From 4b84dead8ef1bb7a47014291b8e279a1d48d5074 Mon Sep 17 00:00:00 2001
From: Alexander Weidinger
Date: Tue, 12 Feb 2019 14:53:10 +0100
Subject: [PATCH] Made host key algos configurable; dropped DSA

---
 openssh/config.sls | 2 +-
 openssh/defaults.yaml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/openssh/config.sls b/openssh/config.sls
index 9fbe895..76a11a1 100644
--- a/openssh/config.sls
+++ b/openssh/config.sls
@@ -36,7 +36,7 @@ ssh_config:
 {%- endif %}
 {% endif %}
 
-{%- for keyType in ['ecdsa', 'dsa', 'rsa', 'ed25519'] %}
+{%- for keyType in openssh['host_key_algos'].split(',') %}
 {%- set keyFile = "/etc/ssh/ssh_host_" ~ keyType ~ "_key" %}
 {%- set keySize = salt['pillar.get']('openssh:generate_' ~ keyType ~ '_size', False) %}
 {%- if salt['pillar.get']('openssh:provide_' ~ keyType ~ '_keys', False) %}
diff --git a/openssh/defaults.yaml b/openssh/defaults.yaml
index f26d784..4652da6 100644
--- a/openssh/defaults.yaml
+++ b/openssh/defaults.yaml
@@ -19,6 +19,10 @@ openssh:
   dig_pkg: dnsutils
   ssh_moduli: /etc/ssh/moduli
   root_group: root
+  # Prevent merge of array; always override values
+  host_key_algos: ecdsa,ed25519,rsa
+  # To manage/remove DSA:
+  #host_key_algos: dsa,ecdsa,ed25519,rsa
   sshd_config: {}
   ssh_config: {}
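Review bot: The new loop header splits `host_key_algos` on bare commas without trimming, so a pillar value written as `ecdsa, ed25519` yields a key type with a leading space, and the unchanged lines below then build the path `/etc/ssh/ssh_host_ ed25519_key` and look up the pillar key `openssh:provide_ ed25519_keys`, silently managing nothing for that type; `{%- for keyType in openssh['host_key_algos'].split(',') | map('trim') %}` avoids this. Because `dsa` is no longer in the default list, existing DSA host keys are not visited by this loop at all, so the commit appears to leave them in place rather than remove them unless an operator opts back in via the commented default added in openssh/defaults.yaml; a short comment next to that commented line, e.g. `# DSA host keys are neither generated nor removed unless 'dsa' is listed here`, would make the "dropped DSA" behaviour explicit. The body of this for loop continues past the end of the hunk.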