When we compile dropbear (with or without a savedconfig) with DROPBEAR_DSS set to 0, the DSS algorithm is still enabled. The main reason is upstream (as it is enforced in sysoptions.h to make fuzzing happy, as far as I understood). However, the init.d/dropbear script relies on the output of "dropbearkey -h" to detect available algorithms and generates a key for each of them. A solution is to avoid relying on the dropbearkey output and have a variable in conf.d/dropbear to list algorithms... or, better, just let the admin generate the keys he wants to support without letting the script decide. Upstream doesn't want to fix that, as their proposed solution is to just not create a DSS key file. Reproducible: Always
(In reply to fariouche from comment #0)
> [...]
> upstream don't want to fix that as their proposed solution is to just no
> create a dss key file.
Do you have a source/reference for this, just for completeness?
There is also a related PR ( https://github.com/gentoo/gentoo/pull/36489 ); maybe instead of adding ed25519 we could move all of them into conf.d and disable DSS by default.
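The approach floated in comment #0 and comment #2 (an explicit list of key types in conf.d rather than parsing "dropbearkey -h", with DSS left out by default) could look like the following. This is an added example, not the Gentoo init.d/dropbear script or anything from the PR; the variable names DROPBEAR_KEYTYPES and DROPBEAR_DISABLED_KEYTYPES are hypothetical, while the "dropbearkey -t TYPE -f FILE" invocation and the /etc/dropbear/dropbear_TYPE_host_key paths are dropbear's real conventions.

```shell
#!/bin/sh
# Added example (not the Gentoo init script): pick host key types from an
# admin-supplied list instead of whatever "dropbearkey -h" advertises, so a
# type that is compiled in but unwanted (here DSS) never gets a key file.

# Hypothetical conf.d/dropbear variables. The default set excludes dss.
: "${DROPBEAR_KEYTYPES:=rsa ecdsa ed25519}"
: "${DROPBEAR_DISABLED_KEYTYPES:=dss}"

# Print the requested key types ($1, space-separated) minus any listed in
# the disabled set ($2), preserving order. Output is a single line.
filter_keytypes() {
    wanted=$1
    disabled=$2
    out=""
    for t in $wanted; do
        skip=0
        for d in $disabled; do
            if [ "$t" = "$d" ]; then
                skip=1
            fi
        done
        if [ "$skip" -eq 0 ]; then
            out="$out $t"
        fi
    done
    printf '%s\n' "${out# }"
}

# Map a key type to the host key path dropbear conventionally uses.
keyfile_for() {
    printf '/etc/dropbear/dropbear_%s_host_key\n' "$1"
}

# Generate each missing key for the filtered list. dropbearkey is only
# invoked here, never while computing the list, so the decision of which
# keys exist is entirely the admin's configuration.
generate_keys() {
    for t in $(filter_keytypes "$DROPBEAR_KEYTYPES" "$DROPBEAR_DISABLED_KEYTYPES"); do
        f=$(keyfile_for "$t")
        if [ ! -f "$f" ]; then
            dropbearkey -t "$t" -f "$f"
        fi
    done
}
```

Called from the start() function of an init script, generate_keys would replace the "dropbearkey -h" parsing loop; an admin who wants DSS after all can set DROPBEAR_DISABLED_KEYTYPES to an empty string and add dss to DROPBEAR_KEYTYPES.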