Remove support for SSH DSA keys

DSA keys (in the SSH RFCs known as ssh-dss) have weaknesses:

The SSH standard fixes the hash to use with DSA to SHA1, which
effectively limits the key size to 1024, which is too small for a post
logjam world.

In addition, DSA is very sensitive to randomness failures.

For these reasons, OpenSSH starting from 7.0 doesn't support DSA keys
anymore.

We follow suit in Gerrit by not using or generating DSA keys either.

Bug: Issue 7534
Change-Id: I4afbbb5abd4228d9b061a0e2abc6a4cb96c41d90

java/com/google/gerrit/pgm/init/InitSshd.java

@@ -82,7 +82,6 @@ public class InitSshd implements InitStep {
   private void generateSshHostKeys() throws InterruptedException, IOException {
     if (!exists(site.ssh_key)
         && (!exists(site.ssh_rsa)
-            || !exists(site.ssh_dsa)
             || !exists(site.ssh_ed25519)
             || !exists(site.ssh_ecdsa_256)
             || !exists(site.ssh_ecdsa_384)
@@ -116,26 +115,6 @@ public class InitSshd implements InitStep {
             .waitFor();
       }
 
-      if (!exists(site.ssh_dsa)) {
-        System.err.print(" dsa...");
-        System.err.flush();
-        new ProcessBuilder(
-                "ssh-keygen",
-                "-q" /* quiet */,
-                "-t",
-                "dsa",
-                "-P",
-                emptyPassphraseArg,
-                "-C",
-                comment,
-                "-f",
-                site.ssh_dsa.toAbsolutePath().toString())
-            .redirectError(Redirect.INHERIT)
-            .redirectOutput(Redirect.INHERIT)
-            .start()
-            .waitFor();
-      }
-
       if (!exists(site.ssh_ed25519)) {
         System.err.print(" ed25519...");
         System.err.flush();

java/com/google/gerrit/server/config/SitePaths.java

@@ -58,7 +58,6 @@ public final class SitePaths {
   public final Path ssl_keystore;
   public final Path ssh_key;
   public final Path ssh_rsa;
-  public final Path ssh_dsa;
   public final Path ssh_ecdsa_256;
   public final Path ssh_ecdsa_384;
   public final Path ssh_ecdsa_521;
@@ -106,7 +105,6 @@ public final class SitePaths {
     ssl_keystore = etc_dir.resolve("keystore");
     ssh_key = etc_dir.resolve("ssh_host_key");
     ssh_rsa = etc_dir.resolve("ssh_host_rsa_key");
-    ssh_dsa = etc_dir.resolve("ssh_host_dsa_key");
     ssh_ecdsa_256 = etc_dir.resolve("ssh_host_ecdsa_key");
     ssh_ecdsa_384 = etc_dir.resolve("ssh_host_ecdsa_384_key");
     ssh_ecdsa_521 = etc_dir.resolve("ssh_host_ecdsa_521_key");

java/com/google/gerrit/sshd/HostKeyProvider.java

@@ -39,7 +39,6 @@ class HostKeyProvider implements Provider<KeyPairProvider> {
   public KeyPairProvider get() {
     Path objKey = site.ssh_key;
     Path rsaKey = site.ssh_rsa;
-    Path dsaKey = site.ssh_dsa;
     Path ecdsaKey_256 = site.ssh_ecdsa_256;
     Path ecdsaKey_384 = site.ssh_ecdsa_384;
     Path ecdsaKey_521 = site.ssh_ecdsa_521;
@@ -49,9 +48,6 @@ class HostKeyProvider implements Provider<KeyPairProvider> {
     if (Files.exists(rsaKey)) {
       stdKeys.add(rsaKey.toAbsolutePath().toFile());
     }
-    if (Files.exists(dsaKey)) {
-      stdKeys.add(dsaKey.toAbsolutePath().toFile());
-    }
     if (Files.exists(ecdsaKey_256)) {
       stdKeys.add(ecdsaKey_256.toAbsolutePath().toFile());
     }