Upstream OpenSSH has been working on deprecating DSA keys for some time, and I intend to follow suit in FreeBSD.
>From the OpenSSH 9.8p1 release notes: === OpenSSH has disabled DSA keys by default since 2015 but has retained run-time optional support for them. DSA was the only mandatory-to- implement algorithm in the SSHv2 RFCs, mostly because alternative algorithms were encumbered by patents when the SSHv2 protocol was specified. This has not been the case for decades at this point and better algorithms are well supported by all actively-maintained SSH implementations. We do not consider the costs of maintaining DSA in OpenSSH to be justified and hope that removing it from OpenSSH can accelerate its wider deprecation in supporting cryptography libraries. This release, and its deactivation of DSA by default at compile-time, marks the second step in our timeline to finally deprecate DSA. The final step of removing DSA support entirely is planned for the first OpenSSH release of 2025. === As part of the update to OpenSSH 9.8p1 I intend to disable DSA key support at compile time. I intend to make this change in main only, leaving DSA key support enabled in stable/14 and stable/13. The change is a trivial update in config.h -- https://reviews.freebsd.org/D48910
