From 23010095caf811ead98b5bf04585fab1329459bd Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 16 Jun 2020 19:37:40 +0100
Subject: [PATCH] Remove any legacy DSA host keys

---
 cookbooks/openssh/recipes/default.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/cookbooks/openssh/recipes/default.rb b/cookbooks/openssh/recipes/default.rb
index 3349dc85d..c5738f45b 100644
--- a/cookbooks/openssh/recipes/default.rb
+++ b/cookbooks/openssh/recipes/default.rb
@@ -28,6 +28,14 @@ service "ssh" do
 supports :status => true, :restart => true, :reload => true
 end
 
+file "/etc/ssh/ssh_host_dsa_key" do
+ action :delete
+end
+
+file "/etc/ssh/ssh_host_dsa_key.pub" do
+ action :delete
+end
+
 hosts = search(:node, "networking:interfaces").sort_by { |n| n[:hostname] }.collect do |node|
 name = node.name.split(".").first
 
@@ -42,8 +50,7 @@ hosts = search(:node, "networking:interfaces").sort_by { |n| n[:hostname] }.coll
 end
 
 keys = {
- "ssh-rsa" => node[:keys][:ssh][:host_rsa_public],
- "ssh-dss" => node[:keys][:ssh][:host_dsa_public]
+ "ssh-rsa" => node[:keys][:ssh][:host_rsa_public]
 }
 
 if node[:keys][:ssh][:host_ecdsa_public]
-- 
2.39.5
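Review bot: Neither of the two added `file` resources notifies `service[ssh]`, so on a host where sshd already has the DSA key loaded the daemon presumably keeps offering it until something else restarts or reloads it, since sshd reads its host keys at startup. Consider adding `notifies :reload, "service[ssh]"` to both resources; the service declaration just above already advertises `:reload => true`. Whether the cookbook's sshd_config template still lists `/etc/ssh/ssh_host_dsa_key` as a `HostKey` is not visible in this hunk and is worth checking, because a leftover entry would then point at a file that no longer exists. A one-line comment above the resources, such as `# DSA host keys are limited to 1024 bits and no longer accepted by default; remove any left over from old installs`, would record why the files are deleted rather than merely left unused.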