sha256 & ssh_known_hosts #60786

Open
xanderificnl opened this issue Aug 24, 2021 · 4 comments
Labels: Bug (broken, incorrect, or confusing behavior), severity-medium (3rd level, incorrect or bad functionality, confusing and lacks a work around)

xanderificnl commented Aug 24, 2021

Description
Fingerprints generated by ssh-keygen in sha256 format aren't accepted by ssh_known_hosts

Setup
Single user machine (not using salt-master. Simply salt-call). Simple file:

```yaml
github.com:
    ssh_known_hosts:
        - present
        - fingerprint: nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
```

Steps to Reproduce the behavior
GitHub's fingerprints can be found here, but they can also be obtained via `ssh-keyscan`.

Expected behavior
I expect ssh_known_hosts to accept a valid fingerprint generated by `ssh-keygen -l -Esha256 -f <(ssh-keyscan github.com)`

Versions Report

```text
$ salt-call --versions-report
Salt Version:
          Salt: 3003.2

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.11.2
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.0
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.9.7
        pygit2: Not Installed
        Python: 3.9.5 (default, May 11 2021, 08:20:37)
  python-gnupg: 0.4.6
        PyYAML: 5.3.1
         PyZMQ: 20.0.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: ubuntu 21.04 hirsute
        locale: utf-8
       machine: x86_64
       release: 5.11.0-31-generic
        system: Linux
       version: Ubuntu 21.04 hirsute
```

Additional context

I had to go through many hoops before figuring out what fingerprint would be accepted. For the record, here it is:

`9d:38:5b:83:a9:17:52:92:56:1a:5e:c4:d4:81:8e:0a:ca:51:a2:64:f1:74:20:11:2e:f8:8a:c3:a1:39:49:8f`

@xanderificnl xanderificnl added Bug broken, incorrect, or confusing behavior needs-triage labels Aug 24, 2021
welcome bot commented Aug 24, 2021

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

Ch3LL commented Jul 6, 2022

Looks like in openssh 6.8 they updated the fingerprints from hex md5 to base64 sha256: http://www.openssh.com/txt/release-6.8

> * Add FingerprintHash option to ssh(1) and sshd(8), and equivalent
>   command-line flags to the other tools to control algorithm used
>   for key fingerprints. The default changes from MD5 to SHA256 and
>   format from hex to base64.
>
> Fingerprints now have the hash algorithm prepended. An example of
> the new format: SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE
> Please note that visual host keys will also be different.

We probably need to update the `_fingerprint` function in `salt/modules/ssh.py` to not always return: `return ":".join(chunks)`

@Ch3LL Ch3LL added severity-medium 3rd level, incorrect or bad functionality, confusing and lacks a work around and removed needs-triage labels Jul 6, 2022
@Ch3LL Ch3LL added this to the Approved milestone Jul 6, 2022
HerHde commented Aug 17, 2022

This still seems to be a problem. If someone touches the code, it would be nice to add the example `ssh-keygen -l -Esha256 -f <(ssh-keyscan github.com)` to the docs for convenience.

HeinrichFilter commented Mar 24, 2023

The new fingerprint in this format after GitHub had to update their RSA SSH host key is:

`b8:d8:95:ce:d9:2c:0a:c0:e1:71:cd:2e:f5:ef:01:ba:34:17:55:4a:4a:64:80:d3:31:cc:c2:be:3d:ed:0f:6b`
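The two notations in this thread are the same 32-byte SHA256 digest written differently: `ssh-keygen -l -Esha256` prints it as unpadded base64 with a `SHA256:` prefix, while the state compares against lower-case hex pairs joined with `:` (the `":".join(chunks)` behaviour Ch3LL points at in `_fingerprint`). The following is an added example, not Salt's code and not part of this issue: it converts between the two forms, computes both from a raw host-key blob the way `ssh-keygen -l` does, and uses the github.com values posted in the original report as check data. The `_ssh_string` helper and the sample ed25519 blob are constructed for the example and are not a real host key.

```python
"""Convert between OpenSSH's 'SHA256:<base64>' fingerprint notation and
the colon-separated hex that Salt's ssh_known_hosts state compares
against, and compute both from a host key blob.

Added example for this issue thread; it is NOT Salt's own code. It
mimics the behaviour described for _fingerprint() in
salt/modules/ssh.py (hash the key blob, ":".join() the hex pairs).
"""
import base64
import binascii
import hashlib
import re

# Values posted in this issue for github.com (same key, two notations).
GITHUB_SHA256_OPENSSH = "SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8"
GITHUB_SHA256_SALT = (
    "9d:38:5b:83:a9:17:52:92:56:1a:5e:c4:d4:81:8e:0a:"
    "ca:51:a2:64:f1:74:20:11:2e:f8:8a:c3:a1:39:49:8f"
)
# Hex form posted for the RSA key GitHub rotated in 2023.
GITHUB_RSA_2023_SALT = (
    "b8:d8:95:ce:d9:2c:0a:c0:e1:71:cd:2e:f5:ef:01:ba:"
    "34:17:55:4a:4a:64:80:d3:31:cc:c2:be:3d:ed:0f:6b"
)

# 43 base64 characters carry 32 bytes; OpenSSH drops the '=' padding.
_OPENSSH_SHA256_RE = re.compile(r"^(?:SHA256:)?([A-Za-z0-9+/]{43})=?$")


def hex_fingerprint(digest: bytes) -> str:
    """Render a digest as Salt compares it: hex pairs joined with ':'."""
    hexdigest = digest.hex()
    chunks = [hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)]
    return ":".join(chunks)


def openssh_sha256_to_salt_hex(fingerprint: str) -> str:
    """'SHA256:<base64>' (prefix optional) -> colon-hex accepted by the state."""
    m = _OPENSSH_SHA256_RE.match(fingerprint.strip())
    if not m:
        raise ValueError("not an OpenSSH SHA256 fingerprint: %r" % fingerprint)
    digest = base64.b64decode(m.group(1) + "=")  # restore the stripped padding
    if len(digest) != 32:
        raise ValueError("SHA256 fingerprint must decode to 32 bytes")
    return hex_fingerprint(digest)


def salt_hex_to_openssh_sha256(hex_fp: str) -> str:
    """Reverse direction: colon-hex SHA256 -> 'SHA256:<base64>' as ssh-keygen prints it."""
    digest = binascii.unhexlify(hex_fp.replace(":", ""))
    if len(digest) != 32:
        raise ValueError("SHA256 fingerprint must be 32 bytes")
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def is_valid_sha256_fingerprint(fingerprint: str) -> bool:
    """True if the string is a well-formed SHA256 fingerprint in either notation."""
    try:
        if ":" in fingerprint and not fingerprint.startswith("SHA256:"):
            salt_hex_to_openssh_sha256(fingerprint)
        else:
            openssh_sha256_to_salt_hex(fingerprint)
        return True
    except (ValueError, binascii.Error):
        return False


def fingerprints_from_key(key_b64: str) -> dict:
    """Fingerprints ssh-keygen -l would print for a public key blob (the
    base64 field of a known_hosts / ssh-keyscan line): legacy MD5 hex,
    SHA256 hex (what Salt accepts) and SHA256 base64 (OpenSSH >= 6.8 default)."""
    blob = base64.b64decode(key_b64)
    sha256_hex = hex_fingerprint(hashlib.sha256(blob).digest())
    return {
        "md5": hex_fingerprint(hashlib.md5(blob).digest()),
        "sha256_hex": sha256_hex,
        "sha256_openssh": salt_hex_to_openssh_sha256(sha256_hex),
    }


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample: a syntactically valid ssh-ed25519 blob whose 32-byte
# "public key" is just 0x00..0x1f. It is not a real host key.
SAMPLE_KEY_B64 = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode("ascii")


if __name__ == "__main__":
    print(openssh_sha256_to_salt_hex(GITHUB_SHA256_OPENSSH))
    for name, value in sorted(fingerprints_from_key(SAMPLE_KEY_B64).items()):
        print("%-15s %s" % (name, value))
```

Feeding the `SHA256:` value from `ssh-keygen -l -Esha256 -f <(ssh-keyscan github.com)` through `openssh_sha256_to_salt_hex` yields exactly the colon-hex string the reporter had to discover by trial and error, which is a cheaper check than guessing which form the state will accept.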
