Update the list of valid ssh keys.

cloudinit/config/cc_ssh.py

@@ -35,6 +35,42 @@
 
     no-port-forwarding,no-agent-forwarding,no-X11-forwarding
 
+Supported public key types for the ``ssh_authorized_keys`` are:
+
+    - dsa
+    - rsa
+    - ecdsa
+    - ed25519
+    - ecdsa-sha2-nistp256-cert-v01@openssh.com
+    - ecdsa-sha2-nistp256
+    - ecdsa-sha2-nistp384-cert-v01@openssh.com
+    - ecdsa-sha2-nistp384
+    - ecdsa-sha2-nistp521-cert-v01@openssh.com
+    - ecdsa-sha2-nistp521
+    - sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
+    - sk-ecdsa-sha2-nistp256@openssh.com
+    - sk-ssh-ed25519-cert-v01@openssh.com
+    - sk-ssh-ed25519@openssh.com
+    - ssh-dss-cert-v01@openssh.com
+    - ssh-dss
+    - ssh-ed25519-cert-v01@openssh.com
+    - ssh-ed25519
+    - ssh-rsa-cert-v01@openssh.com
+    - ssh-rsa
+    - ssh-xmss-cert-v01@openssh.com
+    - ssh-xmss@openssh.com
+
+.. note::
+    this list has been filtered out from the supported keytypes of
+    `OpenSSH`_ source, where the sigonly keys are removed. Please see
+    ``ssh_util`` for more information.
+
+    ``dsa``, ``rsa``, ``ecdsa`` and ``ed25519`` are added for legacy,
+    as they are valid public keys in some old distros. They can possibly
+    be removed in the future when support for the older distros are dropped
+
+.. _OpenSSH: https://github.com/openssh/openssh-portable/blob/master/sshkey.c
+
 Host Keys
 ^^^^^^^^^
 

cloudinit/config/cc_ssh_authkey_fingerprints.py

@@ -13,7 +13,7 @@
 default, but can be disabled using ``no_ssh_fingerprints``. The hash type for
 the keys can be specified, but defaults to ``sha256``.
 
-**Internal name:** `` cc_ssh_authkey_fingerprints``
+**Internal name:** ``cc_ssh_authkey_fingerprints``
 
 **Module frequency:** per instance
 
@@ -59,8 +59,8 @@ def _gen_fingerprint(b64_text, hash_meth='sha256'):
 
 def _is_printable_key(entry):
     if any([entry.keytype, entry.base64, entry.comment, entry.options]):
-        if (entry.keytype and
-                entry.keytype.lower().strip() in ['ssh-dss', 'ssh-rsa']):
+        if (entry.keytype and entry.keytype.lower().strip()
+                in ssh_util.VALID_KEY_TYPES):
             return True
     return False
 

cloudinit/ssh_util.py

@@ -17,27 +17,43 @@
 # See: man sshd_config
 DEF_SSHD_CFG = "/etc/ssh/sshd_config"
 
-# taken from OpenSSH source openssh-7.3p1/sshkey.c:
-# static const struct keytype keytypes[] = { ... }
+# this list has been filtered out from keytypes of OpenSSH source
+# openssh-8.3p1/sshkey.c:
+# static const struct keytype keytypes[] = {
+# filter out the keytypes with the sigonly flag, eg:
+# { "rsa-sha2-256", "RSA", NULL, KEY_RSA, 0, 0, 1 },
+# refer to the keytype struct of OpenSSH in the same file, to see
+# if the position of the sigonly flag has been moved.
+#
+# dsa, rsa, ecdsa and ed25519 are added for legacy, as they are valid
+# public keys in some old distros. They can possibly be removed
+# in the future when support for the older distros is dropped
+#
+# When updating the list, also update the _is_printable_key list in
+# cloudinit/config/cc_ssh_authkey_fingerprints.py
 VALID_KEY_TYPES = (
     "dsa",
+    "rsa",
     "ecdsa",
-    "ecdsa-sha2-nistp256",
+    "ed25519",
     "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-    "ecdsa-sha2-nistp384",
+    "ecdsa-sha2-nistp256",
     "ecdsa-sha2-nistp384-cert-v01@openssh.com",
-    "ecdsa-sha2-nistp521",
+    "ecdsa-sha2-nistp384",
     "ecdsa-sha2-nistp521-cert-v01@openssh.com",
-    "ed25519",
-    "rsa",
-    "rsa-sha2-256",
-    "rsa-sha2-512",
-    "ssh-dss",
+    "ecdsa-sha2-nistp521",
+    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com",
+    "sk-ecdsa-sha2-nistp256@openssh.com",
+    "sk-ssh-ed25519-cert-v01@openssh.com",
+    "sk-ssh-ed25519@openssh.com",
     "ssh-dss-cert-v01@openssh.com",
-    "ssh-ed25519",
+    "ssh-dss",
     "ssh-ed25519-cert-v01@openssh.com",
-    "ssh-rsa",
+    "ssh-ed25519",
     "ssh-rsa-cert-v01@openssh.com",
+    "ssh-rsa",
+    "ssh-xmss-cert-v01@openssh.com",
+    "ssh-xmss@openssh.com",
 )
 
 _DISABLE_USER_SSH_EXIT = 142