sshd: Use RSA and ED25519 host keys

Closes #7939.

nixos/doc/manual/release-notes/rl-unstable.xml

@@ -50,6 +50,19 @@ following incompatible changes:
 
 <itemizedlist>
 
+<listitem><para><command>sshd</command> no longer supports DSA and ECDSA
+host keys by default. If you have existing systems with such host keys
+and want to continue to use them, please set
+
+<programlisting>
+system.stateVersion = "14.12";
+</programlisting>
+
+(The new option <option>system.stateVersion</option> ensures that
+certain configuration changes that could break existing systems (such
+as the <command>sshd</command> host key setting) will maintain
+compatibility with the specified NixOS release.)</para></listitem>
+
 <listitem><para><command>cron</command> is no longer enabled by
 default, unless you have a non-empty
 <option>services.cron.systemCronJobs</option>. To force

nixos/modules/services/networking/ssh/sshd.nix

@@ -184,16 +184,11 @@ in
       hostKeys = mkOption {
         type = types.listOf types.attrs;
         default =
-          [ { path = "/etc/ssh/ssh_host_dsa_key";
+          [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
-              type = "dsa";
+            { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
-            }
+          ] ++ optionals (!versionAtLeast config.system.stateVersion "15.07")
-            { path = "/etc/ssh/ssh_host_ecdsa_key";
+          [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
-              type = "ecdsa";
+            { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
-              bits = 521;
-            }
-            { path = "/etc/ssh/ssh_host_ed25519_key";
-              type = "ed25519";
-            }
           ];
         description = ''
           NixOS can automatically generate SSH host keys.  This option