Skip to content

Remove DSSKey references from SSH provider, bump paramiko to 4.0+#69191

Open
joshuabvarghese wants to merge 5 commits into
apache:mainfrom
joshuabvarghese:54079-remove-dsskey
Open

Remove DSSKey references from SSH provider, bump paramiko to 4.0+#69191
joshuabvarghese wants to merge 5 commits into
apache:mainfrom
joshuabvarghese:54079-remove-dsskey

Conversation

@joshuabvarghese

@joshuabvarghese joshuabvarghese commented Jul 1, 2026

Copy link
Copy Markdown

closes: #54079

Summary

Motivation

paramiko 4.0 removed DSSKey (DSA) support entirely for security reasons. #54078 temporarily capped paramiko<4.0.0 to keep CI green, and #54173 did the same for types-paramiko, both explicitly deferring the real fix to this issue.

This PR does the follow-through: drops the DSA loader/host-key-mapping code paths so the provider no longer references a class that doesn't exist in modern paramiko, and lifts both version caps.

Migration

Users with SSH/SFTP connections configured to use a DSA (DSS) private key will need to generate a new RSA, ECDSA, or Ed25519 key (e.g. ssh-keygen -t ed25519) and update the connection's key_file/private_key accordingly. This is called out in the newsfragment and in the connection docs.

Testing

  • pytest providers/ssh/tests/unit/ssh/hooks/test_ssh.py
  • pytest providers/sftp/tests/unit/sftp/hooks/test_sftp.py
  • Verified paramiko.DSSKey no longer exists under paramiko>=4.0.0 (confirms the prior code path would have raised AttributeError at import time, matching the CI failure in Limit paramiko to < 4.0.0 till we remove DSS support #54078)

  • I acknowledge that I am not a maintainer/committer of the Apache Airflow project, this is my first contribution.

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@boring-cyborg

boring-cyborg Bot commented Jul 1, 2026

Copy link
Copy Markdown

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example Dag that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

@joshuabvarghese joshuabvarghese marked this pull request as ready for review July 1, 2026 11:58
@joshuabvarghese joshuabvarghese changed the title 54079 remove dsskey Remove DSSKey references from SSH provider, bump paramiko to 4.0+ Jul 1, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

uv.lock on main just moved via #69198 ("[main] Upgrade important CI environment"), commit 38b2869 and this PR currently conflicts.

Quickest fix:

git fetch upstream main && git rebase upstream/main
rm uv.lock && uv lock
git add uv.lock && git rebase --continue
git push --force-with-lease

Automated nudge — ignore if you're not ready to rebase. This comment is updated in place on future uv.lock bumps.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Remove/Replace DSSKey references from Airflow

1 participant