openssh 7.0 has dropped default support for ssh-dss (DSA) keys. Debian Stretch ships with openssh 7.4. This is seen as a security improvement upstream and by the Wikimedia operations team.
- Announce deprecation of ssh-dss keys
- Remove ability to upload new ssh-dss keys via MediaWiki-extensions-OpenStackManager
- Remove ability to upload new ssh-dss keys via Striker
- Audit LDAP for users with existing ssh-dss keys and prompt them to upload new keys
- Remove support for ssh-dss keys in Jessie openssh server configs