Release v0.6.0: Ed25519 SSH keys, CI improvements, and bug fixes

Features:
- Add Ed25519 SSH host key support for improved security and performance
- Add SSH port default (20022) to FarsshArguments
- Configure Dependabot for security-only updates (GitHub Actions, pip)
- Use version from const.py in CI workflows for consistent image tagging
- Add .gitignore for .venv directory
- Add TESTING.md with manual testing procedures

Bug fixes:
- Fix select_database() using wrong variable for cluster engine type
- Rename host_key to rsa_host_key for clarity with new Ed25519 support

Dependencies:
- Update Python requirement to 3.9+
- Update boto3 to >=1.35
- Upgrade GitHub Actions to v6 (checkout, aws-credentials)
- Upgrade Alpine base image to 3.23

Author: apparentorder

.github/dependabot.yml

@@ -0,0 +1,17 @@
+# Dependabot configuration
+# See: https://docs.github.com/en/code-security/dependabot
+
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0 # Only security updates, no regular version bumps
+
+  - package-ecosystem: "pip"
+    directory: "/client"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 0 # Only security updates, no regular version bumps

.github/workflows/image.yaml

@@ -3,26 +3,27 @@ on:
   push:
     branches:
       - main
-    paths: 
+    paths:
       - '.github/workflows/image.yaml'
+      - 'client/src/farssh/const.py'
       - 'image/*'
 
 permissions:
   id-token: write
   contents: read
-  
+
 jobs:
 
   deploy_source:
     name: build and push farssh to ecr-public
     runs-on: ubuntu-latest
     steps:
-    
+
       - name: Git clone the repository
-        uses: actions/checkout@v3
-        
+        uses: actions/checkout@v6
+
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::329261680777:role/farssh-github
           role-session-name: github-action-push
@@ -40,25 +41,27 @@ jobs:
 
       # use qemu + buildx to build arm64 image, per
       # https://community.ibm.com/community/user/powerdeveloper/blogs/siddhesh-ghadi/2023/02/08/build-multi-arch-images-on-github-actions-with-bui
-      
+
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: build and push to ECR
         env:
           ECR_REPOSITORY: public.ecr.aws/apparentorder/farssh
-          IMAGE_TAG: ${{ github.sha }}
         run: |
-          docker buildx build --push --platform linux/arm64 --tag $ECR_REPOSITORY:$IMAGE_TAG image
-          docker buildx build --push --platform linux/arm64 --tag $ECR_REPOSITORY:latest image
+          VERSION=$(python -c 'from client.src.farssh.const import FARSSH_VERSION; print(FARSSH_VERSION);')
+          DATE=$(date +%Y-%m-%d)
+          docker buildx build --push --platform linux/arm64 --build-arg FARSSH_VERSION=$VERSION --build-arg FARSSH_DATE=$DATE --tag $ECR_REPOSITORY:$VERSION image
+          docker buildx build --push --platform linux/arm64 --build-arg FARSSH_VERSION=$VERSION --build-arg FARSSH_DATE=$DATE --tag $ECR_REPOSITORY:latest image
 
       - name: build and push to Dockerhub
         env:
           DOCKERHUB_REPOSITORY: apparentorder/farssh
-          IMAGE_TAG: ${{ github.sha }}
         run: |
-          docker buildx build --push --platform linux/arm64 --tag $DOCKERHUB_REPOSITORY:$IMAGE_TAG image
-          docker buildx build --push --platform linux/arm64 --tag $DOCKERHUB_REPOSITORY:latest image
+          VERSION=$(python -c 'from client.src.farssh.const import FARSSH_VERSION; print(FARSSH_VERSION);')
+          DATE=$(date +%Y-%m-%d)
+          docker buildx build --push --platform linux/arm64 --build-arg FARSSH_VERSION=$VERSION --build-arg FARSSH_DATE=$DATE --tag $DOCKERHUB_REPOSITORY:$VERSION image
+          docker buildx build --push --platform linux/arm64 --build-arg FARSSH_VERSION=$VERSION --build-arg FARSSH_DATE=$DATE --tag $DOCKERHUB_REPOSITORY:latest image

.github/workflows/s3.yaml

@@ -3,28 +3,36 @@ on:
   push:
     branches:
       - main
-    paths: 
+    paths:
       - '.github/workflows/s3.yaml'
+      - 'client/src/farssh/const.py'
       - 'cloudformation/*'
 
 permissions:
   id-token: write
   contents: read
-  
+
 jobs:
 
   deploy_source:
     name: copy cfn to s3
     runs-on: ubuntu-latest
     steps:
       - name: Git clone the repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::329261680777:role/farssh-github
           role-session-name: github-action-copy-s3
           aws-region: eu-central-1
       - name: copy cfn to s3
-        run:
+        run: |
+          VERSION=$(python -c 'from client.src.farssh.const import FARSSH_VERSION; print(FARSSH_VERSION);')
+          sed -i "s|__VERSION__|$VERSION|g" cloudformation/farssh.yaml
+          # Validate placeholder was replaced
+          if grep -q '__VERSION__' cloudformation/farssh.yaml; then
+            echo "ERROR: __VERSION__ placeholder not replaced"
+            exit 1
+          fi
           aws s3 sync cloudformation/ s3://farssh/cloudformation/

.gitignore

@@ -0,0 +1 @@
+.venv

client/pyproject.toml

@@ -5,9 +5,9 @@ readme = "../README.md"
 license = { text = "BSD 2-clause" }
 authors = [ { name="@apparentorder", email="apparentorder@neveragain.de" } ]
 description = "Secure on-demand connections into AWS VPCs"
-requires-python = ">=3.8"
+requires-python = ">=3.9"
 dependencies = [
-	"boto3",
+	"boto3>=1.35",
 ]
 keywords = ["aws", "vpc", "ssh", "tunnel", "proxy", "rds", "postgresql", "mysql"]
 classifiers = [

client/src/farssh/args.py

@@ -15,6 +15,7 @@ def __init__(self):
 
 		# defaults, if not found in Parameter Store
 		self.force_public_ipv4 = False
+		self.ssh_port = "20022"
 
 		for (key, value) in get_farssh_ssm_parameters(FARSSH_ID).items():
 			setattr(self, key, value)

client/src/farssh/aws.py

@@ -45,9 +45,13 @@ def run_ecs_task(args, ssh_keys, farssh_id):
 			"name": "FARSSH_SSH_AUTHORIZED_KEYS",
 			"value": ssh_keys.login_key_pub,
 		},
+		{
+			"name": "FARSSH_SSH_HOST_ED25519_KEY_BASE64",
+			"value": base64.b64encode(bytes(ssh_keys.ed25519_host_key, "utf-8")).decode("utf-8")
+		},
 		{
 			"name": "FARSSH_SSH_HOST_RSA_KEY_BASE64",
-			"value": base64.b64encode(bytes(ssh_keys.host_key, "utf-8")).decode("utf-8")
+			"value": base64.b64encode(bytes(ssh_keys.rsa_host_key, "utf-8")).decode("utf-8")
 		}
 	]
 
@@ -140,7 +144,7 @@ def select_database(args):
 		available += [{
 			'identifier': cluster_id,
 			'cluster':    cluster_id,
-			'engine':     candidate_instance.get('Engine'),
+			'engine':     candidate_cluster.get('Engine'),
 			'status':     candidate_cluster.get('Status'),
 			'hostname':   candidate_cluster['Endpoint'],
 			'port':       candidate_cluster.get('Port'),

client/src/farssh/const.py

@@ -1,4 +1,4 @@
-FARSSH_VERSION = "0.5"
+FARSSH_VERSION = "0.6.0"
 FARSSH_ID = 'default'
 FARSSH_URL = 'https://github.com/apparentorder/farssh'
 

client/src/farssh/ssh.py

@@ -6,34 +6,40 @@
 # ----------------------------------------------------------------------
 
 class FarsshSshKeyHandler:
-	def __init__(self, farssh_args):
+	def __init__(self, farssh_args) -> None:
 		self._tempdir = tempfile.TemporaryDirectory()
 
 		self.farssh_args = farssh_args
 		self.known_hosts_file = f"{self._tempdir.name}/known-hosts"
 
-		subprocess.run(["ssh-keygen", "-q", "-N", "", "-t", "rsa", "-f", f"{self._tempdir.name}/ssh_host_rsa_key"], check = True)
-		subprocess.run(["ssh-keygen", "-q", "-N", "", "-t", "rsa", "-f", f"{self._tempdir.name}/ssh_login_key"], check = True)
-
-		self.host_key_file =      f"{self._tempdir.name}/ssh_host_rsa_key"
-		self.host_key_pub_file =  f"{self._tempdir.name}/ssh_host_rsa_key.pub"
-		self.login_key_file =     f"{self._tempdir.name}/ssh_login_key"
-		self.login_key_pub_file = f"{self._tempdir.name}/ssh_login_key.pub"
-
-		self.host_key = open(self.host_key_file, "r").read()
-		self.host_key_pub = open(self.host_key_pub_file, "r").read()
-		# self.login_key = open(self.login_key_file, "r").read() # not used
-		self.login_key_pub = open(self.login_key_pub_file, "r").read()
-
-	def write_known_hosts(self, ip_address):
+		subprocess.run(["ssh-keygen", "-q", "-N", "", "-t", "ed25519", "-f", f"{self._tempdir.name}/ssh_host_ed25519_key"], check = True)
+		subprocess.run(["ssh-keygen", "-q", "-N", "", "-t", "rsa",     "-f", f"{self._tempdir.name}/ssh_host_rsa_key"], check = True)
+		subprocess.run(["ssh-keygen", "-q", "-N", "", "-t", "ed25519", "-f", f"{self._tempdir.name}/ssh_login_key"], check = True)
+
+		self.ed25519_host_key_file =      f"{self._tempdir.name}/ssh_host_ed25519_key"
+		self.ed25519_host_key_pub_file =  f"{self._tempdir.name}/ssh_host_ed25519_key.pub"
+		self.rsa_host_key_file =          f"{self._tempdir.name}/ssh_host_rsa_key"
+		self.rsa_host_key_pub_file =      f"{self._tempdir.name}/ssh_host_rsa_key.pub"
+		self.login_key_file =             f"{self._tempdir.name}/ssh_login_key"
+		self.login_key_pub_file =         f"{self._tempdir.name}/ssh_login_key.pub"
+
+		self.ed25519_host_key =           open(self.ed25519_host_key_file, "r").read()
+		self.ed25519_host_key_pub =       open(self.ed25519_host_key_pub_file, "r").read()
+		self.rsa_host_key =               open(self.rsa_host_key_file, "r").read()
+		self.rsa_host_key_pub =           open(self.rsa_host_key_pub_file, "r").read()
+		self.login_key_pub =              open(self.login_key_pub_file, "r").read()
+		# self.login_key isn't used here, so don't read.
+
+	def write_known_hosts(self, ip_address) -> None:
 		# Create temporary known-hosts file so the SSH client can verify the remote host's public key that we configured it with.
 		# The `host` *must* be without port number when the port is 22; this seems to be a quirk of OpenSSH's known-hosts file format.
+		# Write Ed25519 key first (preferred), then RSA (fallback for backward compatibility).
 
 		with open(self.known_hosts_file, "w") as f:
 			host = ip_address
 
 			if self.farssh_args.ssh_port != "22":
 				host = f"[{host}]:{self.farssh_args.ssh_port}"
 
-			f.write(f"{host} {self.host_key_pub}\n")
-
+			f.write(f"{host} {self.ed25519_host_key_pub}\n")
+			f.write(f"{host} {self.rsa_host_key_pub}\n")

cloudformation/farssh.yaml

@@ -46,10 +46,11 @@ Parameters:
       When FarSSH runs in an IPv6 subnet, change this to the DockerHub image, as
       AWS ECR Public does not support image pull over IPv6.
     Type: String
-    Default: public.ecr.aws/apparentorder/farssh
+    # Placeholder __VERSION__ is replaced during deployment to S3.
+    Default: public.ecr.aws/apparentorder/farssh:__VERSION__
     AllowedValues:
-    - public.ecr.aws/apparentorder/farssh
-    - docker.io/apparentorder/farssh
+    - public.ecr.aws/apparentorder/farssh:__VERSION__
+    - docker.io/apparentorder/farssh:__VERSION__
 
 Conditions:
   AwslogsEnabled: !Equals [!Ref EnableAwslogsDriver, true]