`ssh_known_hosts.present` does not support SHA256 key fingerprints

[vutny]

Description of Issue/Question

The ssh_known_hosts.present state function does not support SH256-hashed public key fingerprints, which would be given by modern versions of OpenSSH binaries. For example:

$ ssh-keyscan bitbucket.org | ssh-keygen -lf -
# bitbucket.org:22 SSH-2.0-conker_1.0.284-7b46313 app-123
# bitbucket.org:22 SSH-2.0-conker_1.0.284-7b46313 app-125
# bitbucket.org:22 SSH-2.0-conker_1.0.284-7b46313 app-126
2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)

At the moment, I can't use such strong hash in SLS, but have to deal with legacy MD5:

$ ssh-keyscan bitbucket.org | ssh-keygen -E md5 -lf -
# bitbucket.org:22 SSH-2.0-conker_1.0.284-7b46313 app-123
# bitbucket.org:22 SSH-2.0-conker_1.0.284-7b46313 app-132
# bitbucket.org:22 SSH-2.0-conker_1.0.284-7b46313 app-133
2048 MD5:97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40 bitbucket.org (RSA)

Also, this is little bit awkward that the option -E md5 seems to be not documented properly and you need to remember how to extract proper fingerprint.

Setup

Authorize SSH host bitbucket.org:
  ssh_known_hosts.present:
    - name: bitbucket.org
    - enc: ssh-rsa
    - fingerprint: zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A

Actual result

----------
          ID: Authorize SSH host bitbucket.org
    Function: ssh_known_hosts.present
        Name: bitbucket.org
      Result: False
     Comment: Remote host public key found but its fingerprint does not match one you have provided
     Started: 10:41:59.213731
    Duration: 1000.601 ms
     Changes:   

Expected result

The key has been added successfully.

Versions Report

Salt Version:
           Salt: 2016.11.3
 
Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.4.2
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
         Python: 2.7.12 (default, Nov 19 2016, 06:48:10)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4
 
System Versions:
           dist: Ubuntu 16.04 xenial
        machine: x86_64
        release: 4.4.0-53-generic
         system: Linux
        version: Ubuntu 16.04 xenial

[Ch3LL]

@vutny i am able to replicate this. The problem i believe resides here It is hardcoded to use md5.

Here is a docker container for anyone to quickly replicate this:

1. docker run -it -v /home/ch3ll/git/salt/:/testing/ ch3ll/issues:40005 salt-call --local state.sls test -ldebug (where /home/ch3ll/git/salt is a local cloned git repo of salt)

[Ch3LL]

NOTE: We need to check in the code for any other hard coded md5 values like this and get those changed up. Thanks for bringing this to our attention

[rallytime]

Hi @vutny - I have added the fingerprint_hash_type option to the ssh_known_hosts.present state. That should allow you to specify the type of fingerprint hash that was used originally on the public key, so we can use it in the _fingerprint function in salt.modules.ssh.py.