From 65b73d71cbe5df15ce62024123eedea284d825db Mon Sep 17 00:00:00 2001
From: Peter Hoeg
Date: Thu, 6 Oct 2016 14:37:38 +0800
Subject: [PATCH] ssh: deprecate use of old DSA keys

They are not safe and shouldn't be used.
---
 nixos/modules/services/networking/ssh/sshd.nix | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 8828429a817..0834fc67284 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -363,12 +363,9 @@ in
 HostKey ${k.path}
 '')}
 
- # Allow DSA client keys for now. (These were deprecated
- # in OpenSSH 7.0.)
- PubkeyAcceptedKeyTypes +ssh-dss
-
- # Re-enable DSA host keys for now.
 ${optionalString supportOldHostKeys ''
+ # Allow DSA keys for now. (deprecated in OpenSSH 7.0)
+ PubkeyAcceptedKeyTypes +ssh-dss
 HostKeyAlgorithms +ssh-dss
 ''}
 '';
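Review bot: In the new `${optionalString supportOldHostKeys ''` block, `PubkeyAcceptedKeyTypes +ssh-dss` (client-key acceptance) is now tied to a flag whose name mentions only host keys, so whether DSA user keys are accepted follows a host-key compatibility switch. The definition of `supportOldHostKeys` is outside the hunk, but wherever it is true sshd still accepts DSA for both user authentication and host keys, and wherever it is false existing `ssh-dss` entries in `authorized_keys` stop working after the upgrade; a release note should tell admins to rotate those keys first. I would make the generated comment say so, e.g. `# Legacy compatibility only: accept DSA (ssh-dss) user and host keys; disabled by default since OpenSSH 7.0.`, and consider renaming the flag or gating the two directives separately so user-key acceptance can be dropped independently.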