Skip to content

build(deps): bump sshd.version from 2.17.1 to 2.18.0#2684

Merged
jbonofre merged 1 commit into
mainfrom
dependabot/maven/main/sshd.version-2.18.0
May 30, 2026
Merged

build(deps): bump sshd.version from 2.17.1 to 2.18.0#2684
jbonofre merged 1 commit into
mainfrom
dependabot/maven/main/sshd.version-2.18.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 28, 2026

Bumps sshd.version from 2.17.1 to 2.18.0.
Updates org.apache.sshd:sshd-osgi from 2.17.1 to 2.18.0

Release notes

Sourced from org.apache.sshd:sshd-osgi's releases.

Apache MINA SSHD 2.18.0

Bug Fixes

  • GH-743 Ensure the Java ServiceLoader use a singleton SftpFileSystemProvider
  • GH-879 Close SSH channel gracefully on exception in port forwarding
  • Improve handling of repository paths in sshd-git.

New Features

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

Wildcard principals in host certificates are handled now.

  • Putty keys with non-ASCII passphrases

The passphrase needs to be converted to a byte sequence to compute a decryption key for an encrypted private key. This conversion depends on the character encoding. Putty on Windows uses the ANSI codepage set when the key was generated. Apache MINA SSHD now tries multiple encodings in sequence: UTF-8, then the OS encoding, and finally ISO-8859-1 as a last-chance fallback.

Potential Compatibility Issues

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

OpenSSH 10.3 changed the way such certificates are handled; see the OpenSSH 10.3 release notes. In Apache MINA SSHD, there is a new flag CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS (by default false) that can be set on an SshClient or SshServer or also on a Session directly. If the value is false, certificates without principals are rejected as in OpenSSH 10.3; if it is true, such certificates are considered to match any user or host name as in OpenSSH < 10.3.

Set the flag on an SshClient or ClientSession to determine the handling of host certificates. Set it on an SshServer or ServerSession to govern the handling of user certificates.

Changelog

Sourced from org.apache.sshd:sshd-osgi's changelog.

Previous Versions

Latest Version

Planned for Next Version

Bug Fixes

New Features

Potential Compatibility Issues

Major Code Re-factoring

Commits
  • c2d7b7a [maven-release-plugin] prepare release sshd-2.18.0
  • 084cee8 Prepare release documentation
  • db0567b Improve git access
  • 1285419 GH-743: Use a singleton SftpFileSystemProvider for the ServiceLoader
  • 4e820c9 Add test cases to AuthorizedKeysCertificateTest
  • a85a3b1 Better handling of Putty keys with non-ASCII passphrases
  • 6c215e8 Bump BCFIPS bundles used in a test
  • 9def203 Fix annotation to ignore an unstable test
  • a0ef7a5 Host certificates: check both public keys for not being revoked
  • b11c159 GH-892: Host certificate principals may contain wildcards
  • Additional commits viewable in compare view

Updates org.apache.sshd:sshd-scp from 2.17.1 to 2.18.0

Release notes

Sourced from org.apache.sshd:sshd-scp's releases.

Apache MINA SSHD 2.18.0

Bug Fixes

  • GH-743 Ensure the Java ServiceLoader use a singleton SftpFileSystemProvider
  • GH-879 Close SSH channel gracefully on exception in port forwarding
  • Improve handling of repository paths in sshd-git.

New Features

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

Wildcard principals in host certificates are handled now.

  • Putty keys with non-ASCII passphrases

The passphrase needs to be converted to a byte sequence to compute a decryption key for an encrypted private key. This conversion depends on the character encoding. Putty on Windows uses the ANSI codepage set when the key was generated. Apache MINA SSHD now tries multiple encodings in sequence: UTF-8, then the OS encoding, and finally ISO-8859-1 as a last-chance fallback.

Potential Compatibility Issues

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

OpenSSH 10.3 changed the way such certificates are handled; see the OpenSSH 10.3 release notes. In Apache MINA SSHD, there is a new flag CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS (by default false) that can be set on an SshClient or SshServer or also on a Session directly. If the value is false, certificates without principals are rejected as in OpenSSH 10.3; if it is true, such certificates are considered to match any user or host name as in OpenSSH < 10.3.

Set the flag on an SshClient or ClientSession to determine the handling of host certificates. Set it on an SshServer or ServerSession to govern the handling of user certificates.

Changelog

Sourced from org.apache.sshd:sshd-scp's changelog.

Previous Versions

Latest Version

Planned for Next Version

Bug Fixes

New Features

Potential Compatibility Issues

Major Code Re-factoring

Commits
  • c2d7b7a [maven-release-plugin] prepare release sshd-2.18.0
  • 084cee8 Prepare release documentation
  • db0567b Improve git access
  • 1285419 GH-743: Use a singleton SftpFileSystemProvider for the ServiceLoader
  • 4e820c9 Add test cases to AuthorizedKeysCertificateTest
  • a85a3b1 Better handling of Putty keys with non-ASCII passphrases
  • 6c215e8 Bump BCFIPS bundles used in a test
  • 9def203 Fix annotation to ignore an unstable test
  • a0ef7a5 Host certificates: check both public keys for not being revoked
  • b11c159 GH-892: Host certificate principals may contain wildcards
  • Additional commits viewable in compare view

Updates org.apache.sshd:sshd-sftp from 2.17.1 to 2.18.0

Release notes

Sourced from org.apache.sshd:sshd-sftp's releases.

Apache MINA SSHD 2.18.0

Bug Fixes

  • GH-743 Ensure the Java ServiceLoader use a singleton SftpFileSystemProvider
  • GH-879 Close SSH channel gracefully on exception in port forwarding
  • Improve handling of repository paths in sshd-git.

New Features

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

Wildcard principals in host certificates are handled now.

  • Putty keys with non-ASCII passphrases

The passphrase needs to be converted to a byte sequence to compute a decryption key for an encrypted private key. This conversion depends on the character encoding. Putty on Windows uses the ANSI codepage set when the key was generated. Apache MINA SSHD now tries multiple encodings in sequence: UTF-8, then the OS encoding, and finally ISO-8859-1 as a last-chance fallback.

Potential Compatibility Issues

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

OpenSSH 10.3 changed the way such certificates are handled; see the OpenSSH 10.3 release notes. In Apache MINA SSHD, there is a new flag CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS (by default false) that can be set on an SshClient or SshServer or also on a Session directly. If the value is false, certificates without principals are rejected as in OpenSSH 10.3; if it is true, such certificates are considered to match any user or host name as in OpenSSH < 10.3.

Set the flag on an SshClient or ClientSession to determine the handling of host certificates. Set it on an SshServer or ServerSession to govern the handling of user certificates.

Changelog

Sourced from org.apache.sshd:sshd-sftp's changelog.

Previous Versions

Latest Version

Planned for Next Version

Bug Fixes

New Features

Potential Compatibility Issues

Major Code Re-factoring

Commits
  • c2d7b7a [maven-release-plugin] prepare release sshd-2.18.0
  • 084cee8 Prepare release documentation
  • db0567b Improve git access
  • 1285419 GH-743: Use a singleton SftpFileSystemProvider for the ServiceLoader
  • 4e820c9 Add test cases to AuthorizedKeysCertificateTest
  • a85a3b1 Better handling of Putty keys with non-ASCII passphrases
  • 6c215e8 Bump BCFIPS bundles used in a test
  • 9def203 Fix annotation to ignore an unstable test
  • a0ef7a5 Host certificates: check both public keys for not being revoked
  • b11c159 GH-892: Host certificate principals may contain wildcards
  • Additional commits viewable in compare view

Updates org.apache.sshd:sshd-mina from 2.17.1 to 2.18.0

Release notes

Sourced from org.apache.sshd:sshd-mina's releases.

Apache MINA SSHD 2.18.0

Bug Fixes

  • GH-743 Ensure the Java ServiceLoader use a singleton SftpFileSystemProvider
  • GH-879 Close SSH channel gracefully on exception in port forwarding
  • Improve handling of repository paths in sshd-git.

New Features

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

Wildcard principals in host certificates are handled now.

  • Putty keys with non-ASCII passphrases

The passphrase needs to be converted to a byte sequence to compute a decryption key for an encrypted private key. This conversion depends on the character encoding. Putty on Windows uses the ANSI codepage set when the key was generated. Apache MINA SSHD now tries multiple encodings in sequence: UTF-8, then the OS encoding, and finally ISO-8859-1 as a last-chance fallback.

Potential Compatibility Issues

  • GH-892 Align handling certificates without principals with OpenSSH 10.3

OpenSSH 10.3 changed the way such certificates are handled; see the OpenSSH 10.3 release notes. In Apache MINA SSHD, there is a new flag CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS (by default false) that can be set on an SshClient or SshServer or also on a Session directly. If the value is false, certificates without principals are rejected as in OpenSSH 10.3; if it is true, such certificates are considered to match any user or host name as in OpenSSH < 10.3.

Set the flag on an SshClient or ClientSession to determine the handling of host certificates. Set it on an SshServer or ServerSession to govern the handling of user certificates.

Changelog

Sourced from org.apache.sshd:sshd-mina's changelog.

Previous Versions

Latest Version

Planned for Next Version

Bug Fixes

New Features

Potential Compatibility Issues

Major Code Re-factoring

Commits
  • c2d7b7a [maven-release-plugin] prepare release sshd-2.18.0
  • 084cee8 Prepare release documentation
  • db0567b Improve git access
  • 1285419 GH-743: Use a singleton SftpFileSystemProvider for the ServiceLoader
  • 4e820c9 Add test cases to AuthorizedKeysCertificateTest
  • a85a3b1 Better handling of Putty keys with non-ASCII passphrases
  • 6c215e8 Bump BCFIPS bundles used in a test
  • 9def203 Fix annotation to ignore an unstable test
  • a0ef7a5 Host certificates: check both public keys for not being revoked
  • b11c159 GH-892: Host certificate principals may contain wildcards
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump sshd.version from 2.17.1 to 2.18.0
0af04d9 
Bumps `sshd.version` from 2.17.1 to 2.18.0.

Updates `org.apache.sshd:sshd-osgi` from 2.17.1 to 2.18.0
- [Release notes](https://github.com/apache/mina-sshd/releases)
- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)
- [Commits](apache/mina-sshd@sshd-2.17.1...sshd-2.18.0)

Updates `org.apache.sshd:sshd-scp` from 2.17.1 to 2.18.0
- [Release notes](https://github.com/apache/mina-sshd/releases)
- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)
- [Commits](apache/mina-sshd@sshd-2.17.1...sshd-2.18.0)

Updates `org.apache.sshd:sshd-sftp` from 2.17.1 to 2.18.0
- [Release notes](https://github.com/apache/mina-sshd/releases)
- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)
- [Commits](apache/mina-sshd@sshd-2.17.1...sshd-2.18.0)

Updates `org.apache.sshd:sshd-mina` from 2.17.1 to 2.18.0
- [Release notes](https://github.com/apache/mina-sshd/releases)
- [Changelog](https://github.com/apache/mina-sshd/blob/master/CHANGES.md)
- [Commits](apache/mina-sshd@sshd-2.17.1...sshd-2.18.0)

---
updated-dependencies:
- dependency-name: org.apache.sshd:sshd-osgi
  dependency-version: 2.18.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
- dependency-name: org.apache.sshd:sshd-scp
  dependency-version: 2.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.apache.sshd:sshd-sftp
  dependency-version: 2.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: org.apache.sshd:sshd-mina
  dependency-version: 2.18.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels May 28, 2026
@jbonofre jbonofre merged commit 767b70d into main May 30, 2026
6 checks passed
@jbonofre jbonofre deleted the dependabot/maven/main/sshd.version-2.18.0 branch May 30, 2026 05:09
@holgerfriedrich
Copy link
Copy Markdown
Contributor

holgerfriedrich commented May 30, 2026

@jbonofre

OpenSSH 10.3 changed the way such certificates are handled; see the OpenSSH 10.3 release notes. In Apache MINA SSHD, there is a new flag CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS (by default false) that can be set on an SshClient or SshServer or also on a Session directly. If the value is false, certificates without principals are rejected as in OpenSSH 10.3; if it is true, such certificates are considered to match any user or host name as in OpenSSH < 10.3.

Set the flag on an SshClient or ClientSession to determine the handling of host certificates. Set it on an SshServer or ServerSession to govern the handling of user certificates.

Do you think we need a follow-up PR to keep the old behaviour, at least for the 4.4.x branch?
The patch itself would be just a one-liner:
CoreModuleProperties.ALLOW_EMPTY_CERTIFICATE_PRINCIPALS.set(..., true);
affecting ~5 files where we build instances of ssh client or server, and maybe a new test.

@holgerfriedrich holgerfriedrich mentioned this pull request May 30, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@holgerfriedrich @jbonofre