From afa7721ab9cce7da2eee29f653e1bcd4218cfd5b Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Wed, 27 May 2026 14:46:43 +0200
Subject: [PATCH] common/fa-t14-2025: add oldssh
---
 common/oldssh.nix | 44 ++++++++++++++++++++++++++++++++++++++
 flake.nix | 2 ++
 hosts/fa-t14-2025/home.nix | 2 ++
 3 files changed, 48 insertions(+)
 create mode 100644 common/oldssh.nix
diff --git a/common/oldssh.nix b/common/oldssh.nix
new file mode 100644
index 0000000..f0608b7
--- /dev/null
+++ b/common/oldssh.nix
@@ -0,0 +1,44 @@
+# Credit https://git.pvv.ntnu.no/oysteikt 2026
+
+{
+ openssh,
+ fetchurl,
+ lib
+}:
+
+openssh.overrideAttrs (prev: rec {
+ # Old crypto was removed in v10.0
+ version = "9.9p2";
+ src = fetchurl {
+ url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+ hash = "sha256-karbYD4IzChe3fll4RmdAlhfqU2ZTWyuW0Hhch4hVnM=";
+ };
+
+ configureFlags = prev.configureFlags ++ [
+ "--enable-dsa-keys"
+ ];
+
+ # Broken patches, meant for 10.3p :p
+ patches = lib.filter (x: !(lib.any (suf: lib.hasSuffix suf (baseNameOf x)) [
+ "dont_create_privsep_path.patch"
+ "pkcs11-fix-pinentry.patch"
+ "pkcs11-tests-allow-module-path.patch"
+ "ssh-agent-tests-increase-timeout.patch"
+ ])) prev.patches;
+
+ # We actually needed the `dont_create_privsep_path` one :3
+ postPatch = prev.postPatch + ''
+ substituteInPlace Makefile.in \
+ --replace-fail '$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)' '''
+ '';
+
+ # Tihi
+ doInstallCheck = false;
+ postFixup = ''
+ rm -rf $out/libexec $out/etc
+ rm $out/bin/ssh-* $out/bin/sshd $out/bin/sftp
+ cd $out/bin
+ for filename in *; do mv {,old}"$filename"; done;
+ '';
+})
+
diff --git a/flake.nix b/flake.nix
index a30a993..656070c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -59,6 +59,8 @@ pwndbg = pwndbg.packages."${prev.system}".default; securecrt = prev.callPackage ./common/securecrt.nix { }; + + oldssh = prev.callPackage ./common/oldssh.nix { }; }; in {
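Review bot: Nothing in `common/oldssh.nix` records that this client is frozen at 9.9p2: the comment above `version` explains why the release is old, but the override also takes the package out of nixpkgs' openssh updates, so fixes published after 9.9p2 arrive only when someone bumps `version` and `hash` by hand. I would say so next to the pin, e.g. `# Pinned below 10.0 for DSA; not updated with nixpkgs openssh, bump by hand. Use only for legacy devices.` The `# Tihi` above `doInstallCheck = false;` gives no reason for skipping the install check, and a short comment naming what fails would help the next bump. The `patches` filter is a deny-list of four file names, so any patch nixpkgs adds later is also applied to the 9.9p2 tree; that presumably fails the build rather than passing silently, but it deserves a comment as well.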
diff --git a/hosts/fa-t14-2025/home.nix b/hosts/fa-t14-2025/home.nix
index cfc37d9..98a0306 100644
--- a/hosts/fa-t14-2025/home.nix
+++ b/hosts/fa-t14-2025/home.nix
@@ -20,6 +20,7 @@ in {
 libreoffice
 mpv
 oauth2ms
+ oldssh
 openssl
 openvpn
 pavucontrol
@@ -82,6 +83,7 @@ in {
 zsh = {
 shellAliases = {
 "kssh" = "ssh -t controlnode ssh";
+ "ossh" = "oldssh -oHostKeyAlgorithms=+ssh-dss -oCiphers=+aes256-cbc -oKexAlgorithms=+diffie-hellman-group14-sha1";
 "rebuild" = "sudo nixos-rebuild switch --flake /config";
 };
 prezto.pmodules = [ "ssh" ];
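Review bot: The `ossh` alias in the second hunk enables `ssh-dss` host keys, `aes256-cbc` and `diffie-hellman-group14-sha1` for whatever destination is typed after it, so nothing limits the weakened negotiation to the legacy devices it is meant for. The `+` form appends to the client defaults, so a modern peer should still end up on its stronger algorithms, but a peer that offers only the legacy ones is accepted, with host authentication then resting on a DSA key. Consider moving the three options into per-host entries of a config file that only `oldssh` reads (via `-F`), which keeps them off every other connection. Until then a comment above the alias would help, such as `# legacy devices only: enables DSA host keys, CBC and SHA-1 KEX for any host given`.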