authorRobin H. Johnson <robbat2@gentoo.org>2015-02-03 09:53:20 -0800
committerSitaram Chamarty <sitaram@atc.tcs.com>2015-02-07 15:41:08 +0530
commitd500cb7da94ea66ddc46b5cb50bce3779684e0cf (patch)
tree7bd718c8c8562780861852c0df6c83ef3ba2ea51
parentfix ugliness in http output when only base URL is given (diff)
sshkeys-lint: refactor keytype and accept ed25519
sshkeys-lint was rejecting Ed25519 type keys, and also not detecting ecdsa keys for shell users; refactor the key type detection code to use a single variable and introduce Ed25519 into the new variable. Also explicitly matches the ECDSA key types now, rather than leaving it open-ended. Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-xsrc/commands/sshkeys-lint7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/commands/sshkeys-lint b/src/commands/sshkeys-lint
index 3b2689d..7c0f508 100755
--- a/src/commands/sshkeys-lint
+++ b/src/commands/sshkeys-lint
@@ -17,6 +17,7 @@ $|++;
my $in_gl_section = 0;
my $warnings = 0;
+my $KEYTYPE_REGEX = qr/\b(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\b/;
sub dbg {
use Data::Dumper;
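Review bot: The added `$KEYTYPE_REGEX` has no comment saying which tokens it is meant to match, and its only delimiters are `\b`, which treats `-`, `.` and `@` as boundaries. It therefore also matches inside longer tokens such as `ssh-rsa-cert-v01@openssh.com`, and anywhere on a line, including the comment field; whether that is intended is not visible here. In `user` (second hunk) it replaces a `^`-anchored test, so that classification now depends on a match anywhere in the line. I would add a comment above the variable such as `# key-type tokens accepted in authorized_keys lines; unanchored, callers add their own field delimiters`, and note that the list has to be extended whenever sshd gains a key type.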
@@ -126,7 +127,7 @@ sub user {
my $user = '';
$user ||= "user $1" if /^command=.*gitolite-shell (.*?)"/;
$user ||= "unknown command" if /^command/;
- $user ||= "shell access" if /^ssh-(rsa|dss)/;
+ $user ||= "shell access" if /$KEYTYPE_REGEX/;
return $user;
}
@@ -142,10 +143,10 @@ sub ak_comment {
sub fprint {
local $_ = shift;
my ( $fh, $tempfn, $in );
- if ( /ssh-(dss|rsa) / || /ecdsa-/ ) {
+ if ( /$KEYTYPE_REGEX/ ) {
# an actual key was passed. Since ssh-keygen requires an actual file,
# make a temp file to take the data and pass on to ssh-keygen
- s/^.* (ssh-dss|ssh-rsa|ecdsa-\S+)/$1/;
+ s/^.* ($KEYTYPE_REGEX)/$1/;
use File::Temp qw(tempfile);
( $fh, $tempfn ) = tempfile();
$in = $tempfn;
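Review bot: The new guard `if ( /$KEYTYPE_REGEX/ )` in `fprint` drops the trailing space that the old `ssh-(dss|rsa) ` test required, so an argument that merely contains a key-type word can now take the "actual key was passed" branch. A file name like `ssh-ed25519.pub` would match, since `.` satisfies `\b`, and its text would be written to the temp file instead of being treated as a path. The old `/ecdsa-/` alternative already had this weakness. Requiring whitespace after the type restores the distinction: `if ( /$KEYTYPE_REGEX\s/ ) {`. The non-key branch and the rest of `fprint` lie outside the hunk, so the path-handling behaviour is inferred from the comment in this block.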