix WritePendingException by @tomaswolf in https://github.com/apache/mina-sshd/pull/775
• #771 Avoid NoClassDefFoundError: net/i2p/crypto/eddsa/EdDSAPublicKey by @rde-infologic in https://github.com/apache/mina-sshd/pull/773
• [GH-516] Fix filesystem-id parsing in getFileSystem(URI) by @ago1024 in https://github.com/apache/mina-sshd/pull/766
• GH-754: Don't close DefaultForwarder on bind error by @tomaswolf in https://github.com/apache/mina-sshd/pull/776
• Close repository after usage in GitPackCommand by @kwin in https://github.com/apache/mina-sshd/pull/794
• Trigger ClientChannelEvent.Timeout and ClientSessionEvent.TIMEOUT independently to host's program cycle times by @fersaru in https://github.com/apache/mina-sshd/pull/790

• @liuziyu1226 made their first contribution in https://github.com/apache/mina-sshd/pull/660
• @raajeive made their first contribution in https://github.com/apache/mina-sshd/pull/726
• @rde-infologic made their first contribution in https://github.com/apache/mina-sshd/pull/773
• @ago1024 made their first contribution in https://github.com/apache/mina-sshd/pull/766
• @kwin made their first contribution in https://github.com/apache/mina-sshd/pull/794
• @fersaru made their first contribution in https://github.com/apache/mina-sshd/pull/790

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.15.0...sshd-2.16.0

• GH-618: Fix reading an OpenSshCertificate from a Buffer by @tomaswolf in https://github.com/apache/mina-sshd/pull/619
• Add interface to configure details of JGit's pack implementation by @JohnnyJayJay in https://github.com/apache/mina-sshd/pull/617
• ML-KEM key exchanges using Bouncy Castle 1.79 by @tomaswolf in https://github.com/apache/mina-sshd/pull/629
• GH-628: Fix reading directories with trailing blanks in the name by @tomaswolf in https://github.com/apache/mina-sshd/pull/630
• GH-626: Enable Streaming.Async for ChannelDirectTcpip by @tomaswolf in https://github.com/apache/mina-sshd/pull/631
• Sftp server ‘ls’ command timeout by @Main-Tomi in https://github.com/apache/mina-sshd/pull/634
• GH-636: Handle unknown key types in known_hosts by @tomaswolf in https://github.com/apache/mina-sshd/pull/638
• GH-643: provide interfaces for caching file attributes on paths by @tomaswolf in https://github.com/apache/mina-sshd/pull/645
• Bouncy Castle EdDSA / Ed25519 Support by @ianjoneill in https://github.com/apache/mina-sshd/pull/639
• Abstract revoked key handling in KnownHostsServerKeyVerifier by @joeljohansson99 in https://github.com/apache/mina-sshd/pull/653

• @JohnnyJayJay made their first contribution in https://github.com/apache/mina-sshd/pull/617
• @Main-Tomi made their first contribution in https://github.com/apache/mina-sshd/pull/634
• @ianjoneill made their first contribution in https://github.com/apache/mina-sshd/pull/639
• @joeljohansson99 made their first contribution in https://github.com/apache/mina-sshd/pull/653

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.14.0...sshd-2.15.0

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.13.2...sshd-2.14.0

• GH-524 Performance improvements
• GH-533 Fix multi-step authentication
• GH-582 Fix filtering in NamedFactory
• GH-587 Prevent NullPointerExceptionon closed channel in NettyIoSession
• GH-590 Better support for FIPS
• GH-597 Pass on Charset in ClientSession.executeRemoteCommand()

• New utility methods SftpClient.put(Path localFile, String remoteFileName) and SftpClient.put(InputStream in, String remoteFileName) facilitate SFTP file uploading.

Besides fixing a bug with bc-fips (the RandomGenerator class exists in normal Bouncy Castle, but not in the FIPS version, but Apache MINA sshd referenced it even if only bc-fips was present), support was improved for running in an environment restricted by FIPS.

There is a new system property org.apache.sshd.security.fipsEnabled. If set to true, a number of crypto-algorithms not approved by FIPS 140 are disabled:

• key exchange methods sntrup761x25519-sha512, sntrup761x25519-sha512@openssh.com, curve25519-sha256, curve25519-sha256@libssh.org, curve448-sha512.
• the chacha20-poly1305 cipher.
• the bcrypt KDF used in encrypted private key files in OpenSSH format.
• all ed25519 keys and signatures.

Additionally, the new "SunJCEWrapper" SecurityProviderRegistrar (see below) and the EdDSASecurityProviderRegistrar are disabled, and the BouncyCastleScurityProviderRegistrar looks only for the "BCFIPS" security provider, not for the normal "BC" provider.

If the system property is not set to true, FIPS mode can be enabled programmatically by calling SecurityUtils.setFipsMode() before any other call to Apache MINA sshd.

There is a new SecurityProviderRegistrar that is registered by default if there is a SunJCE security provider. It uses the AES and HmacSHA* implementations from SunJCE even if Bouncy Castle is also registered. SunJCE has native implementations, whereas Bouncy Castle may not.

The new registrar has the name "SunJCEWrapper" and can be configured like any other registrar. It can be disabled via the system property org.apache.sshd.security.provider.SunJCEWrapper.enabled=false. It is also disabled in FIPS mode (see above).

The methods NamedFactory.setupBuiltinFactories(boolean ignoreUnsupported, ...) and NamedFactory.setupTransformedFactories(boolean ignoreUnsupported, ...) had a bug that gave the "ignoreUnsupported" parameter actually the meaning of "include unsupported".

This was fixed in this release, but existing code calling these or one of the following methods:

• BaseBuilder.setUpDefaultMacs(boolean ignoreUnsupported)
• BaseBuilder.setUpDefaultCiphers(boolean ignoreUnsupported)
• ClientBuilder.setUpDefaultCompressionFactories(boolean ignoreUnsupported)
• ClientBuilder.setUpDefaultKeyExchanges(boolean ignoreUnsupported)
• ClientBuilder.setUpDefaultSignatureFactories(boolean ignoreUnsupported)
• ServerBuilder.setUpDefaultCompressionFactories(boolean ignoreUnsupported)
• ServerBuilder.setUpDefaultKeyExchanges(boolean ignoreUnsupported)
• ServerBuilder.setUpDefaultSignatureFactories(boolean ignoreUnsupported)
• any of the methods starting with SshConfigFileReader.configure
• SshClientConfigFileReader.configure(...)
• SshServerConfigFileReader.configure(...)

should be reviewed:

• if the method is called with parameter value true, the result will no longer include unsupported algorithms. Formerly it wrongly did.
• if the method is called with parameter value false, the result may include unsupported algorithms. Formerly it did not.

So if existing code used parameter value false to ensure it never got unsupported algorithms, change it to true.

• GH-536 The project now requires JDK 17 at build time, while the target runtime still remains unchanged to support JDK 8.

• GH-525: Fix sntrup761x25519-sha512 by @tomaswolf in https://github.com/apache/mina-sshd/pull/528

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.13.1...sshd-2.13.2

This release does not contain any code changes. It is solely to rectify the issue that the 2.13.0 release encountered during the release process, where the source jars were not created.

Full Changelog: https://github.com/apache/mina-sshd/compare/sshd-2.13.0...sshd-2.13.1

The 2.13.0 release notes are available at https://github.com/apache/mina-sshd/releases/tag/sshd-2.13.0