[fix] Allow user to trigger the moment when they remove dsa

data/hooks/conf_regen/03-ssh

@@ -13,6 +13,11 @@ do_pre_regen() {
       [[ -f /proc/net/if_inet6 ]] \
         || sed -i "s/ListenAddress ::/#ListenAddress ::/g" sshd_config
 
+      # Add DSA HostKey to let user remove it with migration 7
+      if [[ "$(yunohost settings 'service.ssh._deprecated_dsa_hostkey')" == "True" ]]; then
+          sed -i '/HostKey \/etc\/ssh\/ssh_host_rsa_key/a HostKey /etc/ssh/ssh_host_dsa_key' sshd_config
+      fi
+
       install -D -m 644 sshd_config "${pending_dir}/etc/ssh/sshd_config"
   fi
 }

data/templates/ssh/sshd_config

@@ -9,14 +9,12 @@ ListenAddress 0.0.0.0
 Protocol 2
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
-# Lifetime and size of ephemeral version 1 server key
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-
 # Logging
 SyslogFacility AUTH
 LogLevel INFO

src/yunohost/data_migrations/0006_manage_sshd_config.py

@@ -11,6 +11,7 @@ from moulinette.utils.filesystem import mkdir, rm
 from yunohost.tools import Migration
 from yunohost.service import service_regen_conf, _get_conf_hashes, \
                              _calculate_hash, _run_service_command
+from yunohost.settings import settings_set
 
 logger = getActionLogger('yunohost.migration')
 
@@ -25,6 +26,16 @@ class MyMigration(Migration):
 
     def migrate(self):
 
+        # Check if deprecated DSA Host Key is in config
+        dsa_rgx = r'^[ \t]*HostKey[ \t]+/etc/ssh/ssh_host_dsa_key[ \t]*(?:#.*)?$'
+        dsa = False
+        for line in open(SSHD_CONF):
+            if re.match(dsa_rgx, line) is not None:
+                dsa = True
+                break
+        if dsa:
+            settings_set("service.ssh._deprecated_dsa_hostkey", True)
+
         # Create sshd_config.d dir
         if not os.path.exists(SSHD_CONF + '.d'):
             mkdir(SSHD_CONF + '.d', 0755, uid='root', gid='root')

src/yunohost/data_migrations/0007_reset_sshd_config.py

@@ -7,6 +7,7 @@ from moulinette.utils.log import getActionLogger
 from yunohost.tools import Migration
 from yunohost.service import service_regen_conf, _get_conf_hashes, \
                              _calculate_hash
+from yunohost.settings import settings_set, settings_get
 
 logger = getActionLogger('yunohost.migration')
 
@@ -15,6 +16,7 @@ class MyMigration(Migration):
     "Reset SSH conf to the YunoHost one"
 
     def migrate(self):
+        settings_set("service.ssh._deprecated_dsa_hostkey", False)
         service_regen_conf(names=['ssh'], force=True)
 
     def backward(self):
@@ -29,7 +31,8 @@ class MyMigration(Migration):
         if '/etc/ssh/sshd_config' in ynh_hash:
             ynh_hash = ynh_hash['/etc/ssh/sshd_config']
         current_hash = _calculate_hash('/etc/ssh/sshd_config')
-        if ynh_hash == current_hash:
+        dsa = settings_get("service.ssh._deprecated_dsa_hostkey")
+        if ynh_hash == current_hash and not dsa:
             return "auto"
 
         return "manual"
@@ -53,7 +56,7 @@ class MyMigration(Migration):
 
             root_login = root_login + re.findall(root_rgx, line)
 
-            if not dsa and re.match(dsa_rgx, line):
+            if not dsa and re.match(dsa_rgx, line) is not None:
                 dsa = True
 
         if len(ports) == 0:

src/yunohost/settings.py

@@ -39,6 +39,7 @@ DEFAULTS = OrderedDict([
     # -1 disabled, 0 alert if listed, 1 8-letter, 2 normal, 3 strong, 4 strongest
     ("security.password.admin.strength", {"type": "int", "default": 1}),
     ("security.password.user.strength", {"type": "int", "default": 1}),
+    ("service.ssh._deprecated_dsa_hostkey", {"type": "bool", "default": False}),
 ])