[master] Manage SSH keys and certificates #64708
Merged
dwoz merged 29 commits into saltstack:master from Jan 29, 2026
to be able to use them in a wrapper module
in CI, pytest complained about an `import file mismatch` because these files have the same basename as the x509_v2 tests. Output was:

```
ERROR collecting tests/pytests/integration/ssh/ssh_pki/test_certificate_managed_wrapper.py
import file mismatch:
imported module 'test_certificate_managed_wrapper' has this __file__ attribute:
  /__w/salt/salt/tests/pytests/integration/ssh/x509_v2/test_certificate_managed_wrapper.py
which is not the same as the test file we want to collect:
  /__w/salt/salt/tests/pytests/integration/ssh/ssh_pki/test_certificate_managed_wrapper.py
HINT: remove __pycache__ / .pyc files and/or use a unique basename for your test file modules
```
... and remove unnecessary fixture requests.
What does this PR do?
Adds `ssh_pki` execution and state modules that apply the principle (and rough code outline) of the `x509` modules to SSH keys and certificates. This allows statefully managing SSH keys and certificates and creating an OpenSSH CA managed by Salt.

Note: Based on #65654.
What issues does this PR fix or reference?
Fixes: #65197
Merge requirements satisfied?
Commits signed with GPG?
Yes
Notes
I'm not sure if adding a new module fits the current zeitgeist of moving modules out into extensions, but tend to think being able to manage SSH keys (and certificates) should be part of Salt core.
In a lucky coincidence, the development of these modules resulted in the discovery of GHSA-cf7p-gm2m-833m, which means Salt now ships with the required `cryptography` version for them by default. :)