Releases: rwinkhart/sshyp
v1.5.3
sshyp v1.5.3
01/08/2024
the fortified flock update - patch three
this release is a quick hot-fix for some bugs that were noticed after the release of v1.5.2
fixes/optimizations:
- fixed a regression with the entry list causing entries not part of a subdirectory to appear in-line with the entry list header
- fixed extension group ownership under FreeBSD
^ the "wheel" group is now used where previously the non-existent "root" group was used - fixed notes sometimes being appended in the wrong position after editing an incomplete entry
- addressed flake8 suggestions (slight optimization)
- removed unnecessary empty variable declarations
^ these were previously included to silence PyCharm's PEP8 warnings
^ the project is now primarily developed in VSCodium with the flake8 linter
^ the only change to flake8 defaults is the line length limit (79->120)
v1.5.2
sshyp v1.5.2
01/07/2024
the fortified flock update - patch two
this release focuses on fixing various bugs, crashes, and visual oddities; additionally, the new-user setup experience has been vastly improved
compatibility-breaking changes:
- this release is fully compatible with sshyp v1.5.0-v1.5.1
- the minimum Python version has been raised from Python 3.7 to Python 3.8
^ this was needed for the new device id changing behavior
^ Python 3.7 no longer receives security updates, so this should have minimal impact
^ please create an issue on GitHub if any Python version (3.8 or newer) does not work as intended
user-facing features:
- registered device ids can now be removed from the server tweak menu
^ all device id menus now stay open until the user manually exits - changing a client's device id now attempts to automatically remove the previous id from the server
- the extension downloader now supports showing multiple lines of usage information
^ sshyp-mfa is taking advantage of this to display the info from the old man page - basic tweak/init menu text wrapping and terminal-resizing has been added
^ the tweak/init radio menus now warn if the terminal needs to be resized to see all content; this resizing can be done in real time without restarting sshyp (layout dynamically adjusts)
^ this avoids crashes on large radio menus in small terminals (crashes are still possible, but only on unreasonably small terminals - this will probably stay the way it is now) - ssh connections are no longer made from the init menu
^ this is to give the user time to register their ssh pubkey with the server - the user is now warned that gpg key generation may take time and that sshyp should not be terminated
- the user is now warned about risks associated with changing or removing active device ids
- back buttons have been added to menus that were missing a safe way to exit
fixes/optimizations:
- quick-unlock has been fixed - invalid pins have been generated since v1.5.0
^ if quick-unlock is not working for you, re-generate your pin after this update! - extension removal now works on Busybox environments (Alpine Linux)
- instead of crashing with an unhelpful error, sshyp now warns if a valid pinentry program is not found (gpg)
^ affects some Alpine Linux 3.19 base installs (pinentry does not always get installed with gpg) - a recursive curses.wrapper() function is no longer used (fixes menu crash on Alpine Linux 3.19)
^ the new method of transitioning menus is more efficient on all platforms - the wl-paste empty clipboard warning is no longer shown when multiple copies are done within 30 seconds (Wayland)
- quotes are no longer copied to the Termux clipboard on clear
- the entry reader and entry list should now be more visible in light terminals
^ in testing, I noticed some solarized dark themes bind color 8 to the same color as the terminal background, leading to some invisible text - this will not be fixed (unless custom accent colors are added), as I believe this is poor theme design and the fault of the particular solarized dark themes I tested - entry list text wrapping has been vastly improved
^ better utilization of full terminal width
^ less prone to splitting entry names in half (should be impossible now)
^ no longer crashes on small terminals - multi-word device ids can now verify via quick-unlock
- various language standardization changes
^ all back buttons in menus are now named "BACK"
^ all mentions of device ids are now referred to as "ids", rather than "names"
^ various non-user-facing variable renamings have also been made - various menu helptext have been made more clear
^ this includes quick-unlock configuration, ssh configuration, device id configuration, and more
v1.5.1
sshyp v1.5.1
10/24/2023
the fortified flock update - patch one
this release fixes both long and short-standing bugs that managed to escape discovery in testing;
it also addresses some issues that first-time users may be put-off by upon encountering
user-facing features:
- the clipboard is now only cleared if the contents of the clipboard still match what was placed onto it by sshyp
^ this means that sshyp will no longer remove data from the clipboard that it did not place there - a warning/explanation is now provided when the user attempts to sync in offline mode
- a readable error is now provided if the user attempts to edit a note and the specified text editor cannot be found
- the optional configuration menu is now explained when encountered during "sshyp init"
- the man page now includes common troubleshooting information
fixes/optimizations:
- custom, user-provided ssh keyfiles are now properly utilized in all cases
^ previously, using custom ssh keyfiles would break various features - clipboard contents are no longer leaked via the process list on Wayland
- interpolation has been disabled for ConfigParser, allowing "%" to be stored in configuration files
- gpg keys with ":" or "\" in their names are now properly written to the configuration file
- copy_id_check() and whitelist_verify() are now safely callable from extensions
- the ssh key selection will no longer see "known_hosts.old" as a valid keyfile
- when possible, data from the configuration file is now read as boolean values
- the Haiku package has been updated to use Python 3.11
v1.5.0
sshyp v1.5.0
07/12/2023
the fortified flock update
this release implements new curses-based TUI configuration menus and improves the security of sshyp
compatibility-breaking changes:
- a completely new configuration system calls for a new configuration file
^ before using sshyp v1.5.0 for the first time, 'sshyp init' will need to be ran to create the new configuration file - the old configuration files can be safely deleted
^ 'sshyp tweak' has been repurposed as the configuration menu for changing individual options, rather than re-doing setup entirely - after initialization, this is the one you want to use - the new extension manager is replacing the old method of installing extensions as system packages
^ any older extensions you have installed should be uninstalled to prevent conflicts
^ extensions are now installed and removed through the 'sshyp tweak' menu's extension manager
^ this does not yet apply to Haiku and Termux, which will continue to install extensions using the previous method - all clients and servers must be updated to this release for the folder renaming bug fix to work
^ failure to update all devices will result in errors and/or potential data loss - various packaging changes
^ x-clip and wl-clipboard are now marked as optional dependencies, so the correct tool will need to be installed as needed - a warning has been added for this if neither package is installed
^ the changelog no longer ships with sshyp - it is still available on GitHub
user-facing features:
- the old configuration menu, 'sshyp tweak', has been split into two new curses-based TUI menus
^ 'sshyp init' is for first-time setup/initialization
^ 'sshyp tweak' can be used at any time to quickly adjust individual settings
^ whitelist management tools have been moved to the new 'sshyp tweak' menu
^ clients and servers now each have their own dedicated 'sshyp tweak' menu
^ the new config file is in .INI format, making it easier to edit the config without sshyp - added a 'sshyp tweak' option for re-encrypting all entries with a new gpg key
- added a security advisory when enabling quick-unlock to ensure the user understands potential risks
- the user is now warned if the clipboard tool relevant to their platform is not installed
- passwords are now hidden by default in the entry reader
^ they can be displayed by appending '--show' or '-s' to the end of the command - input is now hidden when adding/editing a password in an entry
- entries are no longer re-encrypted and synced if the note editor is quit without saving
fixes/optimizations:
- a tmpfs is no longer used for decrypting entries unless editing notes
^ data is now decrypted directly into sshyp and written to entries pre-encrypted
^ this makes reading entries much more secure
^ editing entries is similarly secure to before - greater improvements coming in a future update - folder renaming has been re-enabled and now functions as intended
- some unnecessarily verbose outputs were silenced and/or made to appear more cleanly
- FreeBSD packaging fixes
^ no longer incorrectly includes and uses the logic for the Termux clipboard
^ now specifies 'python3' dependency instead of 'python' - many lists provided to the subprocess module have been swapped with tuples
- more correct and clear language is used to describe options and arguments in the help menus
- properly display an error when attempting to copy blank fields from entries
- shebangs have been removed from libraries not meant to be run directly
other factors of note:
- with the release of Debian 12 Bookworm, sshyp is once again fully supported on vanilla Debian
^ previously, it was only working correctly in offline mode due to Debian 11's old OpenSSH package - this is the biggest release of sshyp ever
^ it includes LOTS of minor changes and optimizations not included in the patch notes summary
^ as such, keep an eye out for new bugs! - the next major release of sshyp may be even larger...
^ but it is also likely very far away
^ GnuPG is great, but it is inherently incompatible with sshyp's future security model
^ if all goes according to plan, GnuPG will be replaced in the next release
^ assuming this happens, this next release will be crowned v2.0.0
^ sshyp v1.5.X is expected to be the latest stable release for a longer amount of time than usual
^ sshyp v1.5.X may receive security/bug fix patches after the release of v2.0.0, as needed
v1.4.3
sshyp v1.4.3
06/08/2023
the argumentative agronomist update - patch three
IMPORTANT: the next major release of sshyp, v1.5.0, will make breaking changes that will require running through 'sshyp tweak' again - also starting with v1.5.0, a copy of the changelog will no longer be packaged with sshyp (it will still be available on GitHub) and clipboard tools (x-clip and wl-clipboard) will be set to optional dependencies ('sshyp tweak' will warn of this)
this is a highly unconventional release featuring backports to fix critical bugs found during the development of the upcoming v1.5.0
fixes:
- folder renaming has been disabled to prevent a severe data loss bug from occuring
^ this has been properly fixed for v1.5.0, but the fix requires all clients and servers to be updated - to avoid breaking compatibility with 1.4.X, folder renaming was simply disabled for the time being - backported fix for syncing over IPv6
- backported fix for multiple versions of Powershell being called under WSL
- backported fix for checking /lib/sshyp instead of /usr/lib/sshyp
v1.4.2
sshyp v1.4.2
04/30/2023
the argumentative agronomist update - patch two
IMPORTANT: the next major release of sshyp, v1.5.0, will make breaking changes that will require running through 'sshyp tweak' again - also starting with v1.5.0, a copy of the changelog will no longer be packaged with sshyp (it will still be available on GitHub) and clipboard tools (x-clip and wl-clipboard) will be set to optional dependencies ('sshyp tweak' will warn of this)
update 05/11/2023: the FreeBSD package has been re-built to use the appropriate clipboard tools
this release makes use of a new ports framework to make sshyp even smaller and faster than before
user-facing features:
- full WSL (Windows Subsystem for Linux) support
- partial MacOS support
^ fully functional; packaging support has not yet been added - dedicated help screen for 'gen'
^ this was previously not included due to 'sshyp gen' being a valid command prior to v1.4.0 - removed interactive input for whitelist management
^ this is to be consistent with the removal of interactive input on clients in v1.4.0
fixes/optimizations:
- leading and following spaces are no longer stripped when printing entry contents
- properly display an error when trying to remove a device from the whitelist that is not whitelisted
- ports framework to remove unneeded code for each platform
^ BLANKS.py removes all blank lines
^ CLIPBOARD.py removes non-platform-critical clipboard code
^ COMMENTS.py removes all comments
^ RMSERVER.py removes server-only code for creating client-only packages
^ the Haiku package, which was already unsupported as a server, now only includes client code
^ SHEBANG.sh sets the shebang to what is required by the platform
^ TABS.sh converts all groups of spaces to tabs for space efficiency
^ UNAME.py removes all instances of platform detection and leaves only the platform-required code
^ THESE SCRIPTS ARE ONLY USED FOR PACKAGING AND DO NOT AFFECT THE SOURCE FILES IN THE GIT REPO
v1.4.1
sshyp v1.4.1
the argumentative agronomist update - patch one
this release improves sshyp's shell completions by adding zsh support and significantly optimizing and improving Bash support
user-facing features:
- zsh completion support
^ ensure modern completions are enabled in your ~/.zshrc
fixes/optimizations:
- Bash completions are now much faster due to the use of recursive globbing
- Bash completions have been modified to be functionally similar to the new zsh completions
other notable changes:
- some official packages now use more space-efficient compression
v1.4.0
sshyp v1.4.0
the argumentative agronomist update
this release overhauls sshyp's argument system and further streamlines
the experience with optimizations and the removal of legacy features
compatibility-breaking changes:
- there are no technical breaking changes, but the UX has changed significantly due to the new argument system (detailed below)
user-facing features:
- when typing an entry/folder name, it is now always the FIRST argument
^ e.g. instead ofsshyp copy -p /example/test
, it would now besshyp /example/test copy -p
^ this allows more easily editing the previous command to copy/edit a different field - better extension integration
^ extensions can now ship with a config file that sshyp can use to call them from standard sshyp arguments
^ the first extension supporting this is sshyp-mfa
^ if sshyp-mfa v1.4.0.1+ is installed,sshyp /example/test copy -m
will copy MFA keys to your clipboard - entry/folder names now MUST be specified as arguments
^ there is no longer a separate input prompt if the entry/folder name is not provided as an argument
^ the input prompt was a legacy feature from before arguments could specify entrys/folders with shell completion
^ the entry list generated by entry_list_gen() is still present and can be viewed by runningsshyp
with no arguments - better Bash completions
^ now correctly places backslashes to escape spaces in entry/folder names
^ slightly faster than the previous iteration - IPv6 configuration support
fixes/optimizations:
- replaced "+=" with ".append" when extending lists to prevent creating an additional list
- optimized usage of "str.split()" and replaced it with "str.splitlines()" where applicable
- more concise "if... in ()" syntax replaces long "if" statement chains
- lists have been substituted with tuples where applicable
- entry_list_gen() has been re-written to be much smaller and faster
- os.path is now used in place of pathlib.Path in areas where it is faster
- the user's home directory is saved to a variable to prevent running expanduser() every time it is needed
other notable changes:
- removed some uncommonly used, redundant arguments
^ e.g. "-rm", "-s", "delete"
^ their functionality was NOT removed, just their redundant arguments, since "shear", "sync", and "del" are the accepted syntax - errors containing entry/folder names reinforce correct syntax by adding leading/following slashes where necessary
- thanks to pull request #25, there are new error messages for the read shortcut
^ includes when no entry name is provided or the entry name only refers to a directory - directories provided in user input are no longer denoted by a following slash
^ instead, os.path is used to determine if the user is referring to a file or directory
v1.3.0
sshyp v1.3.0
the serious shepherd update
this release ties up many of sshyp's loose ends where there was
room for major performance, compatibility, and security improvements
compatibility-breaking changes:
- due to a near full re-write of the syncing functionality, all clients and servers
must be updated to this release (v1.3.0 is not backwards compatible with any prior release) - it is recommended to either delete the contents of ~/.config/sshyp/deleted (on the server-side)
or sync all of your clients before updating
^ old entries in this folder will throw errors with v1.3.0
user-facing features:
- none - all changes were under-the-hood - the user experience should be
exactly the same as v1.2.0 - just faster, less buggy, and more secure
major fixes/optimizations:
- a near full re-write of the syncing functionality
^ all syncing logic has been moved into sshync.py (from sshyp.py and sshypRemote.py)
^ in my setup, a dry, local "sshyp sync" went from 2.00+ seconds (v1.2.0) to 0.36 seconds (v1.3.0)
^ the performance improvements are even greater when syncing from outside your local network - the following character sequences will no longer break the syncing logic: "@", "^&", and "&^"
^ ASCII separator characters 29-31 are now used, instead - os.system has been replaced with subprocess.run in all cases, shell=True is no longer used with subprocess.run
^ this protects against shell escape attacks and potentially makes sshyp more compatible with some environments - replaced shell commands with python built-in library functions where applicable
^ this brings speed and compatibility improvements - sshyp should no longer incorrectly assume an X11 environment when Wayland is in use
^ this fixes clipboard support in some Wayland environments, such as Sway (Plasma/Gnome/Phosh were unaffected) - sshyp now uses the default pinentry on Haiku thanks to haikuports/haikuports#7457
^ this brings the Haiku port in-line with the other sshyp packages in terms of security - "python3" is now called over ssh, rather than "python"
^ some environments do not have a "python" symlink, or it links to "python2" - changing this increases compatibility - fixed an issue from v1.2.0 where renaming threw an error if not in offline mode
other notable changes:
- quick-unlock password input is now hidden while the user is typing
^ user input is now invisible to prevent snooping - lots of smaller optimizations not listed here
v1.2.0
sshyp v1.2.0
the brisk bahh update
this release focuses on speeding up the sshyp user experience by adding
new features that reduce wasted time
compatibility-breaking changes:
- new configuration options (quick-unlock, offline mode) have been added and
the configuration files have been reorganized
^ simply running "sshyp tweak" and following the setup wizard will correct any compatibility
issues - for quick-unlock security, device names have been replaced with more secure device ids
^ older device names are still compatible, but for security reasons it is recommended
to delete any pre-existing device names from the server and allow "sshyp tweak" to re-register
your devices
user-facing features:
- quick-unlock mode has been added
^ this allows you to use a shortened version of your password by verifying that your device
is whitelisted on your sshyp server - it's both faster and more secure than standard unlock,
but it requires an active connection to your sshyp server to authenticate (otherwise it will
fall back to standard unlock) - full support for offline usage
^ though sshyp could be used without a server before, it now can be configured to not attempt
to find one ever - this saves time and hides sync failure error messages - bash completions have been added
^ if you have bash-completion installed, you can now use the tab key in bash to auto-complete
sshyp arguments and entry names (client only, not added for server-specific arguments)
^ if you do not have bash-completion installed, you can source
/usr/share/bash-completion/completions/sshyp (Linux/BSD) or
/boot/system/data/bash-completion/completions/sshyp (Haiku) in your ~/.bashrc to
use this feature
fixes/optimizations:
- fixed entries with multi-word titles failing to decrypt
- password generation is now much faster and more resource efficient
- there is no longer a length limit on generated passwords
- improved visual consistency of help menus
- rarely used modules are now imported only when needed
- sshyp now uses one fewer configuration file
other notable changes:
- sshyp is now specifically licensed under the GPL-3.0-only (keyword: only)
- sshyp now has some possible arguments and its own help menu when running in server mode
- temporary files in /dev/shm are now generated with more complex names
- sshyp now installs in /usr/lib/sshyp (Linux/BSD) or /system/lib/sshyp (Haiku) instead of
/usr/bin or /bin (it is still symlinked to the old directories)