Made host key algos configurable; dropped DSA

openssh/config.sls

@@ -36,7 +36,7 @@ ssh_config:
     {%- endif %}
 {% endif %}
 
-{%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
+{%- for keyType in openssh['host_key_algos'].split(',') %}
 {%-   set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
 {%-   set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}
 {%-   if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}

openssh/defaults.yaml

@@ -19,6 +19,10 @@ openssh:
   dig_pkg: dnsutils
   ssh_moduli: /etc/ssh/moduli
   root_group: root
+  # Prevent merge of array; always override values
+  host_key_algos: ecdsa,ed25519,rsa
+  # To manage/remove DSA:
+  #host_key_algos: dsa,ecdsa,ed25519,rsa
 
 sshd_config: {}
 ssh_config: {}