ssh: allow all additional ssh key types

[MEschenbacher]

What does this PR do?

Propose a fix for #59429 by extending the list of allowed ssh public key types in salt/modules/ssh.py as of openssh 8.5.

What issues does this PR fix or reference?

Fixes: #59429

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

• Docs
• Changelog - https://docs.saltstack.com/en/master/topics/development/changelog.html
• Tests written/updated

Commits signed with GPG?

Yes

Please review Salt's Contributing Guide for best practices.

See GitHub's page on GPG signing for more information about signing commits with GPG.

[xeacott]

Hey @MEschenbacher are you still wanting to make more changes to this PR? We can get this into Si just need to keep moving along

[MEschenbacher]

The PR should be complete as far as changes to code are concerned. Are you fine with the changes themselves?

I'm assuming in order to move along, I need to check all boxes?

[Ch3LL]

This will require a changelog file.

[MEschenbacher]

Okay, I'm now waiting for the final call as to whether we allow any pubkey type or continue maintaining an allowlist of types.

[dwoz]

Okay, I'm now waiting for the final call as to whether we allow any pubkey type or continue maintaining an allowlist of types.

Continue maintaining a list for now please.

[MEschenbacher]

Maintaining an allow list for now and rebased on master.

I'm not sure if https://github.com/saltstack/salt/blob/master/salt/states/ssh_auth.py and https://github.com/saltstack/salt/blob/master/salt/states/ssh_auth.py need some care, too. The regex look to be only allowing ssh- and ecdsa- but not sk-ssh- and sk-ecdsa-.

[xeacott]

I think the debian test is the last one to address here, and there's only one, and then we should be good to go!

[dwoz]

Pre-commit and tests need to be fixed still.

[MEschenbacher]

I've added a few tests and I'm not sure if they assert that all salt modules and states with a ssh key type accept the additional key types. As far as the failing test for debian jinja filters is concerned: need to look into it.

[Ch3LL]

The jinja filters tests is a know failing test that someone else is working on and is not related to this PR. The pre-commit and lint test failures will need to be cleaned up though.

[Ch3LL]

I went ahead and pushed a fix for pre-commit and lint. Just waiting on the test results.

[Ch3LL]

@MEschenbacher is this still WIP? Or is it ready for review and merge?

[MEschenbacher]

Ready for review and merge.

[welcome]

Congratulations on your first PR being merged! 🎉