Despite the fact that the client disables DSA support by default since OpenSSH 7.0, the server still includes it in the implicit list of host keys used if you don't specify any HostKey options at all (which is the default behaviour in the stock sshd_config). This seems a bit odd. Would you consider removing it from the list in fill_default_server_options, thereby requiring people who really need it to specify it manually? That would seem to be useful in further discouraging the use of DSA. Background for why I'm asking: https://bugs.debian.org/823827 requested something similar, which at the time I handled only in the Debian packaging scripts. Recently I switched to doing a better job of upgrading server configuration files and using something much closer to the stock upstream sshd_config, which has resulted in https://bugs.debian.org/850614, so I'm considering patching this out of fill_default_server_options given that the Debian packaging scripts ensure that all necessary host keys are generated so something newer should always be available; but it seems worth asking if you have serious qualms about that approach.
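As an added illustration of the implicit host-key list the report refers to (example script written for this page, not part of the bug report or of OpenSSH itself): a small POSIX sh audit that reads an sshd_config and prints which host key files sshd would load, either the explicit HostKey lines or, when none are present, the compiled-in default list as it stood before and after this change. The /etc/ssh path prefix is the usual build default and is assumed here; the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Audit which host key files an sshd would load for a given sshd_config.
# When no HostKey directive is present, sshd falls back to the list built
# in fill_default_server_options(); "pre" is the list before bz#2662
# (DSA included), "post" the list after it (DSA dropped).
# The /etc/ssh prefix is the usual compile-time default (assumption).
OLD_DEFAULTS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key"
NEW_DEFAULTS="/etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key"

# effective_hostkeys CONFIG [pre|post]
# Prints one key path per line: the explicit HostKey entries if there are
# any, otherwise the implicit default list for the chosen sshd era.
effective_hostkeys() {
    config=$1
    era=${2:-post}
    # Keywords are case-insensitive; commented-out lines have "#..." as $1,
    # and HostKeyAlgorithms/HostKeyAgent do not match the exact keyword.
    explicit=$(awk 'tolower($1) == "hostkey" && NF >= 2 { print $2 }' "$config")
    if [ -n "$explicit" ]; then
        printf '%s\n' "$explicit"
    elif [ "$era" = pre ]; then
        printf '%s\n' $OLD_DEFAULTS   # unquoted on purpose: split into words
    else
        printf '%s\n' $NEW_DEFAULTS
    fi
}

# dsa_hostkey_loaded CONFIG [pre|post]
# Exit status 0 if any effective host key looks like a DSA key.
dsa_hostkey_loaded() {
    # "dsa" must be its own path component, otherwise ssh_host_ecdsa_key
    # would be misreported as DSA.
    effective_hostkeys "$1" "$2" | grep -Eq '(^|[/_-])dsa([_.-]|$)'
}

# Constructed sample configs for the demo (not taken from any real host).
make_sample_configs() {
    STOCK_CONF=$(mktemp)
    cat > "$STOCK_CONF" <<'EOF'
# stock-style config: HostKey lines commented out, so the defaults apply
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
Port 22
EOF
    PINNED_CONF=$(mktemp)
    cat > "$PINNED_CONF" <<'EOF'
# hardened config: host keys pinned explicitly, no DSA
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512
EOF
}

# Demo run over the constructed samples.
make_sample_configs
for era in pre post; do
    printf 'stock config on %s-bz#2662 sshd would load:\n' "$era"
    effective_hostkeys "$STOCK_CONF" "$era" | sed 's/^/  /'
    if dsa_hostkey_loaded "$STOCK_CONF" "$era"; then
        echo "  -> a DSA host key would be loaded"
    fi
done
printf 'pinned config would load:\n'
effective_hostkeys "$PINNED_CONF" post | sed 's/^/  /'
rm -f "$STOCK_CONF" "$PINNED_CONF"
```

On a live system the same question is answered authoritatively by `sshd -T`, which prints the effective `hostkey` lines after defaults are filled in; the script above is only for reading configs offline, for example when reviewing packaging or configuration-management output.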
Created attachment 2930: Remove ssh_host_dsa_key from HostKey default

Perhaps something like this?
Put this on the list. DSA isn't offered by default anyway.
Applied - thanks

commit 88c50a5ae20902715f0fca306bb9c38514f71679 (HEAD -> master, origin/master, origin/HEAD)
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Feb 16 02:32:40 2018 +0000

    upstream: stop loading DSA keys by default, remove sshd_config stanza and
    manpage bits; from Colin Watson via bz#2662, ok dtucker@

    OpenBSD-Commit-ID: d33a849f481684ff655c140f5eb1b4acda8c5c09
closing resolved bugs as of 8.6p1 release