Description
SUMMARY
I am currently trying to sign a public key that was generated using a hardware token like this:
ssh-keygen -t ed25519-sk
The resulting public key will look something like this:
[email protected] (...) jonas@jonas-thinkpad
If I now sign the key using my CA, the Ansible task will fail with this error message:
fatal: [openssh-ca.int.lipowsky.de]: FAILED! => {"changed": false, "msg": "Unable to read new certificate: Invalid certificate format identifier: b'[email protected]'"}
Looking on the target remote, I noticed that the certificate was correctly signed and it's just the Ansible checks that failed.
Digging into the source code, I noticed that the _SSH_TYPE_STRINGS in plugins/module_utils/openssh/certificate.py are missing the support for the public keys generated with the -sk suffix.
ISSUE TYPE
- Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.17.3]
python version = 3.10.12 (main, Jul 29 2024, 16:56:48) [GCC 11.4.0]
jinja version = 3.1.4
libyaml = True
COLLECTION VERSION
Collection Version
---------------- -------
community.crypto 2.21.1
OS / ENVIRONMENT
- Host: Ubuntu on WSL2
- Target: Ubuntu 22.04
STEPS TO REPRODUCE
- Generate an SSH key using -t ed25519-sk or -t ecdsa-sk
- Sign the key using community.crypto.openssh_cert
EXPECTED RESULTS
A valid SSH certificate should be produced with no error
ACTUAL RESULTS
A valid SSH certificate is produced, but an error is emitted
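
An added example, not part of the original report and not the collection's own code: a stand-alone check of the format identifier embedded in a certificate line, showing how an allow-list without the -sk identifiers rejects a certificate that is otherwise well-formed. The set and function names and the sample line are assumptions made for illustration; the identifier strings are those listed in OpenSSH's PROTOCOL.certkeys and PROTOCOL.u2f.

```python
import base64
import struct

# Certificate format identifiers from OpenSSH's PROTOCOL.certkeys.
CLASSIC_CERT_TYPES = {
    b"ssh-rsa-cert-v01@openssh.com",
    b"ssh-dss-cert-v01@openssh.com",
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com",
    b"ecdsa-sha2-nistp384-cert-v01@openssh.com",
    b"ecdsa-sha2-nistp521-cert-v01@openssh.com",
    b"ssh-ed25519-cert-v01@openssh.com",
}
# FIDO-backed ("-sk") keys use their own identifiers (PROTOCOL.u2f).
SK_CERT_TYPES = {
    b"sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
    b"sk-ssh-ed25519-cert-v01@openssh.com",
}


def cert_format_identifier(cert_line, known_types):
    """Return the format identifier of a one-line OpenSSH certificate."""
    fields = cert_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    declared = fields[0].encode("ascii")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short for a length prefix")
    # The blob starts with an SSH string: uint32 length, then the type name.
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("truncated format identifier")
    embedded = blob[4:4 + length]
    if embedded != declared:
        raise ValueError("declared type %r != embedded type %r" % (declared, embedded))
    if embedded not in known_types:
        raise ValueError("Invalid certificate format identifier: %r" % embedded)
    return embedded.decode("ascii")


def constructed_cert_line(type_name):
    """Build a constructed sample line; structurally minimal, not a valid certificate."""
    blob = struct.pack(">I", len(type_name)) + type_name + b"\x00" * 32
    return "%s %s constructed@example" % (type_name.decode(), base64.b64encode(blob).decode())
```

Passing CLASSIC_CERT_TYPES | SK_CERT_TYPES as known_types accepts the constructed -sk line, while CLASSIC_CERT_TYPES alone raises on the identifier even though the line parses cleanly.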