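#! /bin/sh
# allow_ssh-dsa (Bourne shell script) -- Tweaks /etc/ssh/sshd_config to allow DSA keys
#
# Appends "PubkeyAcceptedKeyTypes=+ssh-dss" to the sshd configuration (unless
# an equivalent line is already present), keeps a one-time pristine copy in
# sshd_config.dist, and reloads the ssh service.  Must be run as root.
#
# Security notes:
#   * ssh-dss was removed from OpenSSH's default accepted key types, so this
#     script deliberately weakens the daemon's policy.  The justification
#     written into the config ("public SSH connections are not permitted") is
#     an assumption about the host; re-check it whenever network exposure
#     changes, and prefer migrating users to Ed25519 or RSA keys.
#   * OpenSSH 8.5 renamed this option to PubkeyAcceptedAlgorithms (the old
#     name remains an alias), and recent releases have dropped DSA support
#     entirely, so on those versions this change cannot take effect.
#   * The edited configuration is validated with "sshd -t" before it replaces
#     the live file, because reloading sshd with a broken configuration can
#     lock out remote administrators.
#
# TO-DO: test for before Xenial (or earlier?) and warn & exit

config=/etc/ssh/sshd_config
backup=$config.dist
sshd=/usr/sbin/sshd

if [ ! -f "$config" ]; then
  echo "allow_ssh-dsa: $config not found" >&2
  exit 1
fi

# sshd_config keywords are case-insensitive and may be separated from their
# value by whitespace or '=', so accept either form when checking whether the
# setting is already present (keeps the script idempotent).
if grep -Eqi '^[[:space:]]*PubkeyAcceptedKeyTypes[[:space:]=].*ssh-dss' "$config"; then
  exit 0
fi

# A directive appended after a Match block belongs to that block, so it would
# only apply to matching connections instead of globally.
if grep -Eqi '^[[:space:]]*Match[[:space:]]' "$config"; then
  echo "allow_ssh-dsa: $config contains Match blocks; add the directive" \
    "manually above the first Match line" >&2
  exit 1
fi

# Keep a pristine copy the first time only; never touch the config without one.
if [ ! -f "$backup" ]; then
  cp -p "$config" "$backup" || {
    echo "allow_ssh-dsa: could not create $backup" >&2
    exit 1
  }
fi

# Work on a candidate copy next to the live file so a failed edit or a failed
# validation leaves the running configuration untouched.
candidate=$(mktemp "$config.XXXXXX") || exit 1
trap 'rm -f -- "$candidate"' EXIT
cp -p "$config" "$candidate" || exit 1

# GNU sed: append a blank line, the provenance comments and the directive.
sed -i -e "\$a\\
\\
# Added by Alastair Irvine on $(date +%F)\\
# Not considered a risk because public SSH connections are not permitted\\
# See https://security.stackexchange.com/questions/112802/why-openssh-deprecated-dsa-keys\\
PubkeyAcceptedKeyTypes=+ssh-dss" \
  "$candidate" || exit 1

if ! "$sshd" -t -f "$candidate"; then
  echo "allow_ssh-dsa: sshd rejected the modified configuration;" \
    "$config left unchanged" >&2
  exit 1
fi

mv -f -- "$candidate" "$config" || exit 1

service ssh reload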