-rw-r--r-- | .vscode/extensions.json | 2 | ||||
-rw-r--r-- | CHANGELOG.md | 14 | ||||
-rw-r--r-- | lib/puppet/provider/sshkey/parsed.rb | 4 | ||||
-rw-r--r-- | lib/puppet/type/ssh_authorized_key.rb | 14 | ||||
-rw-r--r-- | lib/puppet/type/sshkey.rb | 11 | ||||
-rw-r--r-- | metadata.json | 2 | ||||
-rw-r--r-- | spec/acceptance/tests/resource/sshkey/purge_spec.rb | 73 | ||||
-rw-r--r-- | spec/integration/provider/sshkey_spec.rb | 31 | ||||
-rw-r--r-- | spec/unit/type/ssh_authorized_key_spec.rb | 56 | ||||
-rw-r--r-- | spec/unit/type/sshkey_spec.rb | 14 | ||||
-rw-r--r-- | spec/unit/type/user_spec.rb | 32 |
11 files changed, 228 insertions, 25 deletions
diff --git a/.vscode/extensions.json b/.vscode/extensions.json index 6177782..2f1e4f7 100644 --- a/.vscode/extensions.json +++ b/.vscode/extensions.json @@ -1,6 +1,6 @@ { "recommendations": [ - "jpogran.puppet-vscode", + "puppet.puppet-vscode", "rebornix.Ruby" ] } diff --git a/CHANGELOG.md b/CHANGELOG.md index cfae002..bd806b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,19 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org). -## [2.0.0](https://github.com/puppetlabs/puppetlabs-sshkeys_core/tree/2.0.0) (2020-03-12) +## [2.1.0](https://github.com/puppetlabs/puppetlabs-sshkeys_core/tree/2.1.0) (2020-06-22) + +[Full Changelog](https://github.com/puppetlabs/puppetlabs-sshkeys_core/compare/2.0.0...2.1.0) + +### Added + +- \(MODULES-10671\) New SSH key types for OpenSSH 8.2 [\#31](https://github.com/puppetlabs/puppetlabs-sshkeys_core/pull/31) ([Dorin-Pleava](https://github.com/Dorin-Pleava)) + +### Fixed + +- \(PUP-10510\) Fix sshkeys not being correctly purged [\#32](https://github.com/puppetlabs/puppetlabs-sshkeys_core/pull/32) ([GabrielNagy](https://github.com/GabrielNagy)) + +## [2.0.0](https://github.com/puppetlabs/puppetlabs-sshkeys_core/tree/2.0.0) (2020-03-13) [Full Changelog](https://github.com/puppetlabs/puppetlabs-sshkeys_core/compare/1.0.3...2.0.0) diff --git a/lib/puppet/provider/sshkey/parsed.rb b/lib/puppet/provider/sshkey/parsed.rb index 965c20d..3ed0873 100644 --- a/lib/puppet/provider/sshkey/parsed.rb +++ b/lib/puppet/provider/sshkey/parsed.rb @@ -28,6 +28,10 @@ Puppet::Type.type(:sshkey).provide( 0o644 end + def title + "#{property_hash[:name]}@#{property_hash[:type]}" + end + def self.default_target case Facter.value(:operatingsystem) when 'Darwin' diff --git a/lib/puppet/type/ssh_authorized_key.rb b/lib/puppet/type/ssh_authorized_key.rb index 648055c..9749e29 100644 
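Review bot: The new `title` method in lib/puppet/provider/sshkey/parsed.rb has no comment explaining why a provider needs a composite title, although it is the heart of the PUP-10510 purge fix. Puppet pairs discovered instances with catalog resources by title, so this value must stay byte-identical in shape to `Puppet::Type::Sshkey#title` (`"#{self[:name]}@#{self[:type]}"` in lib/puppet/type/sshkey.rb), or `resources { 'sshkey': purge => true }` cannot match existing known_hosts entries. I would add above the method: `# Composite "name@type" title, kept in sync with Puppet::Type::Sshkey#title so that instances parsed from the file can be matched against catalog resources when purging (PUP-10510).` If `property_hash[:type]` can be nil for a record the parser does not recognise, the title degrades to `name@`, which presumably never matches a catalog title; worth confirming against the record definition, which is outside this hunk.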
--- a/lib/puppet/type/ssh_authorized_key.rb +++ b/lib/puppet/type/ssh_authorized_key.rb @@ -62,11 +62,16 @@ module Puppet newproperty(:type) do desc 'The encryption type used.' - newvalues :'ssh-dss', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521', :'ssh-ed25519' + newvalues :'ssh-dss', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521', :'ssh-ed25519', + :'sk-ecdsa-sha2-nistp256@openssh.com', :'sk-ssh-ed25519@openssh.com', :'ssh-rsa-cert-v01@openssh.com', + :'ssh-ed25519-cert-v01@openssh.com', :'ssh-dss-cert-v01@openssh.com', :'ecdsa-sha2-nistp256-cert-v01@openssh.com', + :'ecdsa-sha2-nistp384-cert-v01@openssh.com', :'ecdsa-sha2-nistp521-cert-v01@openssh.com' aliasvalue(:dsa, :'ssh-dss') aliasvalue(:ed25519, :'ssh-ed25519') aliasvalue(:rsa, :'ssh-rsa') + aliasvalue(:'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com') + aliasvalue(:'ed25519-sk', :'sk-ssh-ed25519@openssh.com') end newproperty(:key) do @@ -159,7 +164,12 @@ module Puppet end # regular expression suitable for use by a ParsedFile based provider - REGEX = %r{^(?:(.+)\s+)?(ssh-dss|ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)\s+([^ ]+)\s*(.*)$} + REGEX = %r{^(?:(.+)\s+)?(ssh-dss|ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256| + ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ecdsa-sk|ed25519-sk| + sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com| + ssh-rsa-cert-v01@openssh.com|ssh-ed25519-cert-v01@openssh.com| + ssh-dss-cert-v01@openssh.com|ecdsa-sha2-nistp256-cert-v01@openssh.com| + ecdsa-sha2-nistp384-cert-v01@openssh.com|ecdsa-sha2-nistp521-cert-v01@openssh.com)\s+([^ ]+)\s*(.*)$}x def self.keyline_regex REGEX end diff --git a/lib/puppet/type/sshkey.rb b/lib/puppet/type/sshkey.rb index c3cce5d..d45c059 100644 --- a/lib/puppet/type/sshkey.rb +++ b/lib/puppet/type/sshkey.rb 
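Review bot: The unchanged `desc 'The encryption type used.'` above the extended `newvalues` call in `newproperty(:type)` is now misleading: the added `*-cert-v01@openssh.com` values are certificate types rather than encryption types, and for them the `key` property carries a certificate blob instead of a bare public key (the unit tests added in this commit show exactly that). I would change it to `desc 'The key type. Accepts the identifiers OpenSSH writes in authorized_keys, including sk-* FIDO keys and *-cert-v01@openssh.com certificates; dsa, rsa, ed25519, ecdsa-sk and ed25519-sk are accepted as aliases.'`. A one-line note that `ssh-dss` and `ssh-dss-cert-v01@openssh.com` are disabled by default in sshd since OpenSSH 7.0, so they only matter for legacy hosts, would also help operators reading the generated type reference.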
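Review bot: The rewritten `REGEX` accepts `ecdsa-sk` and `ed25519-sk` as on-disk key-type tokens, but those are Puppet-side aliases (they are `aliasvalue`s in the same file), not identifiers sshd recognises; an authorized_keys line written with either token would be parsed as a valid key by Puppet, and left alone when `type` is not managed, even though sshd will never honour it, while the equivalent `dsa`/`rsa`/`ed25519` aliases are deliberately absent from the pattern. I would drop the two alias tokens from the alternation and keep only `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com`, so the regex describes what sshd actually reads. Because the pattern now uses the `x` flag, a comment such as `# extended mode: layout whitespace is ignored; \s+ and [^ ]+ are the only real separators` would stop the next editor from assuming the line breaks are significant. The `self.keyline_regex` accessor below the constant is unchanged by this hunk.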
@@ -12,10 +12,14 @@ module Puppet "#{self[:name]}@#{self[:type]}" end + def self.parameters_to_include + [:name, :type] + end + def self.title_patterns [ [ - %r{^(.*)@(.*)$}, + %r{^(.*?)@(.*)$}, [ [:name], [:type], @@ -35,11 +39,14 @@ module Puppet isnamevar - newvalues :'ssh-dss', :'ssh-ed25519', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521' + newvalues :'ssh-dss', :'ssh-ed25519', :'ssh-rsa', :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521', + :'sk-ecdsa-sha2-nistp256@openssh.com', :'sk-ssh-ed25519@openssh.com' aliasvalue(:dsa, :'ssh-dss') aliasvalue(:ed25519, :'ssh-ed25519') aliasvalue(:rsa, :'ssh-rsa') + aliasvalue(:'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com') + aliasvalue(:'ed25519-sk', :'sk-ssh-ed25519@openssh.com') end newproperty(:key) do diff --git a/metadata.json b/metadata.json index 06ade51..f9a84ef 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "puppetlabs-sshkeys_core", - "version": "2.0.0", + "version": "2.1.0", "author": "puppetlabs", "summary": "Manage SSH authorized keys, and known hosts.", "license": "Apache-2.0", diff --git a/spec/acceptance/tests/resource/sshkey/purge_spec.rb b/spec/acceptance/tests/resource/sshkey/purge_spec.rb new file mode 100644 index 0000000..23ce37b --- /dev/null +++ b/spec/acceptance/tests/resource/sshkey/purge_spec.rb 
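Review bot: The non-greedy change from `^(.*)@(.*)$` to `^(.*?)@(.*)$` in `title_patterns` and the new `parameters_to_include` hook each encode a non-obvious decision and neither is commented. The `?` makes the first `@` the name/type separator, so a title such as `host@sk-ssh-ed25519@openssh.com` yields type `sk-ssh-ed25519@openssh.com`; this is only safe because hostnames and known_hosts aliases never contain `@`, which deserves saying: `# Split on the FIRST @: the type itself may contain @ (e.g. sk-ssh-ed25519@openssh.com); host names never do.` For `parameters_to_include` I would add `# Both namevars are needed to identify an sshkey uniquely; without this, resources { 'sshkey': purge => true } cannot match parsed instances (PUP-10510).`, which is my reading of the purge fix since the caller is not in this diff.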
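Review bot: The extended `newvalues` list for sshkey's `type` omits the `*-cert-v01@openssh.com` values that the same commit adds to ssh_authorized_key, which I assume is intentional, since known_hosts stores CA public keys under an `@cert-authority` marker rather than certificates; without a comment, a later "consistency" change is likely to add them here by mistake. I would put `# No *-cert-v01 types here: known_hosts holds CA keys (@cert-authority lines), never certificates.` directly above the `newvalues` call. The `desc` for this parameter sits above the hunk, so I cannot tell whether it already mentions the `ecdsa-sk`/`ed25519-sk` aliases.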
@@ -0,0 +1,73 @@ +require 'spec_helper_acceptance' + +RSpec.context 'sshkeys: Purge' do + let(:keyname) { "pl#{rand(999_999).to_i}" } + + # FIXME: This is bletcherous + let(:ssh_known_hosts) { '/etc/ssh/ssh_known_hosts' } + + let(:purge_manifest) do + <<-MANIFEST + resources { 'sshkey': + purge => true, + } + MANIFEST + end + + before(:each) do + posix_agents.agents.each do |agent| + # The 'cp' might fail because the source file doesn't exist + on( + agent, + "cp -fv #{ssh_known_hosts} /tmp/ssh_known_hosts", + acceptable_exit_codes: [0, 1], + ) + cmd = <<-CMD +echo '' > #{ssh_known_hosts} +echo '#{keyname} ssh-rsa how_about_the_initial_rsa_key_of_c' >> #{ssh_known_hosts} +echo '#{keyname} ssh-dss how_about_the_initial_dss_key_of_c' >> #{ssh_known_hosts} +CMD + on(agent, cmd) + end + end + + after(:each) do + posix_agents.each do |agent| + # Is it present? + rc = on( + agent, + '[ -e /tmp/ssh_known_hosts ]', + accept_all_exit_codes: true, + ) + if rc.exit_code == 0 + # It's present, so restore the original + on( + agent, + "mv -fv /tmp/ssh_known_hosts #{ssh_known_hosts}", + accept_all_exit_codes: true, + ) + else + # It's missing, which means there wasn't one to backup; just + # delete the one we laid down + on( + agent, + "rm -fv #{ssh_known_hosts}", + accept_all_exit_codes: true, + ) + end + end + end + + posix_agents.each do |agent| + it "#{agent} should be able to purge all SSH known host keys" do + apply_manifest_on(agent, purge_manifest, catch_failures: true) + + # expect purging to be idempotent + apply_manifest_on(agent, purge_manifest, catch_changes: true) + + on(agent, "cat #{ssh_known_hosts}") do |_res| + expect(stdout).not_to include('how_about_the_initial') + end + end + end +end diff --git a/spec/integration/provider/sshkey_spec.rb b/spec/integration/provider/sshkey_spec.rb index 5f30db1..74e56a7 100644 --- a/spec/integration/provider/sshkey_spec.rb +++ b/spec/integration/provider/sshkey_spec.rb 
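Review bot: `before(:each)` iterates `posix_agents.agents.each` while `after(:each)` and the example loop iterate `posix_agents.each`; one of these must be wrong for whatever `posix_agents` returns (its definition is not in this diff), and if it is a plain array the setup raises NoMethodError before any example runs. I would make all three loops `posix_agents.each`. In the example, the block parameter `_res` is discarded and the assertion reads the DSL-level `stdout` helper instead; `expect(res.stdout).not_to include('how_about_the_initial')` ties the check explicitly to the `cat` result. Also `rand(999_999).to_i` already yields an Integer, so the `.to_i` is redundant.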
@@ -91,6 +91,25 @@ describe Puppet::Type.type(:sshkey).provider(:parsed), unless: Puppet.features.m expect(File.read(sshkey_file)).not_to match(%r{#{sshkey_name}.*Yqk0=}) end + it 'prioritizes the specified type instead of type in the name' do + manifest = "#{type_under_test} { '#{super_unique}@rsa': + ensure => 'present', + type => 'dsa', + key => 'mykey', + target => '#{sshkey_file}' }" + apply_with_error_check(manifest) + expect(File.read(sshkey_file)).to match(%r{#{super_unique} ssh-dss.*mykey}) + end + + it 'can parse SSH key type that contains @openssh.com in name' do + manifest = "#{type_under_test} { '#{super_unique}@sk-ssh-ed25519@openssh.com': + ensure => 'present', + key => 'mykey', + target => '#{sshkey_file}' }" + apply_with_error_check(manifest) + expect(File.read(sshkey_file)).to match(%r{#{super_unique} sk-ssh-ed25519@openssh.com.*mykey}) + end + # test all key types types = [ 'ssh-dss', 'dsa', @@ -98,14 +117,18 @@ describe Puppet::Type.type(:sshkey).provider(:parsed), unless: Puppet.features.m 'ssh-rsa', 'rsa', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', - 'ecdsa-sha2-nistp521' + 'ecdsa-sha2-nistp521', + 'ecdsa-sk', 'sk-ecdsa-sha2-nistp256@openssh.com', + 'ed25519-sk', 'sk-ssh-ed25519@openssh.com' ] # these types are treated as aliases for sshkey <ahem> type # so they are populated as the *values* below aliases = { - 'dsa' => 'ssh-dss', - 'ed25519' => 'ssh-ed25519', - 'rsa' => 'ssh-rsa', + 'dsa' => 'ssh-dss', + 'ed25519' => 'ssh-ed25519', + 'rsa' => 'ssh-rsa', + 'ecdsa-sk' => 'sk-ecdsa-sha2-nistp256@openssh.com', + 'ed25519-sk' => 'sk-ssh-ed25519@openssh.com', } types.each do |type| it "should update an entry with #{type} type" do diff --git a/spec/unit/type/ssh_authorized_key_spec.rb b/spec/unit/type/ssh_authorized_key_spec.rb index 457537c..37981a4 100644 --- a/spec/unit/type/ssh_authorized_key_spec.rb +++ b/spec/unit/type/ssh_authorized_key_spec.rb 
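Review bot: The new example `'prioritizes the specified type instead of type in the name'` only checks that an `ssh-dss` line for `super_unique` was written; it does not check that no `ssh-rsa` line was also produced from the `@rsa` title, which is precisely the regression it is meant to catch. I would add `expect(File.read(sshkey_file)).not_to match(%r{#{super_unique} ssh-rsa})` after the existing expectation. With only the positive match, a resource that writes both lines would still pass.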
@@ -85,7 +85,15 @@ describe Puppet::Type.type(:ssh_authorized_key), unless: Puppet.features.microso :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521', - :ed25519, :'ssh-ed25519' + :ed25519, :'ssh-ed25519', + :'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com', + :'ed25519-sk', :'sk-ssh-ed25519@openssh.com', + :'ssh-rsa-cert-v01@openssh.com', + :'ssh-ed25519-cert-v01@openssh.com', + :'ssh-dss-cert-v01@openssh.com', + :'ecdsa-sha2-nistp256-cert-v01@openssh.com', + :'ecdsa-sha2-nistp384-cert-v01@openssh.com', + :'ecdsa-sha2-nistp521-cert-v01@openssh.com' ].each do |keytype| it "supports #{keytype}" do described_class.new(name: 'whev', type: keytype, user: 'nobody') @@ -102,6 +110,16 @@ describe Puppet::Type.type(:ssh_authorized_key), unless: Puppet.features.microso expect(key.should(:type)).to eq :'ssh-dss' end + it 'aliases :ecdsa-sk to :sk-ecdsa-sha2-nistp256@openssh.com' do + key = described_class.new(name: 'whev', type: :'ecdsa-sk', user: 'nobody') + expect(key.should(:type)).to eq :'sk-ecdsa-sha2-nistp256@openssh.com' + end + + it 'aliases :ed25519-sk to :sk-ssh-ed25519@openssh.com' do + key = described_class.new(name: 'whev', type: :'ed25519-sk', user: 'nobody') + expect(key.should(:type)).to eq :'sk-ssh-ed25519@openssh.com' + end + it "doesn't support values other than ssh-dss, ssh-rsa, dsa, rsa" do expect { described_class.new(name: 'whev', type: :something) }.to raise_error(Puppet::Error, %r{Invalid value}) end 
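Review bot: The example `it "doesn't support values other than ssh-dss, ssh-rsa, dsa, rsa"` directly below the two new alias examples is now wrong on its face: after this commit the property accepts fourteen identifiers plus five aliases. Since the example only asserts that `:something` is rejected, renaming it to `it "doesn't support unknown key types"` keeps the description accurate without touching the assertion. The same stale wording appears in spec/unit/type/sshkey_spec.rb in this diff.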
@@ -126,6 +144,42 @@ describe Puppet::Type.type(:ssh_authorized_key), unless: Puppet.features.microso end # rubocop:enable Metrics/LineLength + # rubocop:disable Metrics/LineLength + it 'supports a valid ssh-rsa-cert-v01@openssh.com key' do + expect { described_class.new(name: 'bastelfreakwashere', type: :'ssh-rsa-cert-v01@openssh.com', user: 'opensshrulez', key: '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') }.not_to raise_error # rubocop:disable Metrics/LineLength + end + # rubocop:enable Metrics/LineLength + + # rubocop:disable Metrics/LineLength + it 'supports a valid ssh-ed25519-cert-v01@openssh.com key' do + expect { described_class.new(name: 'bastelfreakwashere', type: :'ssh-ed25519-cert-v01@openssh.com', user: 'opensshrulez', key: 'AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAII03FWZnj5mlByzlCf6DrreuQ1xd4P06OpWVtTv1LA8tAAAAIAELyKZcNagkQdfPc484zFekxiBOfkTYW5WQp8ZEQ0yRAAAAAAAAAAAAAAACAAAAEGhvc3QuZXhhbXBsZS5jb20AAAAUAAAAEGhvc3QuZXhhbXBsZS5jb20AAAAAXyxVTAAAAABhDDeOAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACABC8imXDWoJEHXz3OPOMxXpMYgTn5E2FuVkKfGRENMkQAAAFMAAAALc3NoLWVkMjU1MTkAAABAMeOkwGO8xK4xLWXemAtcwyFkBT+I57PdBI9Y+6r2MpU8WqpvY8BpR8eohwzrSyTaxt/SeRrrQ+npfMY1g2z5DA==') }.not_to raise_error # rubocop:disable Metrics/LineLength + end + # rubocop:enable Metrics/LineLength + + # rubocop:disable Metrics/LineLength + it 'supports a valid ssh-dss-cert-v01@openssh.com key' do + expect { described_class.new(name: 'bastelfreakwashere', type: :'ssh-dss-cert-v01@openssh.com', user: 'opensshrulez', key: 
'AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgcCc5I4UIAZWRjnkQx/IiMadlKaM8AncxZnEepHrJU7QAAACBAK+gMKBIurFf2QdcVgf+PVJBJlGcC61ej2pFSaZURhgcyhAzf0PAxWwWmeSb5m89PXy09Q4ufDV/iDTKCLV2/tM/fk8Nqk8zT8R92SCdVLy5mN7q8seFhrDeZ1zsWRU6nQHFYiwoS0VhtMyGp1J39mX7wJqbdnIuG/1cqhB4Lxh7AAAAFQDPYY2uOe2WOrQQQY50KUjsUUdrrwAAAIBOio9RBHQasCGAuXGczY2ORp3P0rsUlPR7pLJ9C1+wN1tLfTmOkn9iNmRR3O1xButRs1gBkhlTz7zRreWHOtcXOEoZmj1wIvPqFdmvKv4KX5krq2Dd6vcmTO1LW5CZXvlPM5hYK+IE5+bER1K68xjDIIZfiM0tEmBhnME8nXENeAAAAIEAlHywsFzvdR8VP3acZSHdy82iiKslTn1fOeS10uk+qYZXP7NOhUf+b9WhGSCcv3IzlCGSHs5ClfmABBWUDJyOxF3Fwlmx1z/detbJYgrSBc6bzrqqofac7pWjf3lN7pB/bX4zpN27BjIUwDxYvLRdHlrwA5vZTN98187wOt7D1cwAAAAAAAAAAAAAAAIAAAAQaG9zdC5leGFtcGxlLmNvbQAAABQAAAAQaG9zdC5leGFtcGxlLmNvbQAAAABfLFZ4AAAAAGEMOLkAAAAAAAAAAAAAAAAAAAGyAAAAB3NzaC1kc3MAAACBAK+gMKBIurFf2QdcVgf+PVJBJlGcC61ej2pFSaZURhgcyhAzf0PAxWwWmeSb5m89PXy09Q4ufDV/iDTKCLV2/tM/fk8Nqk8zT8R92SCdVLy5mN7q8seFhrDeZ1zsWRU6nQHFYiwoS0VhtMyGp1J39mX7wJqbdnIuG/1cqhB4Lxh7AAAAFQDPYY2uOe2WOrQQQY50KUjsUUdrrwAAAIBOio9RBHQasCGAuXGczY2ORp3P0rsUlPR7pLJ9C1+wN1tLfTmOkn9iNmRR3O1xButRs1gBkhlTz7zRreWHOtcXOEoZmj1wIvPqFdmvKv4KX5krq2Dd6vcmTO1LW5CZXvlPM5hYK+IE5+bER1K68xjDIIZfiM0tEmBhnME8nXENeAAAAIEAlHywsFzvdR8VP3acZSHdy82iiKslTn1fOeS10uk+qYZXP7NOhUf+b9WhGSCcv3IzlCGSHs5ClfmABBWUDJyOxF3Fwlmx1z/detbJYgrSBc6bzrqqofac7pWjf3lN7pB/bX4zpN27BjIUwDxYvLRdHlrwA5vZTN98187wOt7D1cwAAAA3AAAAB3NzaC1kc3MAAAAoqdL2M2Q5R6xBk1mym3GrtmF7EbAh0PX0LiQ78c4+eQaWHJ71cEIe6A==') }.not_to raise_error # rubocop:disable Metrics/LineLength + end + # rubocop:enable Metrics/LineLength + + # rubocop:disable Metrics/LineLength + it 'supports a valid ecdsa-sha2-nistp256-cert-v01@openssh.com key' do + expect { described_class.new(name: 'bastelfreakwashere', type: :'ecdsa-sha2-nistp256-cert-v01@openssh.com', user: 'opensshrulez', key: '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') }.not_to raise_error # rubocop:disable Metrics/LineLength + end + # rubocop:enable Metrics/LineLength + + # rubocop:disable Metrics/LineLength + it 
'supports a valid ecdsa-sha2-nistp384-cert-v01@openssh.com key' do + expect { described_class.new(name: 'bastelfreakwashere', type: :'ecdsa-sha2-nistp384-cert-v01@openssh.com', user: 'opensshrulez', key: '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') }.not_to raise_error # rubocop:disable Metrics/LineLength + end + # rubocop:enable Metrics/LineLength + + # rubocop:disable Metrics/LineLength + it 'supports a valid ecdsa-sha2-nistp521-cert-v01@openssh.com key' do + expect { described_class.new(name: 'bastelfreakwashere', type: :'ecdsa-sha2-nistp521-cert-v01@openssh.com', user: 'opensshrulez', key: 'AAAAKGVjZHNhLXNoYTItbmlzdHA1MjEtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg2xMe+Z9AuETNwM88pTDRpEtKbGRarajtZ5UaxSmmaQoAAAAIbmlzdHA1MjEAAACFBAFGg1vGsCq5kEzivd0s/kf0x5/TDzb0DwPzGz5YRsUtDlhT7+F7r2lVRvEEXCagc/UjTisIQ0kcG4IgMoI3VsaFEAHrBgF4whI/bhh6i+WzIHnT3NWkjqhdX+kLBXtlm+uFXyslmFlda4gGmjGeHvsDHgC2rN7cSuGh//3DBXtelkB+uQAAAAAAAAAAAAAAAgAAABBob3N0LmV4YW1wbGUuY29tAAAAFAAAABBob3N0LmV4YW1wbGUuY29tAAAAAF8sW9wAAAAAYQw+QgAAAAAAAAAAAAAAAAAAAKwAAAATZWNkc2Etc2hhMi1uaXN0cDUyMQAAAAhuaXN0cDUyMQAAAIUEAUaDW8awKrmQTOK93Sz+R/THn9MPNvQPA/MbPlhGxS0OWFPv4XuvaVVG8QRcJqBz9SNOKwhDSRwbgiAygjdWxoUQAesGAXjCEj9uGHqL5bMgedPc1aSOqF1f6QsFe2Wb64VfKyWYWV1riAaaMZ4e+wMeALas3txK4aH//cMFe16WQH65AAAApwAAABNlY2RzYS1zaGEyLW5pc3RwNTIxAAAAjAAAAEIA92a8QL5J/EMxRaKh9fSysTaEyyN/3KesBC8tI1rwytKILtfrcAIGxXtDQF6eZ72BWUvu6aqHIM6pmIHlnpzsROgAAABCAJHPzoeANenL8ZdlEf0jz8aEiGlGt02Z+vzsajQakKclFL4P8Nm5fojR2Mo2C45CQfO+kfkRQM1UUfDrVZcPzN0S') }.not_to raise_error # rubocop:disable Metrics/LineLength + end + # rubocop:enable Metrics/LineLength + it "doesn't support whitespaces" do expect { described_class.new(name: 'whev', type: :rsa, user: 'nobody', key: 'AAA FA==') }.to raise_error(Puppet::Error, %r{Key must not contain whitespace}) end diff --git a/spec/unit/type/sshkey_spec.rb b/spec/unit/type/sshkey_spec.rb index 680d9ec..53448ed 100644 --- a/spec/unit/type/sshkey_spec.rb +++ b/spec/unit/type/sshkey_spec.rb 
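Review bot: The six new `supports a valid *-cert-v01@openssh.com key` examples differ only in the type symbol and the blob, and each carries the same `Metrics/LineLength` disable twice (as a block comment pair and again inline), so the block form buys nothing. A `type => key` table iterated with `each` removes the duplication and makes a future certificate type a one-row change; the blobs can stay as literals since the `key` property only checks base64 and whitespace, and hoisting them into one table means a single disable/enable pair covers them all. The enclosing `describe` block starts and ends outside this hunk.
```ruby
# rubocop:disable Metrics/LineLength
cert_keys = {
  'ssh-rsa-cert-v01@openssh.com' => '…blob unchanged…',
  'ssh-ed25519-cert-v01@openssh.com' => '…blob unchanged…',
  # … remaining four types, blobs unchanged …
}
# rubocop:enable Metrics/LineLength

cert_keys.each do |type, key|
  it "supports a valid #{type} key" do
    expect { described_class.new(name: 'bastelfreakwashere', type: type.to_sym, user: 'opensshrulez', key: key) }.not_to raise_error
  end
end
```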
@@ -27,7 +27,9 @@ describe Puppet::Type.type(:sshkey) do :'ecdsa-sha2-nistp256', :'ecdsa-sha2-nistp384', :'ecdsa-sha2-nistp521', - :'ssh-ed25519', :ed25519 + :'ssh-ed25519', :ed25519, + :'ecdsa-sk', :'sk-ecdsa-sha2-nistp256@openssh.com', + :'ed25519-sk', :'sk-ssh-ed25519@openssh.com' ].each do |keytype| it "supports #{keytype} as a type value" do described_class.new(name: 'foo', type: keytype) @@ -44,6 +46,16 @@ describe Puppet::Type.type(:sshkey) do expect(key.parameter(:type).value).to eq :'ssh-dss' end + it 'aliases :ecdsa-sk to :sk-ecdsa-sha2-nistp256@openssh.com' do + key = described_class.new(name: 'foo', type: :'ecdsa-sk') + expect(key.parameter(:type).value).to eq :'sk-ecdsa-sha2-nistp256@openssh.com' + end + + it 'aliases :ed25519-sk to :ssh-dss' do + key = described_class.new(name: 'foo', type: :'ed25519-sk') + expect(key.parameter(:type).value).to eq :'sk-ssh-ed25519@openssh.com' + end + it "doesn't support values other than ssh-dss, ssh-rsa, dsa, rsa for type" do expect { described_class.new(name: 'whev', type: :'ssh-dsa') diff --git a/spec/unit/type/user_spec.rb b/spec/unit/type/user_spec.rb index 122434f..449f3dd 100644 --- a/spec/unit/type/user_spec.rb +++ b/spec/unit/type/user_spec.rb 
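Review bot: The new example `it 'aliases :ed25519-sk to :ssh-dss' do` in spec/unit/type/sshkey_spec.rb has a copy-paste description: its assertion expects `:'sk-ssh-ed25519@openssh.com'`, not `:'ssh-dss'`, so a failure would be reported under a misleading name. Rename it to `it 'aliases :ed25519-sk to :sk-ssh-ed25519@openssh.com' do`, matching the sibling example above it and the equivalent example added to ssh_authorized_key_spec.rb in this commit.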
@@ -55,23 +55,23 @@ describe Puppet::Type.type(:user) do end end - context 'with no home directory specified' do - it 'does not accept true' do - expect { + if Puppet.version.start_with?('6') + context 'with no home directory specified' do + before(:each) do + Dir.stubs(:home).with('a').returns('/home/a') + end + + it 'does accept true' do described_class.new(name: 'a', purge_ssh_keys: true) - }.to raise_error(Puppet::Error, %r{purge_ssh_keys can only be true for users with a defined home directory}) - end + end - it 'does not accept the ~ wildcard' do - expect { + it 'does accept the ~ wildcard' do described_class.new(name: 'a', purge_ssh_keys: '~/keys') - }.to raise_error(Puppet::Error, %r{meta character ~ or %h only allowed for users with a defined home directory}) - end + end - it 'does not accept the %h wildcard' do - expect { + it 'does accept the %h wildcard' do described_class.new(name: 'a', purge_ssh_keys: '%h/keys') - }.to raise_error(Puppet::Error, %r{meta character ~ or %h only allowed for users with a defined home directory}) + end end end @@ -82,6 +82,10 @@ describe Puppet::Type.type(:user) do res end + before(:each) do + Dir.stubs(:home).with('test').returns('/home/test') + end + let(:paths) do ['/dev/null', '/tmp/keyfile'].map { |path| File.expand_path(path) } end @@ -106,6 +110,10 @@ describe Puppet::Type.type(:user) do res end + before(:each) do + Dir.stubs(:home).with('test_user_name').returns('/home/test_user_name') + end + context 'when purging is disabled' do let(:purge_param) { false } |
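Review bot: The `if Puppet.version.start_with?('6')` guard around the rewritten 'with no home directory specified' context is a string-prefix test, so it stops matching at Puppet 7 (and would match a hypothetical 60.x), and the three former 'does not accept' examples are deleted rather than moved under an `else`, so if the module still supports Puppet 5 (metadata.json's requirements are not in this diff) the validation errors they covered are no longer tested at all. I would compare versions properly, `if Gem::Version.new(Puppet.version) >= Gem::Version.new('6.0.0')`, and keep the old examples in the `else` branch. The acceptance of `true`, `~/keys` and `%h/keys` only holds because `Dir.home('a')` is stubbed in the new `before(:each)`; a one-line comment such as `# On 6.x the user type resolves the home directory via Dir.home, so stub it for a user that does not exist` would explain the stub, hedged as the type code itself is not in this diff.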