If an environment variable passing request and a subsystem request were
both sent on the same channel, then SSHSession only cleaned up the
ISession adapter when receiving EOF or closing the channel, and did not
call loseConnection on the client transport which is the only reasonable
way for a subsystem to be notified when a connection is closed.
SSHSession now cleans up both the client transport and the ISession
adapter if both are set.
Pin a few upper bounds so that tests mostly work on 3.5
twisted.protocols.test.test_tls.NonStreamingProducerTests.test_writeUntilDone
still fails, but that doesn't seem to be new, and we don't use Twisted's
TLS protocol code in Launchpad anyway.
Ubuntu 16.04 LTS lacks a version of OpenSSL new enough to support X25519
via cryptography. Add a fallback path using PyNaCl to support these.
This can't really be submitted upstream since Twisted no longer supports
Ubuntu 16.04 for other reasons (its Python version is too old), but the
approach here is very similar to the PyNaCl fallback for Ed25519. I've
manually compared it with the cryptography-based code and verified that
it produces the same shared secrets given the same input keys.